Are paper wallets safe?

Research on malicious paper private key generation techniques

Posted on Jun 10, 2020 | Blog

Bitcoin Paper Wallet

In cryptocurrency, the “private key” of a wallet is equivalent to the assets stored in the wallet. It is the only token that can be used to operate the funds in the wallet. If the private key is generated or managed without meeting a set of basic requirements, the result can be serious security flaws. Almost all cryptocurrency theft incidents in recent years are related to improper private key generation or management.

Besides being used for trading, Bitcoin wallets are usually also responsible for the generation of private keys. Some users with high security awareness will choose to generate their private keys using an offline generation method, importing the private key into the wallet only at the moment of making a transaction.

Paper wallet generation is one of the most popular methods of generating private keys offline. Users only need to prepare a clean and safe computer, connect to a paper wallet generation website, disconnect from the network, and directly use the function of generating a private key to obtain a new set of private keys and the corresponding wallet address.

Looking more closely at how paper wallets work, there is no need to connect to the Internet to generate the private key. The private key itself is a string of random numbers, and generating it only requires a random number seed that is “random enough” to meet the criteria.

Paper wallet generation websites usually provide a JavaScript program that can work offline. When the user’s computer is disconnected from the network and the user clicks Generate Private Key, the program uses sources of randomness such as mouse movement, keyboard input and system time as parameters to draw a random number that meets the standard from the system random number pool, and from it generates the private key.

But is it completely safe to generate the private key by this method?

The following analysis shows that even on a clean and safe computer that is kept offline while the private key is generated, and even with no driver interception in the printer service used to print the paper wallet, generating a private key through a paper wallet generation website can still be a compromised process that leads to theft of funds.

Po Wei Chen is a former security researcher at CYBAVO and still a regular collaborator. After researching the matter, Po Wei, who is also the founder of Cypherpunks Taiwan, found that some users who created their paper wallets on specific paper wallet generation websites suffered private key thefts. After further tracking by our company, we found that most paper wallet generation sites take the original JavaScript source code from, and modify it to introduce changes and, on some occasions, backdoors or mechanisms to retrieve the user-generated private keys.

Such backdoors have already been detected in some very well-known paper wallet generation websites, like and Some of these modifications are obvious and crude, while others are much more subtle.

A very obvious modification of the code simply gives the hacker a copy of the generated private key: if the user does not disconnect from the network when generating the private key, the website uploads the randomly generated private key to the hacker.

A slightly more subtle method avoids raising the user’s suspicion that information is being sent to the network, and it also works if the computer is disconnected from the Internet. This method consists of limiting the range of random numbers. Because the number of possible input random numbers is limited, the generated private keys also repeat within a limited range. This means that regardless of how many times the user performs the private key generation, the generated private keys will always result in an address from a group of a few hundred values.
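The restricted range described above can be detected by sampling, as in this added example (not code from the original post or from any of the generators it discusses). `restrictedGenerator` is a constructed stand-in with an assumed pool of 300 seeds, and `auditGenerator` is a hypothetical helper name.

```javascript
// Added example: audit a key generator for a restricted output range (Node.js).
const crypto = require('crypto');

// Constructed stand-in for a tampered generator: the seed is reduced to one of
// 300 values before hashing, so at most 300 distinct keys can ever come out.
function restrictedGenerator() {
  const seed = crypto.randomInt(0, 300);
  return crypto.createHash('sha256').update(`seed-${seed}`).digest('hex');
}

// Reference generator: 32 bytes taken directly from the OS CSPRNG.
function csprngGenerator() {
  return crypto.randomBytes(32).toString('hex');
}

// Draw `samples` keys and count the distinct values. In a 256-bit key space a
// sound generator never repeats in practice, so a single repeat is a finding.
function auditGenerator(generate, samples) {
  const seen = new Set();
  let firstRepeatAt = null;
  for (let i = 1; i <= samples; i++) {
    const key = generate();
    if (firstRepeatAt === null && seen.has(key)) firstRepeatAt = i;
    seen.add(key);
  }
  return {
    samples,
    distinct: seen.size,
    firstRepeatAt,                       // index of the first repeated key, or null
    suspicious: seen.size < samples,
  };
}

console.log('restricted:', auditGenerator(restrictedGenerator, 2000));
console.log('csprng:    ', auditGenerator(csprngGenerator, 2000));
```

A clean result from this audit does not prove a generator is safe: a pool larger than the sample size, or a key that is uploaded, will not show up as repeats.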

The author of the original code provided feedback on the numerous claims about the source code, stating that since the code was publicly available, there was no way to effectively stop hackers from modifying the code for malicious purposes.

Although some of these paper wallet generation websites have already been flagged as suspicious or dangerous, many of them have changed their appearance and addresses and are already back online, like the site Users need to pay special attention and avoid generating private keys on these malicious paper wallet generation sites.

Our company has successfully generated duplicated private keys following the same method. The associated wallet addresses of the duplicated private keys presented a series of Bitcoin transaction records. We have identified a list of risk addresses, which are listed below. If your wallet is generated through a paper wallet generation website, and the generated address is in the list, please transfer your funds immediately to a safe address, and discard the wallet.


Currently quite a large number of these addresses present transaction records. The hackers exploiting this vulnerability monitor these addresses constantly, and they immediately transfer away any funds deposited to these addresses. If you are a victim of these paper wallets, please contact our company, and we will provide an assessment.

Our strategic partner UnblockAnalysis has successfully tracked the relevant fund flows, and some of the stolen assets have been deposited to exchanges. Most bitcoins from stolen addresses were sent to certain addresses for accumulation, then transferred after reaching a certain amount, and finally sold through different mixed coins. The following image shows the funds flow resulting from the analysis from Unblock Analysis of one of the addresses:

Stolen funds flow example

(A) Target Address: 1RnLLGiXWkHFGRGmdraDb9rUUGtLeLrV9


(B) 1BSZ6QW3kr2Cz8noutJo1hoa8sNybT4n25

(C) 34wvFXLBe55BKV1YiKNQz1m2Fk2maJ4TZo

(D) bc1qkr8gy0edcwwp2d3zdhtcf3gam42s9uvm4yx6sj

As detailed above, (A) is the target address; (B), (C) and (D) are transactional addresses.

On December 6, 2019, funds were transferred from (A) to (B), (B) to (C), and then (C) to (D), and all the transfers were completed within 90 minutes. This type of fund flow is classified as a “peeling chain”. Because the hacker holds the private key of the target address, any funds that go into the wallet are transferred away as soon as they arrive.

If your personal or company’s wallet system uses the above mentioned code to generate the private key, please check the process of random number generation immediately, paying special attention to the following three points:

  1. The method used to obtain random numbers when generating private keys. The random number generation process must follow the NIST random number generation recommendation.
  2. The length of the seed used to generate the private key must be at least 256 bits.
  3. If any error occurs during private key generation, the process must be aborted immediately to avoid producing a “compromised” private key derived from a default value.
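The three points above, sketched as an added example (not CYBAVO's code and not the code of any wallet generator). `generatePrivateKey` is a hypothetical name, the platform CSPRNG is assumed to be the random source that satisfies point 1, and the secp256k1 range check is an extra validity check that the list does not mention.

```javascript
// Added example: key generation that fails closed (Node.js).
// In a browser, window.crypto exposes the same getRandomValues API.
const { webcrypto } = require('crypto');

// Order n of the secp256k1 group: a valid Bitcoin private key k has 1 <= k < n.
const SECP256K1_N = BigInt(
  '0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141'
);

// Returns a 64-character hex private key or throws. There is deliberately no
// fallback value: every failure path ends in an exception (point 3).
function generatePrivateKey(rng = webcrypto) {
  if (!rng || typeof rng.getRandomValues !== 'function') {
    throw new Error('no CSPRNG available, refusing to generate a key');
  }
  // An in-range draw fails with probability of about 2^-128, so repeated
  // failures mean the random source is broken rather than unlucky.
  for (let attempt = 0; attempt < 8; attempt++) {
    const bytes = new Uint8Array(32);   // point 2: a full 256 bits
    rng.getRandomValues(bytes);         // point 1: CSPRNG, never Math.random()
    const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
    const k = BigInt('0x' + hex);
    // Rejects an untouched all-zero buffer as well as values >= n.
    if (k >= 1n && k < SECP256K1_N) return hex;
  }
  throw new Error('random source keeps returning invalid values, aborting');
}

// Constructed failure case: a source that silently leaves the buffer at zero.
const stuckRng = { getRandomValues() {} };
try {
  generatePrivateKey(stuckRng);
} catch (err) {
  console.log('aborted as required:', err.message);
}
console.log('key length in hex chars:', generatePrivateKey().length);
```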

CYBAVO is a cybersecurity technology provider offering digital asset custody and management solutions for enterprises. We conduct our own research and cooperate with industry leaders to get the most up to date risk intelligence to detect money laundering and other high-risk related addresses. Our complete solution for cryptocurrency exchanges includes a blocking list feature to alert service providers whenever there is a risk of making transactions to a flagged address.
