Millions Of Old Bitcoin Wallets Have Critical Security Flaws, Experts Say

Bitcoin wallets older than 2016 could have a vulnerability that puts over $1 billion worth of cryptocurrency at risk, according to a report in the Washington Post.

According to Unciphered, a cryptocurrency recovery company, an untold number of crypto wallets were designed with baked-in flaws that leave a backdoor in the code that hackers could easily break open. Encrypted software systems like crypto wallets often rely on random number generators, but the company found that a significant number of wallets were built on open-source software that used numbers that aren’t nearly random enough. These vulnerable wallets use keys with numbers that are one in several thousand instead of one in a trillion, making them susceptible to brute-force attacks.

Unciphered told the Post its staff has contacted over a million people to let them know about the issue, nicknamed “Randstorm,” but millions more are likely affected. You can check whether your wallet is affected at the website keybleed.com.

The issue reportedly stems from a piece of software called BitcoinJS used to create wallets from a number of popular crypto outlets, including Blockchain.info (renamed Blockchain.com), Dogechain.info (the main source of wallets used for Dogecoin), and many other websites.

Anyone using a wallet built with BitcoinJS “is on the very high end of risk to attack,” Unciphered co-founder Eric Michaud told the Post.

Wallets created before March 2012 are particularly unsafe, according to Unciphered. Most wallets created between then and the tail end of 2015 are fine, but at least two percent could be vulnerable. The random number generators used in the crypto community have since improved, and any new wallets should be safe—at least from this particular issue. Unciphered hasn’t found any wallets created after 2016 that contain the Randstorm flaw.

Blockchain.com, which is the most popular site that’s still in business that harnessed the flawed software, found a way to automatically update users’ wallets when they visit the platform and sent emails to 1.1 million affected customers. The company says the problem was only present in two percent of the 90 million wallets it created over the years. But millions of other people out there may still be open to the vulnerability, and if they got their wallets from companies that since shut down, there may be no way to notify them directly.

Correction 2:41 PM: A previous version of this article identified the wrong piece of software responsible for the flaw. The software is called BitcoinJS. We regret the error.