Millions of Cryptocurrency Wallets Found Affected by Randstorm Flaw | Cyware Hacker News

Millions of browser-based cryptocurrency wallets are affected by an open-source software vulnerability that can be abused by attackers to steal over $1 billion worth of cryptocurrency. The vulnerability, dubbed as Randstorm, affects the 0.13 version of Bitcoin JS, a popular JavaScript library used to generate cryptocurrency wallets.

More in detail

The vulnerability primarily affects multiple crypto projects and blockchains generated using BitcoinJS between 2011 and 2015.

  • According to advanced cryptocurrency recovery company Unciphered, the Randstorm vulnerability can be abused by gaining access to the 32 to 64-bit GUID wallet number generated during the wallet creation.
  • Since these numbers are available one in several thousand instead of one in a trillion, they make wallets susceptible to brute-force attacks.
  • While the vulnerability is exploitable, the amount of effort required to exploit vulnerable wallets varies, and that considerably increases over time.
  • Researchers found that it was more difficult to launch an attack against impacted wallets generated in 2014 as compared to those generated in 2012.

Affected wallets

  • At least 15 vendors are affected by the vulnerability and these include the names (renamed,, Bitgo, Bitcore by BitPay, and BitPay. 
  • Litecoin and Zcash wallets are also possibly affected by the flaw. 
  • Many GitHub projects that incorporated BitcoinJS during the affected time frame could also be vulnerable to cyberattacks.


Individuals with assets in the affected wallets are suggested to move to a newly generated wallet created with better-trusted software. Besides, vendors are recommended to audit the GitHub library and BitcoinJS ecosystem to determine that the sensitive information and financial assets of users are secure.