Topic: (Almost sure) brainwallet.org stole 22BTC from me (Read 7164 times)
jonald_fyookball (Legendary; Activity: 1302; Merit: 1004)
August 08, 2015, 02:32:19 PM, #41

> I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds; it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has to do nothing with the passphrase.

they could be scraping or using weak rng...and maybe some fancy elliptic curve calculation where they can determine your curve points once the transaction is made.

i think serious cold storage efforts should involve rolling physical dice.
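
The dice suggestion above, worked through as an added example (not code from the thread or from brainwallet.org): it converts fair d6 rolls into a secp256k1 private key while accounting for the entropy the rolls actually carry, and sets that beside the brainwallet.org derivation (private key = SHA256 of the passphrase), where the key is exactly as unpredictable as the passphrase and no more. The sample rolls, the repeated-pattern check and the 128-bit threshold are constructed for the demonstration; all function names are my own.

```python
"""Dice-roll key generation versus a brainwallet passphrase.

Added example, not code from the thread or from brainwallet.org.
Dice rolls, passphrases and thresholds below are constructed for illustration.
"""
import hashlib
import math

# Order of the secp256k1 group (public curve constant); a private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BITS_PER_ROLL = math.log2(6)   # a fair d6 roll carries about 2.585 bits
MIN_ENTROPY_BITS = 128         # secp256k1 offers ~128-bit security; demand at least that much


def brainwallet_privkey(passphrase: str) -> int:
    """brainwallet.org-style derivation: the private key is SHA256(passphrase).

    The passphrase is the only secret, so whoever guesses it derives the same key.
    """
    return int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")


def effective_pattern(passphrase: str):
    """Shortest unit such that passphrase == unit * repeats.

    Length alone says nothing: 84 characters built from a 3-character unit are
    only as hard to guess as the unit plus a repeat count.
    """
    n = len(passphrase)
    for size in range(1, n + 1):
        if n % size == 0 and passphrase[:size] * (n // size) == passphrase:
            return passphrase[:size], n // size
    return passphrase, 1


def dice_entropy_bits(rolls) -> float:
    """Entropy of a sequence of d6 rolls, assuming the dice are fair."""
    return len(rolls) * BITS_PER_ROLL


def has_enough_entropy(rolls) -> bool:
    return dice_entropy_bits(rolls) >= MIN_ENTROPY_BITS


def dice_to_privkey(rolls) -> int:
    """Convert fair d6 rolls into a secp256k1 private key.

    The rolls are read as a base-6 number, hashed to spread them evenly over
    256 bits, and reduced into [1, N-1].  The reduction bias is about 2^-128.
    """
    if any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("every roll must be an integer 1..6")
    if not has_enough_entropy(rolls):
        raise ValueError(f"{len(rolls)} rolls give only {dice_entropy_bits(rolls):.1f} bits")
    value = 0
    for r in rolls:
        value = value * 6 + (r - 1)
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    digest = int.from_bytes(hashlib.sha256(raw).digest(), "big")
    return digest % (SECP256K1_N - 1) + 1


# Constructed, cyclic sample "rolls" so the file runs offline.  Real rolls come
# from physical dice; a predictable sequence like this one must never be used.
SAMPLE_ROLLS = [i % 6 + 1 for i in range(99)]
# The 84-character passphrase quoted later in the thread: "wrh" repeated 28 times.
REPEATED_PASSPHRASE = "wrh" * 28


def compare() -> dict:
    """Summarise the two key sources side by side."""
    unit, repeats = effective_pattern(REPEATED_PASSPHRASE)
    return {
        "passphrase_length": len(REPEATED_PASSPHRASE),
        "passphrase_unit": unit,
        "passphrase_repeats": repeats,
        "passphrase_key": brainwallet_privkey(REPEATED_PASSPHRASE),
        "dice_bits": round(dice_entropy_bits(SAMPLE_ROLLS), 1),
        "dice_key": dice_to_privkey(SAMPLE_ROLLS),
    }


if __name__ == "__main__":
    for name, val in compare().items():
        print(name, hex(val) if name.endswith("_key") else val)
```

The point of the side-by-side: 99 dice rolls carry about 256 bits whatever the key looks like, whereas the 84-character passphrase collapses to a 3-character unit and a count, and SHA256 cannot add back entropy the input never had.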

AgentofCoin (Legendary; Activity: 1092; Merit: 1001)
August 08, 2015, 05:55:41 PM, #42

> I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds; it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has to do nothing with the passphrase.

I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
Brainwallet.org then used the "brainwallet cracker presentation" as an excuse to shut down, steal all users' BTC, and cover their tracks.
They can just claim now that someone has used the cracker program and your passphrase wasn't safe enough.

For the record, any user making brainwallets, make sure you create them on offline computers if you are using any sites' source code.

I support a decentralized & unregulatable ledger first, with safe scaling over time.
Request a signed message if you are associating with anyone claiming to be me.
unamis76 (Legendary; Activity: 1512; Merit: 1009)
August 08, 2015, 06:27:51 PM, #43

Did not realize that the Defcon presentation everyone is talking about on twitter had to do with brainwallet... They really got shamed if they closed down! I guess by this time many brainwallets have been hacked...
LiteCoinGuy (Legendary; Activity: 1148; Merit: 1010)
August 08, 2015, 06:48:41 PM, #44

>> I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds; it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has to do nothing with the passphrase.
>
> I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
> Brainwallet.org then used the "brainwallet cracker presentation" as an excuse to shut down, steal all users' BTC, and cover their tracks.
> They can just claim now that someone has used the cracker program and your passphrase wasn't safe enough.
>
> For the record, any user making brainwallets, make sure you create them on offline computers if you are using any sites' source code.


This, or there was some kind of bug in the code.... or malware on OP's PC (TeamViewer?!)

it is always a good idea to use several methods of storing your BTC:

33% paper wallet
33% hardware wallet
33% some other way

ransomer (Newbie; Activity: 56; Merit: 0)
August 08, 2015, 06:53:56 PM, #45

>> It is far too unsafe to store any real wealth in for the average person.
>
> I'm an average person. I've been using Bitcoin for over 4 years now. I've never lost a single coin.
>
> All it takes is some responsibility. I learned enough (common sense really) to realize that private keys were the "key" to security. After that, it's child's play.
>
> Create secure private keys offline, keep them offline, and your bitcoins will be quite secure.
>
> Learn a little bit about Shamir's secret sharing and you will have an asset that is more secure than any traditional asset known to man.
>
> Data is easy to copy, so do it!
>
> There is reliable, open source software which will accomplish all your bitcoin security needs without any additional education (beyond the basics I just mentioned) for the user.
>
> So... I'll rephrase your post as follows: It is far too unsafe to store any real wealth in for the irresponsible, ignorant, unmotivated person. As it should be.

First of all, you are unlikely to be an average person. All of us in here are likely to be interested in bitcoin and perhaps even technology more than the average person.

A grandmother in Ukraine working in the super market all day might have zero interest in learning any of the things you talk about. A sheep herder in Nigeria (remember that BTC is supposed to be especially good for the unbanked in the third world..) would have a hard time figuring out how to do simple things in Microsoft Word.

I think some people need to consider that just because they are average among their peers - they might be far from average compared to the rest of the world.


Bitcoin is far far far from ready for mass adoption because of security issues.
ransomer (Newbie; Activity: 56; Merit: 0)
August 08, 2015, 06:55:43 PM, #46

>> I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds; it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has to do nothing with the passphrase.
>
> they could be scraping or using weak rng...and maybe some fancy elliptic curve calculation where they can determine your curve points once the transaction is made.
>
> i think serious cold storage efforts should involve rolling physical dice.

A million opinions on what the best way is...and every time something goes wrong a million explanations regarding what could have gone wrong.

This inspires trust in bitcoin only in the most naive.
HugoTheSpider (Jr. Member; Activity: 38; Merit: 2)
August 08, 2015, 07:11:04 PM, #47

> I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
I have an old copy of brainwallet.org running because of the useful utilities and just rechecked it using a network inspector a few minutes ago: it didn't store or send the passphrases I entered.

I'm thinking about the following possibilities:
  • He used this address with software which had a faulty RNG implementation; his private key was exposed to the cracker after recovering the R value
  • brainwallet.org turned into a full scam site a few hours to days before the shutdown
  • His passphrase was too weak, example: wrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrh has 84 characters but it's still guessable
  • He had the private key in the clipboard while pressing CTRL+V in the wrong browser window without even noticing
  • He had the private key imported into insecure wallet software and forgot about it
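
The "recovering the R value" item in the list above refers to a well-documented ECDSA failure mode: if a faulty RNG hands the signer the same nonce k for two different messages, both signatures share r, and the private key follows from two lines of modular arithmetic. The added example below (not code from the thread) reproduces that with a textbook secp256k1 implementation on a constructed key, shows the audit check a wallet reviewer would run over a set of signatures (look for repeated r), and shows the defense: deriving k deterministically from the key and the message hash so that no RNG sits in the signing path. The nonce derivation is a simplified HMAC illustration of the RFC 6979 idea, not the RFC's exact algorithm; key and nonce values are constructed and all function names are my own.

```python
"""Why a repeated ECDSA nonce leaks the private key, and how deterministic
nonces remove the RNG from the signing path.

Added example, not code from the thread.  Textbook secp256k1 arithmetic;
the private key and the "bad" nonce are constructed for the demonstration.
"""
import hashlib
import hmac

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # a + (-a)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # doubling (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, z, k):
    """ECDSA signature of hash z under key d with nonce k (k must be as secret as d)."""
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s


def verify(pub, z, sig) -> bool:
    r, s = sig
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_from_reused_nonce(z1, sig1, z2, sig2):
    """Two signatures with the same k share r; k and d then fall out of the
    two linear equations s_i = k^-1 (z_i + r d) mod N."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs: the nonce was not reused")
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r1, -1, N) % N


def deterministic_nonce(d, z):
    """Nonce derived from (key, message hash) with HMAC-SHA256, so a broken RNG
    cannot repeat it.  Simplified illustration of the RFC 6979 idea, not the RFC."""
    mac = hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1


def find_reused_r(signatures):
    """Audit helper: r values that occur in more than one signature."""
    seen, reused = set(), set()
    for r, _ in signatures:
        (reused if r in seen else seen).add(r)
    return reused


# Constructed demo key and a "random" nonce that a faulty RNG hands out twice.
DEMO_PRIV = 0xC0FFEE1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890
DEMO_PUB = point_mul(DEMO_PRIV, G)
BAD_NONCE = 0xBAD5EEDBAD5EEDBAD5EEDBAD5EEDBAD5EEDBAD5EEDBAD5EEDBAD5EEDBAD5EED


def demo() -> dict:
    z1, z2 = msg_hash(b"constructed tx 1"), msg_hash(b"constructed tx 2")
    bad1, bad2 = sign(DEMO_PRIV, z1, BAD_NONCE), sign(DEMO_PRIV, z2, BAD_NONCE)
    good1 = sign(DEMO_PRIV, z1, deterministic_nonce(DEMO_PRIV, z1))
    good2 = sign(DEMO_PRIV, z2, deterministic_nonce(DEMO_PRIV, z2))
    return {
        "bad_signatures_valid": verify(DEMO_PUB, z1, bad1) and verify(DEMO_PUB, z2, bad2),
        "reused_r_flagged": find_reused_r([bad1, bad2]) == {bad1[0]},
        "key_recovered": recover_from_reused_nonce(z1, bad1, z2, bad2) == DEMO_PRIV,
        "good_signatures_valid": verify(DEMO_PUB, z1, good1) and verify(DEMO_PUB, z2, good2),
        "good_r_distinct": good1[0] != good2[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both pairs of signatures verify, so the blockchain itself gives no hint that anything is wrong; only the repeated r betrays the nonce reuse, which is why an auditor scans for it and why modern wallets derive k deterministically instead of trusting the platform RNG for every signature.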
AgentofCoin (Legendary; Activity: 1092; Merit: 1001)
August 08, 2015, 07:54:26 PM, #48

>> I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
>
> I have an old copy of brainwallet.org running because of the useful utilities and just rechecked it using a network inspector a few minutes ago: it didn't store or send the passphrases I entered.
>
> I'm thinking about the following possibilities:
>   • He used this address with software which had a faulty RNG implementation; his private key was exposed to the cracker after recovering the R value
>   • brainwallet.org turned into a full scam site a few hours to days before the shutdown
>   • His passphrase was too weak, example: wrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrh has 84 characters but it's still guessable
>   • He had the private key in the clipboard while pressing CTRL+V in the wrong browser window without even noticing
>   • He had the private key imported into insecure wallet software and forgot about it

Everything you are saying is correct and ultimately we won't really know what happened unless the thief/hacker/scammer/etc tells us.

But I just think it is suspect that brainwallet.org would shut down because of a brainwallet cracker program presentation?
Seems unusual to me. If the brainwallet design is sound and people use it appropriately, then you don't need to take the site down.

I'm also now thinking LiteCoinGuy might be right when he said:
> ... or there was some kind of bug in the code...

That would explain why the site went down if it was not a scam site, IMO.

Za1n (Legendary; Activity: 1078; Merit: 1011)
August 08, 2015, 09:27:44 PM, #49
Last edit: August 08, 2015, 09:41:09 PM by Za1n

>>> This is still the biggest hindrance to bitcoin getting mass recognition.
>>>
>>> It is far too unsafe to store any real wealth in for the average person.
>>
>> Exactly, and all the useless posts that usually accompany such sad events saying the victim should have done this or that, or used this other wallet, or they were foolish for using said wallet, or site, will not change this basic fact. Until a secure wallet can be developed that doesn't take a month of hard core research to figure out all the ins and outs before using, the average Joe will stay away.
>
> Downloading Electrum and installing it doesn't require any hard core research, and making offline cold storage wallets with it or with downloaded bitaddress doesn't take any hard core research either. If you're too careless with your money and use online tools to generate addresses or store funds in online wallets, then sooner or later you'll get robbed; it's the same as keeping your fiat with unknown strangers and expecting that they don't steal it.
>
> Any average Joe who's familiar with Computers and Internet can easily maintain Cold storage wallets for bigger funds and a Hot wallet for day to day expenses. It's not the problem of bitcoin, it's just that people take things too lightly.

I think you unintentionally made my point. For one, your caveat "average Joe who's familiar with Computers and Internet" is not an average Joe. Sure a lot of people can probably logon, check their email, Facebook, etc., but I would not consider them computer savvy. They have a hard time adding a printer or setting up a backup to an automated external drive. Why do you think the plug and play or zero touch configuration market is so huge, most people just want to download an app or program, plug in a device, or use a website and be done.

How are they to know Brainwallet is any less secure than Electrum without putting some time and effort into it? In most cases it would be more than simply visiting a few websites as their technical competence is not as high as almost anyone posting here and they would have a hard time understanding what makes one more secure over the other.

The average Joe I referenced puts his fiat in the bank; if the bank gets robbed or if his CC gets compromised, he is still ok with minimal (maybe $50) or no liability. This same Joe maybe hears about Bitcoin, does a bit of research and all he sees is hacked wallets, hacked exchanges, scams, Mt Gox was a scam, etc. on and on. This is what is keeping Bitcoin from exploding. You are not getting 10's of millions of users until much more progress is made in this avenue. It is not simply making something more secure, it is making it more secure and something your grandma, barber, bartender, car mechanic, waitress, little league coach, and so on can use. I think hardware wallets are a step in the right direction but much more needs to be done on all fronts.
ransomer (Newbie; Activity: 56; Merit: 0)
August 08, 2015, 11:04:53 PM, #50

>>>> This is still the biggest hindrance to bitcoin getting mass recognition.
>>>>
>>>> It is far too unsafe to store any real wealth in for the average person.
>>>
>>> Exactly, and all the useless posts that usually accompany such sad events saying the victim should have done this or that, or used this other wallet, or they were foolish for using said wallet, or site, will not change this basic fact. Until a secure wallet can be developed that doesn't take a month of hard core research to figure out all the ins and outs before using, the average Joe will stay away.
>>
>> Downloading Electrum and installing it doesn't require any hard core research, and making offline cold storage wallets with it or with downloaded bitaddress doesn't take any hard core research either. If you're too careless with your money and use online tools to generate addresses or store funds in online wallets, then sooner or later you'll get robbed; it's the same as keeping your fiat with unknown strangers and expecting that they don't steal it.
>>
>> Any average Joe who's familiar with Computers and Internet can easily maintain Cold storage wallets for bigger funds and a Hot wallet for day to day expenses. It's not the problem of bitcoin, it's just that people take things too lightly.
>
> I think you unintentionally made my point. For one, your caveat "average Joe who's familiar with Computers and Internet" is not an average Joe. Sure a lot of people can probably logon, check their email, Facebook, etc., but I would not consider them computer savvy. They have a hard time adding a printer or setting up a backup to an automated external drive. Why do you think the plug and play or zero touch configuration market is so huge, most people just want to download an app or program, plug in a device, or use a website and be done.
>
> How are they to know Brainwallet is any less secure than Electrum without putting some time and effort into it? In most cases it would be more than simply visiting a few websites as their technical competence is not as high as almost anyone posting here and they would have a hard time understanding what makes one more secure over the other.
>
> The average Joe I referenced puts his fiat in the bank; if the bank gets robbed or if his CC gets compromised, he is still ok with minimal (maybe $50) or no liability. This same Joe maybe hears about Bitcoin, does a bit of research and all he sees is hacked wallets, hacked exchanges, scams, Mt Gox was a scam, etc. on and on. This is what is keeping Bitcoin from exploding. You are not getting 10's of millions of users until much more progress is made in this avenue. It is not simply making something more secure, it is making it more secure and something your grandma, barber, bartender, car mechanic, waitress, little league coach, and so on can use. I think hardware wallets are a step in the right direction but much more needs to be done on all fronts.

Amen
OBAViJEST (Hero Member; Activity: 714; Merit: 500)
August 08, 2015, 11:39:10 PM, #51

> The site owner can just record all the passphrases typed on their website.

Yup... This is why you should have a different pw for every site/exchange/etc.
jonald_fyookball (Legendary; Activity: 1302; Merit: 1004)
August 09, 2015, 12:20:55 AM, #52

>> The site owner can just record all the passphrases typed on their website.
>
> Yup... This is why you should have a different pw for every site/exchange/etc.

Doubt he was. But if you have a virus you're screwed anyway. Real cold storage = computer never online. Don't know if people are ignorant of that, keep forgetting that, can't seem to bother, or "think it will never happen to them". Cold storage, people. COLD STORAGE!


kelsey (Legendary; Activity: 1876; Merit: 1000)
August 09, 2015, 12:36:34 AM, #53

>>> It is far too unsafe to store any real wealth in for the average person.
>>
>> I'm an average person. I've been using Bitcoin for over 4 years now. I've never lost a single coin.
>>
>> All it takes is some responsibility. I learned enough (common sense really) to realize that private keys were the "key" to security.
>
> Average Joe won't do that.
>
> Like it or not, we will have bitcoin banks (we already have Coinbase etc but that is just the beginning.)



then that pretty much is full circle and defeats the whole purpose of alt to fiat currencies.

the upside to cryptos is they put you in control of your money.

the downside to cryptos is they put you in control of your money.

simple rule: don't put anyone else in control of your cryptos, otherwise you're better off sticking to fiat.
ransomer (Newbie; Activity: 56; Merit: 0)
August 09, 2015, 01:52:31 AM, #54

>>>> It is far too unsafe to store any real wealth in for the average person.
>>>
>>> I'm an average person. I've been using Bitcoin for over 4 years now. I've never lost a single coin.
>>>
>>> All it takes is some responsibility. I learned enough (common sense really) to realize that private keys were the "key" to security.
>>
>> Average Joe won't do that.
>>
>> Like it or not, we will have bitcoin banks (we already have Coinbase etc but that is just the beginning.)
>
> then that pretty much is full circle and defeats the whole purpose of alt to fiat currencies.
>
> the upside to cryptos is they put you in control of your money.
>
> the downside to cryptos is they put you in control of your money.
>
> simple rule: don't put anyone else in control of your cryptos, otherwise you're better off sticking to fiat.

If that is the final word - and keeping BTC safe cannot be made much easier than it is now...then BTC will not be the mass success we want it to but rather be (and remain) a nice technology used by a small niche of enthusiasts.

Personally I don't believe that is how it will be. I think we are where the Internet was in the early 1990s, with all the promise but also the same lack of proper user interface for easy use.

Solutions that will make it very simple and easy for everyone to keep their BTCs safe will be innovated I think.
ransomer (Newbie; Activity: 56; Merit: 0)
August 09, 2015, 01:57:02 AM, #55

>>> The site owner can just record all the passphrases typed on their website.
>>
>> Yup... This is why you should have a different pw for every site/exchange/etc.
>
> Doubt he was. But if you have a virus you're screwed anyway. Real cold storage = computer never online. Don't know if people are ignorant of that, keep forgetting that, can't seem to bother, or "think it will never happen to them". Cold storage, people. COLD STORAGE!



Ask 1000 random people in a mall what cold storage is... and I guess 0 to 1 will have a clue what it roughly means. Among actual owners of BTC I guess a large proportion are uncertain about all the details in creating perfect cold storage.

This is a case of - once we know how, it seems so simple, but for someone who doesn't know it is so far from anything we have done before that we cannot even imagine what it is or how it would be done.
FlipperBTC (Newbie; Activity: 8; Merit: 0)
August 09, 2015, 03:00:20 AM, #56

Brainwallet.org did NOT hack you.

The website was part of GitHub Pages, which means that the site is a complete copy of the open-sourced GitHub repository. In other words, they can't steal it without anyone seeing.

What's far more likely is this: you used a very weak passphrase. A security researcher just released a brainwallet cracker which cracks things up to 8 or 10 words long. What's happened is someone has cracked your weak passphrase.

Brainwallet shut down because of the now insecure method of keeping bitcoins.
hodedowe (Sr. Member; Activity: 359; Merit: 251)
August 09, 2015, 03:09:30 AM, #57

> Ask 1000 random people in a mall what cold storage is... and I guess 0 to 1 will have a clue what it roughly means. Among actual owners of BTC I guess a large proportion are uncertain about all the details in creating perfect cold storage.
>
> This is a case of - once we know how, it seems so simple, but for someone who doesn't know it is so far from anything we have done before that we cannot even imagine what it is or how it would be done.



This was my main trepidation when getting into BTC. Any time you look at bitcoin as an outsider it looks like a bunch of hackers randomly stealing each other's BTC wallets back and forth. Scary if you're putting real money into it. Thankfully that's not the case, just the hype from poor news reporting.

For anyone looking to move their funds to cold storage, it's easy. Just get a 40.00 laptop off of Ebay and install Armory etc. Import your wallet, export a "watching only" wallet to run on your main computer, then turn that laptop off and stick it in the closet. You won't use it again until you need to spend your savings.


Youtube shows the various ways with various wallets. It's worth the extra 10 minutes.

Solo mining is alive and profitable!
Helped? Thanks! 1CXRFh4bDVFBsUzoHMMDbTMPcBP14RUTus
jonald_fyookball (Legendary; Activity: 1302; Merit: 1004)
August 09, 2015, 03:19:19 AM, #58

>> Ask 1000 random people in a mall what cold storage is... and I guess 0 to 1 will have a clue what it roughly means. Among actual owners of BTC I guess a large proportion are uncertain about all the details in creating perfect cold storage.
>>
>> This is a case of - once we know how, it seems so simple, but for someone who doesn't know it is so far from anything we have done before that we cannot even imagine what it is or how it would be done.
>
> This was my main trepidation when getting into BTC. Any time you look at bitcoin as an outsider it looks like a bunch of hackers randomly stealing each other's BTC wallets back and forth. Scary if you're putting real money into it. Thankfully that's not the case, just the hype from poor news reporting.
>
> For anyone looking to move their funds to cold storage, it's easy. Just get a 40.00 laptop off of Ebay and install Armory etc. Import your wallet, export a "watching only" wallet to run on your main computer, then turn that laptop off and stick it in the closet. You won't use it again until you need to spend your savings.
>
> Youtube shows the various ways with various wallets. It's worth the extra 10 minutes.


Yes. Five years ago 0 out of 1000 people in a mall had even heard of Bitcoin. Takes time for knowledge to propagate.

LiteCoinGuy (Legendary; Activity: 1148; Merit: 1010)
August 09, 2015, 08:09:28 AM, #59

>>> It is far too unsafe to store any real wealth in for the average person.
>>
>> I'm an average person. I've been using Bitcoin for over 4 years now. I've never lost a single coin.
>>
>> .........
>>
>> So... I'll rephrase your post as follows: It is far too unsafe to store any real wealth in for the irresponsible, ignorant, unmotivated person. As it should be.
>
> First of all, you are unlikely to be an average person. All of us in here are likely to be interested in bitcoin and perhaps even technology more than the average person.
>
> .......
>
> I think some people need to consider that just because they are average among their peers - they might be far from average compared to the rest of the world.
>
> Bitcoin is far far far from ready for mass adoption because of security issues.


the good part:

that is the reason why we have bitcoin at 250 USD and not 25.000 USD

yohanip (Member; Activity: 118; Merit: 100)
August 09, 2015, 09:06:05 AM, #60

From now on, please use those which are open sourced and can be run locally.
Generating a private key on a website is a big no..
This would apply too to those vanity address providers..
We should always consult back to the basic law.. there is a very good reason it was called a private key..