This is an implementation bug (from 2011).
When signing a message using Elliptic Curve Digital Signature Algorithm (ECDSA) the first step (after finding
e) is to choose a random number k∈[0,n] then multiply that with curve's generator point (G). The
r value in the signature is the x coordinate of the resulting point.
Now when an implementation of ECDSA is using a bad RNG it can produce the same
k and as a result produce the same
r and consequently let an attacker calculate the private key that was used to create this signature.
P.S. This is one of the reasons why
RFC6979 is being used by most wallets nowadays.
