Key Highlights:
- U.S. enforcement has seized 120,000 Bitcoins (worth $15 billion) that are linked to key generation flaws in more than 220,000 compromised addresses.
- The flawed pseudorandom number generator was exploited and the private keys were obtained by the U.S. authorities.
- Public disclosure has been issued but users are still transferring funds to these compromised addresses as reported by Cobo co-founder Shenyu.
Cobo Co-founder Shenyu has revealed through social media platform X (formerly known as Twitter), that the U.S. authorities have now gained control of about 120,000 Bitcoins (worth $15 billion). According to Shenyu’s post, these coins were moved mysteriously in 2020, and their seizure by the U.S. authorities indicates one of the biggest cryptocurrency forfeitures ever. It is noteworthy that these keys were acquired not via hacking but through uncovering a critical flaw in the cryptographic key generation process affecting these wallets.
Flawed Pseudorandom Number Generator (PRGN) and Key Predictability
The weakness is in a flawed pseudorandom number generator (PRGN) that created private keys for more than 220,000 Bitcoin addresses. The PRGN had inherited design issues, which included fixed offsets and predictable patterns during the key generation process.
This predictability compromised the randomness of the keys, which made them vulnerable to prediction and allowed the authorities to get hold of these Bitcoins. As a result, law enforcement got the private keys by studying and exploiting the PRNG’s flaw, not by brute-force cracking.
Scope and Impact of the Vulnerability
This issue is said to impact more than 220,000 Bitcoin addresses, which raises significant concern across the crypto ecosystem. A full list of these vulnerable addresses has been made public so that transparency can be maintained, and the wallet holders can be alerted.
Bitcoins in wallets generated with this compromised PRNG are at risk of seizure of theft, since anyone aware of the vulnerability can potentially predict the private keys controlling these funds.
Ongoing Risks Highlighted by Continuing Transactions
Even though a public disclosure has been made, Shenyu also pointed out that some of the users are still sending funds to these vulnerable addresses, unaware they remain at risk of theft or seizure. Users and custodians holding these assets tied to these keys are advised to move their funds immediately to wallets that have securely generated keys using proven cryptographic standards.
Historical Context and Forfeiture by U.S. Authorities
All of this can be traced back to a Bitcoin mining operation that was run by a criminal network known as the Prince Group (this group is said to be connected to mining businesses in China and Iran). In 2020, around 127,000 Bitcoins were lost because of this flaw in the key generation algorithm used by the mining company LuBian.
Later investigation allowed the U.S. authorities to seize these assets, which is the largest confiscation of Bitcoin (worth 15 billion). The seized Bitcoins are now under the control of the U.S. government, with ongoing efforts to manage and potentially auction portions of the recovered funds.
Technical Explanation of PRNG Weakness
Private keys are meant to be generated with true randomness so that they can stay secure. The flaw in PRNG, however, that it used fixed offsets and created patterns that were predictable which reduced the randomness and made it easier to predict their keys. Using deterministic pseudo randomness in security-critical processes violates best practices for cryptographic key generation. This case highlights an important risk that persists in blockchain security. This case highlights that in blockchain security, poor implementation can lead to huge losses.
Also Read: CoinGecko Report Highlights ETH, BNB, & Stablecoins Run
