Beware! This Malware Can Steal Private Keys From Bitcoin Hardware Wallets

A group of Bitcoin researchers have uncovered a new malware that can extract private keys from Bitcoin hardware wallets. Although the attack, dubbed Dark Skippy, was discovered within the context of Bitcoin devices, it may apply to contexts outside the leading digital asset.

Robin Linus, author of the Bitcoin Virtual Machine (BitVM) white paper and core contributor to the Bitcoin zero-knowledge proofs developer, ZeroSync, discovered the attack vector during an X discussion in mid-December 2023.

Since then, the BitVM author and other Bitcoin contributors have been investigating the malware as part of a security workshop, finding that it was more effective than previously expected; an attacker can steal a 12-word seed phrase using a decent laptop with minor computational resources.

How Does Dark Skippy Work?

Dark Skippy requires an attacker to corrupt a signing device with malicious firmware. To do this, the attacker could tamper with the target device, trick a user into installing malicious firmware onto their device, or build and sell malicious devices.

Corrupting a device would alter its signing firmware from the regular Schnorr signing. Hence, the wallet would deliberately use a weak and low entropy secret nonce, which constitutes a part of the seed to be stolen, instead of sampling random secret nonces from 32 bytes. The signer would also use the first eight bytes of a 12-word phrase for the first input signature’s nonce and the remaining eight for the second nonce.

The attacker can detect transactions executed by the corrupted signing device in several ways. One is scanning the Bitcoin mempool for affected transactions and running an algorithm on the signature’s public nonces to produce the needed 16 bytes of entropy and the seed phrase. Another is blinding the nonces, watermarking the affected transactions for easy identification on-chain, and extracting the seeds.

Possible Mitigations

Linus and his teammates deemed Dark Skippy the “best-in-class attack” for malicious signing devices because it is impractical to detect, requires no additional communication channels except the Bitcoin network, and works against stateless devices.

Possible mitigations for the attack include anti-exfiltrating signing protocols offered by some signing devices. The team said new mitigation ideas would require developer review and input. While the malware is not in the crypto space yet, they intend to release a demonstrating code providing functionality for building and decoding the malicious signatures in September.