Paper wallets are considered a fairly secure way of storing bitcoin. Such a wallet is not connected to the Internet, which means that once having printed out a pair of public and private keys, the user will be able to use it in the future to safely transfer cryptocurrency for cold storage. This is so, if at the stage of creating the keys someone else does not recognize them, as happened with the users of the BitcoinPaperWallet.com service.
Nick Wendell (pseudonym) lost half a million dollars in bitcoin on January 7th. The cryptocurrency rate was approaching $ 40,000, and Wendell decided to transfer part of his assets to a paper wallet. Not even a minute had passed since the 14.5 BTC was credited to the address created with the help of the service, as they left in an unknown direction. After several moves, the cryptocurrency found a home on Binance.
“Within a minute, I realized what had happened. For several minutes it seemed to me that I was falling, that I did not reach the ground. I remember walking in circles in the kitchen, as if my head was clouded , “- said Wendell in a conversation with CoinDesk .
According to the portal, there are at least about half a dozen such victims. They all claim to have lost large sums after using the service. Presumably, the account of losses over the past two years goes to the millions of dollars.
Experts have found that BitcoinPaperWallet sends a copy of each private key it creates to the server, that is, directly into the hands of attackers. Brothers Brian and Colin Olds, who run the PrivacyPros blog, said they were ready to buy the site last year, but came across evidence of fraud.
If MetaMask or MyEtherWallet (MEW) wallet extensions are installed in the browser, they automatically detect BitcoinPaperWallet.com as a phishing resource and warn the user about it. In May 2020, the MyCrypto service also reported a “vulnerability” of this paper wallet, creating a “backdoor that puts assets at risk of theft.”
The Olds say that the backdoor described by MyCrypto in BitcoinPaperWallet is no longer present, but “someone is actively changing the device of the site after the publication of information about vulnerabilities,” and users continue to lose money.
An example of a wallet created with BitcoinPaperWallet
One of the victims reported that he deposited assets on an incremental basis in the BitcoinPaperWallet during August 2020, until they were withdrawn to Binance by outsiders on the 21st. “I confused it with another full-fledged site that I used a few years ago. In fact, I just entered a “paper bitcoin wallet” into Google, and this scam came out first, ”he said.
Another claims to have lost 50.1 BTC in December. He sent the cryptocurrency to the proposed address, went to be tested for coronavirus, and when he returned, it was gone. Another user lost 1.8 BTC in May 2019, and they write on Reddit about stealing Bitcoin Cash from wallets created through the same site.
BitcoinPaperWallet users are encouraged to move their cursor around the screen, ostensibly to ensure randomness during the wallet creation process, but this does not affect the final result. Even more curious, there is no such backdoor in the original code on Github. Until 2018, BitcoinPaperWallet belonged to Canton Becker, until he sold it to a certain Sargis Sargsyan in April of the same year. Until that time, no one had reported missing funds, and BitcoinPaperWallet itself was trusted by the community. Sargsyan argues that money is lost by users “who initially did not manage keys properly.”
“Indeed, we receive complaints from users claiming that they lost their bitcoins after using our site. These complaints are always resolved, except in individual cases when users cannot realize their own mistake and shift the blame onto us, ”he said. “We examined the source code for problems and were unable to achieve the same results. The servers and source code have been checked for cleanliness by our security expert Jonel Richard. He is still investigating, trying to reproduce the problem reported by others. “
Something wrong with BitcoinPaperWallet has been happening since at least mid-2018, but users haven’t sounded the alarm for a long time. Presumably, only large wallets containing at least 1 BTC are emptied. Users of such wallets reportedly lost at least 124.85 BTC worth $ 6.2 million at current exchange rates.
Note that this is not the first such incident with paper wallets. Since mid-2018, wallets created through the WalletGenerator service have remained vulnerable . In his case, the randomization of the key pairs produced also turned out to be fiction.
“It is critical that the keys are generated by a trusted provider with no Internet connection at all. Think of websites, your computer, and the Internet in general as voyeurs trying to spy on your data. Because sometimes that’s what they do. They can empty the entire balance if they succeed, ”said independent bitcoin developer and researcher Dustin Dettmer.