Potentially Malicious Vulnerability Found on Cryptocurrency Paper Wallet Generator

Francisco Memoria

It has recently been revealed that WalletGenerator.net, a cryptocurrency paper wallet generator, might have been compromised, and users are being advised to switch funds from wallets created through it to new ones.

According to a Medium post published by cryptocurrency wallet platform MyCrypto, a potentially malicious vulnerability was introduced in the paper wallet generator’s code back in August of last year, and has been there for months. The code was removed shortly after the website’s owner was contacted.

While WalletGenerator.net has supposedly open-sourced code that’s available on GitHub, MyCrypto found that the code on the website and the code on GitHub didn’t match. The potentially malicious vulnerability on the website caused it to produce duplicate keys.

Moreover, generated keypairs could have been stored on servers. MyCrypto noted that between the time it was concluding its investigation and the time it received a response from the website’s owner, the code on the website was modified, and the malicious code was removed.

Taking this into account, the firm noted it still has “no idea whether the current site owner is the malicious party, if the server is insecure, or both.” Nevertheless, the suspicious behavior of the website’s owner, who claimed they saw no malicious code and that MyCrypto could be looking at a phishing website, led the firm to advise users who generated keypairs on WalletGenerator after August 17, 2018 to move their funds.

The firm’s post reads:

We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.

It’s worth pointing out one can never be too safe in the crypto space. As recently covered, a BitGo engineering manager saw hackers take more than $100,000 from his Coinbase account using a SIM swap attack.

Blackmailing porn viewers, hackers have reportedly made nearly $1 million worth of bitcoin. While security researchers point out they’re issuing empty threats, some victims seemingly just pay up instead of ignoring them.