A 17-year-old from Ohio used indexof wallet.dat on a public library computer. He found a directory on a university research server containing wallet.dat and a text file named password.txt. The password was password123. He drained 15 BTC (then ~$45,000; today ~$1.2M). The university never noticed.
“Closing the IndexOf Loophole: A Review of the wallet.dat Patch”
Summary: The patch addresses CVE-style unsafe string search patterns. Prior to this, indexof calls could inadvertently return wallet file paths through debug logs or unchecked parameters. Post-patch, all file operations require explicit path validation. Testing confirms no false positives. Recommended for all users running nodes or hot wallets.
Shodan, the search engine for IoT devices, initially prided itself on exposing everything. But after legal threats from affected users (and direct outreach from exchanges like Binance and Coinbase), Shodan implemented a filter for wallet.dat in its free tier. As of 2025, a free Shodan search for wallet.dat returns only HTTP headers, not file contents.
IndexOfWallet.dat Patched — What It Means and What to Do