Stolen BTCs from paper wallet

[LoyceV]

Isn't it possible a hacker just spent his other money along with OP's in one transaction?

Maybe. But that wouldn't make sense, it's bad for the bad guy's privacy (and extra work).

Or that their office had malware all across the computers and there were more than 1 employee who used bitaddress?

Maybe. But that's too much of a coincidence, unless someone convinced several people to do that.

Yes, but doesn't the administrator announce compromisation afterwards?

Maybe. But not if the site owner is behind the theft.

Isn't that what had happened with BitcoinPaperWallet?

No, it got sold, and the new owner scammed people. As far as I know, that's still ongoing.

[BlackHatCoiner]

Maybe. But that wouldn't make sense, it's bad for the bad guy's privacy (and extra work).

Not all know to use bitcoin properly. There are people who regularly screw it up with their privacy, security, who they don't care, who they use bad software, who they haven't studied it a lot etc. There are a lot of examples of thieves who got caught because of these. From thieves who stole coins and deposited to CEX later on, to two folks who stored the private keys of billions worth of bitcoin in a cloud service.

Also, that's still possible:

You screwed it up in the process, and you didn't notice.

[WhyFhy]

@pointbiz @1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN usually will come around when summoned, maybe they can clarify things on their end?

pointbiz owns bitaddress.org

It's in my best interest to know too since we use the tool for merging keys. tld compromised means more could be as well.

However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.

Name: bitaddress.org

Dates
Registry Expiration: 2023-09-04 04:17:42 UTC
Updated: 2022-10-19 04:18:19 UTC
Created: 2011-09-04 04:17:42 UTC

[LoyceV]

However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.

OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

[paid2]

However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.

OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

Before 2022-10-19, I find :



      "updatedDate": "2022-03-11T00:00:13+00:00",
    },
    {
      "updatedDate": "2021-09-05T18:40:37+00:00",
    },
    {
      "updatedDate": "2021-09-05T18:40:37+00:00",
    },
    {
      "updatedDate": "2021-04-25T00:00:13+00:00",
    },
    {
      "updatedDate": "2020-06-09T00:00:25+00:00",
    },
    {
      "updatedDate": "2019-07-25T00:00:15+00:00",
    },
    {
      "updatedDate": "2018-07-25T00:00:23+00:00",
    },
    {
      "updatedDate": "2018-07-25T00:00:23+00:00",
    },
    {
      "updatedDate": "2018-07-02T18:38:45+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2014-09-05T14:13:33+00:00",
    },
    {
      "updatedDate": "2014-09-05T14:13:33+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2011-11-04T03:51:30+00:00",
    }

[o_e_l_e_o]

There is no known bitaddress compromisations as far as I'm concerned.

That means nothing, and relying on one person telling you something is unsafe is an incredibly unsafe practice anyway. The source code for bitaddress on GitHub has not changed in years, but there is zero guarantee that the source code of the live website hasn't been changed. And since OP simply used the website (while online, no less, and with no guarantee he was actually on the legitimate website at all and not a malicious clone), there is no telling what code he was actually running.

Maybe.
Maybe.
Maybe.

Such is the beauty of such a scam. There are so many potential ways that OP could have lost his coins, that the real method the attacker used is unlikely to be discovered, making tracing him down impossible.

It is probably time the community stopped recommending such websites at all. Single key pair paper wallets come with many other risks and drawbacks that most newbies don't understand anyway. Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.

[LoyceV]

Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.

Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.
So we need trusted open source software. The only reason websites are still in use for paper wallets, is because it's the most easiest way to create them.

[o_e_l_e_o]

Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.

That's not a bad idea at all. You could always propose something along those lines on GitHub if you wanted.

I wouldn't include any raw private keys, though. This simply encourages people to import them individually and run in to all the usual problems of importing single keys. All you need is a seed phrase, the first couple of addresses (configurable), and a QR code for those addresses. Perhaps with an option to include the xpub and its QR code at your chosen derivation path so you can easily create a watch-only wallet for the paper wallet and see exactly how much bitcoin you have spread across all the addresses.

The only reason websites are still in use for paper wallets, is because it's the most easiest way to create them.

But the paper wallets created by such websites are outdated and should really no longer be used at all.

[LoyceV]

I wouldn't include any raw private keys, though. This simply encourages people to import them individually

On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?
By importing just one key into a hot wallet, at least you're not risking all your funds at once.

But the paper wallets created by such websites are outdated and should really no longer be used at all.

Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.

[arhipova]

Hello guys,

I will tell the story how I lost 0.4 BTC. I want to ask you advices.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?
Any other ideas about how that happened?

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

Thank you.

I am curious as to how new you are to crypto ? You are asking us regarding the safety and security of the website "bitaddress" after using it. Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?

[o_e_l_e_o]

On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?

Good point. My paper wallets are only ever imported in to live OS on an airgapped device, but yeah, good point that the majority of people don't do that and probably just sweep them using whatever hot wallet they happen to have installed at the time.

Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.

It's not so much the Segwit issue, but rather I think single key pair wallets should only by used by those who really understand what they are doing and not by >99% of users.

Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?

This is pretty standard across the whole crypto ecosystem. People buy shitcoins with no research and then wonder later how they were scammed, despite the whole thing being a plagiarized money grab from the start. People deposit coins to centralized exchanges and then wonder later why they went bankrupt, when their terms of service clearly state that they are gambling with your money. No different when it comes to using various wallet software. People only care after they have personally been affected.

[WhyFhy]

However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.

OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

Since its outside of a 10 year window there's potential it could have slipped.
I still think DaveF and I are onto something, IT guys don't get enough credit and I feel this post validates that. MSP's can flag too with very simple macros systems.
If pointbiz validates the status of a good-standing bitaddress.org, OP unknowingly got ripped off from a co-worker or used a wrong URL.
Maybe we can talk him into implementing segwit, its a lot of work though. A LOT! I've attempted it and failed miserably.

[pointbiz]

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.

[WhyFhy]

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.

Thank you for clarifying Merry Christmas!

[o_e_l_e_o]

For many years it's been hosted on github.com

If the site was compromised then there would be proof in the form of a malicious version of the code.

Thanks for replying. In reference to the above - am I right in saying that the website as it stands redirects to pointbiz.github.io, meaning that the code on Github must be the code that is running on the site? But I am also right in saying that your bitaddress.org hosting could be compromised and lead to bitaddress.org pointing to a different repository or running a different set of code altogether. Given that, we cannot rely on your statement that if the site was compromised there would be proof in the form of malicious code. We would be entirely relying on you telling us, and people could easily be scammed by the compromised site in the meantime.

I don't believe that there were any problems with bitaddress.org which were the cause of OP losing their coins here, but the fact remains that using any live website, be it bitaddress, iancoleman, or anything else, is a risk. The only safe way to use such sites is by downloading and verifying the code from Github and running it offline.

[Dimi Neutron]

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.

Thanks for replying.

I was reading many topics here in bitcointalk and saw a topic telling that walletgenerator.net should not be used. I don't have the historic of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stoled was generated in walletgenerator according to the image of it that I printed in that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generate some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes in that day.

[LoyceV]

The one stoled was generated in walletgenerator according to the image of it that I printed in that day.

That website has been scamming users for many years.

[PawGo]

I don't have the historic of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stoled was generated in walletgenerator according to the image of it that I printed in that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generate some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes in that day.

Nooo do not tell me they still have that bug:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

Sometimes you go too far, you suspect your colleagues, your network admin, you suspect MITM attack... and at the end you see that the most probably you were cheated by the wallet itself.

[o_e_l_e_o]

That doesn't mean that I didn't make many other mistakes in that day.

You should obviously be moving any other coins on wallets from that scam site to a more secure wallet if you haven't already. But as you say and as discussed above, you made a lot of mistakes in your whole process, so I wouldn't trust any wallet you made that day (or any other day in which you followed the same steps).

Nooo do not tell me they still have that bug:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

It's fair to say at this point that it is not a bug but rather it is actively malicious. The owner was made aware of the issue, apparently removed it temporarily, and then reintroduced it. The malicious code is also years old at this point with hundreds of reports of people losing their coins. There is simply no way the owner is unaware of it. It continues to exist because he is actively scamming people.

This is part of the reason that I don't think anyone should use any website to generate wallets or private keys.

[MrFreeDragon]

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

....

I remembered that 3+ years ago was confused why bitaddress.org generated wrong wallets. Here is my post: https://bitcointalk.org/index.php?topic=43496.msg52190779#msg52190779

The issue was I used wrong web address: "Everybody should be very careful. The addresses above were actually generated not by bitaddress.org, but by biladdress.org ("l" instead of "t"). I do not know how did I go there... probably some fake link :-("

That time fake clone was working and provided wrong public addresses (so, users received incorrect public btc addresses, and actually they did not have private keys to btc addresses showed on their "paper wallets").

I just remembered that my case, cause OP also could face with the same fake clone web address while generating his paper wallet - fake clone in global WWW (with the similar spelling) or fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited completely different IP address).