
BitcoinPaperWallet ‘Back Door’ Responsible for Millions in Missing Funds, Research Suggests


It was just past midnight on Jan. 7, 2021, when “Nick Wendell” (a pseudonym) lost half a million dollars in bitcoin.

Bitcoin’s price was roaring toward $40,000, and Wendell was moving some of his bitcoin to a paper wallet generated by BitcoinPaperWallet. These wallets allow you to store your private key in a PDF that can then be printed out or saved as a computer file.

Within a minute of depositing 14.5 BTC, worth over $500,000 at the time (and now worth over $700,000), it was all gone. Someone had swept the funds from Wendell’s wallet and, after playing blockchain hopscotch across multiple addresses, sent them to the Binance exchange.

The situation sent Wendell’s world spinning.

“Within one minute I realized what happened and it felt like I was falling but [wouldn’t] hit the ground for several minutes. I remember walking in circles around the kitchen as if I were dizzy,” Wendell told CoinDesk.

Wendell is one of at least half a dozen users who claim to have lost dizzying sums to the paper wallet. A quick Google search reveals posts on Reddit, Bitcointalk and elsewhere that tell several individual accounts of a multi-million dollar collective heist: Someone with access to the site appears to be filching user funds through a back door in the code that gives them access to private keys.

In fact, some users of the most popular bitcoin paper wallet generator on Google’s search ranking claim to have collectively lost millions of dollars worth of bitcoin over the past two years, CoinDesk has learned.

Blockchain analysis provided by Blockchain Intelligence Group (BIG) following Wendell’s funds from his wallet to Binance and other wallets ostensibly controlled by the scammer. A report from blockchain analytics firm CipherTrace viewed by CoinDesk matches BIG’s findings.


It’s poetic, if tragic, that something called a “paper wallet” is so fragile. While it might seem sensible to store your bitcoin offline on a slip of paper or a USB drive to protect it from hackers, doing so can be fraught with risk.

Beyond loss or degradation of the paper itself, there are a couple of risks associated with storing bitcoin this way. The primary concern is private key generation – in other words, how you are creating your private keys. If you’re using third-party software to generate a paper wallet, you’re trusting that the generator creates the private key securely.

If the software isn’t honest, then your wallet is vulnerable at its core.

The back door

According to security researchers, BitcoinPaperWallet sends a copy of every private key it generates on behalf of its users to the site’s servers. Whoever has access to BitcoinPaperWallet’s back end can then access these keys and steal the funds associated with wallets generated on the site.

Colin and Bryan Aulds, two brothers who run the PrivacyPros blog, nearly purchased the website last year. But after they were tipped off to the series of heists during the negotiation process, they began investigating it for fraud and published their findings on their blog. 

If you have the MetaMask or MyEtherWallet (MEW) extensions installed on your computer, the extension will automatically redirect you to a page warning you that the site is unsafe. According to MetaMask, the site is registered on their “domain warning list” because “it has been explicitly identified as a malicious site.”

In May of last year, Ethereum wallet provider MyCrypto released a video and tweet thread warning about a “vulnerability” in BitcoinPaperWallet which creates “a back door that leaves you at risk of your funds being stolen.”

The Aulds brothers mention that the code for this particular exploit no longer exists in BitcoinPaperWallet’s build. But something new has replaced it and people are still losing money because “someone is actively changing [the back door] once the current exploit is published widely,” Bryan Aulds told CoinDesk.

CoinDesk spoke with some of the wallet’s victims. One, who asked to remain anonymous, had made incremental deposits into his wallet throughout August 2020. On the 21st of the month, his funds were gone, on their way to the Binance exchange.

“I mistook it for another legit website that I had used years ago. Basically, I googled ‘Bitcoin paper wallet’ and this scam comes up first,” they told CoinDesk.

Another victim interviewed by CoinDesk lost 50.1 BTC in December. The person deposited funds into a wallet generated by the website, went to get a COVID-19 test and came back to find an empty wallet address.

Still another, who also asked to remain anonymous, lost 1.8 BTC in May 2019. One user on Reddit reported losing BCH to the site as well.

Blockchain analysis provided by BIG shows 7.5 BTC flowing from one of BitcoinPaperWallet’s wallets to the Binance and Poloniex exchanges.

How does the exploit work?

When you create a bitcoin wallet, you have to generate a private key that gives you access to and control over the wallet. To do this, most wallet software uses a random number generator that multiplies one really long random number by another to generate a private key.

One Reddit user, Senor_Curioso, diagnosed in a Reddit thread how BitcoinPaperWallet’s key generation process appears to be used to steal funds. Per the explanation, the wallet generator automatically creates the seed for you when you load it up.

“When you load the wallet generator from the server, it dynamically embeds 60 random number seeds which hide in the HTML as ‘test keys,’” Curioso said. 

Curioso told CoinDesk the test key is, in fact, the wallet’s private key. 

When you generate one of BitcoinPaperWallet’s wallets to create the private key yourself, you have to move your mouse across a pop-up window to create the ‘randomness’ needed to generate a cryptographically secure key.

But “when the generator makes your wallets,” Curioso explained, “the cryptographically secure random seed you made by moving your mouse around is ignored. Instead, those ‘test keys’ are used as seeds to generate predictable public and private keys. … The proof: If you eliminate all but one of the ‘test keys’ in the HTML code, the wallet will simply generate the same private and public key over and over. There is no randomness.”

Since these keys are likely saved on BitcoinPaperWallet’s server, anyone who has access to the site’s backend can sweep them at will, he concluded.

A developer for PrivacyPros vetted Curioso’s findings and confirmed the presence of the back door code. He added that the test_key code for generating the private key behind a user’s back “isn’t present in the source code” in BitcoinPaperWallet’s GitHub repository as originally authored by its creator; the back door code had been added at a later date.

Dustin Dettmer, an independent Bitcoin developer and researcher, verified the findings as well.


Who owns BitcoinPaperWallet?

Up until 2018, BitcoinPaperWallet was owned and operated by Canton Becker, but it was sold to Sarkis Sarkissian in April of that year.

It wasn’t until after the sale that people began reporting losses from wallets generated on the site. Before the shadow play, one source commented, the wallet generator “was a well-known and trusted website used by the Bitcoin community.”

There’s no way to attribute the alleged thefts to any one person with certainty, but that person would have required access to the website’s code in order to sweep the funds. Unlike a phishing scam, where an outsider tricks you into revealing your private key or sending funds to the wrong address, this back door is internal to BitcoinPaperWallet’s design.

One user told CoinDesk he lost 22.5 BTC to the website in mid-2018. By early 2019, others on social media began reporting stolen funds (one of whom lost 22.15 BTC).

When CoinDesk reached out to Sarkissian to request comment on the back door in the wallet’s code, he attributed the losses to “users who never had proper key management in the first place.”

“Indeed, we’ve received complaints from users who claim to have lost their bitcoin using our website. Those complaints are always resolved except for a select few who cannot fathom it was their own fault and must place the blame on us.”

When asked again to clarify if he knew of a back door in his wallet generator’s code, Sarkissian said, “We have searched our source code for the issues present in those documents and we cannot reproduce the same results. Our servers and source code has been verified clean by [our security expert Jonel Richard]. He is still on retainer and continues to investigate, trying to reproduce the issue found by others.”

CoinDesk reached out to Richard to ask for a copy of his analysis but did not hear back by press time.

Both Wendell and another victim have filed police reports with their respective police departments but nothing has come of the investigations thus far. 

BitcoinPaperWallet scams larger holders

BitcoinPaperWallet appears to have featured flawed code since at least the middle of 2018, so how did it go under the radar for so long?

It seems the thief only drained high-value bitcoin wallets or those with at least 1 BTC deposited, not pocket change or smaller sums. According to social media and first-hand accounts, the culprit has stolen at least 124.85 BTC valued at roughly $6.2 million at today’s prices.

BitcoinPaperWallet’s back door is a reminder that, for small or large amounts, storing your bitcoin on a wallet generated from a website is probably not a good idea. In fact, unless you know what you’re doing and generate the paper wallet yourself from scratch, you should just stick with a hardware wallet from a well-known, verified manufacturer and, if you can, secure your funds with a multisignature wallet.

“It is critical wallet generation be completed by a trusted manufacturer in an entirely offline process,” Dettmer told CoinDesk. “You should think of websites, your computer, and the internet generally as trying to voyeuristically get a peek at your seed. Because sometimes they are — and they can steal your entire balance if they succeed.”
