Topic: Stolen BTCs from paper wallet (Read 790 times)

Somebody should do a write up on how DNS spoofing works and how to protect ourselves from it.

This is going to hit s lot of inexperienced people who don't know how to avoid that kind of thing.

The typosquatting is easier to spot though.

They block port 8333. Or a lot of times it's the other way, they only allow traffic on ports 80 (http) and 443 (https) and everything else is blocked. They may allow certain mail RECEIVING ports (110,143,993,995) and perhaps 587 for authenticated mail send but that's it. It's free, but they don't want to deal with the hassle of people doing anything other then browsing the web. So it's all blocked. I do that for a lot of my customers who want to offer public Wi-Fi. It really is more of free web browsing, for anything else get your own internet.

I just remembered that my case, cause OP also could face with the same fake clone web address while generating his paper wallet - fake clone in global WWW (with the similar spelling) or fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited completely different IP address).

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

....

That doesn't mean that I didn't make many other mistakes in that day.

Nooo do not tell me they still have that bug:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

I don't have the historic of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stoled was generated in walletgenerator according to the image of it that I printed in that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generate some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes in that day.

The one stoled was generated in walletgenerator according to the image of it that I printed in that day.

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.

For many years it's been hosted on github.com

If the site was compromised then there would be proof in the form of a malicious version of the code.

I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.

OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?

Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.

Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?

Hello guys,

I will tell the story how I lost 0.4 BTC. I want to ask you advices.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?
Any other ideas about how that happened?

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

Thank you.

I wouldn't include any raw private keys, though. This simply encourages people to import them individually

But the paper wallets created by such websites are outdated and should really no longer be used at all.

Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.

The only reason websites are still in use for paper wallets, is because it's the most easiest way to create them.

Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.

There is no known bitaddress compromisations as far as I'm concerned.

Maybe.
Maybe.
Maybe.

OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.

Maybe. But that wouldn't make sense, it's bad for the bad guy's privacy (and extra work).

You screwed it up in the process, and you didn't notice.

Isn't it possible a hacker just spent his other money along with OP's in one transaction?

Or that their office had malware all across the computers and there were more than 1 employee who used bitaddress?

Yes, but doesn't the administrator announce compromisation afterwards?

Isn't that what had happened with BitcoinPaperWallet?

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.

Could this indicate something larger, that Bitaddress itself could be compromised?

I mean, that's exactly what happened to BitcoinPaperWallet several years ago.

(of course, if you downloaded the webpage, inspected the Javascript, and opened the offline page before generating private keys, you shouldn't be at risk of theft).

1) Many corporate printers will generate a copy of everything you print for management /

2) Same with company owned machines, they know & see everything you do. In this case it's not even 'I went to a bad site and got malware installed' but the company PC came with it to report on you.

Could this indicate something larger, that Bitaddress itself could be compromised?

Your address was emptied after 3 months, some of the other addresses after a year or almost 2 years.

If someone somehow compromised your paper wallet from outside your office, that means they've patiently been waiting for people to make multiple deposits to those paper wallets before robbing them. That may also mean it will happen to more people.

This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]

A Bitcoin wallet is as simple as a single pairing of a Bitcoin address with its corresponding Bitcoin private key. Such a wallet has been generated for you in your web browser and is displayed above.

To safeguard this wallet you must print or otherwise record the Bitcoin address and private key. It is important to make a backup copy of the private key and store it in a safe location. This site does not have knowledge of your private key. If you are familiar with PGP you can download this all-in-one HTML page and check that you have an authentic version from the author of this site by matching the SHA256 hash of this HTML with the SHA256 hash available in the signed version history document linked on the footer of this site. If you leave/refresh the site or press the "Generate New Address" button then a new private key will be generated and the previously displayed private key will not be retrievable. Your Bitcoin private key should be kept a secret. Whomever you share the private key with has access to spend all the bitcoins associated with that address. If you print your wallet then store it in a zip lock bag to keep it safe from water. Treat a paper wallet like cash.

Add funds to this wallet by instructing others to send bitcoins to your Bitcoin address.

Check your balance by going to blockchain.info or blockexplorer.com and entering your Bitcoin address.

Spend your bitcoins by going to blockchain.info and sweep the full balance of your private key into your account at their website. You can also spend your funds by downloading one of the popular bitcoin p2p clients and importing your private key to the p2p client wallet. Keep in mind when you import your single key to a bitcoin p2p client and spend funds your key will be bundled with other private keys in the p2p client wallet. When you perform a transaction your change will be sent to another bitcoin address within the p2p client wallet. You must then backup the p2p client wallet and keep it safe as your remaining bitcoins will be stored there. Satoshi advised that one should never delete a wallet.

Here's what might have happened:

• bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).

Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?

I forgot to show the wallet:
https://www.blockchain.com/explorer/addresses/btc/14AKAd16AEZZoW3dp4KEyANMJ3G5bPCrwE

It looks like someone stole from several wallets, mine was just one of that.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?

I generated it online, in my work.

The system is protected by firewall and VPN.

Then I printed it in the printer connected in the network.

The network is very safe - I will not tell the name of company for privacy.

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?

The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:

Any other ideas about how that happened?

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.

Online:
Install Electrum on your PC.
Import your address to create a watch-only wallet.
Preview the transaction, Copy the unsigned transaction. Put it on a USB stick.

Offline and running without hard drive storage:
Get a Linux LIVE DVD. Use Knoppix or Tails for instance, or any other distribution that comes with Electrum pre-installed.
Unplug your internet cable. Close the curtains. Reboot your computer and start up from that DVD. Don't enter any wireless connection password. Keep it offline.
Start Electrum. Import your private key.
Copy your unsigned transaction from the USB stick, load it into Electrum.
CHECK the transaction in Electrum. Check the fees, check the amount, check all destination addresses (character by character).
If all is okay, sign the transaction. Copy it back to your USB stick.
Turn off the computer. That wipes the Live LINUX from memory and all traces are gone.

Online:
Use your normal online Electrum to (check again and) broadcast the transaction.

I will tell the story how I lost 0.4 BTC.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work