Research . Vulnerability

The 2013 Android SecureRandom flaw

In 2013, Android’s random-number generator wasn’t as random as it should have been — and Bitcoin wallets that trusted it leaked their private keys through the very transactions they signed.

2026년 7월 업데이트 · KeychainX — 2017년부터 지갑 복구 서비스 제공

This is a landmark example of a platform-level randomness failure with direct financial consequences. In August 2013 a weakness in Android’s SecureRandom implementation meant that values assumed to be unpredictable weren’t, and Bitcoin wallets on affected devices exposed their keys. This page documents what happened and why it still matters for old Android wallets.

Why signatures need randomness

Every time a Bitcoin wallet spends, it signs the transaction with ECDSA, and each signature requires a fresh, unpredictable random number — the “nonce”, or k value. The security of ECDSA depends absolutely on that number being unique and secret for each signature. Reuse the same k across two signatures, and the mathematics allows anyone to compute the private key from the two public signatures. It is one of the sharpest “small mistake, total loss” edges in cryptography.

The SecureRandom flaw

Android apps drew that randomness from the system SecureRandom. In 2013 it emerged that, under certain conditions, Android’s implementation was not properly seeded — it could return predictable or repeated output. For Bitcoin wallets, that meant the critical k value in signatures was sometimes repeated. Two transactions from the same wallet that reused a k value handed an observer everything needed to derive the private key straight off the public blockchain.

The impact

Because Bitcoin transactions are public, attackers could scan the chain for the tell-tale repeated nonces and sweep the exposed wallets. A number of Android Bitcoin wallets were affected, and funds were stolen before the ecosystem responded. The official response urged affected users to generate new keys and move their coins, and wallet apps issued fixes — but any transaction already signed with a repeated nonce had exposed its key permanently.

Recognising an affected wallet

The fingerprint lives on-chain: two or more signatures from the same address sharing a nonce. An old Android Bitcoin wallet from the 2013 era that signed multiple transactions is the classic risk profile. Even a wallet that was never obviously drained may have signed a vulnerable transaction, and if it still holds funds, those funds may be reachable by anyone who spots the pattern — which makes assessment worthwhile rather than assuming safety.

What it means for recovery

For an owner, the flaw cuts both ways. If your own old Android wallet exposed its key through a repeated nonce, the private key is derivable from your own public transactions — which, with proof of ownership, is a legitimate route to recover funds you can no longer otherwise access. We treat this strictly as owner recovery: reconstructing a key from the signatures of a wallet the client demonstrably owns, to move funds they’d lost access to.

The broader lesson

The Android SecureRandom incident is the canonical reminder that a wallet is only as secure as the randomness beneath it. It sits in the same family as Randstorm and MilkSad: sound cryptography undermined by a predictable or faulty random source. The difference here is that the failure leaked keys through signing rather than key generation — but the principle, and the recovery logic for owners, is the same.

If you had a 2013-era Android wallet

If you held Bitcoin in an Android wallet around 2013 and still have any of that key material or transaction history, treat the wallet as potentially compromised: any funds remaining should be moved to a wallet built on sound randomness. If you’ve lost access to such a wallet, the nonce weakness may actually be the route back in for you as the owner — worth assessing before writing the funds off.

Why it still matters years later

It is tempting to treat a 2013 flaw as ancient history, but Bitcoin’s permanence changes that. Every vulnerable signature ever broadcast is still on the chain, exactly as it was, so a key exposed by a repeated nonce a decade ago is exposed forever — the blockchain does not forget. That means old Android wallets from that era remain a live consideration today: any that still hold a balance are reachable by anyone who scans for the pattern, and any whose owner lost access can potentially be recovered through the very same weakness. A flaw in permanent, public data never fully expires, which is precisely why it belongs in a reference like this rather than a footnote to 2013.

Our documentation

KeychainX documents this as part of our weak-randomness research alongside Randstorm and MilkSad. The original 2013 advisories from the Bitcoin community carry the full disclosure; our focus is the recovery of affected wallets for their rightful owners. If you have an old Android Bitcoin wallet you can no longer access, it’s worth a look.

자주 묻는 질문

How do I know if my signatures reused a nonce?

It shows on-chain as two signatures from one address sharing the same nonce value. We can check an address’s transaction history for the pattern as part of an assessment.

What was the 2013 Android SecureRandom flaw?

A weakness in Android’s SecureRandom that produced predictable or repeated output. Bitcoin wallets that used it could reuse the ECDSA nonce across signatures, which lets anyone derive the private key from public transactions.

How were funds stolen?

Attackers scanned the blockchain for signatures reusing the same nonce and computed the private keys from them, then swept the wallets — all from public data.

Could my old Android wallet be affected?

If it’s from around 2013 and signed multiple transactions, possibly. The risk shows up as repeated signature nonces on-chain. Any remaining funds should be moved.

Can this help me recover my own wallet?

If your own wallet exposed its key through a repeated nonce, the key is derivable from your public transactions — a legitimate recovery route for you as the proven owner.

회복 비용은 얼마인가요?

Success-based: a percentage of the recovered value only if we recover the wallet, and nothing upfront.

Old Android Bitcoin wallet you can’t access?

A 2013-era Android wallet may be recoverable through the nonce weakness — for you as the owner. Tell us what you have, honest assessment within 24 hours.

KeychainX에 문의하기 →