NEW DELHI: Security researchers have successfully cracked a password to recover over $3 million worth of Bitcoin that had been stuck in a crypto wallet for 11 years. The wallet contained 43.6 BTC, which had been held there since 2013.
Electrical engineer Joe Grand, also known by his handle ‘Kingpin,’ was hired to hack into the encrypted file containing the Bitcoin.The cryptocurrency was protected by a password created by a random password generator called Roboform, but the password had long since been lost. The lost password comprised a series of 20 upper and lower case letters and numbers, designed to be highly secure.
“I generated the password, I copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted,” the wallet’s owner, who chose to remain anonymous, explained in a video published by Mr. Grand. The password was lost after the encrypted part of his computer that held it became corrupted. At the time, the Bitcoin was worth a couple of thousand euros, which the owner described as “painful but OK.”
Over the next decade, as the price of Bitcoin rose by more than 20,000 percent, the value of the lost Bitcoin grew into a fortune, prompting the owner to seek help from Mr. Grand. Initially reluctant, Mr. Grand eventually agreed to attempt the recovery, devising a novel method to hack the initial password generator.
Using a reverse engineering tool developed by the US National Security Agency (NSA), Mr Grand disassembled the password generator’s code. “In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has. [But] in this version of RoboForm, it was not the case,” he noted.
“While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password,” Mr Grand added. He discovered that by tricking the system into believing it was the moment in 2013 when the password was generated, it would recreate the same password.
With only a rough idea of when the password was generated, Mr Grand and his colleague Bruno generated millions of potential passwords to eventually crack it. The RoboForm password generator has since updated its platform to improve the randomness of its tool, rendering the time-based hacking approach ineffective for passwords created after 2015.
Mr Grand now aims to help more people locked out of their crypto wallets, though he acknowledges that new approaches may be needed. “If this project required hacking time, what dimension are we going to have to hack next?” he remarked.
Electrical engineer Joe Grand, also known by his handle ‘Kingpin,’ was hired to hack into the encrypted file containing the Bitcoin.The cryptocurrency was protected by a password created by a random password generator called Roboform, but the password had long since been lost. The lost password comprised a series of 20 upper and lower case letters and numbers, designed to be highly secure.
“I generated the password, I copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted,” the wallet’s owner, who chose to remain anonymous, explained in a video published by Mr. Grand. The password was lost after the encrypted part of his computer that held it became corrupted. At the time, the Bitcoin was worth a couple of thousand euros, which the owner described as “painful but OK.”
Over the next decade, as the price of Bitcoin rose by more than 20,000 percent, the value of the lost Bitcoin grew into a fortune, prompting the owner to seek help from Mr. Grand. Initially reluctant, Mr. Grand eventually agreed to attempt the recovery, devising a novel method to hack the initial password generator.
Using a reverse engineering tool developed by the US National Security Agency (NSA), Mr Grand disassembled the password generator’s code. “In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has. [But] in this version of RoboForm, it was not the case,” he noted.
“While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password,” Mr Grand added. He discovered that by tricking the system into believing it was the moment in 2013 when the password was generated, it would recreate the same password.
With only a rough idea of when the password was generated, Mr Grand and his colleague Bruno generated millions of potential passwords to eventually crack it. The RoboForm password generator has since updated its platform to improve the randomness of its tool, rendering the time-based hacking approach ineffective for passwords created after 2015.
Mr Grand now aims to help more people locked out of their crypto wallets, though he acknowledges that new approaches may be needed. “If this project required hacking time, what dimension are we going to have to hack next?” he remarked.