Cointelegraph

‘Dark Skippy’ method can steal Bitcoin hardware wallet keys

Security researchers have discovered a troubling new method, which they’ve named “Dark Skippy,” that hackers can use to extract private keys from a Bitcoin hardware wallet with only two signed transactions.

The vulnerability potentially affects all hardware wallet models, but it can only work if the attacker tricks the victim into downloading malicious firmware.

A previous version of the method required the victim to post “dozens” of transactions to the blockchain. But the new “Dark Skippy” version can be performed even if the victim only posts a couple of transactions to the blockchain. In addition, the attack can be executed even if the user relies on a separate device to generate seed words.

The disclosure report was published by Lloyd Fournier, Nick Farrow and Robin Linus on Aug. 5. Fournier and Farrow are co-founders of hardware wallet manufacturer Frostsnap, while Linus is a co-developer of Bitcoin protocols ZeroSync and BitVM.


According to the report, a hardware wallet’s firmware can be programmed to embed portions of the user’s seed words into “low entropy secret nonces,” which are then used to sign transactions. The resulting signatures get posted to the blockchain when transactions are confirmed. The attacker can then scan the blockchain to find and record these signatures.

The resulting signatures contain only “public nonces,” not the portions of seed words themselves. However, the attacker can enter these public nonces into Pollard’s Kangaroo Algorithm to successfully compute the secret nonces from their public versions.

Pollard’s Kangaroo Algorithm, discovered by mathematician John Pollard, is an algorithm in computational algebra that can be used to solve the discrete logarithm problem.
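The following is an added illustration, not code from the researchers' report or from any wallet firmware, of why a low-entropy secret nonce gives no protection once its public form is visible: Pollard's kangaroo finds an exponent known to lie in a range of width w in roughly √w group operations instead of w. The toy group (integers modulo 2^31 − 1 with generator 7), the 20-bit nonce and all function names are assumptions made for the demo; Bitcoin signatures use the secp256k1 elliptic curve.

```python
import math

# Toy group (assumption for this demo): integers mod the prime 2^31 - 1 with
# primitive root 7. Only the search idea carries over to a real curve.
P = 2**31 - 1
G = 7

def public_nonce(secret_nonce):
    """The value visible in a signature: G^k mod P, never k itself."""
    return pow(G, secret_nonce, P)

def kangaroo(target, width, max_tries=16):
    """Pollard's kangaroo: find k in [0, width) with G^k == target (mod P).

    Returns (k, group_operations), or (None, group_operations) on failure.
    """
    half_root = (math.isqrt(width) + 1) // 2
    r = 1
    while (2**r - 1) // r < half_root:   # power-of-two jumps, mean ~ sqrt(width)/2
        r += 1
    jumps = [2**i for i in range(r)]
    steps_g = [pow(G, s, P) for s in jumps]
    mean = sum(jumps) // r
    ops = 0
    for salt in range(max_tries):        # a different pseudo-random walk per attempt
        # Tame kangaroo: starts at the known exponent `width`, records its path.
        tame, y, d = {}, pow(G, width, P), width
        for _ in range(4 * mean):
            tame[y] = d
            i = (y + salt) % r
            y, d = y * steps_g[i] % P, d + jumps[i]
            ops += 1
        tame[y] = d
        # Wild kangaroo: starts at the unknown exponent k, tracks distance only.
        y, travelled = target, 0
        while travelled <= d:
            if y in tame:                # same point, so k + travelled == tame[y]
                k = tame[y] - travelled
                if 0 <= k < width and pow(G, k, P) == target:
                    return k, ops
                break
            i = (y + salt) % r
            y, travelled = y * steps_g[i] % P, travelled + jumps[i]
            ops += 1
    return None, ops

def demo():
    width = 2**20            # 20-bit nonce range, constructed for this example
    secret_nonce = 0xB17C5   # constructed value standing in for a chunk of seed data
    k, ops = kangaroo(public_nonce(secret_nonce), width)
    return secret_nonce, k, ops, width
```

The operation count returned by `demo()` stays far below the 2^20 candidates a linear search would try, which is why a signer's nonce has to be drawn from the full group order.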

According to the researchers, a user’s full set of seed words can be derived using this method, even if the user only produces two signatures from their compromised device and even if the seed words were produced on a separate device.