Stolen BTCs from paper wallet

[Dimi Neutron]

Hello guys,

I will tell the story how I lost 0.4 BTC. I want to ask you advices.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?
Any other ideas about how that happened?

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

Thank you.

[1714307190]

1714307190

[1714307190]

1714307190

[1714307190]

1714307190

[1714307190]

1714307190

[1714307190]

1714307190

[Edwardard]

I will tell the story how I lost 0.4 BTC.

First of all sorry for your loss mate. Thats a really big amount for most of the average working people.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work

Thats the problem. If you generated it online, you cant say it as a paper wallet. Its an online web-wallet and your keys can be stolen if you have trojen/malware in your pc, as simple as that. Please beware next time, and clean your PC.
Read this: How To Run The Bitaddress.org Tool In A Secure Offline TAILS Temporary Live Boot Session

[LoyceV]

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.

You made all the mistakes in the book
The main reason to use a paper wallet, is to create cold storage. Cold storage, by definition, has never touched the internet. That's the only way to make sure nobody can ever hack it.
By using an online website on an online computer and a network printer, you've added many risk factors.

Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?

I've never read a credible scam accusation against bitaddress.org (but there are phishing sites out there).

Any other ideas about how that happened?

You've broadcasted your paper wallet through several channels.

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?

No website is safe is you use it incorrectly.

The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

There's a much simpler approach: use an offline air-gapped system running from RAM (Tails OS, for instance), connected by cable to a dumb printer (without memory), and create a paper wallet from there.

For future planning: if you ever want to use your paper wallet, you shouldn't expose it to an internet connected computer too. This is much safer:

Online:
Install Electrum on your PC.
Import your address to create a watch-only wallet.
Preview the transaction, Copy the unsigned transaction. Put it on a USB stick.

Offline and running without hard drive storage:
Get a Linux LIVE DVD. Use Knoppix or Tails for instance, or any other distribution that comes with Electrum pre-installed.
Unplug your internet cable. Close the curtains. Reboot your computer and start up from that DVD. Don't enter any wireless connection password. Keep it offline.
Start Electrum. Import your private key.
Copy your unsigned transaction from the USB stick, load it into Electrum.
CHECK the transaction in Electrum. Check the fees, check the amount, check all destination addresses (character by character).
If all is okay, sign the transaction. Copy it back to your USB stick.
Turn off the computer. That wipes the Live LINUX from memory and all traces are gone.

Online:
Use your normal online Electrum to (check again and) broadcast the transaction.

[NeuroticFish]

Any other ideas about how that happened?

The first and easiest possibility would be that the website you've used to generate the paper wallet wasn't only showing it to you, instead it also made a copy of that paper wallet for the website owner.
And at some point, when he noticed you've funded it, he stole your money since he had too the private key.

Another discussion is about what you've done with the paper wallet an how you've stored it. If anyone else copied the private key, he could steal your money.
A paper wallet as you've done it is a private key and an address. Those can be kept on paper, but some keep it (wrongly!) in e-mail or cloud storage, giving others the chance to steal.

Plus if your computer has malware, for example, it was open to the internet.

These are the first possibilities coming into my mind.

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

I don't know how good is bitaddress. If people say it's OK, fine, but such a tool can easily generate the keys even by a certain rule and make it easy to recover by the site owner. I would use a wallet to generate the private key.
Apart of the first step and using a paper wallet generator, the rest of the steps look pretty good (although booting from an USB stick with a live OS with no persistence would achieve that easier).

I would use Bitcoin core (offline, without downloading blockchain) or Electrum (offline) at first step and, as a later step, I would recover the wallet from the private key and make sure the address is the one expected (so you avoid surprises there too).


Later edit: if you invest into amounts like 0.4 BTC, is it so difficult to invest in a hardware wallet? It would be safer and easier even for making yourself some sort of paper wallets, if you still want those.

[o_e_l_e_o]

I generated it online, in my work.

Obviously I don't know your exact set up at work, but chances are that anyone in your IT department could probably have watched what you were doing.

The system is protected by firewall and VPN.

Neither of those mean that the system is safe or free from malware.

Then I printed it in the printer connected in the network.

Again exposing your wallet to anyone who had network privileges to view it. Additionally, the file would have been saved in the printer's own memory and could be retrieved later, and also potentially saved in your company's servers.

The network is very safe - I will not tell the name of company for privacy.

You have absolutely no way to know that, and you are relying on the common sense of every one of your colleagues to not download and expose the network to malware.

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?

It is (so far) been as safe as a website can be. But be aware that websites are generally a poor choice to generate private keys in the first place, and other paper wallet websites which were perfectly legitimate for years suddenly turned in to scams and resulted in lots of people having their coins stolen. I would agree with the advice above to generate your keys using Core or Electrum instead.

The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:

Turning off the internet for 5 minutes on a computer which has had frequent or constant internet access prior to this achieves almost nothing. The process needs to be done on a dedicated airgapped computer - that is one which has never had any internet access since you last formatted it and installed an open source Linux distro, and will never have any internet access again. You also need to connect that airgapped computer directly to an old fashioned dumb printer which does not have any internal memory or WiFi capabilities.

[dkbit98]

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.

You made a big mistake. Who knows what kind of malware and keyloggers you have, that can't be detected easily.
No matter how ''safu'' you think your computer is, it's still connected to internet and paper wallet should be printed from website that is download and generated offline.
Nobody knows if your office have hidden cameras or other type of surveillance, but paper wallets should never be used like this.

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?

Why are you using paper wallets in the first place, and why the heck are you doing this on your work place??

[Dimi Neutron]

Thank you for the answers, guys. Believe me, I keep asking myself how could I be so idiot to trust in that network.

I forgot to show the wallet:
https://www.blockchain.com/explorer/addresses/btc/14AKAd16AEZZoW3dp4KEyANMJ3G5bPCrwE

It looks like someone stole from several wallets, mine was just one of that.

I will buy a hard wallet now. I suppose I was lucky, I have more BTC in the broker and was about to send them to my wallets - I generate several using the same way. Just this one had BTC, and, of course, I will never use them again.

A few more infomations: I've never said that my work's network was 100% safe or that I trust 100% in the IT guys (I'm not in the IT team). I just said that I don't think that it was the problem and, for the safe of arguments, try to find other security problems.

[LoyceV]

I forgot to show the wallet:
https://www.blockchain.com/explorer/addresses/btc/14AKAd16AEZZoW3dp4KEyANMJ3G5bPCrwE

You first funded it on September 15, and it was emptied on December 10. In that same transaction, 76 inputs were used, and a few different addresses had many different inputs.

It looks like someone stole from several wallets, mine was just one of that.

Your address was emptied after 3 months, some of the other addresses after a year or almost 2 years.

If someone somehow compromised your paper wallet from outside your office, that means they've patiently been waiting for people to make multiple deposits to those paper wallets before robbing them. That may also mean it will happen to more people.

Hey Google, let the owners of 18CxzMfmadEvjwPjW8uzFe5n6xBDeraoJ6 and 1AmwSjzv6H3ujR7rFuVXLNz1yJfnJt2TFA find this topic!

[DaveF]

Some other random thoughts.

1) Many corporate printers will generate a copy of everything you print for management /

2) Same with company owned machines, they know & see everything you do. In this case it's not even 'I went to a bad site and got malware installed' but the company PC came with it to report on you.

3) Eliminating 1 & 2 don't forget the person in the cube or office next to you. Did they see what you were doing?

Not saying any of that happened here, but adding to 'not your keys not your coins' should also be 'not your PC not your DATA'

-Dave

[mendace]

It is possible that there could have been a malicious intermediate between your computer and bitaddress.org that intercepted the communication and accessed your paper wallet information. However, it is also possible that the compromise occurred at some other point, such as through a vulnerability in the system or network that you were using.

As for the method you are considering for generating a paper wallet on bitaddress.org, it seems like a fairly secure method as long as you take the necessary precautions to ensure that the computer you are using is clean and free of any malware or other vulnerabilities. Disconnecting from the internet and wiping the hard drive before generating the wallet can help to reduce the risk of interception or compromise. However, it is also important to ensure that you are using a trusted computer and operating system, and to keep the computer and all software up to date with the latest security patches.

[BlackHatCoiner]

Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?

Yes. Here's what might have happened:

• Your computer was malware affected.
• Your computer has been spied (not necessarily from an unintended spyware, lots of offices do spy on purpose).
• Somebody at work saw you generating a private key, and took a picture.
• Cameras (if any) caught you generating a private key.
• bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).
• The printer exchanged sensitive information with your computer, private key included, and someone happened to find read access.
• You screwed it up in the process, and you didn't notice.

[LoyceV]

Here's what might have happened:

• bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]

[WhyFhy]

Here's what might have happened:

• bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]

Or originations are possibly the same. for example, 1 co-worker tells 3?
  "Supposing that there's no one from inside evolved"
Judging by OP's wording of actions he learned about it at work, and thinks they are smart.
When he started printing wallets the powers that be educated themselves as well or led OP to a trap.
I think this scenario more likely than bitaddress.org being compromised I don't rule it out though.
And to be fair on a newbie's behalf, bitaddress.org doesn't really elaborate that much on security, Air gapping, or anything commonsense really,
A byproduct singular person coding without UX consultation.
The information's portrayed to a more advanced person that probably knows how to generate their own wallet as if they can use PGP and checksums and things of this nature.
They don't tell you anything until after you've made the wallet causing you to react uninformed.
Not a guy who heard about it on his smoke break at his 8-5.

A Bitcoin wallet is as simple as a single pairing of a Bitcoin address with its corresponding Bitcoin private key. Such a wallet has been generated for you in your web browser and is displayed above.

To safeguard this wallet you must print or otherwise record the Bitcoin address and private key. It is important to make a backup copy of the private key and store it in a safe location. This site does not have knowledge of your private key. If you are familiar with PGP you can download this all-in-one HTML page and check that you have an authentic version from the author of this site by matching the SHA256 hash of this HTML with the SHA256 hash available in the signed version history document linked on the footer of this site. If you leave/refresh the site or press the "Generate New Address" button then a new private key will be generated and the previously displayed private key will not be retrievable. Your Bitcoin private key should be kept a secret. Whomever you share the private key with has access to spend all the bitcoins associated with that address. If you print your wallet then store it in a zip lock bag to keep it safe from water. Treat a paper wallet like cash.

Add funds to this wallet by instructing others to send bitcoins to your Bitcoin address.

Check your balance by going to blockchain.info or blockexplorer.com and entering your Bitcoin address.

Spend your bitcoins by going to blockchain.info and sweep the full balance of your private key into your account at their website. You can also spend your funds by downloading one of the popular bitcoin p2p clients and importing your private key to the p2p client wallet. Keep in mind when you import your single key to a bitcoin p2p client and spend funds your key will be bundled with other private keys in the p2p client wallet. When you perform a transaction your change will be sent to another bitcoin address within the p2p client wallet. You must then backup the p2p client wallet and keep it safe as your remaining bitcoins will be stored there. Satoshi advised that one should never delete a wallet.

[NotATether]

It looks like someone stole from several wallets, mine was just one of that.

Your address was emptied after 3 months, some of the other addresses after a year or almost 2 years.

If someone somehow compromised your paper wallet from outside your office, that means they've patiently been waiting for people to make multiple deposits to those paper wallets before robbing them. That may also mean it will happen to more people.

Could this indicate something larger, that Bitaddress itself could be compromised?

I mean, that's exactly what happened to BitcoinPaperWallet several years ago.

(of course, if you downloaded the webpage, inspected the Javascript, and opened the offline page before generating private keys, you shouldn't be at risk of theft).

[o_e_l_e_o]

Could this indicate something larger, that Bitaddress itself could be compromised?

Certainly it could. Or that there is a malicious clone site out there that several people are stumbling across. I always suggest people should use Core or Electrum over bitaddress or any other website in order to generate wallets.

There are plenty of other explanations for the pattern of transactions see though. Perhaps several other people at OP's company also generated paper wallets using bitaddress, which were then stored on some server or printer memory bank or similar. This was hacked or otherwise accessed, and therefore the attacker accessed all the wallets at the same time and swept them all at once. Or perhaps OP also uploaded a copy of his paper wallet to his email or cloud storage, and again, a hack or rogue employee or similar then discovered his wallet at the same time as several other wallets, seed phrase back ups, or similar.

[hosseinimr93]

Hey Google, let the owners of 18CxzMfmadEvjwPjW8uzFe5n6xBDeraoJ6 and 1AmwSjzv6H3ujR7rFuVXLNz1yJfnJt2TFA find this topic!

There's another address in that transaction too.
1AhgYZ7Js6ytokA4zCD994MJJbpFsCUd61

And there are probably more victims.
OP's fund was sent to bc1qtjt2qa2pghrea2xv5fwn0t6a7gmrc4f2238rnr in this transaction and then to bc1qhwppsmswazl9pghsq9k4v7jy502cvlwjqr34hk in this transaction. Therefore, bc1q87jd5xfq6xypy9tx6ssfhynq0e5z99u8whnuvp and bc1ql5cz9yp23ggdz2tjhmj3hkr37wula3u34sa30e are owned by the hacker/thief too.
If you check the history of these two addresses, you see that the same thing as OP has happened to 1P4o7U7tDsxeHVhRPRMFgmrmaFhGxRmjQx and 19fikpWsuxRnqQqrgnSWvVETvQHRMa9a3k.

[seoincorporation]

1) Many corporate printers will generate a copy of everything you print for management /

2) Same with company owned machines, they know & see everything you do. In this case it's not even 'I went to a bad site and got malware installed' but the company PC came with it to report on you.

I was thinking the same, for security reasons the printers at work used to save a copy of all the printed files, so, it was a terrible mistake to use the office printer for a paper wallet because even if the network is secure the saved files in the printer are not.

And the second big mistake was to generate the address online, that's a terrible mistake that no one should do because you don't know if the page saves in a database each generated address.

[LoyceV]

(of course, if you downloaded the webpage, inspected the Javascript, and opened the offline page before generating private keys, you shouldn't be at risk of theft).

Note that people still lost their money after downloading the BPW site once it turned into a scam.

[BlackHatCoiner]

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.

Isn't it possible a hacker just spent his other money along with OP's in one transaction? Or that their office had malware all across the computers and there were more than 1 employee who used bitaddress?

Could this indicate something larger, that Bitaddress itself could be compromised?

I mean, that's exactly what happened to BitcoinPaperWallet several years ago.

Yes, but doesn't the administrator announce compromisation afterwards? Isn't that what had happened with BitcoinPaperWallet? There is no known bitaddress compromisations as far as I'm concerned.

[DaveF]

Here's what might have happened:

• bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]

Actually, look at it this way: keep going with my earlier 'not your PC not your DATA' statement.

It might not have even been someone at that company. A lot of places use external MSPs for things.
It's a somewhat simple task for most of the software that is placed on corporate PCs for monitoring / remote service and things to generate an alert when something happens / someone goes to a specific site and so on.

So if it's an external 3rd party that has access for legitimate reasons, and one of their staff has setup and alert to send an email to them when users go to a specific site and then record all actions done then, they could easily get 5 private keys from 5 people in different parts of the world. Then you delete the alert and data as part of the 'monthly database clean' or whatever and tan you take the BTC and run.

Now 5 people who never met each other, some of them who do not even know what the name of the MSP their company uses is have missing coins.
Good luck tracking that down.

In theory figuring it out is very simple. Since the MSP is the common link. In reality since if they did it with a bit of thought, everyone worked for a different company and every company has a no private work on the work PC it's even better. Do you eat the loss or report it and risk loosing your job.

-Dave