Board: Collectibles
Topic: Re: RarityCheck VIBGYOR gilded #12 swept yesterday.
by raritycheck on 09/08/2024, 05:27:52 UTC
We made a mistake. We have been doing lots of digging since morning on how this could have happened. We knew this isn't a hardware issue as we never connect any of our hardware to the internet. Plus, we have no backups so this isn't a personnel issue.

The issue is with the keygen software we used.

In full transparency, for the first version of vigilante series, and for the hole coins we have used https://github.com/bitaddress/bitaddress.org to create keys on an airgap computer.

For VIBGYOR orange we used https://github.com/walletgeneratornet/WalletGenerator.net again on an airgap computer.
Unfortunately, from what we have been digging into since morning, it looks like walletgeneratornet is actually compromised.

We have learned from our mistake and we can only look forward from here. We have been refunding the clients (still a few to go).

For the next generation of our coins, we will use better keygens and also print and post sample private keys before using those for the coins.

We appreciate all support from the forum members.

Thank you for sharing the software. However, this does raise more questions, and it would be very helpful to have as many answers as possible.

1. Were the keys generated using the code from this specific GitHub repository on an offline computer (i.e. are you certain it was this repo and not a fork/similar looking clone)?
2. If the repo wasn't directly used and you used the website instead, are you certain it was "walletgenerator.net"? .org has been known to be a phishing site for a long time, and .net presently redirects to .com.
3. Are you able to provide the exact date (or narrowest date range) when the generation was done? In the event that there is a malicious site or repo, knowing the exact time frame will assist in scouring sources such as archive.org to find more details.
4. You mentioned previously that you still had the original hardware used - I would suggest quarantining it and not using it any further. On that hardware, do you still have a copy of the source code used/website listed in the browser history?

For anyone to look into this in more detail, it is imperative that we have as much information as possible.

Hi Raghav

We know you are trying to help and we will answer your questions.
But please note that most of the team are software engineers in their day job and the only mistake in this whole process is that we truly blindly trusted a compromised software.

We think the wallet generator either has a back door or someone has done an RNG attack.

How we created the keys was: we connected the computer via lab cable to the internet to download the client-side site from walletgenerator and then disconnected the cable.
No hardware (printer) was connected to wifi.

All hardware is wiped (Windows uninstalled and hard disk wiped) after usage.

About dates, that is the main reason why we took some time. After I reached home after my day job I started looking at my personal device to check historically when was the first time I was researching key gen software, and looking at all sales threads, and when exactly it could be that we created the keys.
But unfortunately, as we have no backup of any kind, it is impossible to tell exactly. But we feel it might be between July and November 2022.