If you created a bitcoin wallet before 2016, your money may be at risk

Many wallets were created with code containing profound flaws, and the companies that used that code can disappear.

SAN FRANCISCO - After a tech entrepreneur and investor lost his password for retrieving $600,000 in bitcoin and hired experts to break open the wallet where he kept it, they failed to help him. But in the process, they discovered a way to crack enough other software wallets to steal $1 billion or more.

On Tuesday, the team released information about how they did it. They hope it's enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off what would be one of the largest heists of all time.

Subscribe to The Post Most newsletter for the most important and interesting stories from The Washington Post.

Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven't been told, often because their wallets were created at cryptocurrency websites that have gone out of business.

The story of those wallets' vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee.

"Open-source ages like milk. It will eventually go bad," said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.

The company shared its process and conclusions with The Washington Post before going public.

The risk of bad open-source code was laid bare in 2021 when it was discovered that Log4j, a ubiquitous tool used by software servicers that few consumers were even aware of, could be used to execute malicious code. The revelation panicked companies worldwide and made open-source security a top priority for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which is now pushing companies to map out all the programs they depend on.

"Every man-made technology contains flaws that originate within its creators," Unciphered co-founder Eric Michaud said.

Stefan Thomas, the technologist who created the software used to create the wallets, told The Post that he had done so as a hobby and had taken the key part of the code from a program published on a Stanford University student's page, not checking to see if it was sound.

"Instead, I was obsessed about making sure that I didn't make any mistakes in my own code," Thomas said. "I'm sorry to anyone affected by this bug."

Unciphered is calling the flaw "Randstorm," because it stems from wallet programs that created cryptographic keys that weren't random enough. Instead of crafting electronic keys that were one in a trillion and therefore very hard for an outsider to forge, they made keys that were one in some number of thousands - a randomness factor easily hacked.

The person who set the ball in motion is investor Nick Sullivan, an early bitcoin believer who used the site Blockchain.info, since renamed Blockchain.com, to make a wallet in 2014. Not long after, he wiped his computer's memory without realizing that he had not saved to his password manager the blob of letters and numbers that would give him access to his crypto account.

"It was a pretty frustrating set of circumstances," Sullivan told The Post. At the time, he was out around $18,000. That amount is now worth more than $600,000 - enough to make it worthwhile for him to hire the hackers and National Security Agency veterans at Unciphered to try to recover it.

Unciphered, one of a handful of outfits dedicated to recovering trapped electronic funds for a fee, began searching for Sullivan's money in January 2022.

It turned out that the information Sullivan had about how he had created the account wasn't enough to let Unciphered's experts crack the wallet. But in studying the problem, the Unciphered team uncovered a bigger issue: Thomas's code, known as BitcoinJS, which was supposed to create wallets with random keys, didn't always make them random enough.

Compounding the problem, Thomas's BitcoinJS was used not only by Blockchain.info, but also by many other sites from 2011 on, including the main source of wallets for the former joke currency dogecoin, Dogechain.info. An executive at that site's owner, Block.io, did not respond to an email from The Post seeking comment.

"BitcoinJS is terribly broken up till March 2014," Michaud said. "Anyone directly using it is on the very high end of risk to attack."

Cryptographers discovered weaknesses in how most of the major browsers created randomness in 2014, and they improved afterward. Blockchain.info and some other sites also added more randomness, making wallets harder to crack. Unciphered has not found any wallets created after 2016 that are vulnerable because of weak randomness.

But that still leaves millions of wallets vulnerable.

The easiest to crack would be wallets made before March 2012, which hold about $100 million and could be hacked by a home computer user, Michaud said.

Another $50 billion worth of bitcoin is stored in wallets created between then and the end of 2015. Most of those are not vulnerable, but at least 2 percent of them are, for about another $500 million, Unciphered said. Then there are other currencies with wallet services that borrowed from BitcoinJS, including dogecoin and litecoin.

Discovering the vulnerability was only half the challenge. Unciphered still had to figure out how to tell millions of people to move their funds, without giving away the existence of a huge vulnerability.

Unfortunately, many of the crypto sites that had used the flawed program were out of the business, as was Thomas.

Unciphered legal adviser Stewart Baker, a former general counsel at the National Security Agency, trying to determine the right thing to do, even broached the idea in a column a year ago of having a "white knight" steal everything that was vulnerable to a hypothetical crypto flaw and hold onto it while sorting through who truly owned what.

He noted that a precedent of sorts had been established in 2021, when a hacker stole a whopping $600 million in virtual currency from lending platform Poly Network and returned it for a fee of $500,000 and a promise that he would not be prosecuted.

But no one wanted to risk prosecution or civil liability by stealing from many people at once, and in the end "what we decided to do," Baker recalled, "was find the company that was in a position to fix or notify as many people as possible, in the hope we could get a lot of this fixed before the exact nature of the problem leaks."

Eventually, Michaud realized that the biggest old user of the wallet program still around was the one Sullivan had used, Blockchain.com.

The first interaction between the two companies was fraught with suspicion. Each wanted the other side to sign a nondisclosure agreement, but neither would themselves.

"In crypto, you need to be pretty skeptical of people who call with something that sounds dramatic, because there are so many scammers," Blockchain.com President Lane Kasselman recalled. "It was unclear who they were and what the scope of it was."

But their references checked out, and Baker joined a group call to explain that the Unciphered hackers were well-meaning security whizzes, not extortionists. Blockchain.com agreed to help. It worked out a way to automatically update wallets of those who visited its site, changed its app, and sent out emails to the holders of more than 1.1 million affected wallets beginning Oct. 10, less than 2 percent of the 90 million wallets it has created.

Of course, many of those who were notified were suspicious too. One of them posted the notice in a chat for crypto enthusiasts and asked for guesses about what was going on. Security expert Dan Guido saw that and posted on X, and someone responded by pointing to a notice on Unciphered's site saying that it would have something wallet-related to announce in the future.

Guido then asked the people at his security engineering company, Trail of Bits, to see what Unciphered might have been referring to. They figured out the issue in days, but they agreed to keep quiet at Unciphered's request.

"They've been able to keep this under wraps for 20 months, which is insane, and that's what's required," Guido said. "The ability for people to take advantage of it is extremely high."

Consumers can check whether their wallets are vulnerable at www.keybleed.com.

Unfortunately, Sullivan's wallet wasn't among those that suffered from the security flaw - mainly because he created his wallet in 2014, after Blockchain.info had improved the randomness of its wallets. If the security had been worse, he would have been able to get his money back when Blockchain.info notified clients with vulnerable accounts.

He is done with crypto anyway, after starting three companies in the industry and winding up a bit poorer than when he began. Now he is working on artificial intelligence.

"Crypto is a pretty hostile place, to be honest, full of people attacking what you're building, whether they are trying to hack it, or challenges from regulators, or other people interested in seeing bitcoin being taken down," the former true believer said.

But he said he was happy that he ended up helping a large number of strangers who are still invested emotionally as well as financially: "I honor those still fighting that fight."

Related Content

Panda diplomacy to live on? China's Xi hints U.S. may get more bears.

What does the Kennedy name mean now?

How CDC's new director is trying to regain trust shattered by covid