More Signatures with Repeated Nonces.

[johoe]

My script that I still occasionally run has detected repeated nonces (r-value) in signatures again.  Looks like a bad random number generator; the repetitions usually happen some days apart.  The problem seems already to be fixed but the addresses that were compromised are still used.

There were at least 135 keys involved of which at least 82 are compromised now.  Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction).

I setup a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

But don't use the addresses again.  There will probably be other persons setting up bots soon...

EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

So far I have collected about 7 BTC.

EDIT2: Fixed the number of addresses.  I accidently counted five unrelated addresses.  Here is a complete list (addresses marked with + can be cracked):
http://johoe.mooo.com/bitcoin/2016-03-compromised.txt

[1714193118]

1714193118

[1714193118]

1714193118

[1714193118]

1714193118

[1714193118]

1714193118

[1714193118]

1714193118

[setupbounds]

The mentioned signature can be used in wallets typically hardware wallets Only?

Please also give us the link to generate new Signature with repeated nonces.

[johoe]

The last time this happened was the Blockchain.info December 2014 incident.  You can read it up here

  https://bitcointalk.org/index.php?topic=581411.0

AFAIK all hardware wallets use deterministic signatures by now, so I don't think it is a hardware wallet.  The wallet is reusing random nonces to generate the signatures.  It could be a bad random number generator or someone cloned the random state (e.g. by cloning a virtual machine or forking processes) or maybe even another openssl problem.  I guess a cloned virtual machine is most likely from the pattern I observe.  It wouldn't have happened if they had used deterministic signatures.

https://blockchain.info/tx/fc9c8c56ce09b48f1e593a0df3f9a03f8dc33ba2027621e047fc5fc4f86f93f6
https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb

All three transactions use r = 538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951

[annette786]

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

[johoe]

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only, if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.

[calkob]

Great job johoe, i admire your honesty Sir.  What in your estimation is the source of this problem?

[AgentofCoin]

...
EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

After looking at some of the tx going into and out of one of the compromised addresses,
it seems to me (but of course in Bitcoin we can never really know), the address's connections
may have some associations with a few different darknet markets.

So, if the above is true, I assume we will never hear from the true owner of the compromised addresses
and learn what was the wallet used and the cause of this reuse issue.

[johoe]

What in your estimation is the source of this problem?

My guess is a cloned virtual machine state. 

Observation: The reuse happened several days apart and then the nonces are repeated in roughly the same order.  This happened three times.  Then another completely different set of 10 nonces were repeated again after a few days. 

Possible Explanation: The nonces are generated by a random number generator whose state is stored in a virtual machine image.  After a few days the machine was restored to an earlier snapshot and restarted.  Then again after a few days the machine was restored to this state. 

[lucasjkr]

I would have thought that among all the other noise that an RNG should be using to seed itself, one of those inputs would be tied to the date and time? So that even if you had cloned a VM, and started it a few days late, it would have new seed data to generate randoms from than the original before it was cloned?

[jl2012]

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only, if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.

Don't reuse paper wallets after emptying them, and don't reuse paper wallets before emptying them

[eddie13]

I setup a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

So how much BTC have you so far "swept"?

[throwaway084575]

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?

[johoe]

So how much BTC have you so far "swept"?

I updated the first post, so far 7 BTC.

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?

It's better to empty the paper wallet at once into Mycelium and never use it again.  If that contains too much, create several paper wallets with smaller amounts.
Mycelium is not affected by this bug (I think they use deterministic signatures).

[GermanGiant]

I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?

[Kprawn]

Hey, OP once again thank you for your honesty. I doubt if these funds will be claimed if they connected to the Darkweb. A typical reason to setup a virtual machine is to evade

tracking and eliminating footprints. {Starting from a clean image} If this is in any way linked to illegal activities, please report it to the authorities. We do not need any bad

publicity. Good work, I hope you will run your script more regularly to expose these compromised signatures. 

[jl2012]

I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

You won't be affected if you NEVER spend, of course

3. Are multisig addresses (starting with 3) unaffected by this ?

yes

EDIT: yes, they are affected

[johoe]

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?

1. If you empty the wallet with a single transaction there is only a very tiny chance that you are affected.  For this the client must be really buggy selecting the same nonce twice in this transaction, and someone (amaclin  ) needs to have his bot running that tries to immediately double spend your transaction after seeing it.  I have seen such a double-spend attempt once but it didn't succeed; although if it had succeeded, I wouldn't have seen it.

2. Probably no bitcoin client is completely safe.  With regards to this problem, they are safe since they use deterministic signatures (January 2015).

3. No.  My script also scans for multisig (at least I intended to do that).  But I haven't found a reused nonce in a multisig so far.

4. They claim to use deterministic signatures.  If that is correct, they are safe.

[Answerme2]

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

[shorena]

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

If the wallet on the online machine is watch only, if you are not using a virtual machine and electrum the keys will not leak. There is always the risk that someone will break in and take the offline machine. A virus will most likely not reach the offline machine.

[Answerme2]

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

If the wallet on the online machine is watch only, if you are not using a virtual machine and electrum the keys will not leak. There is always the risk that someone will break in and take the offline machine. A virus will most likely not reach the offline machine.

No as i said i am not using a virtual machine.
I am using a completely different PC that's running linux and my online watch online wallet is on different PC running windows so would i be at risk of this attack mentioned by the OP in this thread?  or any other attack?