Pages:
Author

Topic: RarityCheck VIBGYOR gilded #12 swept yesterday. - page 8. (Read 4059 times)

copper member
Activity: 577
Merit: 171
Rarity Check:

I really hate that this happened to you and your team. I appreciate the ways you are responding to help owners of these coins and I wish you the best moving forward.

Steeley

Thank you! 🙏  your wishes mean a lot. Very difficult times for us and our customers.
We are trying to help as much as possible.
hero member
Activity: 2562
Merit: 607
We made a mistake. We have been doing lots of digging since morning on how this could have happened. We knew this isn't a hardware issue as we never connect any of our hardware to internet. Plus, we have no backups so this isn't a  personnel issue.

Issue is with the keygen software we used.

In full transparency, for the first version of vigilante series, and for the hole coins we have used https://github.com/bitaddress/bitaddress.org to create keys on an airgap computer.

For VIBGYOR orange we used https://github.com/walletgeneratornet/WalletGenerator.net again on an airgap computer.
Unfortunately, since morning we started digging into looks like walletgeneratornet is actually compromised.

We have learned from our mistake and we can only look forward from here. We have been refunding the clients (still few to go).

For next generation of our coins, we will use better keygens + also, print and post sample private keys before using those for the coins.

We appreciate all support from the forum members.




 


Which keygen software did you use for LCS- v1?

Disregard as you already answered.
copper member
Activity: 577
Merit: 171
My coin was unfortunately part of this debacle… hoping to be made whole. No way I was able to recoup any funds as this unfolded.. my coin is still in a icg slab and in my safe 1000 miles away from me currently. .001 lost, which isn’t huge but the principle of it matters.

Please pm us an address for refund.
sr. member
Activity: 1164
Merit: 268
Byzantine Generals' Problem solved,Prosperity Next
Rarity Check:

I really hate that this happened to you and your team. I appreciate the ways you are responding to help owners of these coins and I wish you the best moving forward.

Steeley
copper member
Activity: 186
Merit: 111
₿IT VIP COINS CEO
My coin was unfortunately part of this debacle… hoping to be made whole. No way I was able to recoup any funds as this unfolded.. my coin is still in a icg slab and in my safe 1000 miles away from me currently. .001 lost, which isn’t huge but the principle of it matters.
copper member
Activity: 577
Merit: 171
We made a mistake. We have been doing lots of digging since morning on how this could have happened. We knew this isn't a hardware issue as we never connect any of our hardware to internet. Plus, we have no backups so this isn't a  personnel issue.

Issue is with the keygen software we used.

In full transparency, for the first version of vigilante series, and for the hole coins we have used https://github.com/bitaddress/bitaddress.org to create keys on an airgap computer.

For VIBGYOR orange we used https://github.com/walletgeneratornet/WalletGenerator.net again on an airgap computer.
Unfortunately, since morning we started digging into looks like walletgeneratornet is actually compromised.

We have learned from our mistake and we can only look forward from here. We have been refunding the clients (still few to go).

For next generation of our coins, we will use better keygens + also, print and post sample private keys before using those for the coins.

We appreciate all support from the forum members.




 
copper member
Activity: 577
Merit: 171
Hey guys

Just finished analysing everything we could from our side.
copper member
Activity: 406
Merit: 485
Track Burns @ burned.money
✂️

We still posses all the hardware used.
We will share exact details of what we think has happened.
None of the used hardware has ever been connected to the internet.
And the computers  used are also wiped out.

As this is a widespread issue(beyond our collectibles) this means this is an issue with the private key generator we used for VIBGYOR.

We will share the details at 9 pm UK time today.

✂️

raritycheck team: It is imperative that you share how the keys for the VIBGYOR series were generated in as much detail as possible - software used, people involved, computer used, printer used, and everything else that is available. This does appear to be a more widespread attack and funds for many others people outside of collectibles may be at risk.


I see no reason why there should be any more delays on sharing the keygen software and process.

I'm sure everyone appreciates raritycheck's efforts to compensate affected users, but without more concrete information the community is still being asked to take the fact that other series are not impacted on faith.

Additionally, given the on-chain evidence highlighted by Eclipse33 and myself previously in the thread, actively withholding the software and process involved is putting other Bitcoin users at risk.

I've reached out to the raritycheck team multiple times over PM to offer help in analyzing this situation (I have a long, long background in building and operating custody systems), and have had no material response.

I'm hopeful raritycheck sticks to their promise of a details update and posts it soon - in the mean time, if anyone has been provided any additional information
 on the keygen process not in this thread by the team, I would encourage you to share it.
sr. member
Activity: 2107
Merit: 416
Cryptoshi Blockomoto
Hi raghav

We will not pull the eBay listing.
If someone orders we will send them coins with new holos and new keys.

We understand that not just other coins but our wallets are impacted but even we are trying to root cause it.
We are not 100% sure how this has happened.
But we think the key gen software we used is compromised.
Rest ensured as soon as we know we will provide details.

Since you "are not 100% sure how this has happened", how are you 100% certain that the newly generated keys will be 100% safe? (even if you use a different key generation method for creating the key pairs)
legendary
Activity: 2254
Merit: 2419
EIN: 82-3893490
maybe he had yogg create them for him...
copper member
Activity: 406
Merit: 485
Track Burns @ burned.money
copper member
Activity: 672
Merit: 113
RC needs to dox the key-gen software.

I suspect it's backdoored with pregenerated rolling codes or pregenerated private keys.

It's not vanitygen or vanitysearch.

Prob some small-time dinky key-gen.

Why he has not doxxed it yet is beyond me. A real headscratcher.



makes me feel he's not doing it because he know something else happened that wasn't the software, but the longer he takes the more shady it looks. there is ZERO reasons not to share the name of the software for some of the professionals  on here to investigate further, news flash:  you don't have to say its was the softwares fault or even figure out if its secure or not for you to be able to take the time to share the softwares name and URL.    
jr. member
Activity: 258
Merit: 1
RC refunded me .001 btc for the swiped silver #49 for the record.
copper member
Activity: 1105
Merit: 459
Eclipse™ Experimental Cryptographic Technology
RC needs to dox the key-gen software.

I suspect it's backdoored with pregenerated rolling codes or pregenerated private keys.

It's not vanitygen or vanitysearch.

Prob some small-time dinky key-gen.

Why he has not doxxed it yet is beyond me. A real headscratcher.

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
We didn’t say our wallets were impacted.
I literally quoted the post in which you said that.

I believe they were referring to the fact that the bad keygen software used has resulted in BTC from other, non-collectibles wallets potentially held by normal, regular users who have nothing to do with this forum, being moved and stolen.

I'm baffled as to why they don't share the software at this stage, given that it could save other folks.


Many people who tried using a vanity gen software have been compromised. You should have stuck with your original software that worked on your first coins.

   I know you didn't end up using the vangen part but you still used their software. Did the swept funds go to any exchange? Perhaps you can reach out to them to freeze the funds. Always stick with what works. And in your case the first key generation code looks like it was solid.

   Also please post where you got that software so others do not fall in the same trap. And perhaps take legal action as well

Yes and yes, there are 2 well known pieces of vanity address generating software.

VanitySearch: https://bitcointalksearch.org/topic/vanitysearch-yet-another-address-prefix-finder-5112311
And the older Vanitygen: https://bitcointalksearch.org/topic/vanitygen-vanity-bitcoin-address-generatorminer-v022-25804

They are well known and people have been using them for YEARS with no issues.

Heck in 8 minutes on my old work laptop with NO GPU I got 3 keys for an address starting with "1V1BG" with a decent video card it should take no time at all.

Without a lot more detail we are all just guessing what happened here.

-Dave
legendary
Activity: 2254
Merit: 2419
EIN: 82-3893490
I also created a thread on how I generate my keys as well.

   https://bitcointalksearch.org/topic/info-so-you-wanna-generate-your-own-keys-for-physical-bitcoin-items-5416519

   For those people who do not trust software download off of the internet or do not own a mycelium entropy...there is another way that I suggest.

   Simply....buy a Trezor...generate a new seed and place the 12 word seed instead of a private key.

    You can use it this method as many times as you wish simply by resetting the Trezor. And yes of course you have to trust Trezor as well. If not then use a hardware wallet of your choice. Coldard is also another one I would trust especially the latest Q wallet which is all done air gapped!

     Or simply roll the dice. Lol

I believe you had one already - maybe several - as you have walked thru your process very clearly and meticulously several times.

as a note - many have peeled all their RC coins. When a coin maker has been compromised, one must assume all works are compromised.

we really need to hear about your key generation process and how it was different for the affected coins vs the ones you claim are safe.

and then a very detailed post on how exactly you generated keys for each project.

yes. We will provide details.
But Mopar this thread is for helping those who are impacted.

As this is a widespread issue(not only for VIBGYOR coins). This is an issue beyond our collectibles.
Please let’s use the other thread for root causing and keep this for helping those impacted.

and by widespread you mean what? if there is some larger issue, you need to state it now vs later - the sooner the better.
hero member
Activity: 943
Merit: 783
In Memory of Zepher

As this is a widespread issue(beyond our collectibles) this means this is an issue with the private key generator we used for VIBGYOR.

We will share the details at 9 pm UK time today.

why did you come up with the idea of using a different key generator for the VIBGYOR series and why not always the same as for the previous editions?
unfortunately, that doesn't make sense to me

i am very curious about the further details...

i can say from personal experience how stressful the whole thing is for raritycheck now and i hope that he can refund all victims and present/clear up everything completely



It was pure luck. We wanted to try creating vanity addresses (1O) for VIBGYOR coins so we looked at multiple options.
In the end we didn’t end up creating vanity addresses
But still went with the software we trying to generate vanity addresses

We are currently trying to help every impacted customer.
Please note that we aim to reach out to every single one by Sunday evening.



Which vanitygen software did you use?  

Most people have used either this one: samr7/vanitygen: https://github.com/samr7/vanitygen  

Or the 10gic/vanitygen-plusplus? https://github.com/10gic/vanitygen-plusplus

Or was it some .EXE program you found somewhere?  Which operating system? How did you transfer the software to your airgapped PC?
legendary
Activity: 3206
Merit: 3596
Quote
I strongly encourage the team to share details with folks who have the background and skills to help get to the bottom of this.

The refunds and efforts to make people whole are commendable and important, but based on the on-chain activity there are more wallets at risk than just collectibles.

I'm volunteering my time and effort in helping to track this down, but it is extremely important that the RC team provides the information and background for the key generation process, and how it differs from that of their other series.

I have separately dropped them a PM to ask for the same information, in the event that (for whatever reason) they are unwilling to share it publicly at this stage.
Hi raghav

We will not pull the eBay listing.
If someone orders we will send them coins with new holos and new keys.

We understand that not just other coins but our wallets are impacted but even we are trying to root cause it.
We are not 100% sure how this has happened.
But we think the key gen software we used is compromised.
Rest ensured as soon as we know we will provide details.




From the looks of it you generated keys with the computer still on-line

My recommendation is stop making keys immediately, refund everyone impacted and just send out replacement holograms

Regardless of what you are trying to do to make this right, your keys will never be trusted again... so why make it worse by offering to rekey the coins? Huh

full member
Activity: 1318
Merit: 184
Krogothmanhattan alt account
 I also created a thread on how I generate my keys as well.

   https://bitcointalksearch.org/topic/info-so-you-wanna-generate-your-own-keys-for-physical-bitcoin-items-5416519

   For those people who do not trust software download off of the internet or do not own a mycelium entropy...there is another way that I suggest.

   Simply....buy a Trezor...generate a new seed and place the 12 word seed instead of a private key.

    You can use it this method as many times as you wish simply by resetting the Trezor. And yes of course you have to trust Trezor as well. If not then use a hardware wallet of your choice. Coldard is also another one I would trust especially the latest Q wallet which is all done air gapped!

     Or simply roll the dice. Lol
copper member
Activity: 406
Merit: 485
Track Burns @ burned.money
Given the explanation and partial information provided so far, I've removed the alerts from Rarity Check creator page and non-VIBGYOR series.

Rarity Check VIBGYOR Orange Set Gilded and Rarity Check VIBGYOR Orange Set Silver will continue to show the Compromised Keys alert on both the series page and individual item listings.

Pages:
Jump to: