This is for the website, not for the code on GitHub which RC said he used.
One of the main reasons this vulnerability was found was by comparing the two code bases, which revealed the addition of the malicious code.
From that Medium article you posted (2019):
'At this time, the code on GitHub is not malicious nor vulnerable, nor has it been malicious or vulnerable previously.'
Last check-in for that code on GitHub appears to be 7 years ago.
Even if that code was compromised, if it was on an air-gapped system there's no way it could have communicated the keys back to the malicious actors.
Something doesn't smell right here.
Okay, I was about to remove my negative trust for this incident considering the refunds and finally revealing the software, but it still doesn't add up. If the GitHub repo that raritycheck cited is not vulnerable, then there is more to the story. Surely after 7 years someone would have reported an issue on GitHub.
It was pure luck. We wanted to try creating vanity addresses (1O) for VIBGYOR coins so we looked at multiple options.
In the end we didn't end up creating vanity addresses,
but still went with the software we were trying to generate vanity addresses with.
We are currently trying to help every impacted customer.
Please note that we aim to reach out to every single one by Sunday evening.
Additionally, you stated that you used this software to generate vanity addresses, but it does not support generating vanity addresses. From what I can tell it offers no functionality above what bitaddress.org does except for supporting dead shitcoins.
I don't want to seem like we are being overly critical, and I want to commend you for refunding people, but the fact you waited this long to even give us the name of the software tells me you are still not sharing the full story.
Perhaps because it said vanitygen, they assumed it would do such, but maybe they changed their mind or figured after the fact it didn't, but decided to stick with it for whatever reason(s). Not sure, but maybe that's possible. The addresses that were sweeping seemed to be collecting coins from a few, if not many, sources. Seems things will come to light sooner rather than later.
Hybridsole's point is that nowhere on either the website or on GitHub does it say that it supports generating vanity addresses. RC said that this was the impetus for switching to this keygen method, which makes zero sense given that it's not listed as a feature. There's a whole bunch of things here that do not line up or make sense, which is worrying.
My bet is that for whatever reason they didn't have the original systems that they used to create keys for the vigilante coins. They then, to shortcut, decided to generate keys using walletgenerator.net, but not by using the code from GitHub on an air-gapped system, but directly from the webpage.
That Medium article came out in late 2019: we know the webpage was vulnerable around that timeframe. In looking at a lot of the funding transactions that were swept the other day (both the VIBGYOR coins and other unfortunate souls), the ones I looked at appeared to be in the timeframe of 2020 to 2022. My guess is that the malicious code was removed from the webpage in 2019 right after the article came out, then added back in 2020. It collected keys throughout 2020 to 2022, catching the VIBGYOR coins that were done through the webpage, and they are now being swept in 2024.
There is nothing more important than key generation and preservation on these collectables, and these coins (and the lost coins, it seems) fail spectacularly in this regard. Not only was the key generation done with little to no care or research, but then the preservation medium (paper, ink, legibility) was done with little regard to redeeming in the future.
Most worrying of all is that this maker has been dodging questions, not sharing information in a timely fashion that would help other scam victims, and then when they do share information, none of it makes logical sense. You guys really want to give a pass to that? Say everything is 100% in order and RC should be trusted? More than likely they didn't want to share that they used the website because it is extremely negligent and would shatter trust.
We are not hiding anything.
We are sorry if something doesn't make sense. When we were creating keys for VIBGYOR we were (don't remember what other soft gen) but we were looking to generate 1O (1Orange) for the first coins in the series. That's all we remember as the real reason for the change of key gen solution.
And moved from bitaddress to walletgenerator. That's what we meant when we said we unluckily changed software.
We took some time because it was 1 am last night by the time we were responding to messages.
Then we woke up and went to work (day job). Then we came back and checked as much history as possible, and researched as much as possible, only to realize that walletgenerator is compromised.
But we are not hiding anything.
We didn't answer because we weren't sure how this happened, but as soon as we had time we responded.
Seavodin, you have bought a few coins from us. What does your heart say? Did we really do something intentionally?
What do your interactions with us say? Will we hide something or make up something?
Do you not think we are always helpful and caring as much as possible?
We are humans and yes, a mistake was made for the VIBGYOR series.