Hackers Steal $900K Through Newly Discovered Bitcoin Wallet Loophole

Libbitcoin Exploited To Steal $900,000 Worth of Crypto

A recent report from blockchain security firm SlowMist has revealed that over $900,000 worth of crypto has been stolen due to a vulnerability in the Libbitcoin Explorer 3.x library. This vulnerability affects users of Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash who use Libbitcoin to generate accounts.

Libbitcoin is a Bitcoin wallet implementation that developers and validators use to create Bitcoin (BTC) and other crypto currency accounts. It is used by a variety of applications, such as Airbitz (mobile wallet), Bitprim (developer interface), Blockchain Commons (decentralized wallet identity), and Cancoin (decentralized exchange).

The vulnerability, dubbed the “Milk Sad” vulnerability, was first discovered by the Distrust cybersecurity team and reported to the CEV cybersecurity vulnerability database on Aug. 7. It is caused by a faulty key generation mechanism in Libbitcoin that allows private keys to be guessed by attackers.

As of Aug. 10, attackers have already exploited this vulnerability to steal over $900,000 worth of crypto. This highlights the importance of staying vigilant and secure when using Libbitcoin or any other cryptocurrency wallet.

Exploring the Crypto Vulnerability

SlowMist recently reported that an attack had drained over 9.7441 BTC (roughly $278,318). The firm has “blocked” the address and is monitoring it in case funds are transferred to a different location. To explain the vulnerability, four members of the Distrust team and eight freelance security consultants have established an informational website.

The loophole is created when users utilize the “bx seed” command to generate a wallet seed. This command “uses the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time,” which is not random enough and can produce the same seed for multiple people.

The vulnerability was discovered after a Libbitcoin user contacted other users when their crypto suddenly vanished on July 21. Other Libbitcoin users were also experiencing the same issue. Cointelegraph contacted Eric Voskuil, a member of the Libbitcoin Institute, for comment. Voskuil stated that the “bx seed” command is only meant to be used for demonstration and not production wallets. He added that they will likely modify the warning or remove the command completely in the near future.

Crypto users in 2023 still have to be wary of wallet vulnerabilities. On June 22, the Atomic Wallet team confirmed that over $100 million was lost due to a hack. In July, CER released its wallet security rankings and revealed that only six out of 45 wallet brands use penetration testing to identify vulnerabilities.