New research on a huge cluster of weak cryptocurrency wallets, which is 85 times bigger than previously known.
Strange Wallet Cluster in MT19937 256bit
Previously Known Information
During the initial Milk Sad research in 2023, our research group found a large number of weak wallets with surprisingly similar creation details and on-chain usage. They were generated from the Mersenne Twister pseudo random number generator (PRNG) in a way that was consistent with vulnerable libbitcoin-explorer software versions. We described them in the first writeup:
[…] The majority of these wallets, a group of over 2550, has an oddly similar usage pattern with small deposits around the same dates in 2018. We think this is the result of some automatic tool use of bx, and that these wallets may actually share the same owner. We’re not sure what this experiment was about, but they’re all in the 256 bit seed output range and have a BIP49 address type (‘3’ prefix), which helps distinguish them a bit from other addresses. […]
As outlined in update #1, this collection of weird wallets made up the majority of the >2600 weak wallet keys we discovered in that sub-range. Considering the sheer number of private keys which were used in a short period of time, they were clearly not “normal” wallets of average users. There had to be some automation involved.
Wallets in this cluster have the following properties:
- 256 bit BIP39 key = 24 word mnemonic phrase
- Key generated from Mersenne Twister MT19937-32 output
- Most significant 8 bit used per 32-bit MT19937 output round
- A pattern used by libbitcoin-explorer, but not exclusive to it
- P2WPKH-nested-in-P2SH address type with 3-prefix
- BIP32 derivation path m/49'/0'/0'/0/0 exclusively, no other addresses
- Bitcoin mainnet usage, no (known) Ethereum usage
- One-time deposits of small Bitcoin sums
- Bitcoin gets spread out to more and more addresses
- Activity around 2018-10-03 to 2018-10-08
Some examples:
- 36BcfU1eM3G5BUaQk8aofgvANzVwcBuzJt
- 36BYNHckzC6K9LxgFi9ufb5CKYDSM9HqxD
- 36ciJQsX3chTs9Nzz2J79E7L23jsNHjTez
Often seen amounts:
- 0.00019555 BTC (initially)
- 0.00000918 BTC (+- some percent)
- 0.00000602 BTC (+- some percent)
The ultimate purpose of these wallets is still a mystery to me. From the outside, the cluster behavior looks like a do-it-yourself attempt at a Bitcoin mixer, but some points speak against this:
- Moving small Bitcoin amounts over many different addresses leads to comparatively high transaction fees, spending much of the transferred value in the process.
- If the idea was to have many different addresses, why not use a single wallet with many sub-addresses, instead of many different wallets with a single address?
- Many wallets have suspiciously similar balances, making them stick out among other more heterogeneous address usages on the blockchain.
- For multiple years, the funds remained unused.
Discovering Many New Wallets
After setting aside this mystery for a while, I recently received a crucial hint about these wallets from a white hat security researcher who wants to remain unnamed. As you’ll see, it unlocks a much broader view into this cluster of weak wallets.
The 2630 initial wallets found in 2023 were only the tip of the iceberg. By searching in different regions of PRNG output than before, I can now reconstruct and identify over 227200 distinct wallets in this group (!), all of which have valid on-chain usage on the Bitcoin mainnet. They probably make up the biggest group of publicly reported weak cryptocurrency wallets. The small relative and combined balance of the wallets does limit their overall importance compared to other discoveries, but that’s still a lot of weak keys!
Technical Details
The crucial new trick is that the wallet creator of the P2WPKH-nested-in-P2SH wallets generated more than one private key from a Mersenne Twister PRNG output stream before re-seeding the PRNG. In many cases they generated at least 2 keys, often 18 keys, and in some cases over 100 different keys in sequence from a single continuous PRNG output stream.
With libbitcoin-explorer, the vulnerable generation logic produces only a single key per seeding position, so that’s what we looked for originally. The new discovery implies that the wallet creator used some other software for key generation (likely a custom one), which made this harder to find.
Fortunately, the sequential nature of the key generation now makes it easier to search for other wallets that belong to this cluster. I’ve probably found the majority of wallets and addresses at this point, but there may be more of them out there.
Current Status
By now, the remaining funds have been drained by unknown actors. This started in May of 2023, but mostly happened between December of 2023 and January of 2025. I suspect that the funds were moved illegitimately by attackers who figured out the PRNG offset calculation, and waited for periods of low bitcoin fees to move them. As usual, it’s hard to say if these transactions were done with permission until the real owner comes forward and declares it a theft, so take this as an unconfirmed theory.
Usage Statistics
| Number of wallets | Offset in PRNG rounds | Remarks |
|---|---|---|
| 2630 | 0 | Discovered originally |
| 47181 | 32 | Full search |
| 10286 | 64 | Full search |
| 10079 | 96 | |
| .. | .. | |
| 10000 | 544 | |
| 7556 | 576 | Full search |
| 90 | 3200 | |
| 10 | 3232 | |
| 227294 | All | Total sum |
Each key consumes 32 rounds of PRNG output (one byte from each 32-bit output, 32 bytes per 256-bit key), therefore consecutive keys begin at offsets 0, 1*32, 2*32, … and so on. There are a few anomalies with skipped keys or unusual offsets, but they’re rare.
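As an added example (not code from the Milk Sad writeup, from libbitcoin-explorer, or from the unknown wallet creator's tool), the following Python reproduces the key generation pattern described in this section: a 32-bit-seeded MT19937, the top byte of every output used as one byte of entropy, 32 rounds per 256-bit key, and several keys cut from one continuous stream at offsets 0, 32, 64, … without re-seeding. It then shows why the sequential structure makes the cluster searchable: given one recovered key, `find_offset` locates its offset in a candidate seed's stream (with `step=1` also covering the rare unaligned anomalies), and `search_seeds` brute-forces a (seed, offset) pair over a candidate seed range. The MT19937 implementation, the function names, the demo seed and the candidate seed range are assumptions of this example; the writeup does not state how the custom tool derived its seed.

```python
"""Sequential 256-bit keys from one MT19937 stream, top byte per output.
Added example; constants and seeds below are constructed for illustration."""
from typing import Iterable, List, Optional, Tuple


class MT19937:
    """Minimal MT19937-32, equivalent to std::mt19937 seeded with a 32-bit value."""
    N, M = 624, 397
    MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

    def __init__(self, seed: int) -> None:
        mt = [0] * self.N
        mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):  # init_genrand() from the reference code
            mt[i] = (1812433253 * (mt[i - 1] ^ (mt[i - 1] >> 30)) + i) & 0xFFFFFFFF
        self.mt, self.index = mt, self.N

    def _twist(self) -> None:
        mt = self.mt
        for i in range(self.N):
            y = (mt[i] & self.UPPER) | (mt[(i + 1) % self.N] & self.LOWER)
            mt[i] = mt[(i + self.M) % self.N] ^ (y >> 1) ^ (self.MATRIX_A if y & 1 else 0)
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


KEY_ROUNDS = 32  # one 256-bit key = 32 bytes = 32 PRNG rounds, one byte per round


def entropy_stream(seed: int, n_bytes: int) -> bytes:
    """Most significant 8 bits of each 32-bit output, as in the wallet pattern."""
    mt = MT19937(seed)
    return bytes(mt.next_u32() >> 24 for _ in range(n_bytes))


def keys_from_stream(seed: int, n_keys: int) -> List[bytes]:
    """Cut n_keys consecutive 256-bit keys from one stream without re-seeding."""
    stream = entropy_stream(seed, n_keys * KEY_ROUNDS)
    return [stream[i * KEY_ROUNDS:(i + 1) * KEY_ROUNDS] for i in range(n_keys)]


def find_offset(seed: int, key: bytes, max_rounds: int = 4096,
                step: int = KEY_ROUNDS) -> Optional[int]:
    """Offset in PRNG rounds at which `key` starts in the stream of `seed`, or None.
    step=KEY_ROUNDS checks the aligned positions 0, 32, 64, ...; step=1 also
    catches keys that start at an unusual, unaligned offset."""
    stream = entropy_stream(seed, max_rounds + KEY_ROUNDS)
    for offset in range(0, max_rounds + 1, step):
        if stream[offset:offset + KEY_ROUNDS] == key:
            return offset
    return None


def search_seeds(key: bytes, seeds: Iterable[int],
                 max_rounds: int = 4096) -> Optional[Tuple[int, int]]:
    """Brute-force a (seed, offset) pair over candidate seeds, e.g. a range of
    32-bit timestamps. The real tool's seed derivation is unknown, so the
    candidate seed space is an assumption of this example."""
    for seed in seeds:
        offset = find_offset(seed, key, max_rounds)
        if offset is not None:
            return seed, offset
    return None


if __name__ == "__main__":
    # Constructed demo seed (a 2018-10-03 unix timestamp); any 32-bit value works.
    demo_seed = 1538524800
    keys = keys_from_stream(demo_seed, 4)
    for i, k in enumerate(keys):
        print(f"key {i} at offset {i * KEY_ROUNDS:4d}: {k.hex()}")
    # Recover seed and offset of the third key from a small window of candidates.
    print("recovered:", search_seeds(keys[2], range(demo_seed - 5, demo_seed + 5)))
```

With a real search, the candidate seed range and the maximum offset are the two knobs: the table above shows keys out to offset 3232, so `max_rounds` must cover at least that, and the small number of seeds per stream is what makes a full sweep over 2018 timestamps tractable.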
Address Data
The research data repository now has a complete list of known addresses for the wallet cluster, if other researchers are interested.
More research on other wallets to follow, so stay tuned!