A security researcher from MyCrypto.com, Harry Denley, has posted a detailed – and damning – analysis of paper wallet site WalletGenerator.net.

The core of the analysis hinges on WalletGenerator’s original open-source code, available here. Until August 17, 2018 the online code matched the open-source code and the entire project generated wallets using a client-side technique that took in real random entropy and produced a unique wallet. But sometime after that date the two sets of code stopped matching.

The result? The very real possibility that WalletGenerator is giving the same keys to multiple users. To test this, MyCrypto’s researcher ran the generator in bulk and got some odd results.

“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected. However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”

While the odd behavior was not found as of last Friday (May 24), it could be return at any time.

“We’re still considering this highly suspect and still recommending users who generated public / private keypairs after August 17, 2018, to move their funds,” the researcher says. “We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.”

You can read the entire report here, but Denley recommends moving funds off of your WalletGenerator-based paper wallets. As there is no clear way to contact the “two random guy [sic] having fun with a side project” who apparently run the site, we can safely recommend you avoid the site altogether.

Code image via Shutterstock