Of course they can. And in many cases they will, if users don't protect their addresses. This is why we have implemented a lot of double factor authentication methods :

Frozen Addresses - You can freeze an address for a period. From a frozen address one cannot spend funds.

Restricted Recipients - By activating this option you will be able to send funds from the address only to a group of up to five other addresses. If an attacker takes control of the address, he/she can only send funds to a specified group of addresses.

Multisignatures - A multi-signature address is an address that is associated with more than one private key. Spending funds from a multisig address requires signatures from up to 5 other addresses.

One Time Passwords - A one-time password (OTP) is a password that is valid for only one transaction, on a computer system or other digital device. Spending funds from an OTP address requires an unique password.


For example, you have a wallet with hiddenwallet.org and you want your coins safe. You follow the steps :

- You open an account to maskplace.net
- Attach your main address on  hiddenwallet a security option like Restricted Recipients pointing to your maskplace address.

An that's it. Even if the owner of hiddenwallet web node OWNS your private keys he / she will be able to send funds only to your address at maskplace.

And of course you could attach the same security option to your maskplace address to point to even another address on another wallet and so on...

It's trivial for a user to setup a really complex security scheme for his / her addresses.