Two out of the top three paper wallet generation sites are dodgy ( &
post-template-default,single,single-post,postid-3846,single-format-standard,bridge-core-2.3.7,ajax_fade,page_not_loaded,,qode_grid_1300,footer_responsive_adv,qode-content-sidebar-responsive,qode-theme-ver-22.3,qode-theme-bridge,disabled_footer_bottom,qode_header_in_grid,wpb-js-composer js-comp-ver-6.2.0,vc_responsive,elementor-default,elementor-kit-199

Two out of the top three paper wallet generation sites are dodgy ( &

Two out of the top three paper wallet generation sites are dodgy ( &

So… I had look at and sites’ javascript code and did some interesting findings. They are concerning to say the least. Both of the sites use the exact same javascript code and are thus likely operated by the same person/persons.

When paper wallets are generated on these sites (online or offline), their public addresses are not created using the seed or private key provided by the user. Instead there is a list of 60 pregenerated (base64 encoded) public addresses embedded in the javascript code which is loaded with the site. The list’s contents change with every reload of the page so the public addresses are apparently generated by the server before the page is sent over. If the user saves the page and goes offline, the list of public addresses is also saved and used offline as well.

What does this mean? I believe there is a high risk that any paper wallet created using these sites have public addresses printed on them which belong to wallets controlled by whoever controls the servers of these sites. There is a generated private key on the paper wallet as well, but it simply does not match with the public address. Anyone sending bitcoin to the public address will be sending money to someone else only to find that his/her wallet is empty (and always was) once trying to use the wallet.

I would appreciate if someone else technically minded would check whether I’m right about this. Save the html and the search for ‘eckey_test’ (you might wan’t to prettify the javascript code though, This is the list of suspicious pregenerated public keys.

submitted by /u/ayeaye
[link] [comments]

No Comments

Post A Comment