Hacking on Bitcoin: more than 1000 accounts subject to a vulnerability


$434,000 gone. The safety of your BTC is paramount. However, in some cases the use of third-party software can harm it. This is what a series of users recently learned during a surprising hack of Bitcoin accounts.

1,000 Bitcoin addresses victims of a massive hack

On July 24, a user of the Reddit platform, nicknamed 0n0t0le, turned to the community after discovering a suspicious movement in his Bitcoin wallet.

Indeed, he identified a 0.25 BTC transaction to an unknown address. Obviously, this transfer had in no way been initiated by 0n0t0le.

The debit transaction described by 0n0t0le.

Looking more closely at the transaction, he discovered that it involved a withdrawal from 1207 different addresses for a total amount of 14.84 BTC, i.e. more than $434,000.

Subsequently, 0n0t0le explained that he was using a Bitcoin Core wallet on his own server. The wallet mnemonic was generated in 2020 with the bitcore-mnemonic and bitcore-lib libraries. The user also ran several other libraries on this server, including bip39, bitcoin-core and bitcoinjs-lib.

Surprisingly, the attacker did not drain all the funds: only bech32 (SegWit) addresses were targeted, while manually created addresses were left untouched.

Avenues for community response

The Reddit community quickly took up the subject and several hypotheses emerged.

Initially, one user pointed out that the bitcore-mnemonic library is a third-party tool whose development was discontinued several years ago, suggesting that the compromise could stem from it.

On August 9, another user provided a more substantive lead, stating that this transaction is part of an attack documented on the milksad.info site.

In practice, a security flaw was discovered in the Libbitcoin Explorer wallet tool. Specifically, the affected command is bx seed, which is used to generate the entropy from which the private key is derived. Unfortunately, this function is flawed and produces insecure output.

As a result, the effective security of the wallet is reduced to only 32 bits. As explained on the Milksad site, an average gaming computer can test every possible combination in less than a day.
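The weak link described above is the entropy step: whatever the PRNG, a seed chosen from a 32-bit value can only ever produce 2^32 distinct wallets. The following is an added example (not code from the article, from Libbitcoin or from any of the libraries named) showing that step done with the operating system's CSPRNG and turned into BIP39 word indices with the standard checksum; the function names are my own, and the 16-zero-byte input in the comments is the well-known BIP39 test vector.

```python
import hashlib
import secrets


def generate_entropy(nbytes: int = 32) -> bytes:
    """Draw wallet entropy from the OS CSPRNG (os.urandom under the hood).

    32 bytes gives a 256-bit search space; a PRNG seeded from a 32-bit
    clock value, as in the flawed tool, has only 2**32 possible outputs
    no matter how many bytes it emits.
    """
    return secrets.token_bytes(nbytes)


def bip39_indices(entropy: bytes) -> list[int]:
    """Map raw entropy to BIP39 11-bit word indices (0..2047).

    Checksum = first (bits/32) bits of SHA256(entropy), appended to the
    entropy; the result is split into 11-bit groups, one per word.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = (int.from_bytes(entropy, "big") << cs_bits) | (digest[0] >> (8 - cs_bits))
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Rebuild entropy from word indices and verify the BIP39 checksum.

    Raises ValueError on a checksum mismatch, e.g. a mistyped last word.
    Known vector: 16 zero bytes <-> [0]*11 + [3] ("abandon" x11, "about").
    """
    total = len(indices) * 11
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    cs_bits = total // 33
    ent_bits = total - cs_bits
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if (bits & ((1 << cs_bits) - 1)) != expected:
        raise ValueError("BIP39 checksum mismatch")
    return entropy
```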

Finally, another user suggested that this could be linked to an attack carried out by North Korean hackers last June, in which NPM libraries would have been affected and contained a backdoor.

Either way, this mishap is a reminder of the importance of using wallets that are kept offline. Hardware wallets, for example, have so far proven to be reliable and secure solutions for storing your cryptocurrencies.
