Are paper wallets safe?

Research on malicious paper private key generation techniques

Published on Jun 10, 2020 | Blog

Bitcoin Paper Wallet

In cryptocurrency, the “private key” of a wallet is equivalent to the assets stored in the wallet. It is the only token that can be used to operate the funds in the wallet. If the private key is generated or managed without meeting a series of basic requirements, serious security flaws can result. Almost all cryptocurrency theft incidents in recent years are related to improper private key generation or management.

Besides being used for trading, Bitcoin wallets are usually also responsible for the generation of private keys. Some users with high security awareness will choose to generate their private keys using an offline generation method, importing the private key into the wallet only at the moment of making a transaction.

Paper wallet generation is one of the most popular methods of generating private keys offline. Users only need to prepare a clean and safe computer, open a paper wallet generation website, disconnect from the network, and use the site's private key generation function to obtain a new set of private keys and the corresponding wallet address.

Taking a deeper look at how paper wallets work, there is no need to connect to the Internet to generate the private key. The private key itself is a string of random numbers, and generating it only requires a random number seed that is “random enough” to meet the criteria.

Paper wallet generation websites usually provide a JavaScript program that can work offline. When the user’s computer is disconnected from the network and the user clicks on Generate Private Key, the program uses randomness factors such as mouse track, keyboard input and system time as parameters to obtain a random number that meets the standard from the system random number pool, and finally generates the private key from it.

But is it completely safe to generate the private key by this method?

In the following analysis you will find that even on a clean and safe computer that is kept offline while the private key is generated, and even with no driver interception in the printer service used to print out the paper wallet, generating a private key through a paper wallet generation website might still be a compromised process that could lead to theft of funds.

Po Wei Chen is a former security researcher at CYBAVO and still a regular collaborator. After researching the matter, Po Wei, who is also the founder of Cypherpunks Taiwan, found that some users who created their paper wallets on specific paper wallet generation websites had their private keys stolen. After further tracking by our company, we found that most paper wallet generation sites take the original JavaScript source code from BitAddress.org and modify it, on some occasions adding backdoors or mechanisms that retrieve the user-generated private keys.

Such backdoors have already been detected in some very well-known paper wallet generation websites, like WalletGenerator.net and BitcoinPaperWallet.com. Some of these modifications are obvious and crude, while others are much more subtle.

A very obvious modification of the code simply allows the hacker to get a copy of the generated private key: if the user does not disconnect from the network when generating the private key, the website uploads the randomly generated private key to the hacker.

A slightly more subtle method avoids raising the user's suspicion that information is being sent to the network, and it also works if the computer is disconnected from the Internet. This method consists of limiting the range of random numbers. Because the number of possible random inputs is limited, the generated private keys also repeat within a limited range. This means that regardless of how many times the user performs the private key generation, the generated private key will always result in an address from a group of a few hundred values.
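
One way to check a generator for this behaviour, as an added example that is not from the original post or from any site's code: draw many keys offline and count exact repeats. `restrictedGenerator` is a constructed stand-in with an assumed pool of 500 values, and all function names are hypothetical.

```javascript
// Web Crypto CSPRNG: a global in browsers and current Node.js, a module export in older Node.js.
const cryptoApi = globalThis.crypto ?? require("node:crypto").webcrypto;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Reference generator: 256 bits taken directly from the CSPRNG.
function soundGenerator() {
  return toHex(cryptoApi.getRandomValues(new Uint8Array(32)));
}

// Constructed stand-in for a tampered generator (not code from any real site):
// every key comes from one of only POOL_SIZE seed values (assumed figure).
const POOL_SIZE = 500;
function restrictedGenerator() {
  const seed = Math.floor(Math.random() * POOL_SIZE);
  return seed.toString(16).padStart(64, "0");
}

// Draw `samples` keys and count exact repeats. In a 256-bit key space a single
// repeat already shows that the generator's real range is far smaller.
function auditGenerator(generate, samples) {
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i < samples; i++) {
    const key = generate();
    if (seen.has(key)) repeats++;
    else seen.add(key);
  }
  return { samples, distinct: seen.size, repeats, suspicious: repeats > 0 };
}

console.log("restricted:", auditGenerator(restrictedGenerator, 5000));
console.log("sound:     ", auditGenerator(soundGenerator, 5000));
```

A run with no repeats only rules out pools much smaller than samples²/2 keys; a larger restricted range still has to be found by reviewing the script against the original source.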

The author of the original BitAddress.org code responded to the numerous claims about the source code, stating that since the code was publicly available, there was no way to effectively stop hackers from modifying it for malicious purposes.

Although some of these paper wallet generation websites have already been flagged as suspicious or dangerous, many of them have changed their appearance and addresses and are already back online, like the site AmazonPowers.com. Users need to pay special attention and avoid generating private keys on these malicious paper wallet generation sites.

Our company has successfully generated duplicated private keys following the same method. The associated wallet addresses of the duplicated private keys presented a series of Bitcoin transaction records. We have identified a list of risk addresses, which are listed below. If your wallet is generated through a paper wallet generation website, and the generated address is in the list, please transfer your funds immediately to a safe address, and discard the wallet.


Currently, quite a large number of these addresses show transaction records. The hackers exploiting this vulnerability monitor these addresses constantly, and they immediately transfer away any funds deposited to them. If you are a victim of these paper wallets, please contact our company, and we will provide an assessment.

Our strategic partner UnblockAnalysis has successfully tracked the relevant fund flows, and some of the stolen assets have been deposited to exchanges. Most bitcoins from stolen addresses were sent to certain addresses for accumulation, then transferred after reaching a certain amount, and finally sold through different coin mixers. The following image shows the fund flow that Unblock Analysis traced for one of the addresses:

Stolen funds flow example


Target Address: 1RnLLGiXWkHFGRGmdraDb9rUUGtLeLrV9

(A) 1RnLLGiXWkHFGRGmdraDb9rUUGtLeLrV9

(B) 1BSZ6QW3kr2Cz8noutJo1hoa8sNybT4n25

(C) 34wvFXLBe55BKV1YiKNQz1m2Fk2maJ4TZo

(D) bc1qkr8gy0edcwwp2d3zdhtcf3gam42s9uvm4yx6sj

As detailed above, (A) is the target address; (B), (C) and (D) are transactional addresses.

On December 6, 2019, funds were transferred from (A) to (B), (B) to (C), and then (C) to (D), and all the transfers were completed within 90 minutes. This type of fund flow is classified as a “peeling chain”. Because the hacker is certain to hold the private key of the target address, any funds that go into the wallet are transferred away as soon as they arrive.

If your personal or company wallet system uses the above-mentioned code to generate private keys, please check the random number generation process immediately, paying special attention to the following three points:

  1. The method used to obtain random numbers when generating private keys. The random number generation process must follow the NIST random number generation recommendation.
  2. The length of the seed used to generate the private key must be at least 256 bits.
  3. If any error occurs during private key generation, the process must be aborted immediately so that no “compromised” private key is generated from a default value.
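
One way to apply the three points above in JavaScript, added here as an example and not taken from CYBAVO's or BitAddress.org's code: it draws 256 bits from the platform CSPRNG (Web Crypto) and throws instead of returning a key whenever the source fails or the value is unusable. The function names and the injectable `source` parameter are assumptions made for illustration.

```javascript
// Web Crypto CSPRNG: a global in browsers and current Node.js, a module export in older Node.js.
const cryptoApi = globalThis.crypto ?? require("node:crypto").webcrypto;

// Order n of the secp256k1 group: a valid Bitcoin private key k satisfies 1 <= k < n.
const SECP256K1_N =
  0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const KEY_BYTES = 32; // 256 bits

function bytesToBigInt(bytes) {
  let value = 0n;
  for (const b of bytes) value = (value << 8n) | BigInt(b);
  return value;
}

// `source` is injectable (an assumption of this example) only so that the
// failure paths can be exercised; production code uses the default.
function generatePrivateKey(source = (buf) => cryptoApi.getRandomValues(buf)) {
  // No try/catch: an exception from the entropy source must abort generation,
  // never fall through to a default or partially filled buffer.
  const out = source(new Uint8Array(KEY_BYTES));
  if (!(out instanceof Uint8Array) || out.length !== KEY_BYTES) {
    throw new Error("entropy source did not return 256 bits");
  }
  // A buffer of identical bytes (for example all zeros) means the source left
  // a default value in place; chance from a real CSPRNG is about 2^-248.
  if (out.every((b) => b === out[0])) {
    throw new Error("entropy source returned a constant buffer");
  }
  const k = bytesToBigInt(out);
  // Out of range happens with probability below 2^-127 for an honest source,
  // so it is treated as a fault and aborted rather than reduced modulo n.
  if (k < 1n || k >= SECP256K1_N) {
    throw new Error("candidate key outside [1, n-1]");
  }
  return k.toString(16).padStart(64, "0");
}

console.log("generated key is", generatePrivateKey().length * 4, "bits long");
```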

CYBAVO is a cybersecurity technology provider offering digital asset custody and management solutions for enterprises. We conduct our own research and cooperate with industry leaders to get the most up to date risk intelligence to detect money laundering and other high-risk related addresses. Our complete solution for cryptocurrency exchanges includes a blacklist feature to alert service providers whenever there is a risk of making transactions to a flagged address.
