It was just past midnight on Jan. 7, 2021, when “Nick Wendell” (a pseudonym) lost half a million dollars in bitcoin.
Bitcoin’s price was roaring toward $40,000, and Wendell was moving some of his bitcoin to a paper wallet generated by BitcoinPaperWallet.com. These wallets allow you to store your private key on a pdf that can then be printed out or saved as a computer file.
Within a minute of depositing 14.5 BTC, worth over $500,000 at the time (and now worth over $700,000), it was all gone. Someone had swept the funds from Wendell’s wallet and, after playing blockchain hopscotch across multiple addresses, sent them to the Binance exchange.
The situation set Wendell’s world spinning.
“Within one minute I realized what happened and it felt like I was falling but [wouldn’t] hit the ground for several minutes. I remember walking in circles around the kitchen as if I were dizzy,” Wendell told CoinDesk.
Wendell is one of at least half a dozen users who claim to have lost dizzying sums to the paper wallet. A quick Google search reveals posts on Reddit, Bitcointalk and elsewhere that tell several individual accounts of a multi-million dollar collective heist: Someone with access to the site appears to be filching user funds through a back door in the code that gives them access to private keys.
In fact, some users of the most popular bitcoin paper wallet generator on Google’s search ranking claim to have collectively lost millions of dollars worth of bitcoin over the past two years, CoinDesk has learned.
It’s poetic if tragic that something called a “paper wallet” is so fragile. While it might seem intuitively sensible to store your bitcoin offline on a slip of paper or a USB drive to protect it from hackers, doing so can be fraught with risk.
Before loss or degradation, a couple of risks associated with storing bitcoin this way, the primary concern is private key generation – in other words, how you are creating your private keys. If you’re using a third-party software to generate a paper wallet, you’re trusting that the generator creates the private key securely.
If the software isn’t honest, then your wallet is vulnerable at its core.
The BitcoinPaperWallet.com back door
According to security researchers, BitcoinPaperWallet.com sends a copy of every private key it generates on behalf of its users to the site’s servers. Whoever has access to the BitcoinPaperWallet’s back end can then access these keys and steal the funds associated with wallets generated on the site.
Colin and Bryan Aulds, two brothers who run the PrivacyPros blog, nearly purchased the website last year. But after they were tipped off to the series of heists during the negotiation process, they began investigating it for fraud and published their findings on their blog.
If you have the MetaMask or MyEtherWallet (MEW) extensions installed on your computer, the app will automatically redirect you to a page warning you that BitcoinPaperWallet.com unsafe. According to MetaMask, the site is registered on their “domain warning list” because “it has been explicitly identified as a malicious site.”
In May of last year, Ethereum wallet provider MyCrypto released a video and tweet thread warning about a “vulnerability” in BitcoinPaperWallet which creates “a back door that leaves you at risk of your funds being stolen.”
The Aulds brothers mention that the code for this particular exploit no longer exists in BitcoinPaperWallet’s build. But something new has replaced it and people are still losing money because “someone is actively changing [the back door] once the current exploit is published widely,” Bryan Aulds told CoinDesk.
CoinDesk spoke with some of the wallet’s victims. One, who asked to remain anonymous, had made incremental deposits into his wallet throughout August 2020. On the 21st of the month, his funds were gone, on their way to the Binance exchange.
“I mistook it for another legit website that I had used years ago. Basically, I googled ‘Bitcoin paper wallet’ and this scam comes up first,” they told CoinDesk.
Another victim interviewed by CoinDesk lost 50.1 BTC in December. The person deposited funds into a wallet generated by the website, went to get a COVID-19 test and came back to find an empty wallet address.
Still another, who also asked to remain anonymous, lost 1.8 BTC in May 2019. One user on Reddit reported losing BCH to the site as well.
How does the exploit work?
When you create a bitcoin wallet, you have to generate a private key that gives you access to and control over the wallet. To do this, most wallet softwares use a random number generator that multiplies one really long random number by another to generate a private key.
One Reddit user, Senor_Curioso, diagnosed how BitcoinPaperWallet’s key generation process appears to be used to steal funds in this Reddit thread. Per the explanation, the wallet generator automatically creates the seed for you when you load it up.
“When you load the wallet generator from the server, it dynamically embeds 60 random number seeds which hide in the HTML as ‘test keys,’” Curioso said.
Curioso told CoinDesk the test key is, in fact, the wallet’s private key.
When you generate one of BitcoinPaperWallet’s wallets to create the private key yourself, you have to move your mouse across a pop-up window to create the ‘randomness’ needed to generate a cryptographically secure key.
But “when the generator makes your wallets,” Curioso explained, “the cryptographically secure random seed you made by moving your mouse around is ignored. Instead, those ‘test keys’ are used as seeds to generate predictable public and private keys. … The proof: If you eliminate all but one of the ‘test keys’ in the HTML code, the wallet will simply generate the same private and public key over and over. There is no randomness.”
Since these keys are likely saved on BitcoinPaperWallet’s server, anyone who has access to the site’s backend can sweep them at will, he concluded.
A developer for PrivacyPros vetted Curioso’s findings and confirmed the presence of the back door code. He added that the test_key code for generating the private key behind a user’s back “isn’t present in the source code” on the BitcoinPaperWallet’s Github originally authored by its creator; the back door code had been added at a later date.
Dustin Dettmer, an independent Bitcoin developer and researcher, verified the findings as well.
Who owns BitcoinPaperWallet?
Up until 2018, BitcoinPaperWallet was owned and operated by Canton Becker, but it was sold to Sarkis Sarkissian in April of that year.
It wasn’t until after the sale that people began reporting losses from wallets generated on the site. Before the shadow play, one source commented, the wallet generator “was a well-known and trusted website used by the Bitcoin community.”
There’s no way to attribute the alleged thefts to any one person with certainty, but that person would have required access to the website’s code in order to sweep the funds. Unlike a phishing scam, where an outsider tricks you into revealing your private key or sending funds to the wrong address, this back door is internal to BitcoinPaperWallet’s design.
One user told CoinDesk he lost 22.5 BTC to the website in mid 2018. By early 2019, others on social media began reporting stolen funds (one of whom lost 22.15 BTC).
When CoinDesk reached out to Sarkissian to request comment on the back door in the wallet’s code, he attributed the losses to “users who never had proper key management in the first place.”
“Indeed, we’ve received complaints from users who claim to have lost their bitcoin using our website. Those complaints are always resolved except for a select few who cannot fathom it was their own fault and must place the blame on us.”
When asked again to clarify if he knew of a back door in his wallet generator’s code, Sarkissian said, “We have searched our source code for the issues present in those documents and we cannot reproduce the same results. Our servers and source code has been verified clean by [our security expert Jonel Richard]. He is still on retainer and continues to investigate, trying to reproduce the issue found by others.”
CoinDesk reached out to Richard to ask for a copy of his analysis but did not hear back by press time.
Both Wendell and another victim have filed police reports with their respective police departments but nothing has come of the investigations thus far.
BitcoinPaperWallet scams larger holders
BitcoinPaperWallet appears to have featured flawed code since at least the middle of 2018, so how did it go under the radar for so long?
It seems the thief only drained high-value bitcoin wallets or those with at least 1 BTC deposited, not pocket change or smaller sums. According to social media and first-hand accounts, the culprit has stolen at least 124.85 BTC valued at roughly $6.2 million at today’s prices.
BitcoinPaperWallet’s back door is a reminder that, for small or large amounts, storing your bitcoin on a wallet generated from a website is probably not a good idea. In fact, unless you know what you’re doing and generate the paper wallet yourself from scratch, you should just stick with a hardware wallet from a well-known, verified manufacturer and, if you can, secure your funds with a multisignature wallet.
“It is critical wallet generation be completed by a trusted manufacturer in an entirely offline process,” Dettmer told CoinDesk. “You should think of websites, your computer, and the internet generally as trying to voyeuristically get a peek at your seed. Because sometimes they are — and they can steal your entire balance if they succeed.”