Vulnerable Crypto Wallets from the 2010s: Understanding the Randstorm Vulnerability


In the early 2010s, many online cryptocurrency wallets were created using a popular JavaScript library known as BitcoinJS. A set of vulnerabilities, now collectively referred to as Randstorm, has since been discovered, revealing that wallets generated during this period may be at significant risk. The core issue lies in the insufficient randomness used during private key generation, making these wallets far more predictable—and thus easier to compromise—than originally intended.

What Is the Randstorm Vulnerability?

Researchers from Unciphered, a firm specializing in cryptocurrency wallet recovery, identified multiple security flaws within the BitcoinJS library. These vulnerabilities stem from weaknesses in how cryptographic keys were generated, specifically due to inadequate entropy—or randomness—during the process.

Although the issues in BitcoinJS were patched in 2014, any wallets created before this update remain vulnerable. The researchers estimate that several million wallets holding approximately 1.4 million BTC may be affected. Of these, an estimated 3–5% are practically exploitable, representing a potential financial risk of $1.5–2.5 billion.

What makes Randstorm particularly alarming is that it is not merely a theoretical risk. The Unciphered team successfully demonstrated its exploitability by ethically regaining access to several wallets created on Blockchain.info prior to March 2012.

How Did Randstorm Happen?

Modern cryptographic systems, including Bitcoin, rely on highly random private keys to ensure security. Generating true randomness is challenging for computers, which are inherently deterministic. Therefore, cryptographers use pseudo-random number generators (PRNGs) designed specifically for security purposes.

The BitcoinJS library used a function called SecureRandom from the JSBN library to generate these critical random values. SecureRandom was intended to use the browser’s window.crypto.random method to increase entropy. However, most browsers in the early 2010s—including Chrome, Firefox, Safari, and Internet Explorer—did not support this function.

As a result, the JSBN library silently defaulted to using the standard Math.random() function, which is not cryptographically secure. Compounding the issue, Math.random() in browsers like Chrome had known bugs during that period, further reducing randomness and increasing predictability.

This cascade of failures meant that many wallets ended up with private keys that were generated with low entropy, making them susceptible to brute-force attacks.
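
The fallback pattern described above, next to a fail-closed alternative, as an added example that is not code from BitcoinJS or JSBN. All function and field names are hypothetical, and the strong source is assumed to be the modern Web Crypto call crypto.getRandomValues rather than the window.crypto.random call the old library probed for.

```javascript
// Added illustration; names are hypothetical, not taken from JSBN or BitcoinJS.

// Vulnerable pattern: probe for a strong source and, if it is missing,
// fall back to Math.random() without raising any error.
function seedWithSilentFallback(env, nbytes) {
  const out = new Uint8Array(nbytes);
  const c = env.crypto;
  if (c && typeof c.getRandomValues === 'function') {
    c.getRandomValues(out);
    return { bytes: out, source: 'csprng' };
  }
  // Math.random() is not a CSPRNG: its output is derived from a small internal
  // state, so 32 bytes built from it carry far less than 256 bits of entropy.
  for (let i = 0; i < nbytes; i++) out[i] = Math.floor(Math.random() * 256);
  // 'source' is returned only so the demo can show which branch ran; in the
  // pattern the article describes, the caller received no such signal.
  return { bytes: out, source: 'Math.random' };
}

// Hardened pattern: fail closed. No CSPRNG means no key material at all.
function seedFailClosed(env, nbytes) {
  const c = env.crypto;
  if (!c || typeof c.getRandomValues !== 'function') {
    throw new Error('no CSPRNG available: refusing to generate key material');
  }
  const out = new Uint8Array(nbytes);
  c.getRandomValues(out);
  return out;
}

// Constructed environment standing in for a browser with no usable crypto object.
const legacyEnv = { crypto: undefined };

function demo() {
  const weak = seedWithSilentFallback(legacyEnv, 32);
  let refused = false;
  try {
    seedFailClosed(legacyEnv, 32);
  } catch (e) {
    refused = true; // the hardened path surfaces the problem to the caller
  }
  return { weakSource: weak.source, weakLength: weak.bytes.length, refused };
}

console.log(demo());
```

Both functions return 32 bytes that look equally random to the eye; only the fail-closed version makes the missing entropy source visible at generation time.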

Which Wallets Are at Risk?

Wallets created between 2011 and 2015 using online services that relied on vulnerable versions of BitcoinJS are most likely to be affected. The researchers identified several platforms that used the library during this period. Some are still active, while others are no longer operational:

It is not only Bitcoin wallets that may be vulnerable. Other cryptocurrencies that used BitcoinJS-derived libraries—such as Litecoin, Dogecoin, and Zcash—could also be impacted.

Since a comprehensive list of all affected services is nearly impossible to compile, users who created wallets online during this timeframe should assume potential risk, especially if they are unsure which service or library was used.

How to Protect Your Assets

The Randstorm vulnerability cannot be “patched” in existing wallets because the weakness lies in the private keys themselves. Therefore, users must take proactive steps to secure their funds. The only reliable solution is to migrate assets to a new, securely generated wallet.

Below is a step-by-step guide to moving your crypto holdings safely:

  1. Create a New Wallet: Use a modern, reputable wallet provider. Ensure it uses strong, up-to-date cryptographic standards.
  2. Transfer Funds: Move all cryptocurrencies from the old wallet to the new address.
  3. Verify Security Settings: Double-check that the new wallet uses sufficient entropy and follows industry best practices for key generation.

For those looking to enhance their security further, consider these best practices:


Frequently Asked Questions

What is the Randstorm vulnerability?
Randstorm refers to a set of flaws in the BitcoinJS library that caused poor randomness in private key generation. This impacts wallets created between 2011 and 2015, making them easier to hack.

How do I know if my wallet is vulnerable?
If you created a Bitcoin or other cryptocurrency wallet online between 2011 and 2015, it may be at risk. This is especially true if you used platforms like Blockchain.info, BitAddress, or similar services.

Can I update my existing wallet to fix this?
No. The vulnerability is in the private key itself. The only solution is to create a new wallet and transfer all funds.

Are other cryptocurrencies affected?
Yes. Any cryptocurrency that used a derivative of the BitcoinJS library—such as Litecoin or Dogecoin—could be vulnerable.

What’s the worst-case scenario if I don’t migrate my funds?
A malicious actor could brute-force your private key and steal your funds. The risk is higher for wallets with larger balances.

How can I generate a more secure wallet this time?
Choose a modern wallet provider with a strong reputation. Use hardware wallets for significant amounts and enable all available security features.

Conclusion

The Randstorm vulnerability highlights the long-term risks associated with relying on outdated cryptographic libraries. For users who created online wallets in the early 2010s, taking swift action to move funds is essential. By understanding the nature of the flaw and adopting stronger security practices today, you can better protect your digital assets against future threats.

Staying informed and proactive is your best defense in the rapidly evolving world of cryptocurrency.