Researchers Successfully Cracked the Password on an Old Crypto-Wallet. Their Reward: $3 Million

  • Experts discovered that the random number generator used to generate the password wasn’t so random.

  • Losing the password was the best thing that could have happened: the owner would have sold the bitcoins early and lost money.

Joe Grand, better known as the "Kingpin," is good at cracking devices protected by strong passwords. He did it in 2022 with a Trezor crypto wallet, recovering $2 million for its owner. Now he’s done it again in another crazy story of a hacker capable of the seemingly impossible.

Joe, I can’t access my crypto wallet. Two years ago, “Michael”—a pseudonym to protect his identity—contacted Grand for help. He had lost access to a crypto wallet containing approximately $2 million in Bitcoin. The Kingpin refused.

An 11-year-old password. Michael created his wallet password 11 years ago using RoboForm, an old password manager. He stored this password in an encrypted file using the TrueCrypt tool. Even so, the file was corrupted at some point, and Michael lost access to the 20-character password and, thus, to his crypto wallet. It contained 43.6 BTC, which cost him about $4,340 in 2013. Today, its value has grown to nearly $3 million.

The Kingpin accepts the challenge. Grand, an electrical engineer, has developed a reputation for hacking passwords. He now consults companies that need an expert to fight against malicious hackers trying to breach their hardware defenses. The problem is that Michael’s crypto wallet came from a software application rather than hardware. After consulting with some experts, they all told him it was impossible to access the money. However, this time, Grand decided to try.

This random number generator has a trick. Grand worked with a friend named Bruno, also a hacker specializing in digital wallets. They spent months reverse-engineering the version of RoboForm that Michael was using and discovered something important: the random number generator in the app wasn’t so random. It used the date and time of the user’s computer to generate those numbers and, therefore, provided predictable passwords.

But Michael couldn’t remember the date. Knowing the date range when the wallet owner created the password or some details about it—such as how many characters he used and whether he used uppercase or lowercase letters, digits, or symbols—was crucial for Grand to hack the password successfully. However, Michael couldn’t remember the exact date. Grand and Bruno tested with different date ranges close to one of Michael’s first Bitcoin moves, April 14, 2013.

They finally got it. Grand and Bruno asked Michael to meet them to tell him the good news: They had cracked the password. He generated it on May 15, 2013, at 4:10:40 p.m. (GMT), and it was 20 characters long, with no special characters. Grand told Wired: “We ultimately got lucky that our parameters and time range were right. If either of those were wrong, we would have… continued to take guesses/shots in the dark.”

Losing the password was for the best, in the end. As Michael explained, he was lucky to lose the password for crypto-wallet because if he hadn't, he’d have sold the Bitcoins when the price reached $40,000. Michael would have lost a small fortune. Today, the price of Bitcoin is around $68,000. In his own words: “Losing the password was a good thing financially.”

Related | How to View Saved Wi-Fi Passwords on Your Phone

See all comments on https://www.xatakaon.com

SEE 0 Comment

Cover of Xataka On