OneKey Wallet Vulnerability Affects Bitcoin Private Keys
OneKey, a cryptocurrency self-custody wallet, revealed a security flaw affecting up to 120,000 Bitcoin private keys. The issue comes from the Libbitcoin Explorer (bx) 3.x library. Several wallets used this library to generate private keys. The flaw was found after the Milk Sad incident. It exposes wallets to brute-force attacks due to a weak random-number algorithm.
OneKey’s report states the problem is linked to bx’s use of the Mersenne Twister-32 algorithm, which is not a cryptographically secure generator. bx seeded it using only the system time. This limited the seed, and therefore every key derived from it, to 2³² possible values. Attackers could predict wallet keys by testing all seeds within days.
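To illustrate the seeding weakness described above, here is an added Python example (not taken from OneKey’s report or from Libbitcoin’s code). It implements the standard 32-bit Mersenne Twister, shows that a 32-bit time seed fully determines the resulting "random" bytes, and contrasts this with the operating system’s CSPRNG. The byte-extraction step, the function names and the clock value are assumptions made for the illustration.

```python
import secrets
from itertools import islice

def mt19937(seed):
    """Standard MT19937 (32-bit): yields the tempered output stream."""
    n, m = 624, 397
    mt = [seed & 0xFFFFFFFF]
    for i in range(1, n):
        mt.append((1812433253 * (mt[-1] ^ (mt[-1] >> 30)) + i) & 0xFFFFFFFF)
    while True:
        for k in range(n):  # regenerate ("twist") the whole 624-word state
            y = (mt[k] & 0x80000000) | (mt[(k + 1) % n] & 0x7FFFFFFF)
            mt[k] = mt[(k + m) % n] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        for y in mt:  # temper each state word before handing it out
            y ^= y >> 11
            y ^= (y << 7) & 0x9D2C5680
            y ^= (y << 15) & 0xEFC60000
            yield y ^ (y >> 18)

def weak_entropy(seed, nbytes=32):
    """Assumed extraction (low byte of each output); not bx's actual code."""
    return bytes(w & 0xFF for w in islice(mt19937(seed), nbytes))

def strong_entropy(nbytes=32):
    """OS CSPRNG: there is no caller-supplied seed to enumerate."""
    return secrets.token_bytes(nbytes)

def find_seed(entropy, candidate_seeds):
    """Audit check: does any seed in the range reproduce this entropy?"""
    for s in candidate_seeds:
        if weak_entropy(s, len(entropy)) == entropy:
            return s
    return None

if __name__ == "__main__":
    t = 1_700_000_000  # constructed clock value, used as the 32-bit seed
    key = weak_entropy(t)
    # Two generators started on the same tick produce the same 256 bits.
    print("same seed, same key:", key == weak_entropy(t))
    # The "secret" is recoverable from a small window around its creation time.
    print("seed recovered:", find_seed(key, range(t - 50, t + 50)))
    # CSPRNG output is not reproducible from any seed in that window.
    print("CSPRNG match:", find_seed(strong_entropy(), range(t - 50, t + 50)))
```

Although the weak output is 256 bits long, it carries at most 32 bits of entropy, because the seed is the only unknown.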
OneKey confirmed on X that the vulnerability does not affect the mnemonic or private key security of any OneKey hardware or software wallet.
OneKey’s Security Testing and Recommendations
OneKey tested its mnemonic generation on macOS, Windows, Android, and iOS. All platforms use cryptographically secure random number generators. These generators meet NIST SP 800-22 and FIPS 140-2 standards. The browser version uses Chrome’s built-in security tool for randomness. Android and iOS apps rely on secure systems within each phone’s operating system.
Each OneKey hardware wallet has a dedicated chip that generates random numbers inside the device. This reduces tampering risks. Older models also use secure systems that meet global standards. OneKey advises users not to transfer recovery phrases from software wallets to hardware wallets. Weaker randomness in software wallets could make private keys easier to guess.
Malware Hidden in Blockchain Smart Contracts
Security experts from Cisco Talos and Google discovered a North Korean hacking group called Famous Chollima hiding malware in blockchain smart contracts. The group uses a method called “EtherHiding” to embed harmful code. They mainly target job seekers with fake interviews to steal crypto and personal data.
The Libbitcoin Explorer flaw highlights the importance of true randomness when creating wallet keys. Hardware wallets that generate keys internally make it harder for hackers to guess them.