Several users have seen their bitcoins disappear after generating a paper wallet on the “BitcoinPaperWallet” website, because they are not the only ones to have the private keys to their coins, indicate researchers from Privacy Pros.
According to one research from Privacy Pros, the paper wallet “BitcoinPaperWallet”, used by thousands of users to generate paper wallets where they can store their bitcoins for a long time, has a back door, which is responsible for the loss and disappearance of more than 124,8 BTC so far, which are valued at over $6,35 million, as of this writing.
Colin Aulds, founder of Privacy Pros, a cybersecurity and privacy blog for Bitcoin (BTC) and cryptocurrencies, , calls on the crypto community to Do not use the “BitcoinPaperWallet” website to store any type of cryptoasset, because the security and reliability of the website is compromised.
According to the researcher, this website is running a “sweeping scam,” where the paper wallets generated by users through the portal they are not safe. Apparently the website is manipulated and is giving out the private keys of the stored bitcoins to a fraudster, who soon steals the funds and leaves the wallets empty.
It may interest you: Hardware Wallets: The vulnerability present in Coldcard and the strange theft in Ledger
Interest in BitcoinPaperWallet
Colin Aulds and his brother Bryan Aulds were determined to purchase a paper wallet generator website to complement the products and services they offer to their clients, so they began researching “BitcoinPaperWallet”, the top-ranked paper wallet generator. from the entire Internet, and as the researchers explained, with incredible and very promising metrics.
Although Colin and Bryan's investigation began with their interest in purchasing the website, they later discovered that something bad was happening, and that “BitcoinPaperWallet” was absolutely involved.
The researchers contacted the founder of the website, Canton Becker, but this had been sold to a new owner in 2018, Sarkis Sarkissian, which Colin and Bryan tried to contact without getting any response. After several attempts, and hearing nothing from the new owner, the researchers again contacted the founder, Becker, who informed them that “had received several emails over the years from people claiming to have lost funds using the site”.
These notifications filled the researchers with doubts, who began to investigate further to verify if these were true or not. Colin and Bryan came across several messages on social media from people complaining about having lost millions in Bitcoin after using the paper wallet generator.
Although they were only messages, and conclusive evidence was lacking, they continued investigating, as it could be inexperienced users who blamed the website, or failing that, the new owner was using the paper wallet generator maliciously to steal the bitcoins and other cryptocurrencies. that users stored.
Research
Privacy Pros researchers decided not to buy the site, but to uncover the truth behind user complaints, and began contacting alleged victims. In collaboration with the founder of “BitcoinPaperWallet”, Colin and Bryan were able to speak with several of the affected users, including one named “Kunal”, which told investigators what had happened to their funds and provided them with several of the affected Bitcoin addresses.
The researchers enlisted the help of other experts, such as Tony Sanak and other researchers at Blockchain Intelligence Group (BIG), who traced the addresses and discovered that the funds were being “intentionally” routed to exchanges of cryptocurrencies, such as Binance, specifically to the same Binance address.
“It appears that [the funds] were intentionally routed through those specific addresses, and the funds essentially split up and go in two different addresses only to end up back at the same Binance address.”, stated the BIG team.
BIG researchers also found that the scammer's time frame for stealing funds is approximately 2 hours, enough time for transactions to be confirmed and users to verify that their funds are at their address from a blockchain explorer. Also, BIG researchers point out that those behind this scam are dedicated to draining addresses with large sums of money, containing at least 1 BTC or more.
The victims
Since mid-2018, when the website changed ownership, the number of victims of “BitcoinPaperWallet” is surprising. In 2019, a user on Reddit expressed who lost all his bitcoins stored in a paper wallet generated in “BitcoinPaperWallet” after 8 months of creating the wallet. According to him, his keys were not compromised at any time, since he stored them with absolute security; Even so, his funds were drained from his paper wallet. Another user, nicknamed “sucks1717171” also expressed on Reddit that his bitcoins disappeared from his paper wallet generated in “BitcoinPaperWallet”.
“I was sending them to a paper wallet I generated at bitcoinpaperwallet.com. I printed this paper wallet on a piece of paper hidden inside my house. “I never saved the private key anywhere on my computer.”
Sucks1717171 verified that the sent bitcoins reached his wallet address through a blockchain explorer, and notes that “they always did”, but despite the precautions he took in saving his private keys, his bitcoins also disappeared.
Several of the redditors who responded to his message point out that the mistake was trusting “BitcoinPaperWallet” and not a hardware wallet.
Reality
Although “BitcoinPaperWallet” was a very popular website and is very well positioned on the Internet, It is not a safe or reliable site to generate a paper wallet and store bitcoins or other cryptocurrencies. AND the problem is not the paper wallet or the paper wallet itself, but the website that is compromised and it has a back door that puts it in risk of having your funds stolen.
In the middle of last year, the company MyCrypto Inc. published a video on Twitter demonstrating that “BitcoinPaperWallet” is not secure, and that the security vulnerability present in this wallet generator can cause you to lose all your funds. The company also indicated that this vulnerability is similar to the one detected in “WalletGenerator.net” in 2018, and that it is a backdoor that always reappears on the website.
In the forum BitcoinTalk, many users are also reporting thefts they have had after using the paper wallet generator, warning not to use bitcoinpaperwallet.com at any time.
Privacy Pros researchers verified that the website's security was compromised when they generated the same paper wallet over and over again. On their blog, Colin and Bryan show how they used various methods to generate “different” paper wallets, but they always had the same predictable result, and the same wallet.
Source: Privacy Pros
The BitcoinTalk user “o_e_l_e_o” explains that using this paper wallet generator offline is not a guarantee of security, since it could easily show you an address that seems “newly generated”, but that has previously been manipulated and that actually belongs to a list of addresses generated by an attacker malicious, regardless of the private key that is entered or the mouse movement and random keystrokes that are made when trying to create the wallet.
Developing
After discovering the modus operandi From the website, Privacy Pro researchers informed the victims of what happened and Binance, as the stolen funds are being directed to this exchange. Binance stated that it is willing to cooperate with law enforcement authorities as long as the victims, the owners of the stolen Bitcoin addresses, file a police report.
In the meantime, the research is still ongoing and researchers promise to keep the crypto community informed of new discoveries or actions as it progresses.
Colin and Bryan Aulds explain that it is not yet certain whether Sarkis Sarkissian, current owner of the website “BitcoinPaperWallet” is behind the thefts, or if an attacker discovered an exploit in the site's code and is exploiting them for his benefit. but due to Sarkissian's refusal to cooperate with his investigation, “may be responsible for the stolen funds.”
In summary, the researchers recommend that under no circumstances should wallets generated on bitcoinpaperwallet.com be used to store any amount of Bitcoin or other cryptocurrencies. The website is no longer trustworthy and has become a scam to steal your funds.
The most advisable thing if you want to store a significant or small amount of Bitcoin is to use hardware wallets from well-known and verified manufacturers, and not trust these websites that offer to give you a “random” wallet, since despite the vulnerabilities found in hardware wallets, no direct theft of cryptocurrencies from these devices has been reported.
Continue reading: Soroban, the new Samourai Wallet tool that improves user privacy
