Crypto Users Claim Popular Bitcoin Paper Wallet Generator Is Compromised, Millions Allegedly Stolen

news.bitcoin.com, 25 February 2021, 22:30 UTC

A number of forum posts and tweets say that the website bitcoinpaperwallet.com is compromised and people have said they have lost bitcoin using the paper wallet generator. Three years ago the website domain changed ownership and ever since then losses have been reported on Reddit forums, bitcointalk.org, Twitter, and other public venues. The owner of the paper wallet generating web portal denies the platform’s codebase is compromised and claims it has been audited by a security expert.

Bitcoinpaperwallet.com Wallet Generator Site Accused of Being Compromised and Unsafe

Years ago, bitcoinpaperwallet.com, a website then owned and operated by Canton Becker, was an extremely popular paper wallet generator. However, when the website was sold in 2018, bitcoinpaperwallet.com’s reviews became very negative. The complaints continue to this day, and a month ago on Reddit, a user named u/heroiclife created a thread asking people to help him shut down the website.

“Help me shut down the bitcoinpaperwallet.com scam,” the post explains.

The Reddit user u/heroiclife said he wasn’t personally affected, but that as a crypto wallet recovery service provider he had heard about several cases.

“I’ve heard from customers who had their Bitcoin stolen there. It’s dumb to use a paper wallet in 2021, but not everyone knows that,” the individual said. He also asked if bitcoiners could help submit abuse complaints to Enom, the domain registrar, report abuse to Linode, the web host, and flag the website on Google Safe Browsing as malicious.

Twitter is also littered with posts that say that bitcoinpaperwallet.com has been compromised. On January 3, 2021, on Bitcoin’s 12th anniversary, Dustin Dettmer said: “Just had a friend lose all his holdings using this website, which appears to be a total scam. How do we get it shut down? We should get the word out about this particular scam bitcoinpaperwallet.com,” Dettmer added.

On December 13, 2019, a Reddit user named u/maff1989 said he lost funds after getting a paper wallet inside a Christmas card.

User Claims His $700,000 in Bitcoin Was Sent to Another Wallet One Minute After Loading the Paper Wallet

A month ago, on the web portal stackexchange.com, one user said he used the website bitcoinpaperwallet.com offline and sent 14.5 BTC ($700k+) to the wallet’s public key. A minute later, his 14.5 BTC was sent to another wallet. “Any advice on what I can do?” he asked. “I’ve accepted the loss and the lesson (should have used the offline generator) but want to make sure this doesn’t happen to others.”

Since the site was sold in 2018, some Reddit users have accused the current owner of going “rogue.” Others have said it is obvious that the website is not producing private keys as it should. The Reddit user u/senor_curioso explained that this can be tested and said:

“Yes, here is how you can prove that the current site is producing predictable keys.

  • Save the HTML generator to computer
  • Find the long set of “testing keys” represented by eckey_test=[{,,,}]; and replace it with just a single keypair like this: eckey_test=[{pub:"MUtDQ25Td05uQ0I0Y05ZN0hFc0hja1M4Vjk5bUxFNjJKZQ==",priv:"NUpreTZtM2lZS2FxTm1NZ2NvaEdYb2o0dXVyVTNXaXhiak54R1N4NmNlbmU3S25FWGR6"}];
  • Now load up the generator. It will generate the exact same (predictable) wallet over and over.
  • The server is giving each visitor a different set of “testing keys”. They are not being used as tests. They are being used as seeds for the random number generator, and are obviously being saved on the server so that they can be stolen later.”
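The claim in the last step, that each visitor is served a different set of “testing keys”, can be checked by fingerprinting two saved copies of the generator. The following is an added example, not code from the Reddit post or from the site; it assumes the embedded array has the eckey_test=[{pub:"...",priv:"..."}]; shape quoted above, and the two sample pages are constructed placeholders.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Extract the embedded eckey_test=[{pub:"...",priv:"..."}, ...]; array from a saved page.
function extractTestKeys(html) {
  const m = html.match(/eckey_test\s*=\s*\[([\s\S]*?)\]\s*;/);
  if (!m) return [];
  const re = /\{\s*pub\s*:\s*"([^"]*)"\s*,\s*priv\s*:\s*"([^"]*)"\s*\}/g;
  return [...m[1].matchAll(re)].map(([, pub, priv]) => ({ pub, priv }));
}

// Hash the whole file and, separately, only the embedded key material.
function fingerprint(html) {
  const keys = extractTestKeys(html);
  return {
    count: keys.length,
    fileSha256: sha256(html),
    keysSha256: sha256(keys.map((k) => `${k.pub}:${k.priv}`).join("\n")),
  };
}

// Assumption: a static, auditable generator serves identical bytes to every
// visitor, so embedded "test" data that changes between downloads is a red flag.
function compareDownloads(htmlA, htmlB) {
  const a = fingerprint(htmlA);
  const b = fingerprint(htmlB);
  return {
    identicalFile: a.fileSha256 === b.fileSha256,
    identicalTestKeys: a.keysSha256 === b.keysSha256,
    perVisitorData: a.count > 0 && b.count > 0 && a.keysSha256 !== b.keysSha256,
  };
}

// Constructed sample pages standing in for two downloads of the same generator.
const b64 = (s) => Buffer.from(s).toString("base64");
const page = (tag) =>
  `<html><script>var eckey_test=[` +
  `{pub:"${b64("constructed-pub-1-" + tag)}",priv:"${b64("constructed-priv-1-" + tag)}"},` +
  `{pub:"${b64("constructed-pub-2-" + tag)}",priv:"${b64("constructed-priv-2-" + tag)}"}` +
  `];</script></html>`;
const visitorA = page("A");
const visitorB = page("B");

console.log(compareDownloads(visitorA, visitorB));
```
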

Website Owner Claims Paper Wallet Generator’s ‘Servers Are Clean’ and Audited by a Security Expert

A recent report written by Colin Harper details that the paper wallet generating website is currently maintained by an individual named Sarkis Sarkissian. In the report, Sarkissian is quoted as saying that the owner has “received complaints from users who claim to have lost their bitcoin using our website.”

It seems he was available for commentary concerning the matter at hand. Sarkissian stressed, however, that the complaints were likely “resolved” or the user figured out it was “their own fault.” Harper also asked Sarkissian if he was aware of a “back door” in the bitcoinpaperwallet.com codebase.

“We have searched our source code for the issues present in those documents and we cannot reproduce the same results,” Sarkissian was quoted as saying. “Our servers and source code has been verified clean by [our security expert Jonel Richard]. He is still on retainer and continues to investigate, trying to reproduce the issue found by others,” the website’s current owner insisted.

Creating a paper wallet must be handled with great care, and it’s possible that user error was involved in a number of the accusations toward the domain strewn across the web. Many walkthrough guides mention that, no matter what type of wallet generator is used, the process should always be done completely offline. A person who attempts to create a cryptocurrency paper wallet online, while connected to the web, is extremely vulnerable to hacking exploits.
