A backdoor has been found on the popular paper wallet site BitcoinPaperWallet.com. When the wallet was created, the private keys fell into the hands of cybercriminals, as a result, users lost more than 124 BTC.
Bitcoin paper wallets are a way to “cold” store cryptocurrencies. The user simply prints out the public and private keys and can transfer bitcoins to this wallet for storage.
As it turned out, the popular site for generating paper wallets BitcoinPaperWallet.com was vulnerable to a backdoor, which allowed attackers to gain access to the private keys of at least some of the wallets created by users. Once bitcoins arrive on these wallets, hackers instantly steal them.
Computer security experts talked about the vulnerability: usually, when creating a wallet, the user must move the mouse to generate a random key. However, on the site BitcoinPaperWallet.com, the cybercriminals implemented a method called “test_keys” – during creation, several test keys were generated and saved on the server. One of these keys was used when the creation was completed, not a user-generated random key. And the hackers had access to these test keys.
At the same time, there is no such method in the original BitcoinPaperWallet code posted by the creator on the GitHub portal. Accordingly, someone specifically “upgraded” the code to steal keys from users’ wallets.
On January 7, BitcoinPaperWallet.com user under the pseudonym “Nick Wendell” lost 14.5 BTC. He created a paper wallet and transferred bitcoins to it, but after a few minutes they were stolen. Subsequently, bitcoins were listed on the Binance exchange. At the current exchange rate, this is more than $ 700,000.
“Within a minute I realized what had happened. I had the feeling that I was falling from a height and would never reach the bottom. I remember walking in circles around the kitchen in shock, “the user wrote.
Note that the MetaMask extension for popular browsers detects BitcoinPaperWallet.com as a phishing site and warns the user about it.
“It is critically important that the creation of the wallet takes place using trusted software and completely offline. It is important to remember that if the private key is lost, attackers can steal all of your savings, ”- said independent Bitcoin developer Dustin Dettmer.
In 2019, MyCrypto.com specialists discovered a vulnerability in the Wallet Generator, due to which the same private keys could be generated when creating wallets.