We made a mistake. We have been doing lots of digging since morning on how this could have happened. We knew this isn't a hardware issue as we never connect any of our hardware to the internet. Plus, we have no backups so this isn't a personnel issue.
The issue is with the keygen software we used.
In full transparency, for the first version of vigilante series, and for the hole coins we have used
https://github.com/bitaddress/bitaddress.org to create keys on an airgap computer.
For VIBGYOR orange we used
https://github.com/walletgeneratornet/WalletGenerator.net again on an airgap computer.
Unfortunately, from what we have been digging into since morning, it looks like walletgeneratornet is actually compromised.
We have learned from our mistake and we can only look forward from here. We have been refunding the clients (still a few to go).
For the next generation of our coins, we will use better keygens + also, print and post sample private keys before using those for the coins.
We appreciate all support from the forum members.
Thank you for sharing the software. However, this does raise more questions, and it would be very helpful to have as many answers as possible.
1. Were the keys generated using the code from this specific GitHub repository on an offline computer (i.e. are you certain it was this repo and not a fork/similar looking clone?)
2. If the repo wasn't directly used and you used the website instead, are you certain it was "walletgenerator.net"? .org has been known to be a phishing site for a long time, and .net presently redirects to .com
3. Are you able to provide the exact date (or narrowest date range) when the generation was done? In the event that there is a malicious site or repo, knowing the exact time frame will assist in scouring sources such as archive.org to find more details
4. You mentioned previously that you still had the original hardware used - I would suggest quarantining it and not using it any further. On that hardware, do you still have a copy of the source code used/website listed in the browser history?
For anyone to look into this in more detail, it is imperative that we have as much information as possible.