A significant security flaw has emerged, posing a threat to holders of cryptocurrencies and allowing cybercriminals to compromise specific digital wallets, leading to the pilfering of more than $900,000 worth of Bitcoin, according to SlowMist, a cybersecurity firm focused on blockchain.
This breach, identified as “Milk Sad,” has been exploited by cybercriminals, enabling them to abscond with substantial sums from investors during August 2023.
Impacted Wallets
The vulnerability is centered within Libbitcoin Explorer, a tool widely used for Bitcoin blockchain exploration by cryptocurrency industry developers. Libbitcoin Explorer is integrated into various digital wallets, thereby making them susceptible to potential attacks. Among the services affected, beyond wallets, are Airbitz, Bitprim, Cancoin, Chip-Chap, Darkleaks, Darkwallet, Darkmarket, Mastering_Bitcoin, OpenBazaar, and Teechan.
Operation of Bitcoin Wallet Flaw
This vulnerability revolves around the mechanism of private key generation. During the creation of an address, the tool generates keys randomly to secure wallet access and its contents, comprising a sequence of words. These keys are essential for transactions, and without them, hackers cannot access the wallet. Regrettably, Libbitcoin Explorer employs a 32-bit version of the Mersenne Twister algorithm, which “enables attackers to deduce users’ private keys within days.”
Distrust likened this situation to a scenario where a mass word generator consistently generates the same passwords for each user, putting their accounts at risk. Hackers have recognized these recurring private keys, enabling them to deduce the corresponding word sequence promptly. If a wallet was created using Libbitcoin, the cryptocurrencies contained therein could be vulnerable to theft through a brute-force attack. Hackers can use specialized software to test all potential combinations until the correct one is identified.
Importantly, not only Bitcoin holders are at risk. Distrust’s inquiry disclosed that hackers have “uncovered and actively exploited this flaw to pilfer funds from impacted wallets across multiple blockchains.” Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash networks are also affected.
The Assault and Safeguarding Strategies
Initial attacks commenced in May, as estimated by researchers who notified U.S. federal authorities. These attacks are ongoing, with SlowMist revealing that an early August operation involving MilkSad resulted in the theft of over $250,000. The list of victims continues to grow.
At present, no apparent remedy addresses this vulnerability. Eric Voskuil, a member of the non-profit Institute Libbitcoin behind the tool, acknowledged that the command responsible for the vulnerability was not designed for this use. Changes are anticipated to enhance the warning or eliminate the command in the coming days.
In the interim, SlowMist strongly urges “all users of Libbitcoin Explorer 3.x versions to immediately cease using the affected wallets and transfer funds to secure wallets.” Distrust researchers advise considering a hardware wallet, such as those from Ledger or Trezor, to provide an additional layer of security. For added caution, it is recommended to include a passphrase as an extra security measure alongside the word sequence, offering heightened protection for assets, as stated by Ledger.