“My Bitcoin was taken. How?” A Reddit user thought they were following best practices until two days ago when their Bitcoin wallet was completely cleaned out.
$29,476 from their “secure” paper wallet.
On July 24, a Redditor by the name /jdmcnair posted on the r/Bitcoin subreddit, asking for an explanation on how a hacker could have been able to steal over $3,000 worth of Bitcoin from their supposedly secure paper wallet — which was even generated on an offline computer.
“I was doing self-custody, generated my key and printed it on paper on an offline computer, transferred my BTC to this offline wallet, and kept it stored in a safe that only I have the key for,” the user wrote.
“I thought I was keeping it in one of the more secure ways possible.”
In an update to his initial post, the Redditor revealed that they used the wallet creation tool walletgenerator.net to create their wallet’s private keys, which some users highlighted have been infamous for vulnerabilities in the past.
Speaking to Coin telegraph, blockchain security firm CertiK’s director of security operations Hugh Brooks said users should think twice before using a crypto wallet generator.
Such online wallet generators have served as a viable hacking tool for a while now, Brooks said:
“Some of these wallet generators could be straight-up scams. The website that the post claims returns an IP address in Russia. When looking at a tool such as Criminal IP we can see that the address has several abuse reports filed against it.”
Paper wallet generators have been known to contain serious vulnerabilities since 2019, Brooks said, adding that if anyone has generated wallets using walletgenerator.net then it’s likely “the same keys have been given to different users.”
The Profanity wallet generator exploit was a textbook example of this security vulnerability which led to the $160 million hack on algorithmic market maker Wintermute in September.
The solution is simple, according to Brooks. Users wanting safe crypto storage should use a “trusted hardware wallet provider such as Ledger and Trezor.”
Related: Almost $1M in crypto stolen from vanity address exploit
The Redditor was baffled as to why the exploiter waited over 12 months to exploit the funds, prompting another to offer a possible explanation.
“[The hackers] wait for enough noobs to think they generated secure private keys, wait for them to deposit significant amounts, and then, one day, swipe all the funds, so there is no time to react to reports of the site being compromised.”
With a sudden increase in long-dormant Bitcoin wallets waking up — many with funds in the millions — some pundits think it’s due to wallet generators being hacked.
Hackers managed to snatch over $300 million in Q2 2023, according to CertiK, a 58% decline from the same period last year.