Randstorm' Bug: Millions of Crypto Wallets Open to Theft

Cryptocurrency wallets generated between 2011 and 2015 are vulnerable to an attack that allows threat actors to use brute-force methods to recover passwords for accessing funds. Researchers at Unciphered estimate that millions of wallets — with potentially hundreds of millions of dollars in them — remain vulnerable to attack.

The problem has to do with a no-longer-used randomization function in BitcoinJS, a JavaScript library for building Bitcoin and other cryptocurrency applications for the Web and NodeJS platforms.

Several of the projects that used the vulnerable BitcoinJS library — including BrainWallet, CoinPunk, and QuickCoin — are no longer around. But several others such as Blockchain.com, Bitgo, Dogechain.info, and Blocktrail, are still active.

The "Randstorm" Vulnerability

The vulnerable function — based on open source code — in BitcoinJS, in combination with a weakness that existed during that time in pseudo-random number generators in major browsers, resulted in keys being generated for crypto wallets that were not random enough to withstand guessing attacks.

Researchers at Unciphered, a startup that helps individuals and organizations recover cryptocurrency wallets from which they have been locked out, discovered the issue when helping one such customer in January 2022. The individual had hired Unciphered to help try and restore his access to a Bitcoin wallet he had created in 2014 on Blockchain.info (now Blockchain.com), but to which he had lost the password.

Unciphered's effort to recover the password failed. But in the process of finding a way to retrieve it, researchers at the company discovered the BitcoinJS vulnerability, which they have since dubbed "Randstorm." In the 22 months since the discovery, the researchers have been working with Blockchain.com and others that incorporated the vulnerable BitcoinJS function to notify affected users about the threat.

"We have been coordinating disclosure with multiple entities and, as a result, millions of users have been alerted," Unciphered said in a blog post this week. "In the event that it is possible an individual has assets held in an affected wallet, they should be moved to a newly generated wallet created with trusted software," the company noted.

Cryptowallet Bug Is a Previously Known Issue

According to Unciphered, the company is not the first to uncover the flaw in BitcoinJS that it reported on this week. Back in 2018, a security researcher using the handle "ketamine" had reported finding multiple vulnerabilities in SecureRandom(), the function in BitcoinJS that is at the root of the issue. The researcher had warned of multiple cryptocurrency products being at risk of attack because the SecureRandom() function did not enable the degree of randomization required for cryptographic key material.

"The entropy collection and the [random number generator] itself are both deficient to the degree that key material can be recovered by a third party with medium complexity," the researcher had warned. Compounding the problem was the fact that major Web browsers at the time also did not have a function that is present in all modern browsers today for generating cryptographically strong random numbers.

"Bitcoin private keys should be generated with 256-bits of entropy; unfortunately, affected keys generated with vulnerable BitcoinJS (or dependent projects) often used less entropy than required," Unciphered said. Entropy in this context refers to random bits of information — such as mouse movements and keyboard clicks — that are used for generating cryptographic keys. Generally, the greater the number of entropy bits that are used, the greater the degree of key randomization.

Insufficient Entropy Makes Cryptowallets Vulnerable

Unciphered said that its researchers were able to successfully recover keys to cryptographic wallets that had been generated with considerably less entropy in them — typically 48 bits — because of the vulnerability. The company said the easiest wallets to attack were those that had been generated before March 2012. Between then and 2015, wallets based on the vulnerable BitcoinJS library incorporated more entropy, making them much harder to crack, even if remaining vulnerable.

Nonetheless, users of any of the affected wallets need to transition to new options.

"The flaw was already built into wallets created with the software, and it would stay there forever unless the funds were moved to a new wallet created with new software," Unciphered said. "All we could do was try to identify companies that were active in wallet creation back in the day, alert them to the risk, and ask them to warn any customers for whom they still had contact information."