2 comments

[ 2.8 ms ] story [ 13.1 ms ] thread
The wallet address was a bunch of leading zero's, indicating it was probably generated from a vanity address - likely Profanity. Which was recently discovered to have a fault in the private key generation resulting in a 2^32 key space.

The way profanity works is from its (very small) private keyspace, it chooses a key at random. It generates a public key using secp256k1.

Then it repeatedly (embarrassingly parallel) adds the point 'P' (as defined in the spec) to the public key coordinate, and hashing to check the address is a desirable vanity address. Repeat. Once a desirable vanity address is found, the private key for the vanity address is the original private key plus the number of 'P' additions required.

So to crack these, all the attacker needs to do is find a target address (eg Wintermute), a transaction it has done before exposing its public key.

Using a previously generated dictionary of private:public key pairs for the 2^32 compromised address space (only a few hundred gb), it repeatedly subtracts 'P' from the publicKey and checks if it's a known pubkey in the dict. Repeat until you find a known Private:Public keypair. The private key of the target address is this private key plus the number of subtractions required. Trivial to brute force an 8 digit vanity address.