Bitcoin Wallets Created b/w 2011-2015 vulnerable to Hacking

Nov 20, 2023NewsroomCryptocurrency / Blockchain

Bitcoin wallets

Bitcoin wallets created between 2011 and 2015 are vulnerable to a new type of exploit called Randstorm which makes it possible to recover passwords and gain unauthorized access to multiple wallets spanning multiple blockchain platforms.

“Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when in contact with each other, combine to reduce the quality of random number created by web browsers in a certain period ( 2011-2015),” No miss exposed in a report published last week.

It is estimated that approximately 1.4 million bitcoins are parked in wallets created with potentially weak cryptographic keys. Customers can check if their wallets are vulnerable at www.keybleed(.)com.


The cryptocurrency recovery company said it found the problem again in January 2022 while it working for an unnamed customer who is locked in its wallet. The issue is first emphasized back in 2018 by a security researcher with the alias “ketamine.”

The main weakness comes from the use of BitcoinJSis an open-source JavaScript package used for developing browser-based cryptocurrency wallet applications.

In particular, Randstorm relies on the package’s SecureRandom() function JSBN javascript library coupled with cryptographic weaknesses that existed at the time in web browsers’ implementation of the Math.random() function, which allowed for weak pseudorandom number generation. BitcoinJS maintainers stopped using JSBN in March 2014.


As a result, the lack of sufficient entropy can be exploited to perform brute-force attacks and recover wallet private keys generated with the BitcoinJS library (or projects that depend on it). The easiest wallets to open are those created before March 2012.

The findings once again shed new light on the open source dependencies that power the software infrastructure and how vulnerabilities in such foundational libraries can pose risks to the chain of supply, as previously revealed in the case of Apache Log4j in late 2021.

“The error has already been committed in the wallets created with the software, and it will remain there forever unless the funds are transferred to a new wallet created with the new software,” Unciphered said.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment