A Reddit user believed they followed the best Bitcoin cold storage practices until their BTC was stolen — after a year of wallet inactivity. How?
The user turned to the r/Bitcoin subreddit, seeking an explanation for how a hacker managed to steal more than $3,000 worth of Bitcoin from their allegedly secure paper cold wallet.
“I thought I was keeping it one of the more secure ways possible. I was doing self-custody, generated my key and printed it on paper on an offline computer, transferred my BTC to this offline wallet, and kept it stored in a safe that only I have the key for. Nevertheless, someone transferred all of my BTC to another wallet,” — u/jdmcnair.
Later on, he updated his post, answering numerous clarifying questions. It turned out that he had generated the wallet via the online tool walletgenerator.net.
“Edit: … I generated the wallet using the https://www.walletgenerator.net/ JavaScript wallet generator client. It has been over a year since I generated it, but if I recall correctly I loaded the page with the client, disconnected my computer from the internet, generated the wallet and exported to a pdf, closed browser, cleared history/cache, then reconnected to the network and sent the pdf to my network printer. I suppose the printer spooler could be one compromise vector, but I wonder why they would bother to wait over a year to take advantage of the compromise,” — u/jdmcnair.
This is far from the first such case; walletgenerator.net in particular has been known to have vulnerabilities. In fact, anyone who has used walletgenerator.net to generate wallets has likely been given the same keys as other users. This vulnerability was exploited in the infamous Profanity wallet generator hack, which resulted in a $160 million loss for algorithmic market maker Wintermute last September.
Nevertheless, walletgenerator.net is still recommended as a “proven” and “reliable” generator in some tutorials.
The CEO of CertiK, a blockchain security firm, warned Cointelegraph readers to think twice before using such online wallet generators:
“Some of these wallet generators could be straight-up scams. The website that the post claims returns an IP address in Russia. When looking at a tool such as Criminal IP, we can see that the address has several abuse reports filed against it,” — Hugh Brooks, CEO at CertiK.
Brooks further emphasized that paper wallet generators have been known to contain severe vulnerabilities since 2019. To ensure safe crypto storage, he recommends using trusted hardware wallet providers like Trezor and Ledger instead (the latter with some caveats, though).
This incident serves as a reminder of the risks of using insecure wallet generators. And as more dormant Bitcoin wallets become active, some speculate that the hacking of wallet generators may contribute to this.