Topic: Why has my newly created Bitcoin address already been used?

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
After that paste this into your browser developer console.
Thanks, I'll play with it when I have a bit more time.

Quote
I cannot reproduce this ATM, so the website owner took the phishing version down, or is targeting only specific IP addresses, or found a less stupid way of stealing bitcoins :-)
It could also be that the site owner reset or increased his pool of private keys. If he reuses many keys, you won't quickly find one that's funded already. The addresses may not have been funded yet, but it could still be that the owner keeps track of them.
newbie
Activity: 16
Merit: 58
Can you share how you did this? I'd like to reproduce this. I have a crazy idea, but that's for another topic.
Go through (or skip) the seed generation process on that page. This will generate the first wallet. After that, paste this into your browser developer console. Increase 100 to a larger sample if needed. You can also go offline and change the console logging level to only INFO; this will make the process faster. Increase 10*i to 100*i or larger if you see many duplicate keys in a row in the console. You may need to change the element ids if it is your intention to audit a different website.

Code:
for (let i = 0; i < 100; i++) {
    window.setTimeout(
        function () {
            // Trigger the page's own "generate" button, then log the private key it displays.
            document.getElementById("papergenerate1").click();
            console.log(document.getElementById("btcaddressprivkey").textContent);
        }, 10 * i); // 10 ms is OK for offline mode; for online mode better use 100, to give time for loading of images. If you see many duplicates in a row, increase the value depending on your network connection.
}

Then get the console output (right click, Save As in Chrome) and import all of it into a wallet; I used Electrum (New wallet -> Import private keys -> paste all keys).

I cannot reproduce this ATM, so the website owner took the phishing version down, or is targeting only specific IP addresses, or found a less stupid way of stealing bitcoins :-)
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I have made a simple script to generate 100 addresses on bitcoinpaperwallet.com. Of these 100 addresses, 24 were already used (tx count > 0).
Can you share how you did this? I'd like to reproduce this. I have a crazy idea, but that's for another topic.

Quote
Last test: 10000 addresses generated, just to find who potentially lost the most because of this scammy website. It was 18zSTXqo1PrPLY3v53LaCqdd6WiXPBaw2c, with almost 4 BTC in February this year. To prove this, I have signed a message with the private key of this address.
That guy had been funding his address for a while before it got emptied, and even after it got emptied, he continued funding it (after which it got emptied instantly).
legendary
Activity: 2268
Merit: 18711
Interesting. I did not remember reading that at the Bitcoin wiki; my only takeaway was that paper wallets do not last long and can easily get damaged without the right storage conditions.
This is true, but it is also true of other storage media. Electronic storage is also susceptible to fire, flooding, moisture, etc., and electronic storage will also slowly degrade over time even in perfect storage conditions, as well as having a limited number of write cycles. A laminated piece of paper in a fireproof and waterproof safe would likely outlast you or me.

A paper wallet also doesn't actually have to use paper. You can also make a "paper" wallet in the fashion described above by inscribing the resulting seed phrase on a piece of metal, or by buying one of the devices manufactured for this purpose.
legendary
Activity: 2674
Merit: 1226
Livecasino, 20% cashback, no fuss payouts.
Never generated my own wallets, but I always thought these paper wallets are not recommended anymore?
They aren't recommended for newbies or casual users, because they are difficult to set up securely and difficult to use safely, and there are a lot more things that can go wrong than using a software or hardware wallet. If you know what you are doing, though, then they are one of the safest methods for long term bitcoin storage.

How do you mean turn the resulting number? A coin flip is Heads or Tails only, right?
You would assign heads the value of "1" and tails the value of "0" (or vice versa). Flipping the coin 11 times will give you an 11 digit number in binary. Convert that to base 10 and you get a number between 0 and 2047, which will correspond to a word from the BIP39 wordlist, which contains 2048 words.

Interesting. I did not remember reading that at the Bitcoin wiki; my only takeaway was that paper wallets do not last long and can easily get damaged without the right storage conditions.

Thanks very much for the tip on random conversion, and to bedla for explaining it more. I actually understood that, but only after referencing a few sites. It is definitely not for newbies, and not even for a regular user if you do not understand these technical terms!
legendary
Activity: 1624
Merit: 2481
I liked the idea of creating PrivKeys myself, with dice or any other kind of entropy, because that way I am totally sure I am the only one that knows it, but in the end I don't know what to do with it. How do I get an address from a HEX PrivKey? What about downloading several paper wallet sites, running them offline in a Live OS and comparing their results to make sure they are giving me the same WIF and address? Does anyone have a better suggestion?

It is easy.

Download and verify a live Linux distribution.
Install it onto a USB stick.
Boot it.
Use /dev/random to gather 256 bits of entropy.
Use openssl to generate your private key, public key and address.


If you don't trust a Linux distribution like Debian or Arch, or don't trust your hardware, you will never be able to use bitcoin securely.
In the end, you do need a computer to send a transaction. You need to trust your hardware.


Just don't use shit like online paper wallet generators. Not even offline. And not from github.
Just don't use them at all.

newbie
Activity: 16
Merit: 58
How do you mean turn the resulting number? A coin flip is Heads or Tails only, right?
With 11 flips you have a nice 11-bit number, which you can then convert from binary to decimal representation and then use the word on the corresponding line - https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

E.g. you can think of heads as 1, tails as 0.

For example:
Flips:       H T H H H T H H T H T
Binary:      1 0 1 1 1 0 1 1 0 1 0
Decimal:     1498 -> increment by one (because lines are numbered from 1, not from 0) -> 1499
BIP-39 word: robust - https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt#L1499
legendary
Activity: 2268
Merit: 18711
Never generated my own wallets, but I always thought these paper wallets are not recommended anymore?
They aren't recommended for newbies or casual users, because they are difficult to set up securely and difficult to use safely, and there are a lot more things that can go wrong than using a software or hardware wallet. If you know what you are doing, though, then they are one of the safest methods for long term bitcoin storage.

How do you mean turn the resulting number? A coin flip is Heads or Tails only, right?
You would assign heads the value of "1" and tails the value of "0" (or vice versa). Flipping the coin 11 times will give you an 11 digit number in binary. Convert that to base 10 and you get a number between 0 and 2047, which will correspond to a word from the BIP39 wordlist, which contains 2048 words.
legendary
Activity: 2674
Merit: 1226
Livecasino, 20% cashback, no fuss payouts.
The things people can learn about just by reading this section every now and then! Never generated my own wallets, but I always thought these paper wallets are not recommended anymore? Or is the Bitcoin wiki wrong now?

Flip a coin 11 times, turn the resulting number in to a BIP39 word from the word list. Repeat 22 more times.
Flip a coin 3 times, calculate the checksum using a permanently airgapped computer, pick the last word.

How do you mean turn the resulting number? A coin flip is Heads or Tails only, right?
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
Sorry if my question is a bit off topic; I'm quite new here and I would really appreciate someone pointing me in the right direction.
If your problem is just generating a paper wallet, then you shouldn't use a random online generator.
You can use any well-known client like Bitcoin Core, Electrum, Armory, etc.  to create the address and private key.
You can use them to create a key pair on an air-gapped machine; of course, the steps differ per client.

When it comes to trust, those mentioned wallets are "open-source", meaning that their source code is open for the public to check whether there is malicious code in it.
If you can't review it yourself, you can ask someone who's an expert on the programming language of the wallet's source code.

For hardware wallets, most are closed-source because if they aren't, then it will be easier to find a vulnerability to hack their firmware/hardware.
People are trusting them (the famous ones) because they "stand the test of time".

BTW, this topic has been derailed too far, it won't be an issue to create your own thread.
newbie
Activity: 2
Merit: 2
Downloading those sites, running them offline, and only using the "Wallet Details" to enter your dice-made HEX PrivKey to get your address should be ok, right?
Not necessarily. A site could quite easily just show you a pre-generated address from a list of pre-generated addresses which all belong to a malicious attacker, regardless of what private key you enter. Downloading the site and running it offline won't protect against that at all.

If you are going to go down that route, then you should use multiple sources to make sure that they generate the same address, and the sources you use should be open source. If you are unable to audit the code yourself, then find someone trusted to do it for you, or look for community consensus that the site or service is trusted. Ideally, the computer you enter your private key into should be permanently airgapped rather than just temporarily offline. If you don't have an airgapped computer, then run a live OS from a USB stick. You could download and verify Electrum from electrum.org, as well as an open source site such as bitaddress.org from their GitHub, and ensure the address generated by each service matches.

Sorry if my question is a bit off topic; I'm quite new here and I would really appreciate someone pointing me in the right direction.

So... What would be the best way to create your address? Sadly, in the end you will end up trusting someone else... many people say "just buy a hardware wallet", but then people are just trusting that company...

I liked the idea of creating PrivKeys myself, with dice or any other kind of entropy, because that way I am totally sure I am the only one that knows it, but in the end I don't know what to do with it. How do I get an address from a HEX PrivKey? What about downloading several paper wallet sites, running them offline in a Live OS and comparing their results to make sure they are giving me the same WIF and address? Does anyone have a better suggestion?

In the end, what do most people do to have their OWN wallets? Do most people download Bitcoin Core, or what? Or do they just trust someone else's code? What do most people here do? (Own nodes, I suppose?)

Thanks in advance!
member
Activity: 88
Merit: 13
Cheers!
Sorry if my question is a little dense; what was the wallet address(es) the OP created and where did the funds that were in those wallets end up going?  (Follow the money)
newbie
Activity: 16
Merit: 58
I have made a simple script to generate 100 addresses on bitcoinpaperwallet.com. Of these 100 addresses, 24 were already used (tx count > 0).

Code:
1KGNd5VeZtuznXkNykoJMF3x17LjNQDq3D
13uH54xDLpGFq4uFbAb6tJpG2ReSxpuza3
18AHh2tPonmQSrHPzAJ6RD2KMSG2WRt4in
19VYwcfjpmbN7NoYDJjRhCziK6pRMhhSb
19xbLFGJU8QkXvxzW2bbs8ANABNBfLkZPm
1BZHQanTxNyfbPnxHec72dG3mPvgDHKhRg
1529n4injHqVQLeC9gjtaG5xMmrJKYiFcn
16oLbqAuKCE6GpD1sB5pJ6VwxNh1Pa1YhK
17XJvVkQJ9TL9WRXk8g2tb3APS6vyXJJV6
18kQ7b8cvfvDaioFnncTffPK6rxfW2Ht2j
18o1NmcfKpTAiR1pZsPk3yPD4xV6subG18
19HX43m1W6eaxhT7qD8BmxPEDLU549ZYHX
19jnChYpb6GweNdjTvycZv3Lf8daytPtFd
1AjgxUANuB44ZsZ9qot12bjy2kmhmVJ6Zd
1B8YcYjJnpsapVRgGt5upGCHma9DbC4ADo
1BgK8t4YQkSvg9tnmeaCcKKqUuVFpPVmSX
1Ckzbj7yHgtbKRtxT5JZDrrtRLBGsaWWyr
1EimBpXgYqKP3twh5QPmgjpAVeGjCpbVgJ
1G2tcYNxgbndxvqaBCHDt4JLsXnCYnGxLz
1GDmoqDc4X51iBe4cpvHRwJTDuc3je8JKk
1JnuFETZRMcuJTJDj7xLs4qFjm7DMpcpKV
1KeAfFjH84v3Mg7uNbi66MZAMZMJKbA1wp
1PhW4HGRsn4DTZr2AWVZAviSgGnayN6Vhw
1QBUL6ddarYbqWSzHDKjMeNBQci59vZmNN



If anyone thinks this site is safe in offline mode, it is not. Another test: new seed, computer disconnected from the internet. Of 100 addresses, 27 were used.

Code:
1KGNd5VeZtuznXkNykoJMF3x17LjNQDq3D
13mFSZheed2VQgbEWGerxyrGqTnKk5ZUXT
13uH54xDLpGFq4uFbAb6tJpG2ReSxpuza3
19VYwcfjpmbN7NoYDJjRhCziK6pRMhhSb
14ZWc1YdsCT2bCRdxthyypzxrSnbaFN6Lm
112n8MsV55HQ5ibwjp1psFmtXHedpb4YTL
13o9YDygRaYeSsZuky9rhhwnzEcRLFywWi
1529n4injHqVQLeC9gjtaG5xMmrJKYiFcn
16oLbqAuKCE6GpD1sB5pJ6VwxNh1Pa1YhK
17XJvVkQJ9TL9WRXk8g2tb3APS6vyXJJV6
18kQ7b8cvfvDaioFnncTffPK6rxfW2Ht2j
18o1NmcfKpTAiR1pZsPk3yPD4xV6subG18
19HX43m1W6eaxhT7qD8BmxPEDLU549ZYHX
19jnChYpb6GweNdjTvycZv3Lf8daytPtFd
1AjgxUANuB44ZsZ9qot12bjy2kmhmVJ6Zd
1BgK8t4YQkSvg9tnmeaCcKKqUuVFpPVmSX
1Ckzbj7yHgtbKRtxT5JZDrrtRLBGsaWWyr
1EimBpXgYqKP3twh5QPmgjpAVeGjCpbVgJ
1G2tcYNxgbndxvqaBCHDt4JLsXnCYnGxLz
1GDmoqDc4X51iBe4cpvHRwJTDuc3je8JKk
1KZ4QS51KgmpE52m9NXp8rUCxUuYAK1FnN
1KeAfFjH84v3Mg7uNbi66MZAMZMJKbA1wp
1LYd9EdQdfQrwPn2Qx8CvwL8JHLr2Erot4
1MnG9KumACRJP158xntCb1i28TiT83Rxho
1NudbExzDo4xjGZZFmaxy7zzCd3J6NsXUW
1PhW4HGRsn4DTZr2AWVZAviSgGnayN6Vhw
1QBUL6ddarYbqWSzHDKjMeNBQci59vZmNN



Last test: 10000 addresses generated, just to find who potentially lost the most because of this scammy website. It was 18zSTXqo1PrPLY3v53LaCqdd6WiXPBaw2c, with almost 4 BTC in February this year. To prove this, I have signed a message with the private key of this address.

Code:
Message: bitcoinpaperwallet.com is SCAM!
Address: 18zSTXqo1PrPLY3v53LaCqdd6WiXPBaw2c
Signature: G6GKC3l+xjd19Bzh63mkL4qSNu65OGeSPgFTaN98a1KDE3n93h3+JO9CZvqQN6ejUGGReg1x8bk85JkDHRvFMPU=
legendary
Activity: 2268
Merit: 18711
Downloading those sites, running them offline, and only using the "Wallet Details" to enter your dice-made HEX PrivKey to get your address should be ok, right?
Not necessarily. A site could quite easily just show you a pre-generated address from a list of pre-generated addresses which all belong to a malicious attacker, regardless of what private key you enter. Downloading the site and running it offline won't protect against that at all.

If you are going to go down that route, then you should use multiple sources to make sure that they generate the same address, and the sources you use should be open source. If you are unable to audit the code yourself, then find someone trusted to do it for you, or look for community consensus that the site or service is trusted. Ideally, the computer you enter your private key into should be permanently airgapped rather than just temporarily offline. If you don't have an airgapped computer, then run a live OS from a USB stick. You could download and verify Electrum from electrum.org, as well as an open source site such as bitaddress.org from their GitHub, and ensure the address generated by each service matches.
newbie
Activity: 2
Merit: 2
It's obviously a scam; the person who bought walletgenerator also has bitcoinpaperwallet.

After some research, please look at this:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

and then you can see that directory listing is enabled:
https://bitcoinpaperwallet.com/bitcoinpaperwallet/

and finally this modified website:
https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-walletfe23t9u2fhjnj3f32.html

The random generator is broken in the same way as in the article:
Code:
var coinImgUrl = "https://bitcoinpaperwallet.com/bitcoinpaperwallet/images/logo-" + whichDesign + ".png";
...
var base64 = "data:image/png;base64," + btoa([].reduce.call(new Uint8Array(this.response),function(p,c){return p+String.fromCharCode(c)},''));
for(var i = 0; i < base64.length; i++)
{
    if(i+3 < base64.length)
    {
        if(base64.charCodeAt(i) != 0 && base64.charCodeAt(i+1) != 0 && base64.charCodeAt(i+2) != 0 && base64.charCodeAt(i) != 1 && base64.charCodeAt(i+1) != 1 && base64.charCodeAt(i+2) != 1)
        {
            SecureRandom.seedInt((base64.charCodeAt(i) * base64.charCodeAt(i+1) * base64.charCodeAt(i+2))*(i+1));
        }
    }
}
SecureRandom.loaded = 1;
};

So, beware of bitcoinpaperwallet.com and walletgenerator.net, they will steal your coins!!!



Question Good Sirs!

Downloading those sites, running them offline, and only using the "Wallet Details" to enter your dice-made HEX PrivKey to get your address should be ok, right?

Or what would be the best option to get an address from an HEX PrivKey?

Awesome work discovering this! much thanks!
newbie
Activity: 53
Merit: 0
Be cautious with services generating your addresses; you should look into bitcore.io, it's easy to use.


Here is how you can install it and run it
https://github.com/bitpay/bitcore#bitcore



Please, don't. Bitcore wallet / Copay is unmaintained, at least on the Bitcoin side (they focused mostly on Bcash).

Electrum has easy multisig and it is also cross-platform.
newbie
Activity: 4
Merit: 35
It's obviously a scam; the person who bought walletgenerator also has bitcoinpaperwallet.

After some research, please look at this:
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

and then you can see that directory listing is enabled:
https://bitcoinpaperwallet.com/bitcoinpaperwallet/

and finally this modified website:
https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-walletfe23t9u2fhjnj3f32.html

The random generator is broken in the same way as in the article:
Code:
var coinImgUrl = "https://bitcoinpaperwallet.com/bitcoinpaperwallet/images/logo-" + whichDesign + ".png";
...
var base64 = "data:image/png;base64," + btoa([].reduce.call(new Uint8Array(this.response),function(p,c){return p+String.fromCharCode(c)},''));
for(var i = 0; i < base64.length; i++)
{
    if(i+3 < base64.length)
    {
        if(base64.charCodeAt(i) != 0 && base64.charCodeAt(i+1) != 0 && base64.charCodeAt(i+2) != 0 && base64.charCodeAt(i) != 1 && base64.charCodeAt(i+1) != 1 && base64.charCodeAt(i+2) != 1)
        {
            SecureRandom.seedInt((base64.charCodeAt(i) * base64.charCodeAt(i+1) * base64.charCodeAt(i+2))*(i+1));
        }
    }
}
SecureRandom.loaded = 1;
};

So, beware of bitcoinpaperwallet.com and walletgenerator.net, they will steal your coins!!!

legendary
Activity: 2268
Merit: 18711
-snip-
Ooft. Having a closer read of the text on their website, it is full of shady implications like this.

Quote
This generator is based on BitAddress, the well established and most trustworthy open-source engine for generating addresses using your own browser's JavaScript engine.
This is utterly meaningless. "Based on a trusted open-source engine"? All the scam versions of Electrum which were downloaded were "based on a trusted open-source engine".

Quote
To be more secure, you should download this wallet generator from GitHub and run it offline
Can anyone find a GitHub repository? I can't find a single link anywhere on the site. The original is here: https://github.com/cantonbecker/bitcoinpaperwallet, but obviously hasn't been updated in 2 years.

Their "endorsement" by Andreas Antonopoulos was from before the site was sold.

Worth noting that the Bitcoin Wiki still says it is open-source and links to the now defunct GitHub. This needs updating. I'll make a post in the Wiki board.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
It seems indeed that there have been some shenanigans of some sort, since the site was sold: https://www.reddit.com/r/btc/comments/942435/bitcoinpaperwalletcom_is_under_new_ownership/
I especially don't like the part on bitcoin paper wallet dot com where it says:
Quote
Why trust this site?
~snip~
We—started this service in 2013
They don't mention the fact that the current owner bought the site. I wonder why.
HCP
legendary
Activity: 2086
Merit: 4361
Not to mention the ones mentioned earlier on reddit and then this one on stackexchange:
https://bitcoin.stackexchange.com/questions/85038/what-did-i-do-wrong-that-caused-me-to-lose-bitcoin


It seems indeed that there have been some shenanigans of some sort, since the site was sold: https://www.reddit.com/r/btc/comments/942435/bitcoinpaperwalletcom_is_under_new_ownership/

Hopefully it's just a weak RNG... but you'd have thought that if that was the case, more people would have been caught up in this. bitcoinpaperwallet was a VERY popular site...

I guess for now, the recommendation is: AVOID bitcoinpaperwallet.com!
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
On the service https: // bitcoinpaperwall ... on the second attempt, the address 1MfPqSDiraPRBVyYASNkF8oc5Ja1ZkdsZn was "generated". I even made a screenshot for memory.
You're the third person who has reported the same issue here so far; there's something really "fishy" about that site.
Either the code is flawed or there's a number of pre-generated keys being monitored by the owner.
newbie
Activity: 5
Merit: 0
On the service https: // bitcoinpaperwall ... on the second attempt, the address 1MfPqSDiraPRBVyYASNkF8oc5Ja1ZkdsZn was "generated". I even made a screenshot for memory.
legendary
Activity: 2394
Merit: 2223
Signature space for rent
The case is interesting; that's the reason why I always discouraged newbies from using paper wallets, because a newbie couldn't determine which is a scam or phishing website and they might get scammed eventually. We should always follow good practice: if you use the original Electrum software and verify the signature, then you may use it as a paper wallet as well, since you are allowed to export private keys. Otherwise I would encourage buying a hardware wallet instead of a paper wallet if you can afford the small investment. Your funds at least will be safe. But don't forget to write your seed or private keys on multiple papers and keep them safe in multiple places. Don't save them onto any online machine.
member
Activity: 84
Merit: 22
Be cautious with services generating your addresses; you should look into bitcore.io, it's easy to use.


Here is how you can install it and run it
https://github.com/bitpay/bitcore#bitcore

legendary
Activity: 2268
Merit: 18711
My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.
Or unless you read the source code to see how the k values were being generated, as I said above.

There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.
Provided you are importing your paper wallet to an airgapped computer in the privacy of your own house, and you don't have a camera pointed at you while you are doing it or something equally stupid, what kind of things are you referring to that make a paper wallet more risky than an airgapped wallet?
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.
Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.
My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.

You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.
That can't be a problem as long as you use the address only once, right?
No. The point of my hypothetical attack is to leak information that is more valuable than a single private key, such as a seed list. Your seed list might be able to calculate many private keys that hold a lot of coin, but each private key only contains a small amount of coin.

In my hypothetical example, there might be 12 combinations in the yyzzzzz portion of the k value that are produced at random, plus one additional message that indicates to an attacker that messages are being "sent", similar to a "ping". Once a single message hidden in the k value is detected, the hacker could look at change addresses for additional hidden messages in the k value.



Quote
The scope of possible attacks is also greater when using a paper wallet than using an encrypted wallet.
So encrypt the paper wallet.
I was actually referring to a wallet encrypted on a hard drive or computer. A paper wallet encrypted with the passphrase "LoyceV123" has less security than a private key encrypted on a hard drive/computer with the same passphrase. When you want to spend coin on a paper wallet, you need to load the private key temporarily onto a computer to sign a transaction, and there are some things that could cause the private key to become compromised. Your private key could become compromised via your computer, and any of these things could happen regardless of whether the private key is on a paper wallet or stored on a hard drive. There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.
HCP
legendary
Activity: 2086
Merit: 4361
Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase in to iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy.
That's actually a pretty neat feature of that BIP39 tool... Just need to pick a word that uses the same initial entropy as the N bits of entropy leftover (7 for 12 words, 3 for 24 words) and then pad it out to 11 bits, then click "entropy details" and it'll correct it automagically!

So, basically, an offline copy of the BIP39 tool and a coin... and one can randomly generate mnemonics to their heart's content, knowing that they don't need to worry about "bad" RNGs (assuming their coin isn't biased!)
legendary
Activity: 2268
Merit: 18711
If you are going to use something like Electrum on your airgapped device to import your hand-generated seed phrase to give you an address to send to, then you could skip manually calculating the hash for the checksum altogether and just brute force it, as Electrum will tell you when you are using an invalid checksum. With the first 3 bits of entropy already known, there will only be 256 possible words.

Everything else can still be done with a computer after the number was physically generated using a coin or something like that.
You still need to be sure that the software you are using isn't just spitting out pre-generated addresses regardless of what seed phrase you enter. You could go through the process of performing each operation from seed to address manually, or more simply (as Loyce has said above) you could import your seed phrase in to multiple different wallets (all airgapped of course) and ensure the generated addresses match up.

It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic!
Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase in to iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy. Doing so will obviously then lead to a different wallet with different addresses, so can only lead to more confusion down the line.
legendary
Activity: 3472
Merit: 10611
Won't padding out the checksum cause issues down stream when you attempt to restore this in a wallet tho?

That's true, but when someone is going around the conventional methods of creating a mnemonic, then the assumption is that they are already using unconventional methods and code that should take all of this into consideration.
HCP
legendary
Activity: 2086
Merit: 4361
Won't padding out the checksum cause issues downstream when you attempt to restore this in a wallet though?

It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic!

But yes, I was being facetious about manually calculating the SHA256 hash... the setup you are using has a really good mix of "randomness", security and convenience. I like it.
legendary
Activity: 3472
Merit: 10611
Now all you need to do is do your SHA256 hash by hand to generate the checksum and you've got the complete no-computer solution to generating a seed mnemonic.
It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so.
There are just some things that are better left to computers.

Well, you don't have to have a checksum, since it is not mandatory. You can just pad the entropy with zeros and then derive the mnemonic from that.
Besides, the problem is never with the checksum and things like that. The problem that makes people want to flip coins is the Random Number Generators; everything else can still be done with a computer after the number was physically generated using a coin or something like that.
HCP
legendary
Activity: 2086
Merit: 4361
Flip a coin 11 times, turn the resulting number in to a BIP39 word from the word list. Repeat 22 more times.
Flip a coin 3 times, calculate the checksum using a permanently airgapped computer, pick the last word.
Write down on paper, import into a wallet or iancoleman on your permanently airgapped computer to generate a receiving address (Optional: add in a passphrase and write that down on a separate piece of paper).
Whole thing can be done in 15-20 minutes.
Now all you need to do is do your SHA256 hash by hand to generate the checksum and you've got the complete no computer solution to generating a seed mnemonic Tongue

It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so Tongue


There are just some things that are better left to computers Wink
legendary
Activity: 2268
Merit: 18711
-snip-
To be fair, if an attacker is able to install probes on my power supply or a camera in my house, I've got far bigger problems than the safety of my cold storage. Tongue

This guy shows in this video how to do it
It's a nice video, but he is only generating a single private key and not an entire seed phrase, which is far more straightforward. Once you've flipped a coin 256 times, all you have to do is convert the result to Base58Check and you've got yourself a private key. You don't need to worry about word lists or checksums as you would if you were generating a seed phrase.
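Added example, not from any poster in this thread: the "256 flips to Base58Check" step o_e_l_e_o describes, written out in Python so the conversion can be checked on the airgapped machine. The 'H'=1 / 'T'=0 convention is a constructed choice, the range check is the one caveat the flips themselves don't give you (a result of 0 or above the secp256k1 group order is not a valid key, however unlikely), and the decoder is the "test your paper wallet before funding it" check from later in the thread: it verifies the four checksum bytes and hands back the key integer.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def b58encode(data):
    """Base58 with the Bitcoin alphabet; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # raises ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(payload):
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def b58check_decode(s):
    raw = b58decode(s)
    payload, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != check:
        raise ValueError("bad Base58Check checksum")
    return payload


def flips_to_privkey(flips):
    """256 coin flips ('H'=1, 'T'=0; constructed convention) -> integer private key.
    Rejects the astronomically unlikely results outside [1, n-1]: flip again."""
    if len(flips) != 256:
        raise ValueError("need exactly 256 flips")
    d = int("".join("1" if c in "Hh" else "0" for c in flips), 2)
    if not 1 <= d < SECP256K1_N:
        raise ValueError("result is not a valid secp256k1 private key; flip again")
    return d


def privkey_to_wif(d, compressed=True):
    """Mainnet WIF: 0x80 || 32-byte key [|| 0x01 for compressed pubkeys], Base58Check."""
    payload = b"\x80" + d.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return b58check_encode(payload)


def wif_to_privkey(wif):
    """Decode and validate a WIF string -> (key_int, compressed_flag).
    Run this on the offline system to confirm the key you wrote down round-trips."""
    payload = b58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF private key")
    compressed = len(payload) == 34
    if compressed and payload[-1] != 0x01:
        raise ValueError("bad compression flag byte")
    return int.from_bytes(payload[1:33], "big"), compressed


if __name__ == "__main__":
    # Constructed input: 255 tails then one head, i.e. private key 1.
    key = flips_to_privkey("T" * 255 + "H")
    print(privkey_to_wif(key, compressed=False), privkey_to_wif(key))
```

Whether the key is written down in compressed or uncompressed form decides which address the funds must be sent to, so keep the flag consistent between the paper and whatever wallet you later import into.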
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Flip a coin 11 times, turn the resulting number into a BIP39 word from the word list. Repeat 22 more times.

This guy shows in this video how to do it.
Very interesting, and if you want to do it, it's worth checking out.
https://www.youtube.com/watch?v=ieHoQ4sGuEY
legendary
Activity: 1624
Merit: 2481
Is it by chance possible to change the private key to that address?

No.
The address is basically the hash of the public key. And the public key is derived from the private key.
hero member
Activity: 2464
Merit: 519
Is it by chance possible to change the private key to that address?
legendary
Activity: 1624
Merit: 2481
Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins.

Technically, this isn't completely true  Tongue

There are quite a few papers about how to exfiltrate data from air-gapped computers.
Those techniques are highly sophisticated and the chances of this happening to you are close to zero. But some would include:

  • AirHopper: Malware to encode data into FM signals transmitted from a screen cable. This signal can be received by any smartphone with an FM receiver.
  • PowerHammer: Exfiltration via powerline: With probes on the computer and the power control box, malware on the air-gapped computer can increase/decrease the CPU load by doing useless (but resource-heavy) calculations to transmit data via the power line.
  • Another option requires a camera to be installed close to the computer: using the hard disk LEDs to transmit data.

Those are not just theories; they have been proven to work.
There are a few more extremely fascinating (and highly unlikely) attacks which could extract data from such an air-gapped setup.
Quite a few papers have been published which cover exactly that: exfiltrating data from air-gapped computers. They are quite exciting to read.

It is obvious that no typical crypto holder will face such an attack, although it's interesting to know which techniques exist  Smiley
legendary
Activity: 2268
Merit: 18711
That can't be a problem as long as you use the address only once, right?
It could also be a problem if you have exposed your master public key to anyone. The combination of knowing a master public key and one of the child private keys allows you to derive all the other child private keys.

Have you ever checked this much before broadcasting a transaction?
Once or twice, but mostly as a learning exercise for myself rather than any genuine concern that the software I am using is using a non-random k value. However, I generally use Electrum as my interface for accessing paper wallets or other cold storage, which has used RFC 6979 for generating k values since version 1.9, so this isn't an attack vector I am particularly concerned about.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.
That can't be a problem as long as you use the address only once, right?

Whenever I sign a message offline, I use different software to decode the raw transaction and see if it still does what I want. I've never seen a problem there, but it doesn't hurt to be sure.

Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.
This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.
I've seen the scenario before, and you're right. I've consolidated a paper wallet before, sending the funds back to the same wallet.

If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values.
Have you ever checked this much before broadcasting a transaction?
legendary
Activity: 2268
Merit: 18711
Creating a 7 of 7 multi-sig private key should be less risky than creating a private key that requires one signature to spend coin (assuming you can easily replicate the procedure to keep each private key secure).
I mean, sure, but that is completely irrelevant to what we are discussing here. Paper wallets which are generated via flipping a coin and paper wallets which are generated via third party code/software will be exactly as easy or difficult to spend from as each other, and exactly as secure or not to spend from as each other, depending on how and where you opt to import the seed/private key. Generating entropy by hand decreases your risk from malicious or flawed code generating non-random entropy. It is irrelevant to the spending process.

This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.
Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
You have to trust software to spend your coin when you spend it.
Risk and trust can never be zero, but it is all about reducing your risk to a minimum.
You need to weigh the risk with the cost of mitigating the risk. Creating a 7 of 7 multi-sig private key should be less risky than creating a private key that requires one signature to spend coin (assuming you can easily replicate the procedure to keep each private key secure). At a minimum, this would increase the time it takes you to sign transactions and would increase the cost you pay to get each transaction confirmed. You could further reduce your risk by storing each of the 7 private keys in different countries, each located in a different continent; assuming you are acting as an individual, it would cost you thousands of dollars each time you want to spend coin because you would have to travel to 7 different countries to do so.

Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.
This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.

In a simplistic example, the k value could be 20 digits, the malicious software could always have a value of xxxxxxxxxxxxxx[13 digits that is known to the author of the malicious software]yy[the index of a list]zzzzz[the actual message]. The x values would be one of a set of known values allowing the attacker to easily filter possible k values. The y values would be the index in a list, with the entire list being the entire message, such as your seed.

I just generated a seed: [concert, eyebrow, peasant, exile, fold, gather, sense, drastic, twice, clip, orchard, defy]

The y and z values could be 02peasa to correspond to the 2 index of the above list and the first 5 digits of the seed word. After this happens many times, the attacker would have enough information to easily brute force your entire seed.

Or malicious software could simply use a k value known to the attacker, the attacker could check all unconfirmed transactions for that k value, and create a double-spend transaction with a high transaction fee before your transaction is confirmed.
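Added example, not code from any poster in this thread: pure-Python secp256k1 that shows the three things argued over in the posts above in working form. `sign` uses a deterministic nonce (HMAC-SHA256 of key and message; a simplified stand-in for RFC 6979, not the RFC's exact procedure) so an honest wallet never repeats k across different messages, and accepts an explicit k to model the broken or malicious wallet; `key_from_nonce` is the relation "if you know one, it is trivial to calculate the other"; `find_reused_r` is the pre-broadcast R-value comparison o_e_l_e_o describes; and `siblings_from_xpub` is the master-public-key plus one-child-private-key derivation from the earlier post. Keys, chain code and messages are constructed sample values.

```python
import hashlib
import hmac

# secp256k1 domain parameters (field prime, group order, generator)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication (teaching code, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC1 compressed encoding, as BIP32 serialises public keys."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k=None):
    """ECDSA (r, s). k=None: nonce = HMAC-SHA256(d, msg), deterministic in the
    spirit of RFC 6979 but NOT the RFC's exact procedure. A caller-supplied k
    models a wallet that picks its nonce badly."""
    z = msg_hash(msg)
    if k is None:
        k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N
    r = ec_mul(k, G)[0] % N
    s = (z + r * d) * pow(k, -1, N) % N
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(msg_hash(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def key_from_nonce(sig, msg, k):
    """s = (z + r*d)/k, so one signature plus k yields d = (s*k - z)/r.
    This is why k must stay secret and must never be leaked or repeated."""
    r, s = sig
    return (s * k - msg_hash(msg)) * pow(r, -1, N) % N


def find_reused_r(sigs):
    """Defender's pre-broadcast check: group signatures by r. Two different
    messages sharing an r means the same k was used twice."""
    seen = {}
    for i, (r, _) in enumerate(sigs):
        seen.setdefault(r, []).append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}


# BIP32 non-hardened CKDpriv: k_i = k_par + parse256(IL) mod n, where
# IL = HMAC-SHA512(chain_code, serP(K_par) || ser32(i))[:32].
def bip32_il(parent_pub, chain, i):
    data = compress(parent_pub) + i.to_bytes(4, "big")
    return int.from_bytes(hmac.new(chain, data, hashlib.sha512).digest()[:32], "big")


def child_priv(parent_d, chain, i):
    return (parent_d + bip32_il(ec_mul(parent_d, G), chain, i)) % N


def siblings_from_xpub(parent_pub, chain, i, child_d, others):
    """xpub (parent pub + chain code) plus child i's private key gives the parent
    private key, hence every other non-hardened child. (BIP32's rule to skip an
    index whose IL >= n or whose key is 0 is omitted here for brevity.)"""
    parent_d = (child_d - bip32_il(parent_pub, chain, i)) % N
    return [(parent_d + bip32_il(parent_pub, chain, j)) % N for j in others]
```

The R-value comparison only catches a wallet that repeats k outright; a wallet that leaks bits through k in the way PrimeNumber7 sketches produces distinct R values every time, which is why reading the source (or using a wallet with a deterministic, published nonce scheme such as RFC 6979) is the stronger of the two checks.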
legendary
Activity: 2268
Merit: 18711
You have to trust software to spend your coin when you spend it.
Risk and trust can never be zero, but it is all about reducing your risk to a minimum. If I want to spend from my paper wallet, then I will be importing my seed to my permanently airgapped computer, using it to sign a transaction, and then moving my signed transaction to an internet connected computer to broadcast it. Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.

Creating a key "by hand" also has a greater potential to make mistakes.
I don't disagree with you here, and as I said above I wouldn't recommend this technique to new users by any means. But if someone knows what they are doing, and double checks everything, then it's a more secure method to generate entropy than relying on third party code which you almost certainly haven't audited.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
Is there a specific reason to not gather the entropy from an electronic device?
You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.

Creating a key "by hand" also has a greater potential to make mistakes.

The scope of possible attacks is also greater when using a paper wallet than using an encrypted wallet.
legendary
Activity: 1876
Merit: 3132
It is not even possible to enter this page if you use an antivirus! Bitdefender blocks it.

It depends on the anti-virus software you use. I use Malwarebytes Premium and it doesn't block the website.
member
Activity: 170
Merit: 58
Hello o_e_l_e_o, thanks for answering.

Excuse me, I did not generate the key on Bitaddress.org, but on https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html#, and I did not download it, I ran it directly on the web.


It is not even possible to enter this page if you use an antivirus! Bitdefender blocks it.
legendary
Activity: 2268
Merit: 18711
If you are calculating the checksum on an airgapped computer and generating the address on it, why not simply create the seed/private key on it as well ?
Because there is far less trust involved in performing a single SHA256 hash than there is generating your entire 256 bits of entropy from a piece of software, unless you've written the software yourself or read the entire code, but 99.99% of people can't or won't do that.

Is there a specific reason to not gather the entropy from an electronic device? Or do you just like generating it from scratch ?
As Loyce says, provided I am using a fair coin (or even better, a variety of coins), there is essentially zero chance that my output isn't truly random.
legendary
Activity: 1624
Merit: 2481
You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.

That's why I said the following:
Don't ever use websites to create a paper wallet (neither online nor offline).

Trust required towards the software is true. But I'd say you can pretty much trust an officially signed open source Linux distribution and openssl (or Electrum).
Because that's basically all you need (or even less when generating it with coin flips). And that's what I was talking about.

But I was curious regarding the coin flips from o_e_l_e_o, and why he chose to use them instead of the other possibilities (openssl / electrum / core) on an airgapped computer (which has to be used anyway).
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Is there a specific reason to not gather the entropy from an electronic device?
You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
legendary
Activity: 1624
Merit: 2481
Am I the only one who generates my paper wallets manually?

Flip a coin 11 times, turn the resulting number into a BIP39 word from the word list. Repeat 22 more times.
Flip a coin 3 times, calculate the checksum using a permanently airgapped computer, pick the last word.
Write down on paper, import into a wallet or iancoleman on your permanently airgapped computer to generate a receiving address (Optional: add in a passphrase and write that down on a separate piece of paper).
Whole thing can be done in 15-20 minutes.

If you are calculating the checksum on an airgapped computer and generating the address on it, why not simply create the seed/private key on it as well?
That would be my approach.

I'd rather spend 2 minutes typing commands than 15 minutes flipping coins  Cheesy

Is there a specific reason to not gather the entropy from an electronic device? Or do you just like generating it from scratch?
legendary
Activity: 2268
Merit: 18711
As others have said, there are multiple scam reports against bitcoinpaperwallet.com since the site was sold.
https://www.reddit.com/r/btc/comments/ea6bxg/warning_bitcoinpaperwalletcom_is_compromised/
https://www.reddit.com/r/CryptoCurrency/comments/cyd6uj/bitcoinpaperwalletcom_scam_or_not_4_btc_stolen/
https://np.reddit.com/r/Bitcoin/comments/cs68ri/my_paper_wallet_generated_on/



Am I the only one who generates my paper wallets manually?

Flip a coin 11 times, turn the resulting number into a BIP39 word from the word list. Repeat 22 more times.
Flip a coin 3 times, calculate the checksum using a permanently airgapped computer, pick the last word.
Write down on paper, import into a wallet or iancoleman on your permanently airgapped computer to generate a receiving address (Optional: add in a passphrase and write that down on a separate piece of paper).
Whole thing can be done in 15-20 minutes.

If you are using paper wallets for long term storage of the majority of your funds, then why not take the time to remove the trust for a third party generating your seed/keys entirely?

I do accept that this is outwith the scope of casual users, but if you have the knowledge to do it safely this way, then why rely on someone else's code?
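Added example, not code from any poster in this thread: the checksum arithmetic behind the coin-flip procedure above and behind the iancoleman "fix the last word" behaviour discussed near the top of the thread, in Python. It goes slightly beyond the 24-word case: the entropy/checksum split is computed from the word count, so it also covers 12-word phrases. The 2048-word list is not embedded; the functions work on word indices (0 = "abandon"), and the coin-to-bit mapping 'H'=1 / 'T'=0 is a constructed convention.

```python
import hashlib

WORD_BITS = 11  # each BIP39 word encodes 11 bits (2048-word list)


def entropy_bits_for(n_words):
    """BIP39: n*11 bits in total, of which 1/33 is checksum. 12 words -> 128, 24 -> 256."""
    return n_words * WORD_BITS * 32 // 33


def checksum_bits(entropy):
    """First len(entropy)/32 bits of SHA256(entropy), as a '0'/'1' string."""
    n_check = len(entropy) // 32
    digest = hashlib.sha256(int(entropy, 2).to_bytes(len(entropy) // 8, "big")).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[:n_check]


def flips_to_bits(flips):
    """Coin flips as 'H'/'T' characters -> '1'/'0' bits (constructed convention)."""
    return "".join("1" if c in "Hh" else "0" for c in flips)


def mnemonic_indices(entropy):
    """Entropy bits (e.g. 256 coin flips) -> 24 word indices into the BIP39 list.
    23 words use 253 flips; the last word is 3 more flips plus the 8 checksum bits."""
    if len(entropy) % 32 or not 128 <= len(entropy) <= 256:
        raise ValueError("entropy must be 128..256 bits and a multiple of 32")
    bits = entropy + checksum_bits(entropy)
    return [int(bits[i:i + WORD_BITS], 2) for i in range(0, len(bits), WORD_BITS)]


def checksum_valid(indices):
    """What a wallet checks on import: re-assemble the 11-bit chunks and compare
    the trailing checksum bits against SHA256 of the entropy part."""
    bits = "".join(format(i, "011b") for i in indices)
    n_ent = entropy_bits_for(len(indices))
    return bits[n_ent:] == checksum_bits(bits[:n_ent])


def fix_last_word(indices):
    """What a tool does when it 'corrects' the last word: keep every entropy bit,
    including the few carried by the final word, and recompute only the checksum.
    The result is a different wallet from whatever the invalid phrase mapped to."""
    bits = "".join(format(i, "011b") for i in indices)
    return mnemonic_indices(bits[:entropy_bits_for(len(indices))])


if __name__ == "__main__":
    # Constructed input: 256 tails. Known BIP39 vector: "abandon" x23 + "art" (index 102).
    print(mnemonic_indices(flips_to_bits("T" * 256)))
```

Padding the last 3 bits with zeros, as suggested elsewhere in the thread, is the same computation with those three flips skipped; what you cannot skip is the checksum if you want a phrase that a standard wallet will accept without being told to bypass validation.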
legendary
Activity: 1624
Merit: 2481
Here is a better thought: instead of using websites or even their source code you can use a popular wallet to create a paper wallet, wallets such as Bitcoin Core or Electrum.
Just download them, verify their signature and then go offline on an airgapped machine. Run the wallet and create a new key or, better yet, create a mnemonic with an HD wallet such as Electrum. Then write that down on a piece of paper as your paper wallet.
If you like the design that those sites offer, you can always find their source code (or even through the HTML of the site that is open) and save the picture, which is usually a jpg file, and print your key on that.

This is the way to go.


Don't ever use websites to create a paper wallet (neither online nor offline).

The most secure way to generate a paper wallet is to use a live linux distribution on an offline computer.
Either use Electrum or any other reputable open source software (signature verified) to generate a private key / mnemonic code, or just use openssl from the command line. Both work.

Just don't ever use a website. The risk is way higher and not worth it.
legendary
Activity: 1134
Merit: 1598
Here is a better thought: instead of using websites or even their source code you can use a popular wallet to create a paper wallet, wallets such as Bitcoin Core or Electrum.
Just download them, verify their signature and then go offline on an airgapped machine. Run the wallet and create a new key or, better yet, create a mnemonic with an HD wallet such as Electrum. Then write that down on a piece of paper as your paper wallet.
If you like the design that those sites offer, you can always find their source code (or even through the HTML of the site that is open) and save the picture, which is usually a jpg file, and print your key on that.
+1. Cheesy I never felt secure when using paper wallets generated by a website.

If you are not new to PCs and like trying out new stuff, there is one more thing you can do: securely flash Tails (a Linux distro) on a 8GB+ USB stick and use Electrum over there offline (or online, your choice).

Unplug your Ethernet cable (optional step: physically disconnect all hard drives from your PC), insert the bootable USB, boot Tails from it and there you have an offline, airgapped PC to safely use Electrum with (Electrum is preinstalled on this distro). And as far as I know, you could use Tails even online with Electrum safely - as long as you've verified the flashed ISO signatures correctly, risks should be minimal. Smiley

Just make sure you store the seed correctly when generating the wallet and you should be good to go. Once you shut down or reboot your PC, everything on the stick will be reset and any new change/file will be deleted.

The advantage of this is that afterwards you can just shut down your PC, unplug the USB stick and use it again whenever you like. Moreover, your bootable Tails will run on Tor all the time.
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
Here is a better thought: instead of using websites or even their source code you can use a popular wallet to create a paper wallet, wallets such as Bitcoin Core or Electrum.
Just download them, verify their signature and then go offline on an airgapped machine. Run the wallet and create a new key or, better yet, create a mnemonic with an HD wallet such as Electrum. Then write that down on a piece of paper as your paper wallet.
If you like the design that those sites offer, you can always find their source code (or even through the HTML of the site that is open) and save the picture, which is usually a jpg file, and print your key on that.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Excuse me I did not generate the key on Bitaddress.org, but on https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html#
I've used that site several times, but never since it changed ownership. I still have its source from years ago, and that's what I use. I do the same with bitaddress.org: I don't trust newer versions, and even though I have no reason not to trust them, there's also no need to "upgrade".
If bitcoinpaperwallet.com really turned into a scam, it would be very nice if someone can find hard evidence in the (open) source.

* Download and use offline. Use for example Ubuntu or Knoppix from a LIVE DVD without ethernet/Wi-Fi

It's even better not to trust any site's random generator. You can for instance create a private key by throwing a die (read up on how to properly do this!), or combine 2 random generators by creating a split-key vanity address on a different system, then combining it with the original. This is a lot more work and prone to failure if you're not sure what you're doing.
Another option would be to get a private key from Bitcoin Core and use that as a paper wallet.

One last suggestion: test your paper wallet (again: on an offline system) before funding it. Make sure you have the correct private key to access the address.
legendary
Activity: 3682
Merit: 1580
there have been scam accusations against that site on this forum as well. it's definitely a scam operation.
newbie
Activity: 3
Merit: 19
Hi nc50lc, thank you for clarifying these points for me.

legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
There are a couple of off-site scam accusations for that paper wallet generator after the change of ownership, but nothing in this forum.
Just do not use that site (or any online address generator in general);
if you really want to, use bitaddress's source offline instead since bitcoinpaperwallet claims to be a fork of bitaddress.

And there's this guy with the same issue:
I've recommended this website to my friend. He just got back to me saying, that the wallet he just generated had previous in and out transactions starting in Jan 2019 and ending last month - March 2020. I spoke with him extensively, and I can't find any reasonable explanation. This is the address he "generated" two days ago: https://www.blockchain.com/btc/address/1PoZHV4rrftuv8YuoDgRqji1syuSw141q8
newbie
Activity: 3
Merit: 19
Hello o_e_l_e_o, thanks for answering.

Excuse me, I did not generate the key on Bitaddress.org, but on https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html#, and I did not download it, I ran it directly on the web.

legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
The Bitcoin Cash in turn is shown with another address. -snip-
It's the same address in "cash address" format; every BCH sent to the '1' address will also be reflected in the 'q' address, as they are interchangeable for compatibility reasons.

The main issue is: you might have clicked a fake bitaddress URL just like o_e_l_e_o said.
legendary
Activity: 2268
Merit: 18711
If the address you have generated has previous outgoing transactions visible on a blockchain explorer, then yes, someone else has access to one of the private keys that controls that address.

The chance that you have completely randomly generated the same address as someone else is astronomically small. Far more likely is that you have used a malicious version of bitaddress which is generating pre-defined addresses, or you have clipboard malware which has changed your generated address to something different, or potentially an error on your part.

Can you confirm the URL of the Bitaddress site you used? Did you download the site and run it offline?
newbie
Activity: 3
Merit: 19
Greetings

A few days ago I created a paper wallet on the bitcoinpaperwallet portal; then I checked it on the Blockchain page, and it tells me that this address has two blockchains, one for Bitcoin and another for Bitcoin Cash. The Bitcoin Cash one in turn is shown with another address. I'm just learning about this topic, and I suppose that up to here everything is normal, but then it happens that when I enter the Bitcoin chain, it shows me that two transactions have already been made, one in and one out, one minute apart, in May 2019; but in the incoming one there is a history of transactions to different addresses including this one, whose total sum is the one that is withdrawn in the second transaction, leaving the account at 0, which in my ignorance seems to me an inconsistency since the system tells me "total transfers 2". On top of all this, what worries me the most is the following: if each created key is supposed to be random and unique in the blockchain, at least Bitcoin, why has my newly created Bitcoin wallet already been used? Does this mean that now at least two users have access to the same wallet without our consent?

I would greatly appreciate whoever can answer me.