I've just re-read the pastebin more thoroughly and this stuck out to me:
> At some point between then and Nov 12, the compromised 15ZwrzrRj9x4XpnocEGbLuPakzsY2S4Mit got into his online wallet as an 'imported' address.
The 15ZwrzrRj9x4XpnocEGbLuPakzsY2S4Mit address is generated by using sha256() of his previously-imported address 1Ca15MELG5DzYpUgeXkkJ2Lt7iMa17SwAo.
The other confusing part is:
> fitwear's 15Z address sat unused until Nov 12 when fitwear transferred his 9 BTC into it using blockchain.info.
Why did he send money to a random address in his "imported" addresses list in the first place? The usual wallet workflow would surely send change to an address derived from the wallet's actual seed, not an "imported" address. And fitwear would presumably have no reason to send money to himself on purpose, and even if he did, why would he choose an "imported" address instead of one derived from the wallet seed?
So what exactly was fitwear trying to do here? The more I think about it, the more I think fitwear messed this up, and it's nothing to do with generating keys from uninitialised memory.
Possibly it's a combination of malware importing addresses into his blockchain.info wallet and him doing weird transactions that ended up losing him money, or possibly it's just FUD designed to discredit blockchain.info.
EDIT: https://twitter.com/ryancdotorg/status/936087458223149057
> it sounds like maybe some bit of code decided "hmm, that's not a well formatted WIF private key, it must be a brainwallet" without very clearly explaining what was going on
That sounds plausible. Possibly fitwear tried to import the same private key in 2 different ways and ended up getting burnt.
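
The failure mode guessed at in the quoted tweet, turned around as a defensive check (an added example, not part of the original comment and not blockchain.info's code): an import routine that classifies input strictly by Base58Check checksum and version byte, and refuses anything else instead of hashing it into a key. The function names, return labels and sample inputs are assumptions constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Used here only to build the constructed sample inputs."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text: str):
    """Return version byte + data, or None on a bad alphabet or checksum."""
    n = 0
    for ch in text:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]

def classify_import(text: str) -> str:
    """Classify wallet-import input; never fall back to hashing it."""
    payload = b58check_decode(text.strip())
    if payload is None:
        return "unrecognized"   # refuse: do NOT treat it as a passphrase
    if payload[0] == 0x00 and len(payload) == 21:
        return "address"        # public address: watch-only at most
    if payload[0] == 0x80 and (len(payload) == 33 or
                               (len(payload) == 34 and payload[-1] == 0x01)):
        return "wif"            # mainnet private key, safe to import as one
    return "unrecognized"

if __name__ == "__main__":
    # Constructed samples, not real keys or addresses from the thread.
    addr = b58check_encode(b"\x00" + bytes(range(1, 21)))
    wif = b58check_encode(b"\x80" + bytes(range(1, 33)) + b"\x01")
    for s in (addr, wif, "not a key at all"):
        print(classify_import(s), "<-", s)
```

An importer built this way reports a pasted address as an address and stops, so the user sees an explicit refusal rather than a new "imported" entry whose key anyone can recompute.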