Hackers recover $3 million Bitcoin from 2013 wallet through ingenious password crack

Join Japan's Web3 Evolution Today

Hardware hacker Joe Grand and his team successfully recovered $3 million worth of Bitcoin from a software wallet that had been locked since 2013. The project, which Grand described as unlike anything he had worked on, involved reverse engineering a password generator to unlock the wallet. Grand, known for his expertise in hardware hacking, collaborated with his friend Bruno, who is adept at software hacking.

The story began when Michael, the wallet’s owner, reached out to Grand after seeing a video where he had hacked a hardware wallet. Michael had used a password generator called RoboForm to create a highly secure 20-character password, which he then saved in an encrypted text file. However, the partition holding the password became corrupted, rendering the password irretrievable.

Grand and Bruno initially declined the project because brute-forcing a password of that complexity was infeasible. However, a year later, Bruno’s work on reverse engineering another password generator inspired them to reconsider. They decided to attack the RoboForm program itself rather than the password, discovering that older versions of RoboForm were vulnerable in their randomness generation.

The process began with reverse engineering tools like Cheat Engine and Ghidra. Cheat Engine allowed them to search through the running program’s memory to identify where the generated password was stored, giving them confidence that they were targeting the correct part of the program. They then used Ghidra, a tool developed by the NSA, to decompile the machine code into a more understandable format. This step was crucial as it helped them locate the code responsible for generating the password.

Their breakthrough came when they found that the system time influenced the generated passwords. By manipulating the time values, they could reproduce the same password multiple times. This indicated that the randomness of the password generator was not entirely secure in older versions of RoboForm.

Grand and Bruno wrote code to control the password generator, effectively wrapping the original function to manipulate its output. This involved setting the system time to various values within the suspected timeframe when Michael generated the password. They generated millions of potential passwords, but initial attempts to unlock the wallet failed.

The team faced numerous challenges, including repeated system crashes and extensive debugging sessions. Their persistence paid off when they adjusted their approach, realizing that Michael’s recollection of the password parameters might be inaccurate. Based on revised parameters, which included only numbers and letters, excluding special characters, they generated a new set of passwords.

This new approach proved successful. Within minutes of running the updated code, they produced the correct password, allowing them to access Michael’s Bitcoin. This success brought relief and joy to Michael and demonstrated the profound impact of innovative problem-solving and collaboration in cybersecurity.

Grand’s innovative approach highlights the complexities and potential vulnerabilities of software-based security systems, emphasizing the importance of secure random number generation in cryptographic applications. This project recovered significant assets and showcased the collaborative power of combining hardware and software hacking expertise.

Further, it highlights why it may be essential to rotate passwords generated before specific software upgrades when using password generators. Grand’s YouTube channel showcases countless ways he has helped users recover lost Bitcoin and crypto from devices like Ledger, Trezor, and others.

Mentioned in this article

More From Author

US leads $2 billion May crypto inflow while Ethereum ETF sparks investor interest

Bitcoin and Ethereum exchange balances hit record lows as spot ETFs drive withdrawals

Leave a Reply

Your email address will not be published. Required fields are marked *