A private key in most blockchains is a 256-bit string: brute-forcing such a password for a given address would take millions of years of computing power.
However, crypto wallets remain vulnerable to hacker attacks—due to bugs in applications and user errors. We outline six methods of intrusion and explain how to safeguard funds from theft.
1. Weak Address — Vulnerable keys
Due to a flaw in the random number generator (RNG), a wallet can generate a private key with only a few random bytes. Ideally, the application would operate as follows:
- It generates a random number of the specified length.
- It converts it to the short-format key for the corresponding blockchain.
- It generates the public address from the key.
In this case, the number fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364110 is transformed into the key 5Km2kuu7vtFDPpxywn4u3NLpbr5jKpTB3jsuDU2KYEqeoQJAair, which controls the address 1CaZUpjd7VmsyWDFrk9WG9nTYMLcLLvvCw.
But occasionally the RNG makes a mistake and generates a string with a lot of zeros like 0000000000000000000000000000000000000000ffa3cafff0000000000000000 instead of a truly random number. Hackers call such wallets Weak Addresses.
Attackers create bots. Their algorithms regularly check the balances of weak addresses on Bitcoin and Ethereum networks. If a user generates such an address and sends cryptocurrency to it, the bot immediately steals it.
How to protect yourself: after creating a wallet, verify that the characters are indeed random. Use open-source tools such as Swippcore to convert the short-format key to the long format on your local machine.
2. Random Vulnerability — Extracting private keys from transactions
Bitcoin exists as UTXOs—the unspent transaction outputs. When sending funds, the wallet aggregates them to the desired amount and signs the transaction with a combination of the private key and a nonce.
Due to a RNG flaw, the app can sign different operations with the same nonce. If attackers correlate and decrypt signatures of such transactions, they can derive private keys.
This method is called Random Vulnerability. Using it, hackers cracked more than two thousand wallets for a total of 484 BTC.
According to a Kudelski Security study, the vulnerability also occurs in Ethereum and EVM-compatible networks.
How to protect yourself: keep wallet applications updated, including Bitcoin Core and its equivalents for other blockchains.
3. Weak Brainwallet — Generating keys from non-random data
A brainwallet is a method of creating a private key from a user-supplied phrase instead of a random number. It is easy to remember, and thus to “store in the head.”
Users often generate keys from single words, obvious combinations like 12341234, phone numbers, or quotes from films. Hackers exploit human predictability: they create keys from popular or leaked passwords and then drain the corresponding wallets. In doing so since 2009, criminals have hacked more than 19,000 Bitcoin wallets and stolen at least 4,000 BTC.
How to protect yourself: do not use Brainwallet; if you must, come up with a truly strong password using lowercase and uppercase letters, digits and special characters.
4. Phishing — the user hands over the key
From a technical standpoint, the simplest way to gain access to a wallet is to persuade the owner to send you the key. Attackers impersonate exchange and wallet support staff, well-known figures, or security experts.
For instance, in February 2023, hackers sent users of Trezor fake emails from the company claiming a software wallet breach and asking them to provide the seed phrase for “verification.”
In addition, attackers use on-chain analytics tools to target Bitcoin whales—prominent individuals, project managers, and crypto-influencers. They write personalized letters and contact victims through private channels.
How to protect yourself: never send your private key or seed phrase to anyone.
5. Keys in public view — monitoring GitHub
Developers of blockchain applications and smart contracts sometimes use personal wallets to test code. They may accidentally leave keys in files when publishing projects on hosting services.
Hackers monitor updates and uploads to GitHub, Pastebin and other platforms for storing text notes. They look for strings that start with “5” (Bitcoin keys in WIF format), contain words from the seed phrase dictionary, or match the length of the private key.
How to protect yourself: do not store passwords on your computer in unencrypted files, and do not use your personal wallet for work purposes.
6. Scam sites — generating compromised keys
Since 2019, hackers have used online wallet generators as a tool for theft. Such services may issue the same keys to different users or contain vulnerabilities that allow interception.
Thus, in July 2023, user r/jdmcnair stated that $3,000 in Bitcoin was stolen from a paper wallet that he generated on an online service.
How to protect yourself: do not use websites—generate addresses only on hardware devices or wallet apps.
How to create a secure wallet
Private keys are safer than most passwords, but they can still be vulnerable due to application bugs and human factors.
To avoid a breach, follow these steps for creating a secure Bitcoin wallet:
- Do not use websites to generate addresses—use hardware wallets and apps only.
- Do not generate keys from passphrases and passwords that you can remember: they are more vulnerable than randomly generated combinations.
- After generating a wallet, verify that the characters are indeed random. If more than half of the key’s characters are zeros, it is vulnerable to brute force.
Additionally, it is important not to use personal cryptocurrency addresses for developing Web3 applications and to keep the wallet regularly updated.
Remember: private keys should never be shared with third parties, no matter what they say.