Over 220,000 BTC Addresses Was Said To Be Exposed

[suzanne5223]

Firstly, this is not to make people panic, but to notify people that their wallet addresses may be affected, so they can move the coin to a safe wallet.

There's a recent warning posted on Twitter by F2Pool & Cobo co-founder Shenyu, which revealed that the private keys to 120,000 bitcoins are exposed, and the most surprising thing is that wallet owners are still using the exposed wallet till now.
These keys were said not to be obtained through cracking or hacking, but a randomness flaw in the private key generation process, also known as a pseudo-random number generator (PRNG).

The vulnerability in the subject was said to affect more than 220,000 BTC wallets, as private keys were created using a flawed pseudo-random number generator (PRNG). PRNG was alleged to use a fixed offset and pattern, which resulted in a situation where keys were partially predictable.

Incomplete statistics show that over 220,000 addresses have been affected by this vulnerability. The complete address list can be found at: https://git.distrust.co/milksad/data  
What's even more outrageous is that people are still transferring money to these addresses to this day... The hackers are probably thinking: I thought you didn't want it, so I'll help you hold onto it.

John von Neumann once made a statement which cautioned people about the misinterpretation of a PRNG as a truly random generator, joking that "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.

Lastly, I don't have the computing knowledge. I would have provided the list of the wallets affected, but I decided to do my part in creating awareness, and I hope this saves someone from losing the previous BTC.

Edit: The Co-founder of F2Pool & Cobo, who made the announcement, added additional information hour ago. Most of the information is provided in Chinese, but it is possible that the affected wallets are wallet with Libbitcoin bx seed, Trust Wallet, Cake Wallet, and Lubian.com. According to the news provided here, this vulnerability has already been used by the US government to seized $15 billion worth of BTC from theft.

There are too many specific details, so I made a PPT with Claude, which makes it easier to read https://claude.ai/public/artifacts/5daeb697-8c18-451f-9d99-eec35aa4935c

[Cryptohygenic]

Incomplete statistics show that over 220,000 addresses have been affected by this vulnerability. The complete address list can be found at: https://git.distrust.co/milksad/data  
What's even more outrageous is that people are still transferring money to these addresses to this day... The hackers are probably thinking: I thought you didn't want it, so I'll help you hold onto it.

Rumours. So why is the statistic incomplete? Is it due incapable data computation this founder or what?
How can an experience user be send funds in the wallet and the funds disappears and the user keep sending more money. An exposed wallet keys are trashed. It does not take a big deal to creat or afford another one. A very terrifying fake news.
I either don't trust the website. So I have to go through 220,000 Wallet address to check if mine was affected?

Lastly, I don't have the computing knowledge. I would have provided the list of the wallets affected, but I decided to do my part in creating awareness, and I hope this saves someone from losing the previous BTC.

Yeah I understand you but dont you also feel terrified that your own wallet might be among the affected? Don't you feel worried about your Wallet safety after reading and trying to believe that information regardless that you don't have the technical knowledge to go through it?
When we sees fake just say it is fake when creating awareness of it and don't try to give it a second thought so that vulnerables does not feel panic.

[Hatchy]

Wouldn't this be as a result of creating wallet with some random app? Or making modifications to your wallet software when you have no knowledge of what you are actually doing. From the post, I was trying to see how they randomly got the stats in the first place and the wallets which they had on their list but it's not really giving me a full list.. there are many crypto wallets today flooding the app stores and the internet, many people don't even bother to make research as to reputable wallets apps to use, they simply think.all apps performs same actions. Some can be designed to favor the scammer.

[SilverCryptoBullet]

There's a recent warning posted on Twitter by Cobo co-founder Shenyu, which revealed that the private keys to 120,000 bitcoins are exposed, and the most surprising thing is that wallet owners are still using the exposed wallet till now.

You claimed that you are not making FUD but this sentence is like FUD.

Because we know "It's not your key, it's not your coin" and if private keys are exposed, those bitcoins no longer belong to original owners. Writing a sentence like this is like a FUD, and if you did not want to make a FUD, you can write it differently for describing it clearly that it's not private key exposed.

I agree that it is still a good warning and again, people must know which Bitcoin wallets are good: open source, non custodial and use good BIP.

[examplens]

I either don't trust the website. So I have to go through 220,000 Wallet address to check if mine was affected?

TL;DR,
Does it perhaps say somewhere in the text that the best check would be to enter the private key directly on that site, to determine whether it already exists in the database? 

If there really is such a flaw, why are only 220k addresses at risk?

[Josefjix]

My intuition is telling me that the news is fake, why sudden hack will occur and no withdrawal from the hacker is recorded, you expect a hacker to spend more time and funds to get tools hacking private keys to about 220k wallet and no transaction is been made while calling it PRNG.

We should have heard all over the internet that 220k users crying over their theft funds and NO, a good hearted hacker does nothing to the funds, where does that happens, who could hack and not touch coins.

I dont think this news is right.

[348Judah]

[There's a recent warning posted on Twitter by Cobo co-founder Shenyu, which revealed that the private keys to 120,000 bitcoins are exposed, and the most surprising thing is that wallet owners are still using the exposed wallet till now.
These keys were said not to be obtained through cracking or hacking, but a randomness flaw in the private key generation process, also known as a pseudo-random number generator (PRNG).

This is a useful 8youre bringing to table for the bitcoin users to check for their own self of they were not probably among those affected from this PRNG scam attempt, because it is also important that we know how we could be safe from any form of hack or scam leading to forfeiture of our coins to scammers, but platform like this will always expose them as long as we are informed, we should also try not to have all the assets in one place, for reasons like this.

[Satofan44]

A rich person opened a short position and then proceeded to create a post about 220k Bitcoin being at risk due to a random vulnerability while providing no proof at all. They just posted a list of wallets without an explanation of why they are vulnerable, which vulnerabilities specifically affected which wallet type, which time frame this was in and how they derived the list of wallets. Without this information their announcement is useless and probably market manipulation.

My intuition is telling me that the news is fake, why sudden hack will occur and no withdrawal from the hacker is recorded, you expect a hacker to spend more time and funds to get tools hacking private keys to about 220k wallet and no transaction is been made while calling it PRNG.

We should have heard all over the internet that 220k users crying over their theft funds and NO, a good hearted hacker does nothing to the funds, where does that happens, who could hack and not touch coins.

This is not a hacker. You didn't even click on the Twitter to see who made the announcement.

[Richbased]

I don't know how true this information is, but this is the reason why cold storage wallets are preferable for those who holds large amount of bitcoins since the private keys are stored offline it will not be vulnerable to hacks, malware and attacks. The reason why i will doubt this news is that if such numbers of BTC addresses are exposed there is no way that the hackers wouldn't have moved out the bitcoins in those wallets and that would have even given more clarity on the numbers of wallets that is affected. I just hope that my wallet address is not among one of them, though i don't own huge amount of bitcoins that is why i haven't considered a cold storage wallet.

If there really is such a flaw, why are only 220k addresses at risk?

OP said it's more than that, probably it could be the statistics they could figure out as at the time the information was posted.

[pooya87]

I would have provided the list of the wallets affected, but I decided to do my part in creating awareness, and I hope this saves someone from losing the previous BTC.

Awareness is only created if you had provided the name of the wallet software that they are claiming to be affected. That way we could see how serious this is. For example if you throw in a name that nobody has ever heard, that's not even a problem since that should have been expected. But if it were some popular software then it would have been a different story.

[joniboini]

Looks like the data has been public for 2 months (or longer). Looks like some of those "weak addresses" are brain wallet, or suspected to be one. Not really a surprise considering how many times people said brain wallet shouldn't be used. That being said, it looks like the website first showed up in 2023.

I just hope that my wallet address is not among one of them, though i don't own huge amount of bitcoins that is why i haven't considered a cold storage wallet.

Why not check the data they shared? The website is very slow on my end, tbf.

[suzanne5223]

Incomplete statistics show that over 220,000 addresses have been affected by this vulnerability. The complete address list can be found at: https://git.distrust.co/milksad/data  
What's even more outrageous is that people are still transferring money to these addresses to this day... The hackers are probably thinking: I thought you didn't want it, so I'll help you hold onto it.

Rumours. So why is the statistic incomplete? Is it due incapable data computation this founder or what?
How can an experience user be send funds in the wallet and the funds disappears and the user keep sending more money. An exposed wallet keys are trashed. It does not take a big deal to creat or afford another one. A very terrifying fake news.
I either don't trust the website. So I have to go through 220,000 Wallet address to check if mine was affected?

First, when an information is provided please read understand. The wallet seem not to be aware of the vunerability which is why they are still using the wallet and if you follow the news about the US Department of Justice announced the seizure of BTC worth $15 billion from Prince Group's operation of forced labor scam compounds across Iran, China and Cambodia, through the vunerability provided by Shenyu you'll understand this genuine.
Second, lets agree this is a rumor. Why would a co-founder of F2Pool & Cobo who is also Bitcoin enthusiast that has been exploring risk since 2017 spread fud to spoil his image?

Yeah I understand you but dont you also feel terrified that your own wallet might be among the affected? Don't you feel worried about your Wallet safety after reading and trying to believe that information regardless that you don't have the technical knowledge to go through it?
When we sees fake just say it is fake when creating awareness of it and don't try to give it a second thought so that vulnerables does not feel panic.

Before you tag something fake always do your homework on it because this is someone that has been announcing wallet vunerability for years, and if i dont feel a level of sincereity in his statement i wont have make a thead about it.

Wouldn't this be as a result of creating wallet with some random app?  

Yes, according to my research this have to do with wallet that use libbitcoin or pseudo random number generator to generate wallet private information.

I would have provided the list of the wallets affected, but I decided to do my part in creating awareness, and I hope this saves someone from losing the previous BTC.

Awareness is only created if you had provided the name of the wallet software that they are claiming to be affected.

Most of Shenyu information are wrting in Chinese but he mentioned Libbitcoin bx seed, Trust Wallet, Cake Wallet, and Lubian.com

Looks like the data has been public for 2 months (or longer). Looks like some of those "weak addresses" are brain wallet, or suspected to be one. Not really a surprise considering how many times people said brain wallet shouldn't be used. That being said, it looks like the website first showed up in 2023.

Thank you.
I'm here telling some people what i have read about some wallet vunerability and some people are saying it's fud when the information was provided by some who is co-founder of F2Pool & Cobo.

[Ambatman]

This isn't a new news but was escalated on by the author of Mastering Bitcoin Two years ago
[WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure!
You can see the news here.

Vulnerabilities was found by wallets that made use of Libbitcoin bx seed
And Cake wallet informed their users to migrate from wallets created before 2021
https://milksad.info/posts/research-update-9/#:~:text=Summary%20&%20Outlook-,Urgent%20Warning,Mersenne%20Twister%20based%20wallet%20keys.

I wasn't surprised to see Trustwallet been there with it being close sourced
And this isn't the first time wallet were compromise as a result of their supposed randomness generator
Happened with Blockchain.info

Awareness is only created if you had provided the name of the wallet software that they are claiming to be affected.

Cake wallet, Trust wallet and wallets that relied on Libbitcoin bx seed.

[PostQuantumBTC]

Looks like the data has been public for 2 months (or longer). Looks like some of those "weak addresses" are brain wallet, or suspected to be one.

I can see Trust wallet there also.

Brain wallets are the worst bitcoin wallets because they are not secure.

And this isn't the first time wallet were compromise as a result of their supposed randomness generator

A good example is Atomic wallet.

[sokani]

In 2020, the Lubian wallet hack, which saw the Chinese mining pool lose 127,426 Bitcoins to hackers, is a stark reminder why people shouldn't use wallets whose private keys are generated using a pseudo-random number generator (PRNG).


https://x.com/arkham/status/1951729790299394113

For those who still use brainwallet to generate their private keys, they should immediately ditch them and get a good one. They are generated using a weak entropy. The private keys can be reconstructed and the funds can be stolen.

[Ojima-ojo]

The moment I saw that this is an incomplete work made the whole thing look suspicious and incapable of telling the fact about wallet vulnerability and Private keys exposure.

Quite sure if the wallet keys are with the hacker they will have start moving some funds from those wallets, I see that trust wallet is mentioned there also.

[Cricktor]

Every Bitcoin private key is already known and this is a simple fact. IIRC, starting from (decimal) 1 to 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,908,834,671,663 (this is 2²⁵⁶-2³²-977, the group order of secp256k1).

What makes Bitcoin secure, you don't know which (hopefully random!!) private key actually controls funds. And this is the key point: your private keys must have been generated from good "randomness" and not some bad or weak PRNG. It's not easy to describe.

A private key should not be predictable in any way. This makes it secure in the overly vast number of all private keys available.

There are some wallets where their developers thought they were smart^{actually not so much} and could cut corners with entropy and their PRNG. That certainly backfires or backfired once discovered. If you don't understand the importance of good randomness, you shouldn't try to develop a Bitcoin wallet, period! Of course, closed-source wallets don't allow you to easily be able to check how well the importance of good randomness at various spots is treated. Another reason to avoid closed-source wallets.


The problem with bad brain wallets is when they are derived from more or less publicly known data, known words, known literature, known poems, known song texts, you name it.

A brain wallet based on e.g. the secret "ECoe6Oe%Ym%06szOdZq6WZp19SO*8^y*ZWIVPWr3" is secure. Needless to say, don't use my example because it's "burned" and now publicly known. An example of a rather bad brain wallet is maybe based on "My cat's name is Garfield". You get the point.

Whatever limits the entropy of private keys and makes them "weaker", more predictable, weakens the security of funds controlled by such "bad" private keys.

I don't like the title of this thread. The blockchain is public, all funded public addresses are public because all UTXOs are known and public, too. It's about potentially weak private keys, for whatever reasons they're weak and thus more predictable than they could be if they were as truely random as possible. (PRNGs aren't necessarily bad if well developed, but I won't open this can of worms here.)


Not sure what to take from the story here. I don't care about what's posted on shit platforms like X and other attention seeking and fueling (a)social media, waste of life time...

[suzanne5223]

This isn't a new news but was escalated on by the author of Mastering Bitcoin Two years ago
[WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure!
You can see the news here.

Vulnerabilities was found by wallets that made use of Libbitcoin bx seed
And Cake wallet informed their users to migrate from wallets created before 2021
[snip]

I wasn't surprised to see Trustwallet been there with it being close sourced
And this isn't the first time wallet were compromise as a result of their supposed randomness generator
Happened with Blockchain.info

Yes, this is not a new flaw, and like I said in the OP "John von Neumann once made a statement which cautioned people about the misinterpretation of a PRNG as a truly random generator, joking that "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."

This was even before the author of Mastering Bitcoin, but some people with no adequate crypto knowledge, like us, are not aware of these flaws, and they are making use of this wallet, especially the newbies, so this information is technically news to them.
So, I don't see any harm in spreading the information again, so we won't have people who will blame BTC for their naive mistake.

[Agbamoni]

Edit: The Co-founder of F2Pool & Cobo, who made the announcement, added additional information hour ago. Most of the information is provided in Chinese, but it is possible that the affected wallets are wallet with Libbitcoin bx seed, Trust Wallet, Cake Wallet, and Lubian.com. According to the news provided here, this vulnerability has already been used by the US government to seized $15 billion worth of BTC from theft.

There are too many specific details, so I made a PPT with Claude, which makes it easier to read https://claude.ai/public/artifacts/5daeb697-8c18-451f-9d99-eec35aa4935c

This is bad news. The Good news is, I have no coin in the aforementioned wallet that was affected. So, literally I'm safe for now.
In a wider sense, I feel some developers are monitoring blockchain activity on the wallet. Funny enough they all have something in common. Libbitcoin bx seed, Trust Wallet, Cake Wallet, and Lubian.com share a a lot in common, especially in how they handle wallet generation and how they sign transactions unlike other wallets that were not affected.