A recent study has shown that approximately 120K Bitcoin Keys Exposed resulted from a vulnerability in a Bitcoin library employed by some wallets. The issue originated from Libbitcoin Explorer (bx) 3.x, a software which created private keys with a predictable pattern.
Source: X (formerly Twitter)
This allowed hackers and even investigators to guess wallet keys. OneKey, which is cited in the reports, explained that its hardware wallets are secure and unaffected.
How the Vulnerability Happened
The problem resulted from the way the library generated random numbers. It employed an Mersenne Twister-32 algorithm that was based solely on the system time. With the system time seed having only 2³² possible values, it was possible to determine it. The crypto private keys could be reconstructed in days once the pattern was known.
This vulnerability exposed addresses to brute-force attack, where computers randomly try millions of combinations within a short time. Millions of dollars’ worth of Bitcoin might have been lost had someone used this vulnerability.
Which Wallets Were Impacted
The vulnerability impacted a number of popular addresses:
-
Trust Wallet Extension version 0.0.172 to version 0.0.183
-
Trust Wallet Core versions through 3.1.1 (excluding 3.1.1)
-
Any wallet that utilized Libbitcoin Explorer (bx) 3.x
Experts put the number of wallet addresses that may have been generated through this vulnerable system at over 220,000. That left a significant number of key wallet exposed to attacks.
How Law Enforcement Exploited the Weakness
Interestingly, the 120K Bitcoin Keys Exposed issue was not caused by hackers. U.S. law enforcement allegedly found the vulnerability and exploited it in order to gain lawful access to addresses associated with older cases.
The amount seized was approximately 120,000 BTC, which was valued at approximately $3.7 billion in 2020. The value rose with Bitcoin price growth to almost $15 billion by 2025, and it became one of the largest Bitcoin recoveries in history.
The report came out by the research team Milk Sad, who revealed that the poor randomness made the key predictable.
OneKey’s Assurance to Users
Following the news, OneKey has assured that none of their addresses have been compromised. Their hardware wallets employ a Secure Element (SE) chip with a True Random Number Generator (TRNG).
This makes key unreproducible and compliant with the highest standards such as EAL6+, NIST SP800-22, and FIPS-140-2.
Even OneKey’s software wallets desktop, mobile, and browser are secure because they utilize secure random number generators that are incorporated into Android, iOS, and contemporary operating systems.
OneKey recommended that users store long-term in hardware addresses and not import old mnemonics from less secure wallets.
Lessons for Crypto Users
The 120K Bitcoin Keys Exposed event illustrates how technical errors as small as not using a minus sign can cost billions of dollars. Randomness is critical in crypto since predictable keys can compromise even the strongest encryption.
Crypto investors must select wallets with established security and steer clear of shortcuts in code. With digital assets increasing, even a single vulnerable key can expose enormous sums of money to risk. In crypto, the most valuable currencies are trust, transparency, and randomness.
