Author

Topic: Stolen BTCs from paper wallet (Read 891 times)

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
May 16, 2023, 06:40:07 AM
#43
I just remembered that my case, cause OP also could face with the same fake clone web address while generating his paper wallet - fake clone in global WWW (with the similar spelling) or fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited completely different IP address).

Somebody should do a write up on how DNS spoofing works and how to protect ourselves from it.

This is going to hit s lot of inexperienced people who don't know how to avoid that kind of thing.

The typosquatting is easier to spot though.

The problem with a write up on DNS spoofing is there are a lot of people that have no idea what DNS is never mind spoofing.

https://www.proofpoint.com/us/threat-reference/dns-spoofing

Drifting OT a bit, but still within the I typed in www.some-internet-site.com and wound up at www.some-other-internet-site.com but it still showed www.some-internet-site.com is probably one of the biggest issue of free public Wi-Fi.

Going back to a comment I made here:

They block port 8333. Or a lot of times it's the other way, they only allow traffic on ports 80 (http) and 443 (https) and everything else is blocked. They may allow certain mail RECEIVING ports (110,143,993,995) and perhaps 587 for authenticated mail send but that's it. It's free, but they don't want to deal with the hassle of people doing anything other then browsing the web. So it's all blocked. I do that for a lot of my customers who want to offer public Wi-Fi. It really is more of free web browsing, for anything else get your own internet.

Although it's about downloading the blockchain I can put a lot of rules  nto the routes that you are connecting to (so can any ISP) and hard code just about anything into the DHCP DNS serves you are connecting to (so can any ISP) so you sit down at your local coffee shop and connect to their Wi-Fi if the people operating the back end are trying to steal, it's not going to be impossible to do.

Even more so if you don't pay attentin and make sure you are going to HTTPS:// whatever instead of HTTP:// since faking SSL certificates is not as easy. Although it's not impossible.

-Dave
newbie
Activity: 1
Merit: 0
May 15, 2023, 07:50:20 AM
#42
I lost 0.6 BTC at the same time as you (dec 10 -22), and when I googled the addresses involved it took me to this forum. And there are six other addresses that was emptied in the same transaction. And following the transfer of the BTC on and on between several addresses and tracing backwards on other "branches" you find a LOT of addresses emptied at the same time the same day. So there is no doubt the theft was made possible by monitoring the creation of the keys. It was not done on your end.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
January 19, 2023, 02:39:45 PM
#41
I just remembered that my case, cause OP also could face with the same fake clone web address while generating his paper wallet - fake clone in global WWW (with the similar spelling) or fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited completely different IP address).

Somebody should do a write up on how DNS spoofing works and how to protect ourselves from it.

This is going to hit s lot of inexperienced people who don't know how to avoid that kind of thing.

The typosquatting is easier to spot though.
sr. member
Activity: 443
Merit: 350
January 19, 2023, 12:41:09 PM
#40
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

....

I remembered that 3+ years ago was confused why bitaddress.org generated wrong wallets. Here is my post: https://bitcointalksearch.org/topic/m.52190779

The issue was I used wrong web address: "Everybody should be very careful. The addresses above were actually generated not by bitaddress.org, but by biladdress.org ("l" instead of "t"). I do not know how did I go there... probably some fake link :-("

That time fake clone was working and provided wrong public addresses (so, users received incorrect public btc addresses, and actually they did not have private keys to btc addresses showed on their "paper wallets").

I just remembered that my case, cause OP also could face with the same fake clone web address while generating his paper wallet - fake clone in global WWW (with the similar spelling) or fake clone provided through DNS spoofing (OP saw bitaddress.org in his web browser, but actually visited completely different IP address).
legendary
Activity: 2268
Merit: 18771
January 10, 2023, 11:24:22 AM
#39
That doesn't mean that I didn't make many other mistakes in that day.
You should obviously be moving any other coins on wallets from that scam site to a more secure wallet if you haven't already. But as you say and as discussed above, you made a lot of mistakes in your whole process, so I wouldn't trust any wallet you made that day (or any other day in which you followed the same steps).

It's fair to say at this point that it is not a bug but rather it is actively malicious. The owner was made aware of the issue, apparently removed it temporarily, and then reintroduced it. The malicious code is also years old at this point with hundreds of reports of people losing their coins. There is simply no way the owner is unaware of it. It continues to exist because he is actively scamming people.

This is part of the reason that I don't think anyone should use any website to generate wallets or private keys.

legendary
Activity: 952
Merit: 1386
January 10, 2023, 11:10:11 AM
#38
I don't have the historic of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stoled was generated in walletgenerator according to the image of it that I printed in that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generate some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes in that day.

Nooo do not tell me they still have that bug:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

Sometimes you go too far, you suspect your colleagues, your network admin, you suspect MITM attack... and at the end you see that the most probably you were cheated by the wallet itself.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
January 10, 2023, 06:32:30 AM
#37
The one stoled was generated in walletgenerator according to the image of it that I printed in that day.
That website has been scamming users for many years.
copper member
Activity: 10
Merit: 12
January 10, 2023, 05:55:19 AM
#36
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.



Thanks for replying.

I was reading many topics here in bitcointalk and saw a topic telling that walletgenerator.net should not be used. I don't have the historic of the day I generated the wallets, but I made many of them, some in walletgenerator and others in bitaddress. The one stoled was generated in walletgenerator according to the image of it that I printed in that day. So, one more mistake made by me.

Sorry for the mistake, I forgot that I generate some wallets in walletgenerator.net. That doesn't mean that I didn't make many other mistakes in that day.

legendary
Activity: 2268
Merit: 18771
December 25, 2022, 06:25:55 AM
#35
For many years it's been hosted on github.com

If the site was compromised then there would be proof in the form of a malicious version of the code.
Thanks for replying. In reference to the above - am I right in saying that the website as it stands redirects to pointbiz.github.io, meaning that the code on Github must be the code that is running on the site? But I am also right in saying that your bitaddress.org hosting could be compromised and lead to bitaddress.org pointing to a different repository or running a different set of code altogether. Given that, we cannot rely on your statement that if the site was compromised there would be proof in the form of malicious code. We would be entirely relying on you telling us, and people could easily be scammed by the compromised site in the meantime.

I don't believe that there were any problems with bitaddress.org which were the cause of OP losing their coins here, but the fact remains that using any live website, be it bitaddress, iancoleman, or anything else, is a risk. The only safe way to use such sites is by downloading and verifying the code from Github and running it offline.
hero member
Activity: 1439
Merit: 513
December 24, 2022, 03:10:38 PM
#34
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.


Thank you for clarifying Merry Christmas!
sr. member
Activity: 437
Merit: 415
1ninja
December 24, 2022, 03:06:22 PM
#33
I received a DM about this thread.

bitaddress.org has never been hacked.
For many years it's been hosted on github.com
I have no indication that my github has been compromised.
I have no indication that my domain registrar account or DNSSEC has been compromised.
I have a script that monitors the checksum of bitaddress.org and received no alerts of any issue.

If the site was compromised then there would be proof in the form of a malicious version of the code. As people saw with BitcoinPaperWallet.com when it was sold to a scammer.

I've been offered $2000 for my domain but I'm not selling for any price.

It's always better to use the code from github because they'll be faster to react to a DNS seizure than I will.

My guess about OP is
1) malicious crypto browser extension
2) IT guy monitoring which PC connects to bitaddress.org and then monitor which printer that PC used and reprint whatever is in the memory of the printer.

hero member
Activity: 1439
Merit: 513
December 24, 2022, 09:38:02 AM
#32
However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.
OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.
Since its outside of a 10 year window there's potential it could have slipped.
I still think DaveF and I are onto something, IT guys don't get enough credit and I feel this post validates that. MSP's can flag too with very simple macros systems.
If pointbiz validates the status of a good-standing bitaddress.org, OP unknowingly got ripped off from a co-worker or used a wrong URL.
Maybe we can talk him into implementing segwit, its a lot of work though. A LOT! I've attempted it and failed miserably.
legendary
Activity: 2268
Merit: 18771
December 24, 2022, 09:30:47 AM
#31
On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?
Good point. My paper wallets are only ever imported in to live OS on an airgapped device, but yeah, good point that the majority of people don't do that and probably just sweep them using whatever hot wallet they happen to have installed at the time.

Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.
It's not so much the Segwit issue, but rather I think single key pair wallets should only by used by those who really understand what they are doing and not by >99% of users.

Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?
This is pretty standard across the whole crypto ecosystem. People buy shitcoins with no research and then wonder later how they were scammed, despite the whole thing being a plagiarized money grab from the start. People deposit coins to centralized exchanges and then wonder later why they went bankrupt, when their terms of service clearly state that they are gambling with your money. No different when it comes to using various wallet software. People only care after they have personally been affected.
member
Activity: 150
Merit: 17
December 24, 2022, 08:41:43 AM
#30
Hello guys,

I will tell the story how I lost 0.4 BTC. I want to ask you advices.

It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?
Any other ideas about how that happened?

Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
- generate the wallets
- restore the windows, erasing everything
- take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
- return the HD to the previous notebook and install Windows again
Only now, turn on the internet.

Any risk in this procedure?

Thank you.


I am curious as to how new you are to crypto ? You are asking us regarding the safety and security of the website "bitaddress" after using it. Don't you think you should do proper research before using these external sites for crypto transactions instead of asking later when the damage is done ?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 24, 2022, 08:29:42 AM
#29
I wouldn't include any raw private keys, though. This simply encourages people to import them individually
On the other hand, if you have many funded addresses, it's much safer to import one private key than the entire seed phrase. How many people are really creating an airgapped secure setup for that?
By importing just one key into a hot wallet, at least you're not risking all your funds at once.

Quote
But the paper wallets created by such websites are outdated and should really no longer be used at all.
Agreed. Bitaddress should update to Segwit. There are some other sites that offer it, but I don't trust them.
legendary
Activity: 2268
Merit: 18771
December 24, 2022, 08:25:15 AM
#28
Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.
That's not a bad idea at all. You could always propose something along those lines on GitHub if you wanted.

I wouldn't include any raw private keys, though. This simply encourages people to import them individually and run in to all the usual problems of importing single keys. All you need is a seed phrase, the first couple of addresses (configurable), and a QR code for those addresses. Perhaps with an option to include the xpub and its QR code at your chosen derivation path so you can easily create a watch-only wallet for the paper wallet and see exactly how much bitcoin you have spread across all the addresses.

The only reason websites are still in use for paper wallets, is because it's the most easiest way to create them.
But the paper wallets created by such websites are outdated and should really no longer be used at all.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 24, 2022, 07:54:38 AM
#27
Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.
Now that you mention it: Electrum should have a PDF-feature for that. If the user has to manually copy/paste the addresses, keys and QR-codes to be able to print one page, chances are they mess up.
So we need trusted open source software. The only reason websites are still in use for paper wallets, is because it's the most easiest way to create them.
legendary
Activity: 2268
Merit: 18771
December 24, 2022, 05:38:55 AM
#26
There is no known bitaddress compromisations as far as I'm concerned.
That means nothing, and relying on one person telling you something is unsafe is an incredibly unsafe practice anyway. The source code for bitaddress on GitHub has not changed in years, but there is zero guarantee that the source code of the live website hasn't been changed. And since OP simply used the website (while online, no less, and with no guarantee he was actually on the legitimate website at all and not a malicious clone), there is no telling what code he was actually running.

Maybe.
Maybe.
Maybe.
Such is the beauty of such a scam. There are so many potential ways that OP could have lost his coins, that the real method the attacker used is unlikely to be discovered, making tracing him down impossible.

It is probably time the community stopped recommending such websites at all. Single key pair paper wallets come with many other risks and drawbacks that most newbies don't understand anyway. Far better to back up a seed phrase and the first couple of addresses, generated by a secure piece of airgapped wallet software.
hero member
Activity: 504
Merit: 1065
Crypto Swap Exchange
December 24, 2022, 05:23:14 AM
#25
However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.
OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.

Before 2022-10-19, I find :



      "updatedDate": "2022-03-11T00:00:13+00:00",
    },
    {
      "updatedDate": "2021-09-05T18:40:37+00:00",
    },
    {
      "updatedDate": "2021-09-05T18:40:37+00:00",
    },
    {
      "updatedDate": "2021-04-25T00:00:13+00:00",
    },
    {
      "updatedDate": "2020-06-09T00:00:25+00:00",
    },
    {
      "updatedDate": "2019-07-25T00:00:15+00:00",
    },
    {
      "updatedDate": "2018-07-25T00:00:23+00:00",
    },
    {
      "updatedDate": "2018-07-25T00:00:23+00:00",
    },
    {
      "updatedDate": "2018-07-02T18:38:45+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2016-08-20T16:03:22+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2015-09-05T10:17:47+00:00",
    },
    {
      "updatedDate": "2014-09-05T14:13:33+00:00",
    },
    {
      "updatedDate": "2014-09-05T14:13:33+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2012-08-17T00:43:39+00:00",
    },
    {
      "updatedDate": "2011-11-04T03:51:30+00:00",
    }
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 24, 2022, 01:56:16 AM
#24
However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.
OP's address was first funded more than a month before the domain registration update. It is of course possible to update the domain more than once, but I don't know if we can still check that.
hero member
Activity: 1439
Merit: 513
December 23, 2022, 08:21:59 PM
#23
@pointbiz @1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN usually will come around when summoned, maybe they can clarify things on their end?

pointbiz owns bitaddress.org

It's in my best interest to know too since we use the tool for merging keys. tld compromised means more could be as well.

However it appears the whois doesn't look too good with correlation to OP's timestamp claims. hopefully pointbiz renewed and not someone else.

Name: bitaddress.org

Dates
Registry Expiration: 2023-09-04 04:17:42 UTC
Updated: 2022-10-19 04:18:19 UTC
Created: 2011-09-04 04:17:42 UTC
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
December 23, 2022, 05:55:26 PM
#22
Maybe. But that wouldn't make sense, it's bad for the bad guy's privacy (and extra work).
Not all know to use bitcoin properly. There are people who regularly screw it up with their privacy, security, who they don't care, who they use bad software, who they haven't studied it a lot etc. There are a lot of examples of thieves who got caught because of these. From thieves who stole coins and deposited to CEX later on, to two folks who stored the private keys of billions worth of bitcoin in a cloud service.

Also, that's still possible:
You screwed it up in the process, and you didn't notice.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 23, 2022, 11:43:13 AM
#21
Isn't it possible a hacker just spent his other money along with OP's in one transaction?
Maybe. But that wouldn't make sense, it's bad for the bad guy's privacy (and extra work).

Quote
Or that their office had malware all across the computers and there were more than 1 employee who used bitaddress?
Maybe. But that's too much of a coincidence, unless someone convinced several people to do that.

Quote
Yes, but doesn't the administrator announce compromisation afterwards?
Maybe. But not if the site owner is behind the theft.

Quote
Isn't that what had happened with BitcoinPaperWallet?
No, it got sold, and the new owner scammed people. As far as I know, that's still ongoing.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
December 23, 2022, 10:38:38 AM
#20
    Here's what might have happened:

    • bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).
    This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]


    Actually, look at it this way: keep going with my earlier 'not your PC not your DATA' statement.

    It might not have even been someone at that company. A lot of places use external MSPs for things.
    It's a somewhat simple task for most of the software that is placed on corporate PCs for monitoring / remote service and things to generate an alert when something happens / someone goes to a specific site and so on.

    So if it's an external 3rd party that has access for legitimate reasons, and one of their staff has setup and alert to send an email to them when users go to a specific site and then record all actions done then, they could easily get 5 private keys from 5 people in different parts of the world. Then you delete the alert and data as part of the 'monthly database clean' or whatever and tan you take the BTC and run.

    Now 5 people who never met each other, some of them who do not even know what the name of the MSP their company uses is have missing coins.
    Good luck tracking that down.

    In theory figuring it out is very simple. Since the MSP is the common link. In reality since if they did it with a bit of thought, everyone worked for a different company and every company has a no private work on the work PC it's even better. Do you eat the loss or report it and risk loosing your job.

    -Dave
    legendary
    Activity: 1512
    Merit: 7340
    Farewell, Leo
    December 23, 2022, 10:23:17 AM
    #19
    This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.
    Isn't it possible a hacker just spent his other money along with OP's in one transaction? Or that their office had malware all across the computers and there were more than 1 employee who used bitaddress?

    Could this indicate something larger, that Bitaddress itself could be compromised?

    I mean, that's exactly what happened to BitcoinPaperWallet several years ago.
    Yes, but doesn't the administrator announce compromisation afterwards? Isn't that what had happened with BitcoinPaperWallet? There is no known bitaddress compromisations as far as I'm concerned.
    legendary
    Activity: 3290
    Merit: 16489
    Thick-Skinned Gang Leader and Golden Feather 2021
    December 23, 2022, 08:53:07 AM
    #18
    (of course, if you downloaded the webpage, inspected the Javascript, and opened the offline page before generating private keys, you shouldn't be at risk of theft).
    Note that people still lost their money after downloading the BPW site once it turned into a scam.
    legendary
    Activity: 3346
    Merit: 3130
    December 23, 2022, 08:10:21 AM
    #17
    1) Many corporate printers will generate a copy of everything you print for management /

    2) Same with company owned machines, they know & see everything you do. In this case it's not even 'I went to a bad site and got malware installed' but the company PC came with it to report on you.

    I was thinking the same, for security reasons the printers at work used to save a copy of all the printed files, so, it was a terrible mistake to use the office printer for a paper wallet because even if the network is secure the saved files in the printer are not.

    And the second big mistake was to generate the address online, that's a terrible mistake that no one should do because you don't know if the page saves in a database each generated address.
    legendary
    Activity: 2380
    Merit: 5213
    December 23, 2022, 04:31:42 AM
    #16
    Hey Google, let the owners of 18CxzMfmadEvjwPjW8uzFe5n6xBDeraoJ6 and 1AmwSjzv6H3ujR7rFuVXLNz1yJfnJt2TFA find this topic!
    There's another address in that transaction too.
    1AhgYZ7Js6ytokA4zCD994MJJbpFsCUd61

    And there are probably more victims.
    OP's fund was sent to bc1qtjt2qa2pghrea2xv5fwn0t6a7gmrc4f2238rnr in this transaction and then to bc1qhwppsmswazl9pghsq9k4v7jy502cvlwjqr34hk in this transaction. Therefore, bc1q87jd5xfq6xypy9tx6ssfhynq0e5z99u8whnuvp and bc1ql5cz9yp23ggdz2tjhmj3hkr37wula3u34sa30e are owned by the hacker/thief too.
    If you check the history of these two addresses, you see that the same thing as OP has happened to 1P4o7U7tDsxeHVhRPRMFgmrmaFhGxRmjQx and 19fikpWsuxRnqQqrgnSWvVETvQHRMa9a3k.
    legendary
    Activity: 2268
    Merit: 18771
    December 23, 2022, 04:17:06 AM
    #15
    Could this indicate something larger, that Bitaddress itself could be compromised?
    Certainly it could. Or that there is a malicious clone site out there that several people are stumbling across. I always suggest people should use Core or Electrum over bitaddress or any other website in order to generate wallets.

    There are plenty of other explanations for the pattern of transactions see though. Perhaps several other people at OP's company also generated paper wallets using bitaddress, which were then stored on some server or printer memory bank or similar. This was hacked or otherwise accessed, and therefore the attacker accessed all the wallets at the same time and swept them all at once. Or perhaps OP also uploaded a copy of his paper wallet to his email or cloud storage, and again, a hack or rogue employee or similar then discovered his wallet at the same time as several other wallets, seed phrase back ups, or similar.
    legendary
    Activity: 1568
    Merit: 6660
    bitcoincleanup.com / bitmixlist.org
    December 23, 2022, 12:21:10 AM
    #14
    Quote
    It looks like someone stole from several wallets, mine was just one of that.
    Your address was emptied after 3 months, some of the other addresses after a year or almost 2 years.

    If someone somehow compromised your paper wallet from outside your office, that means they've patiently been waiting for people to make multiple deposits to those paper wallets before robbing them. That may also mean it will happen to more people.

    Could this indicate something larger, that Bitaddress itself could be compromised?

    I mean, that's exactly what happened to BitcoinPaperWallet several years ago.

    (of course, if you downloaded the webpage, inspected the Javascript, and opened the offline page before generating private keys, you shouldn't be at risk of theft).
    hero member
    Activity: 1439
    Merit: 513
    December 22, 2022, 01:35:30 PM
    #13
      Here's what might have happened:

      • bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).
      This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]


      Or originations are possibly the same. for example, 1 co-worker tells 3?
        "Supposing that there's no one from inside evolved"
      Judging by OP's wording of actions he learned about it at work, and thinks they are smart.
      When he started printing wallets the powers that be educated themselves as well or led OP to a trap.
      I think this scenario more likely than bitaddress.org being compromised I don't rule it out though.
      And to be fair on a newbie's behalf, bitaddress.org doesn't really elaborate that much on security, Air gapping, or anything commonsense really,
      A byproduct singular person coding without UX consultation.
      The information's portrayed to a more advanced person that probably knows how to generate their own wallet as if they can use PGP and checksums and things of this nature.
      They don't tell you anything until after you've made the wallet causing you to react uninformed.
      Not a guy who heard about it on his smoke break at his 8-5.



      A Bitcoin wallet is as simple as a single pairing of a Bitcoin address with its corresponding Bitcoin private key. Such a wallet has been generated for you in your web browser and is displayed above.

      To safeguard this wallet you must print or otherwise record the Bitcoin address and private key. It is important to make a backup copy of the private key and store it in a safe location. This site does not have knowledge of your private key. If you are familiar with PGP you can download this all-in-one HTML page and check that you have an authentic version from the author of this site by matching the SHA256 hash of this HTML with the SHA256 hash available in the signed version history document linked on the footer of this site. If you leave/refresh the site or press the "Generate New Address" button then a new private key will be generated and the previously displayed private key will not be retrievable. Your Bitcoin private key should be kept a secret. Whomever you share the private key with has access to spend all the bitcoins associated with that address. If you print your wallet then store it in a zip lock bag to keep it safe from water. Treat a paper wallet like cash.

      Add funds to this wallet by instructing others to send bitcoins to your Bitcoin address.

      Check your balance by going to blockchain.info or blockexplorer.com and entering your Bitcoin address.

      Spend your bitcoins by going to blockchain.info and sweep the full balance of your private key into your account at their website. You can also spend your funds by downloading one of the popular bitcoin p2p clients and importing your private key to the p2p client wallet. Keep in mind when you import your single key to a bitcoin p2p client and spend funds your key will be bundled with other private keys in the p2p client wallet. When you perform a transaction your change will be sent to another bitcoin address within the p2p client wallet. You must then backup the p2p client wallet and keep it safe as your remaining bitcoins will be stored there. Satoshi advised that one should never delete a wallet.
      legendary
      Activity: 3290
      Merit: 16489
      Thick-Skinned Gang Leader and Golden Feather 2021
      December 22, 2022, 11:19:26 AM
      #12
      Here's what might have happened:

      • bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).
      This is the only option from your list that can explain why different funds were sweeped at the same time with OPs funds.[/list]
      legendary
      Activity: 1512
      Merit: 7340
      Farewell, Leo
      December 22, 2022, 11:03:48 AM
      #11
      Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?
      Yes. Here's what might have happened:

      • Your computer was malware affected.
      • Your computer has been spied (not necessarily from an unintended spyware, lots of offices do spy on purpose).
      • Somebody at work saw you generating a private key, and took a picture.
      • Cameras (if any) caught you generating a private key.
      • bitaddress.org was compromised at the time you used it (quite unlikely, it'd have been announced later).
      • The printer exchanged sensitive information with your computer, private key included, and someone happened to find read access.
      • You screwed it up in the process, and you didn't notice.
      hero member
      Activity: 518
      Merit: 625
      Pizza Maker 2023 | Bitcoinbeer.events
      December 22, 2022, 10:21:36 AM
      #10
      It is possible that there could have been a malicious intermediate between your computer and bitaddress.org that intercepted the communication and accessed your paper wallet information. However, it is also possible that the compromise occurred at some other point, such as through a vulnerability in the system or network that you were using.

      As for the method you are considering for generating a paper wallet on bitaddress.org, it seems like a fairly secure method as long as you take the necessary precautions to ensure that the computer you are using is clean and free of any malware or other vulnerabilities. Disconnecting from the internet and wiping the hard drive before generating the wallet can help to reduce the risk of interception or compromise. However, it is also important to ensure that you are using a trusted computer and operating system, and to keep the computer and all software up to date with the latest security patches.

      legendary
      Activity: 3500
      Merit: 6320
      Crypto Swap Exchange
      December 22, 2022, 07:16:12 AM
      #9
      Some other random thoughts.

      1) Many corporate printers will generate a copy of everything you print for management /

      2) Same with company owned machines, they know & see everything you do. In this case it's not even 'I went to a bad site and got malware installed' but the company PC came with it to report on you.

      3) Eliminating 1 & 2 don't forget the person in the cube or office next to you. Did they see what you were doing?

      Not saying any of that happened here, but adding to 'not your keys not your coins' should also be 'not your PC not your DATA'

      -Dave
      legendary
      Activity: 3290
      Merit: 16489
      Thick-Skinned Gang Leader and Golden Feather 2021
      December 22, 2022, 03:09:51 AM
      #8
      You first funded it on September 15, and it was emptied on December 10. In that same transaction, 76 inputs were used, and a few different addresses had many different inputs.

      Quote
      It looks like someone stole from several wallets, mine was just one of that.
      Your address was emptied after 3 months, some of the other addresses after a year or almost 2 years.

      If someone somehow compromised your paper wallet from outside your office, that means they've patiently been waiting for people to make multiple deposits to those paper wallets before robbing them. That may also mean it will happen to more people.

      Hey Google, let the owners of 18CxzMfmadEvjwPjW8uzFe5n6xBDeraoJ6 and 1AmwSjzv6H3ujR7rFuVXLNz1yJfnJt2TFA find this topic!
      copper member
      Activity: 10
      Merit: 12
      December 21, 2022, 07:58:36 PM
      #7
      Thank you for the answers, guys. Believe me, I keep asking myself how could I be so idiot to trust in that network.

      I forgot to show the wallet:
      https://www.blockchain.com/explorer/addresses/btc/14AKAd16AEZZoW3dp4KEyANMJ3G5bPCrwE

      It looks like someone stole from several wallets, mine was just one of that.

      I will buy a hard wallet now. I suppose I was lucky, I have more BTC in the broker and was about to send them to my wallets - I generate several using the same way. Just this one had BTC, and, of course, I will never use them again.

      A few more infomations: I've never said that my work's network was 100% safe or that I trust 100% in the IT guys (I'm not in the IT team). I just said that I don't think that it was the problem and, for the safe of arguments, try to find other security problems.
      legendary
      Activity: 2212
      Merit: 7064
      December 20, 2022, 05:10:25 PM
      #6
      It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
      You made a big mistake. Who knows what kind of malware and keyloggers you have, that can't be detected easily.
      No matter how ''safu'' you think your computer is, it's still connected to internet and paper wallet should be printed from website that is download and generated offline.
      Nobody knows if your office have hidden cameras or other type of surveillance, but paper wallets should never be used like this.

      Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
      Why are you using paper wallets in the first place, and why the heck are you doing this on your work place??

      legendary
      Activity: 2268
      Merit: 18771
      December 20, 2022, 07:26:45 AM
      #5
      I generated it online, in my work.
      Obviously I don't know your exact set up at work, but chances are that anyone in your IT department could probably have watched what you were doing.

      The system is protected by firewall and VPN.
      Neither of those mean that the system is safe or free from malware.

      Then I printed it in the printer connected in the network.
      Again exposing your wallet to anyone who had network privileges to view it. Additionally, the file would have been saved in the printer's own memory and could be retrieved later, and also potentially saved in your company's servers.

      The network is very safe - I will not tell the name of company for privacy.
      You have absolutely no way to know that, and you are relying on the common sense of every one of your colleagues to not download and expose the network to malware.

      Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
      It is (so far) been as safe as a website can be. But be aware that websites are generally a poor choice to generate private keys in the first place, and other paper wallet websites which were perfectly legitimate for years suddenly turned in to scams and resulted in lots of people having their coins stolen. I would agree with the advice above to generate your keys using Core or Electrum instead.

      The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
      Turning off the internet for 5 minutes on a computer which has had frequent or constant internet access prior to this achieves almost nothing. The process needs to be done on a dedicated airgapped computer - that is one which has never had any internet access since you last formatted it and installed an open source Linux distro, and will never have any internet access again. You also need to connect that airgapped computer directly to an old fashioned dumb printer which does not have any internal memory or WiFi capabilities.
      legendary
      Activity: 3668
      Merit: 6382
      Looking for campaign manager? Contact icopress!
      December 20, 2022, 03:07:04 AM
      #4
      Any other ideas about how that happened?

      The first and easiest possibility would be that the website you've used to generate the paper wallet wasn't only showing it to you, instead it also made a copy of that paper wallet for the website owner.
      And at some point, when he noticed you've funded it, he stole your money since he had too the private key.

      Another discussion is about what you've done with the paper wallet an how you've stored it. If anyone else copied the private key, he could steal your money.
      A paper wallet as you've done it is a private key and an address. Those can be kept on paper, but some keep it (wrongly!) in e-mail or cloud storage, giving others the chance to steal.

      Plus if your computer has malware, for example, it was open to the internet.

      These are the first possibilities coming into my mind.

      Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
      The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
      - generate the wallets
      - restore the windows, erasing everything
      - take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
      - return the HD to the previous notebook and install Windows again
      Only now, turn on the internet.

      Any risk in this procedure?

      I don't know how good is bitaddress. If people say it's OK, fine, but such a tool can easily generate the keys even by a certain rule and make it easy to recover by the site owner. I would use a wallet to generate the private key.
      Apart of the first step and using a paper wallet generator, the rest of the steps look pretty good (although booting from an USB stick with a live OS with no persistence would achieve that easier).

      I would use Bitcoin core (offline, without downloading blockchain) or Electrum (offline) at first step and, as a later step, I would recover the wallet from the private key and make sure the address is the one expected (so you avoid surprises there too).



      Later edit: if you invest into amounts like 0.4 BTC, is it so difficult to invest in a hardware wallet? It would be safer and easier even for making yourself some sort of paper wallets, if you still want those.
      legendary
      Activity: 3290
      Merit: 16489
      Thick-Skinned Gang Leader and Golden Feather 2021
      December 20, 2022, 02:59:53 AM
      #3
      It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
      The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
      You made all the mistakes in the book Shocked
      The main reason to use a paper wallet, is to create cold storage. Cold storage, by definition, has never touched the internet. That's the only way to make sure nobody can ever hack it.
      By using an online website on an online computer and a network printer, you've added many risk factors.

      Online:
      Install Electrum on your PC.
      Import your address to create a watch-only wallet.
      Preview the transaction, Copy the unsigned transaction. Put it on a USB stick.

      Offline and running without hard drive storage:
      Get a Linux LIVE DVD. Use Knoppix or Tails for instance, or any other distribution that comes with Electrum pre-installed.
      Unplug your internet cable. Close the curtains. Reboot your computer and start up from that DVD. Don't enter any wireless connection password. Keep it offline.
      Start Electrum. Import your private key.
      Copy your unsigned transaction from the USB stick, load it into Electrum.
      CHECK the transaction in Electrum. Check the fees, check the amount, check all destination addresses (character by character).
      If all is okay, sign the transaction. Copy it back to your USB stick.
      Turn off the computer. That wipes the Live LINUX from memory and all traces are gone.

      Online:
      Use your normal online Electrum to (check again and) broadcast the transaction.
      hero member
      Activity: 1050
      Merit: 681
      December 20, 2022, 02:53:44 AM
      #2
      I will tell the story how I lost 0.4 BTC.
      First of all sorry for your loss mate. Thats a really big amount for most of the average working people.
      It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work
      Thats the problem. If you generated it online, you cant say it as a paper wallet. Its an online web-wallet and your keys can be stolen if you have trojen/malware in your pc, as simple as that. Please beware next time, and clean your PC.

      Read this: How To Run The Bitaddress.org Tool In A Secure Offline TAILS Temporary Live Boot Session
      copper member
      Activity: 10
      Merit: 12
      December 20, 2022, 02:42:59 AM
      #1
      Hello guys,

      I will tell the story how I lost 0.4 BTC. I want to ask you advices.

      It is (was) a paper wallet I generated in bitaddress.org. I generated it online, in my work. The system is protected by firewall and VPN. Then I printed it in the printer connected in the network.
      The network is very safe - I will not tell the name of company for privacy. The printer is connected to the system's network.
      Supposing that there's no one from inside evolved, is it possible to have a malicious intermediate between my computer and bitaddress?
      Any other ideas about how that happened?

      Another thing is your opinion about one method I'm thinking for generate a paper wallet in bitaddress.org. Everybody tells that the bitaddress' website is safe. Is that so?
      The idea is to enter in the website and switch off the internet. The next steps will all be done without any internet:
      - generate the wallets
      - restore the windows, erasing everything
      - take out this HD, connect to my other notebook and format it using the program Eraser, which records random information in the drive
      - return the HD to the previous notebook and install Windows again
      Only now, turn on the internet.

      Any risk in this procedure?

      Thank you.
      Jump to: