I just lost 2.3 Bitcoin I had stored on an address generated with this service.
Edit: I don't know why this didn't pop up when I initially researched the site. Just lost 2.3+ BTC today to this site.
I made a reddit post on this topic.
You can upvote it here if you're so inclined:
http://www.reddit.com/r/Bitcoin/comments/1y7upu/bitcoinvanityappspotcom_is_not_secure_and/
Here's the blow by blow:
Oh the blessings and curses of irreversible transactions. I'll be honest - this one stings a bit.
I have some pretty damning circumstantial evidence that bitcoinvanity.appspot.com is skimming the private keys of their users, and transferring away Bitcoin from those who create addresses on their service.
Here's the sequence of events:
1) Over the weekend, I decided I wanted to create some vanity BTC addresses for myself and family (because, hey, if those 1Enjoy 1Sochi bitspammers get one, why not me?).
2) Of the several addresses I created, one of them was a goof account (1FartsVaXCqT8MAJxAjTwrfz3UAXqVKbCh).
3) I imported the vanity addresses into my hot-wallet on Blockchain.info.
4) I swept an old, non-vanity address where I kept change from purchases into the new vanity address.
5) I messaged a buddy of mine, joking that I was going to bitspam the world with 1Enjoy 1Farts, and showed him the address.
6) He replied back "Whoa, looks like there was once 2.36244159 BTC in there."
7) As soon as I see it, my stomach sinks, because that BTC should not be in the past tense.
I log into Blockchain.info, and notice that the BTC is 8 confirmations away from a wallet address I control, having been transferred to 1JMPsVyyCrLt8xRSiBypG6JKawsUVTGjKy.
I rang up my aforementioned buddy (a BTC veteran) and diagnosed the possibilities:
1) My blockchain.info account has been compromised. I determine this to be unlikely, since only the contents of that vanity address have been swept, not the entire wallet.
2) Blockchain.info may have erroneously swept the address into another holding address. That's possible, since it says the transfer occurred on a BCI IP address.
3) The vanity address generator I used (https://bitcoinvanity.appspot.com) has been compromised. I haven't seen anything on the web indicating that, but it's the most likely thing, since it's the only address that's been compromised in my wallet. I'm 100% certain my traffic wasn't packet-sniffed since I created the vanity address on my home network, which is highly-engineered and secured by me. I'm on a Chromebook that I regularly check for malware, so I'm not being keylogged. The only vulnerability is the obvious one: the service.
I'm hoping and praying, at this point, that it's #2, and BCI can fix it, but I know that I've been scammed, and it was stupid to put a non-trivial amount of BTC into a newly created address that's possibly insecure... I know in the pit of my stomach that it's #3.
I ping a few people I know that can fast track my ticket at BCI, and get directly in touch with Mandrik of Blockchain.info, who was very apologetic as he confirmed what I suspected.
He pointed me to a discussion I'd missed in my research on the vanity address service that described what had happened to me. I noted that the transaction showed that it was relayed by BCI, but as I suspected and he confirmed, that meant very little:
"There really isn't anything we can do if the funds really were stolen, whether the transaction was relayed by us or not. Anyone can relay a transaction through our site, but they could just as easily do it from any other wallet app. They could easily import any private key across multiple wallets if they wanted to, too. If these funds were stolen, then they are essentially gone forever. The only person who can return them is the one who has access to the key the funds were sent to."
At some point, I'll probably pursue some legal action against this company (there is a British corporation listed, according to a friend I was just on the phone with). I haven't had the time to contemplate or investigate my options - this all happened over the last couple of hours.
Here's the lessons to take away from this one:
1) Don't trust third-party services (free or paid) with non-trivial amounts of coin unless they have a seriously impeccable reputation.
2) Blockchain.info customer service is pretty bad-ass, but they're not miracle workers. Irreversible transactions are irreversible.
3) If you're using a third-party service where you're risking non-trivial amounts of money, and you have a seed of doubt, either conclusively quash that seed through research, or don't use them.
Tip me? 1LpLLDP1hMp34eDQXSS6yFj9FVtsJ83WWA