Crypto cybersecurity firm Unciphered has discovered a decade-old crypto wallet bug affecting browser-based wallets generated between 2011 and 2015.

The bug could allow nefarious actors to steal up to $2.1 billion from wallets on various networks, including Bitcoin (BTC), Dogecoin (DOGE), Litecoin (LTC), and Zcash (ZEC).

Discovery of an ancient bug

In an interview with The Wall Street Journal, the Unciphered team reported that they accidentally discovered the bug during an early investor’s unsuccessful attempt to recover $600,000 in lost Bitcoin (BTC).

Entrepreneur Nick Sullivan created his own Bitcoin wallet in 2014 using the Blockchain.info website (since renamed to Blockchain.com). Later, he accidentally lost access to his coins after wiping his computer’s memory without remembering to record his wallet’s private key.

At Sullivan’s request, Unciphered began searching for Sullivan’s coins in January 2022. Although the firm ultimately lacked enough information to get them back, it realized in the process that Blockchain.info’s code for generating random wallet keys – BitcoinJS – could not generate wallet keys that were random enough.

“BitcoinJS was badly broken as of March 2014,” said Eric Michaud, co-founder of Unciphered. “Anyone who is using it directly is at very high risk of being attacked.”

Another wallet site, Dogecoin.info, also used BitcoinJS, leaving many old Dogecoin users exposed to the same vulnerability.

Unciphered claims that wallets created before March 2012 hold $100 million in assets that can be easily hacked by a home computer user. Another $50 billion is held in wallets created between then and 2015, of which at least $500 million is unsecured.

Cryptographers discovered flaws in wallet generation randomness in 2014 and have since improved their methods. Unciphered said it has not found any wallet suffering from weak randomness since 2016.

How to tell victims?

Unciphered went public with the vulnerability this week, but has been quietly warning affected users for months that their assets were at risk.

The challenge was convincing millions of victims to transfer their funds without revealing the vulnerability to thieves, who could otherwise exploit it to steal the coins.

Unciphered ultimately decided to approach the largest site responsible for creating such wallets, which may have been in a position to privately notify the affected users. That site turned out to be the one Sullivan had used – Blockchain.com.

The site sent emails to more than 1.1 million affected wallet holders and found a way to automatically update the wallets of anyone who visits its site.

Len Castleman, president of Blockchain.com, said of Unciphered’s warning, “In crypto, you need to be quite skeptical of people who call with something that sounds dramatic, because there are a lot of scammers out there.” “It was unclear who they were and what the scope of it was.”

Many affected users have still not been directly warned as the sites they used to create their wallets are now out of business.

