Hacked Bitcoin: Reddit User Falls Victim to Wallet Generator

• A Reddit member seeks clarification regarding his offline wallet hack.
• Blockchain security firm CertiK explains why wallet generators are unsafe.
• Crypto paper wallet generators have been deemed vulnerable since 2019.

A Redditor has been left puzzled and dismayed after discovering that the Bitcoin wallet he created a year ago has been completely drained. The confused crypto enthusiast posted a thread explaining the unfortunate situation.

Firstly, the user, who goes by the name r/jdmcnair, generated his key on a computer not connected to the internet and then transferred the BTC stash to an offline wallet stored in a physical vault.

Secondly, the unfortunate crypto enthusiast ensured the private key on paper was folded without exposure in a tamper-proof container. While this procedure is deemed one of the safest ways to store crypto, the weak link in this plan turned out to be the wallet generator.

A year later, the cold wallet was completely drained, but in an unusual way for modern-day fraudsters, with 20 transactions simultaneously sending the rightful owner’s funds to different wallets.

How to Spot Vulnerabilities

The disgruntled Reddit user continued to analyze possible scenarios and confirmed that there was no way that somebody would have physically broken into the vault and copied the private keys. However, the crypto community member later disclosed that he’d generated the wallet key using walletgenerator.net, which runs on JavaScript.

According to the victim, the page was loaded with the client, and the computer was disconnected from the internet moments after. Then, the user generated the private keys, exported them into PDF, and sent them to the in-house printer. Besides, while the printer spooler was identified as a likely vulnerability, the victim was surprised that the hack happened over a year after the creation.

However, the main issue here is the wallet generator. Online paper wallet generators tend to run on vulnerable code, giving the same private keys to multiple, sometimes tens or even hundreds of users. 

This was discovered back in 2019 by numerous security researchers. In particular, Harry Denley investigated the walletgenerator.net website in May 2019, discovering that the bulk generator returns just 120 unique keys instead of 1000.

How to Stay Safe

Faulty code is not the only reason more experienced crypto aficionados stay away from paper wallet key generators. For instance, the blockchain security firm CertiK director of security operations Hugh Brooks alerted that “some of these wallet generators could be straight-up scams.”

Indeed, the aforementioned website’s IP address returns a location in the Russian Federation and points to a lengthy list of abuse reports. Brooks highlighted the possibility that the same private keys had been given to different users.

According to CertiK, crypto scammers managed to loot over $300 million in crypto funds in Q2 of 2023. One clear solution to this problem is using a highly reputable cold wallet provider, such as Trezor or Ledger.

While online wallet generators are best to avoid, other security measures should include keeping your private keys physically safe – it’s not recommended to have email backups because any digital device can be hacked.