An anonymous Pastebin user claimed to have discovered evidence that some Bitcoin wallet software can generate private keys that can be easily identified and hacked.
The disclosure comes after another person made a Reddit post describing how they lost nine BTC due to a transaction error on the Blockchain.info wallet service.
The Pastebin user, however, did not reveal which specific wallet software may be affected, or whether the vulnerability is intentional or just a simple coding error.
According to the anonymous user, several users of the Blockchain.info platform are already aware of the vulnerability and have ‘played’ with the chain by sending small amounts of Bitcoins to the addresses corresponding to the private keys generated by the malicious software.
“If you peer into the Blockchain, you will find that people have ‘played’ with the chain by sending small amounts of Bitcoins to addresses corresponding to private keys generated using Sha256… It’s quite obvious these were _meant_ to be found. It turns out there are a lot of these addresses. (Keep looking and you will easily find some.) This is nothing new and has been known to the Bitcoin community for a while.”
How the user discovered the malicious software
According to the Pastebin user, he used several pieces of publicly available data on the Blockchain to determine if they could have been used to create wallets. He utilized block hashes for every block since the Genesis Block, Merkle roots from every block, common words and phrases that have been hashed a number of times, and eventually started testing all the Bitcoin addresses.
He also downloaded a complete index of all Bitcoin addresses that were listed publicly on Blockchain and began to discover keys that could have a few bits associated with them. In his experiments, he discovered more than 40 Bitcoin addresses that were used at certain points over the past seven years as of November 2017 to send Bitcoin.
The Pastebin user also suspects that a third-party custodial wallet service, such as a gambling site, a mining pool or a straight-up web wallet, could have malicious code in its backend that generates private keys based on public addresses.
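An added example, not taken from the Pastebin post or from any wallet's code: a check that a wallet developer or custodial service could run over keys its own backend generated, flagging any key that equals SHA-256 (applied one to four times) of public data such as a block hash, an address string or a common phrase. The sample inputs are constructed placeholders, and the encodings tried, the round limit and the choice to re-hash the raw digest are assumptions.

```python
import hashlib
import secrets

MAX_ROUNDS = 4  # assumption: how many repeated SHA-256 rounds to test


def encodings(value):
    """Yield (label, bytes) forms of a public value that a wallet might hash."""
    yield "utf8", value.encode()
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return  # not hex: a phrase or an address string
    yield "raw", raw
    yield "raw-reversed", raw[::-1]  # block hashes are displayed byte-reversed


def derived_keys(public_values, max_rounds=MAX_ROUNDS):
    """Map every 32-byte value reachable from public data to its derivation."""
    table = {}
    for value in public_values:
        for label, data in encodings(value):
            digest = data
            for rounds in range(1, max_rounds + 1):
                digest = hashlib.sha256(digest).digest()
                table.setdefault(digest.hex(), (value, label, rounds))
    return table


def audit_keys(private_keys_hex, public_values, max_rounds=MAX_ROUNDS):
    """Return {key: (source, encoding, rounds)} for keys that are not random."""
    table = derived_keys(public_values, max_rounds)
    return {k: table[k.lower()] for k in private_keys_hex if k.lower() in table}


# Constructed sample data: placeholder block hash, address-like string, phrase.
SAMPLE_PUBLIC = ["00000000" + "ab" * 28, "1ExampleAddressPlaceholder", "password"]
# Constructed wallet export: one CSPRNG key and two keys derived the weak way.
GOOD_KEY = secrets.token_bytes(32).hex()
WEAK_FROM_HASH = hashlib.sha256(bytes.fromhex(SAMPLE_PUBLIC[0])).hexdigest()
WEAK_FROM_ADDR = hashlib.sha256(
    hashlib.sha256(SAMPLE_PUBLIC[1].encode()).digest()).hexdigest()

if __name__ == "__main__":
    report = audit_keys([GOOD_KEY, WEAK_FROM_HASH, WEAK_FROM_ADDR], SAMPLE_PUBLIC)
    for key, why in report.items():
        print(key[:16] + "...", "is derived from public data:", why)
```

Any key this reports was not drawn from a random source and should be retired; an empty report only rules out the inputs and encodings that were tested.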
As of press time, the Blockchain.info user has confirmed that the funds have been returned:
“The nine BTC have been returned, the person found my Reddit post & reached out to me this morning. He wants to remain anonymous however he has found an issue with Blockchain.info and is currently working with them to resolve the issue.”