Elliptic Curve Cryptography and Government Backdoors
by Pythagoras33 on 20/02/2021, 10:34:05 UTC
Assuming that the attacker generated the constants used in the Dual EC pseudorandom number generator: it has been known for several years that an attacker who generated these constants and sees a long enough stretch of Dual EC output bits can predict all future outputs. This could be a problem, since in the very early days of Bitcoin it was common to pay to public keys (P2PK) directly?
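As an added illustration (not part of the post above), here is a toy Dual EC DRBG on a small constructed curve over F_103 that shows the trapdoor the post refers to: whoever picked the constant P = d*Q and kept d can turn a single output back into the next internal state and predict every later output. The curve, the scalar d, the seed and the function names are this example's own assumptions; the real generator used P-256 and truncated each output, which the toy omits so one output recovers the state directly.

```python
P_MOD = 103          # prime field; p % 4 == 3, so sqrt(v) = v^((p+1)/4) mod p
A, B = 2, 3          # constructed toy curve y^2 = x^3 + 2x + 3 over F_103
INF = None           # point at infinity

def inv(v): return pow(v, P_MOD - 2, P_MOD)

def add(p1, p2):                       # affine addition, handles doubling and infinity
    if p1 is INF or p2 is INF: return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF
    lam = (3*x1*x1 + A) * inv(2*y1) if p1 == p2 else (y2 - y1) * inv(x2 - x1)
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)

def mul(k, pt):                        # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def x_of(pt):
    # x = 0 is reserved for infinity: 3 is a non-residue mod 103, so no curve point has x = 0
    return 0 if pt is INF else pt[0]

Q = (3, 6)        # public base point: 27 + 6 + 3 = 36 = 6^2 mod 103
D = 17            # trapdoor scalar (constructed), known only to whoever chose the constants
P = mul(D, Q)     # the published "random-looking" constant P = d*Q

def dual_ec_outputs(seed, n):
    """Simplified Dual EC: s_i = x(s_{i-1} P), r_i = x(s_i Q); returns r_1..r_n untruncated."""
    s, outs = seed, []
    for _ in range(n):
        s = x_of(mul(s, P))
        outs.append(x_of(mul(s, Q)))
    return outs

def attacker_predict(r, n):
    """Trapdoor use: from output r = x(s_i Q) recover R, then s_{i+1} = x(d*R) = x(s_i P)."""
    if r == 0: R = INF
    else:
        rhs = (r**3 + A*r + B) % P_MOD
        R = (r, pow(rhs, (P_MOD + 1) // 4, P_MOD))   # either root: d*(-R) = -(d*R), same x
    s = x_of(mul(D, R))
    preds = []
    for _ in range(n):
        preds.append(x_of(mul(s, Q)))
        s = x_of(mul(s, P))
    return preds
```

Without d, recovering s_i from r would require solving a discrete logarithm; with it, the "random" constants are a master key to the stream, which is why constants generated by an untrusted party are a risk for any scheme built on them.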