Tech
Researchers ‘hack time’ to recover $3 million bitcoin wallet
Sign up for our free weekly IndyTech newsletter delivered right to your inbox
Sign up for our free IndyTech newsletter
Security researchers have done it cracked a password to recover over $3 million worth of bitcoin that had been stuck in a crypto wallet for 11 years.
Electrical engineer Joe Grand, known by the pseudonym “Kingpin,” was hired to hack an encrypted file containing 43.6 BTC, which had been stored there since 2013. The cryptocurrency was protected by a password created by a password generator. random password called Roboform, however the password was long lost.
The password was a series of 20 uppercase and lowercase letters, as well as numbers, designed to be as difficult as possible to crack.
“I generated the password, copied it, put it in the wallet passphrase and also in a text file which I then encrypted,” he said in a video published by Mr Grand.
The password was lost after the encrypted part of his computer that contained it was damaged. At the time the bitcoin was worth a couple of thousand euros, which the wallet owner described as “painful but ok”.
Over the next decade, however, the lost bitcoin became a fortune as the price of bitcoin increased by more than 20,000%, forcing its owner to contact Mr Grand.
After initially turning down the job, Mr. Grand eventually agreed to try to recover the funds after devising a new method to hack the initial password generator.
Mr Grand used a reverse engineering tool developed by the US National Security Agency (NSA) to disassemble the password generator code.
“In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output every time that no one else has. [But] that wasn’t the case in this version of RoboForm,” Grand said.
“Even though RoboForm passwords appear to be randomly generated, they are not. With older versions of this software, if we can check the time, we can check the password.”
He figured that if he could trick the system into saying it was the time in 2013 when the password was generated, he would recreate the same password.
Having only a rough idea of when the password was generated, Mr. Grand worked with his colleague Bruno to generate millions of potential passwords and then crack it.
Since then, password generator RoboForm has updated its platform to improve the randomness of its tool, meaning that the time-based hacking approach no longer works with passwords created after 2015.
Mr Grand now hopes to help more people run out of their crypto wallets, although new approaches may be needed.
He said: “If this project takes time to hack, what size will we have to hack next time?”
The Independent has contacted RoboForm for comment.