Topic: Stolen BTCs from paper wallet (Read 871 times)

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
May 16, 2023, 06:40:07 AM
#43
I just remembered my case, because OP could also have faced the same fake clone web address while generating his paper wallet: a fake clone on the global WWW (with similar spelling) or a fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited a completely different IP address).

Somebody should do a write up on how DNS spoofing works and how to protect ourselves from it.

This is going to hit a lot of inexperienced people who don't know how to avoid that kind of thing.

The typosquatting is easier to spot though.

The problem with a write up on DNS spoofing is there are a lot of people that have no idea what DNS is never mind spoofing.

https://www.proofpoint.com/us/threat-reference/dns-spoofing

Drifting OT a bit, but still within the "I typed in www.some-internet-site.com and wound up at www.some-other-internet-site.com, but it still showed www.some-internet-site.com" problem: that is probably one of the biggest issues with free public Wi-Fi.

Going back to a comment I made here:

They block port 8333. Or a lot of times it's the other way: they only allow traffic on ports 80 (http) and 443 (https) and everything else is blocked. They may allow certain mail RECEIVING ports (110, 143, 993, 995) and perhaps 587 for authenticated mail send, but that's it. It's free, but they don't want to deal with the hassle of people doing anything other than browsing the web. So it's all blocked. I do that for a lot of my customers who want to offer public Wi-Fi. It really is more of free web browsing; for anything else get your own internet.

Although it's about downloading the blockchain, I can put a lot of rules into the routes that you are connecting to (so can any ISP) and hard code just about anything into the DHCP/DNS servers you are connecting to (so can any ISP), so when you sit down at your local coffee shop and connect to their Wi-Fi, if the people operating the back end are trying to steal, it's not going to be impossible to do.

Even more so if you don't pay attention and make sure you are going to HTTPS:// whatever instead of HTTP://, since faking SSL certificates is not as easy. Although it's not impossible.

-Dave
newbie
Activity: 1
Merit: 0
May 15, 2023, 07:50:20 AM
#42
I lost 0.6 BTC at the same time as you (Dec 10, '22), and when I googled the addresses involved it took me to this forum. And there are six other addresses that were emptied in the same transaction. And following the transfer of the BTC on and on between several addresses and tracing backwards on other "branches" you find a LOT of addresses emptied at the same time the same day. So there is no doubt the theft was made possible by monitoring the creation of the keys. It was not done on your end.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
January 19, 2023, 02:39:45 PM
#41
I just remembered my case, because OP could also have faced the same fake clone web address while generating his paper wallet: a fake clone on the global WWW (with similar spelling) or a fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited a completely different IP address).

Somebody should do a write up on how DNS spoofing works and how to protect ourselves from it.

This is going to hit a lot of inexperienced people who don't know how to avoid that kind of thing.

The typosquatting is easier to spot though.
sr. member
Activity: 443
Merit: 350
January 19, 2023, 12:41:09 PM
#40
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

....

I remembered that 3+ years ago I was confused why bitaddress.org generated wrong wallets. Here is my post: https://bitcointalksearch.org/topic/m.52190779

The issue was that I used the wrong web address: "Everybody should be very careful. The addresses above were actually generated not by bitaddress.org, but by biladdress.org ("l" instead of "t"). I do not know how I got there... probably some fake link :-("

At that time the fake clone was working and provided wrong public addresses (so users received incorrect public BTC addresses, and actually did not have the private keys to the BTC addresses shown on their "paper wallets").

I just remembered my case, because OP could also have faced the same fake clone web address while generating his paper wallet: a fake clone on the global WWW (with similar spelling) or a fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited a completely different IP address).
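The biladdress.org case above is a one-character lookalike of bitaddress.org. Added example (not code from the thread or from bitaddress.org): a small URL pre-check that flags near-miss hostnames by edit distance, punycode (IDN) hosts, and plain http, before any key material is generated on the page. EXPECTED_HOST and the distance threshold are assumptions.

```python
import urllib.parse

# Assumption: the host the user intended to visit (the thread names bitaddress.org).
EXPECTED_HOST = "bitaddress.org"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def check_url(url: str, expected: str = EXPECTED_HOST, max_distance: int = 2) -> str:
    """Classify a URL before trusting the page it loads.

    Returns one of: "ok", "insecure-scheme", "punycode", "lookalike", "different".
    """
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host == expected and parts.scheme != "https":
        return "insecure-scheme"  # right name but no TLS: the coffee-shop Wi-Fi case
    if host == expected:
        return "ok"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"         # IDN label that may render as a homoglyph of the real name
    if levenshtein(host, expected) <= max_distance:
        return "lookalike"        # e.g. biladdress.org is one edit away from bitaddress.org
    return "different"
```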
legendary
Activity: 2268
Merit: 18711
January 10, 2023, 11:24:22 AM
#39
That doesn't mean that I didn't make many other mistakes in that day.
You should obviously be moving any other coins on wallets from that scam site to a more secure wallet if you haven't already. But as you say and as discussed above, you made a lot of mistakes in your whole process, so I wouldn't trust any wallet you made that day (or any other day in which you followed the same steps).

It's fair to say at this point that it is not a bug but rather it is actively malicious. The owner was made aware of the issue, apparently removed it temporarily, and then reintroduced it. The malicious code is also years old at this point with hundreds of reports of people losing their coins. There is simply no way the owner is unaware of it. It continues to exist because he is actively scamming people.

This is part of the reason that I don't think anyone should use any website to generate wallets or private keys.

legendary
Activity: 952
Merit: 1385
January 10, 2023, 11:10:11 AM
#38
I don't have the history of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stolen was generated in walletgenerator according to the image of it that I printed that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generated some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes that day.

Nooo do not tell me they still have that bug:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

Sometimes you go too far: you suspect your colleagues, your network admin, you suspect a MITM attack... and at the end you see that most probably you were cheated by the wallet itself.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
January 10, 2023, 06:32:30 AM
#37
The one stolen was generated in walletgenerator according to the image of it that I printed that day.
That website has been scamming users for many years.
copper member
Activity: 10
Merit: 12
January 10, 2023, 05:55:19 AM
#36
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org, then monitoring which printer that PC used and reprinting whatever is in the memory of the printer.

Thanks for replying.

I was reading many topics here in bitcointalk and saw a topic telling that walletgenerator.net should not be used. I don't have the history of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stolen was generated in walletgenerator according to the image of it that I printed that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generated some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes that day.

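The maintainer above mentions a script that monitors the checksum of the live site, and the thread's advice is to verify the code against the GitHub copy. Added example (not the maintainer's script, not bitaddress.org code): a checker that compares a fetched copy against a pinned SHA-256 and, on mismatch, reports the exact lines that differ from the reference copy so the alert is actionable. The HTML sample is constructed, and the pin is derived from it so the example runs offline.

```python
import difflib
import hashlib
import urllib.request
from dataclasses import dataclass, field

# Constructed stand-in for the page's HTML; it is NOT the real bitaddress.org source.
KNOWN_GOOD_HTML = b"""<html><head><title>bitaddress.org</title></head>
<body>
<script>function generateKey() { return secureRandom(); }</script>
</body></html>
"""

# In practice, pin the hash of a copy you verified yourself (e.g. the GitHub release);
# here the pin is derived from the constructed sample so the example runs offline.
PINNED_SHA256 = hashlib.sha256(KNOWN_GOOD_HTML).hexdigest()


@dataclass
class CheckResult:
    ok: bool
    actual_sha256: str
    changed_lines: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_page(fetched: bytes, pinned: str = PINNED_SHA256,
               reference: bytes = KNOWN_GOOD_HTML) -> CheckResult:
    """Compare a fetched copy of the page with the pinned hash.

    On mismatch, also list the lines that differ from the reference copy, so the
    alert shows what changed (e.g. a swapped key-generation routine), not just
    that the hash differs.
    """
    actual = sha256_hex(fetched)
    if actual == pinned:
        return CheckResult(True, actual)
    diff = difflib.unified_diff(
        reference.decode("utf-8", errors="replace").splitlines(),
        fetched.decode("utf-8", errors="replace").splitlines(),
        fromfile="reference", tofile="fetched", lineterm="", n=0)
    changed = [line for line in diff
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    return CheckResult(False, actual, changed)


def fetch(url: str, timeout: int = 20) -> bytes:
    """Download the live page; only used when run as a script, never on import."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Hypothetical invocation: compare the live site with the pinned hash.
    result = check_page(fetch("https://bitaddress.org/"))
    print("OK" if result.ok else "MISMATCH", result.actual_sha256)
    for line in result.changed_lines:
        print("   ", line)
```

Running it against the real site only makes sense with a pin you computed from a copy you verified yourself; a pin taken from the site itself proves nothing.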
legendary
Activity: 2268
Merit: 18711
December 25, 2022, 06:25:55 AM
#35
For many years it's been hosted on github.com

If the site was compromised then there would be proof in the form of a malicious version of the code.
Thanks for replying. In reference to the above - am I right in saying that the website as it stands redirects to pointbiz.github.io, meaning that the code on Github must be the code that is running on the site? But I am also right in saying that your bitaddress.org hosting could be compromised and lead to bitaddress.org pointing to a different repository or running a different set of code altogether. Given that, we cannot rely on your statement that if the site was compromised there would be proof in the form of malicious code. We would be entirely relying on you telling us, and people could easily be scammed by the compromised site in the meantime.

I don't believe that there were any problems with bitaddress.org which were the cause of OP losing their coins here, but the fact remains that using any live website, be it bitaddress, iancoleman, or anything else, is a risk. The only safe way to use such sites is by downloading and verifying the code from Github and running it offline.
hero member
Activity: 1438
Merit: 513
December 24, 2022, 03:10:38 PM
#34
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org, then monitoring which printer that PC used and reprinting whatever is in the memory of the printer.

Thank you for clarifying Merry Christmas!
sr. member
Activity: 437
Merit: 415
1ninja
December 24, 2022, 03:06:22 PM
#33
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org, then monitoring which printer that PC used and reprinting whatever is in the memory of the printer.

hero member
Activity: 1438
Merit: 513
December 24, 2022, 09:38:02 AM
#32
However, it appears the whois doesn't look too good in correlation with OP's timestamp claims. Hopefully pointbiz renewed and not someone else.
OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.
Since it's outside of a 10 year window there's potential it could have slipped.
I still think DaveF and I are onto something. IT guys don't get enough credit and I feel this post validates that. MSPs can flag too with very simple macro systems.
If pointbiz validates the status of a good-standing bitaddress.org, OP unknowingly got ripped off from a co-worker or used a wrong URL.
Maybe we can talk him into implementing segwit; it's a lot of work though. A LOT! I've attempted it and failed miserably.
legendary
Activity: 2268
Merit: 18711
December 24, 2022, 09:30:47 AM
#31
On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?
Good point. My paper wallets are only ever imported into a live OS on an airgapped device, but yeah, good point that the majority of people don't do that and probably just sweep them using whatever hot wallet they happen to have installed at the time.

Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.
It's not so much the Segwit issue, but rather I think single key pair wallets should only be used by those who really understand what they are doing and not by >99% of users.

Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?
This is pretty standard across the whole crypto ecosystem. People buy shitcoins with no research and then wonder later how they were scammed, despite the whole thing being a plagiarized money grab from the start. People deposit coins to centralized exchanges and then wonder later why they went bankrupt, when their terms of service clearly state that they are gambling with your money. No different when it comes to using various wallet software. People only care after they have personally been affected.
member
Activity: 136
Merit: 16
December 24, 2022, 08:41:43 AM
#30
Hello guys,

I will tell the story of how I lost 0.4 BTC. I want to ask you for advice.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
Supposing that there's no one from inside involved, is it possible to have a malicious intermediary between my computer and bitaddress?
Any other ideas about how that happened?

Another thing is your opinion about one method I'm thinking of for generating a paper wallet in bitaddress.org. Everybody says that the bitaddress website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

Thank you.


I am curious as to how new you are to crypto ? You are asking us regarding the safety and security of the website "bitaddress" after using it. Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 24, 2022, 08:29:42 AM
#29
I wouldn't include any raw private keys, though. This simply encourages people to import them individually
On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?
By importing just one key into a hot wallet, at least you're not risking all your funds at once.

Quote
But the paper wallets created by such websites are outdated and should really no longer be used at all.
Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.
legendary
Activity: 2268
Merit: 18711
December 24, 2022, 08:25:15 AM
#28
Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.
That's not a bad idea at all. You could always propose something along those lines on GitHub if you wanted.

I wouldn't include any raw private keys, though. This simply encourages people to import them individually and run into all the usual problems of importing single keys. All you need is a seed phrase, the first couple of addresses (configurable), and a QR code for those addresses. Perhaps with an option to include the xpub and its QR code at your chosen derivation path so you can easily create a watch-only wallet for the paper wallet and see exactly how much bitcoin you have spread across all the addresses.

The only reason websites are still in use for paper wallets is because it's the easiest way to create them.
But the paper wallets created by such websites are outdated and should really no longer be used at all.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 24, 2022, 07:54:38 AM
#27
Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.
Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.
So we need trusted open source software. The only reason websites are still in use for paper wallets is because it's the easiest way to create them.
legendary
Activity: 2268
Merit: 18711
December 24, 2022, 05:38:55 AM
#26
There are no known bitaddress compromises as far as I'm concerned.
That means nothing, and relying on one person telling you something is unsafe is an incredibly unsafe practice anyway. The source code for bitaddress on GitHub has not changed in years, but there is zero guarantee that the source code of the live website hasn't been changed. And since OP simply used the website (while online, no less, and with no guarantee he was actually on the legitimate website at all and not a malicious clone), there is no telling what code he was actually running.

Maybe.
Maybe.
Maybe.
Such is the beauty of such a scam. There are so many potential ways that OP could have lost his coins, that the real method the attacker used is unlikely to be discovered, making tracing him down impossible.

It is probably time the community stopped recommending such websites at all. Single key pair paper wallets come with many other risks and drawbacks that most newbies don't understand anyway. Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.
hero member
Activity: 504
Merit: 1065
Crypto Swap Exchange
December 24, 2022, 05:23:14 AM
#25
However, it appears the whois doesn't look too good in correlation with OP's timestamp claims. Hopefully pointbiz renewed and not someone else.
OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

Before 2022-10-19, I find:

      "updatedDate": "2022-03-11T00:00:13+00:00",
    },
    {
      "updatedDate": "2021-09-05T18:40:37+00:00",
    },
    {
      "updatedDate": "2021-09-05T18:40:37+00:00",
    },
    {
      "updatedDate": "2021-04-25T00:00:13+00:00",
    },
    {
      "updatedDate": "2020-06-09T00:00:25+00:00",
    },
    {
      "updatedDate": "2019-07-25T00:00:15+00:00",
    },
    {
      "updatedDate": "2018-07-25T00:00:23+00:00",
    },
    {
      "updatedDate": "2018-07-25T00:00:23+00:00",
    },
    {
      "updatedDate": "2018-07-02T18:38:45+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2014-09-05T14:13:33+00:00",
    },
    {
      "updatedDate": "2014-09-05T14:13:33+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2011-11-04T03:51:30+00:00",
    }
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 24, 2022, 01:56:16 AM
#24
However, it appears the whois doesn't look too good in correlation with OP's timestamp claims. Hopefully pointbiz renewed and not someone else.
OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.