Randomly guessing a long Bitcoin wallet password is about as unlikely as winning the Powerball 100 times in a row. But there are hackers who make a living doing exactly that.
Two years ago, “Michael” contacted our white-hat team with a nearly impossible request.
Could they help him brute force the lost password of a 10-year-old Bitcoin wallet, which currently holds $3 million worth of Bitcoin?
The problem is that Michael’s lost password is 20 characters long, and since he used a password generator, he has no idea what the password was.
The challenge was so massive that Joe Grand, co-founder, chief hacker, and YouTuber at Offspec.io, turned it down.
“If you had to try every possible password combination, that’s more than 100 trillion times more than the number of water droplets in the world,” Grand explained in a YouTube video about the incident.
But a year later, in a stroke of luck, Grand and his team stumbled upon a way to drastically reduce the odds.
Michael’s password generator, RoboForm, had a vulnerability that was patched long ago, which meant it relied too heavily on the computer system time to generate “random” passwords, which meant the passwords weren’t all that random.
After seven weeks of reverse engineering the algorithm and running through millions of guesses, Grand and his team finally cracked the wallet, much to the delight of one of the Bitcoin holders.
“It was a good thing, for sure,” Grand told the magazine. But not all cases have a happy ending. Some of the recovered wallets were found to be nearly empty.
“It’s not a business for the faint of heart. I would say it’s not a business for people who want to make a lot of money, frankly.”
“I think crypto investors are going into the recovery thinking they can make a ton of money, but it’s going to take a lot of work,” Grand said.
“If you’re working on a big project, that’s great, but (…) for every huge wallet, there are a lot of small wallets (…) you have to weigh the time and effort,” he added.
Grand is a renowned hardware hacker who has testified before Congress on cybersecurity. He is also a YouTube personality, former host of Discovery Channel’s ‘Prototype This’, and a public speaker.
So for Grand, recovering his cryptocurrency is more of a “side quest” than a full-time commitment.
Brooks and Sons Crypto Recovery Team
But that’s not the case for Chris and Charles Brooks, a wealthy New Hampshire-based cryptocurrency recovery team who have been running Crypto Asset Recovery since late 2020.
The pair claim to have recovered a whopping $6 million worth of Bitcoin since starting their business.
“We’re not billionaires or millionaires or anything like that, but it’s a good business,” Chris told the magazine.
Part of their recent cryptographic exploration involved guessing the remaining six characters of a partially torn private key when the holographic sticker was removed from a Casascius coin. The Casascius coin was a physical Bitcoin made of metal that was available for a short period between 2011 and 2013. It contained about half a Bitcoin and is worth about $33,000 today.
Another recent case involved a woman in Croatia who had written down a 24-word seed phrase for her hardware wallet and then lost the piece of paper on which she had written it. She had somehow managed to use pencil shading to get an imprint of most of the words that had seemingly disappeared, and the Brooks duo were able to test all possible combinations of the remaining words.
“It’s not like we’re going to brute force it just because the space is so large, but if we’re missing just a few letters of the private key, it’s something that can be done pretty quickly with just enough computing power,” Chris said.
But crypto recovery has its limits. Brooks and Grand say they have had to turn down many job offers.
Scammers, scammers are everywhere
“We get dozens and dozens of emails a day,” Grand says. “I would say we reject most of them. The biggest problem is people who are being scammed.”
“The chances of getting their money back are very slim and we don’t want to give them a glimmer of hope by misleading them.”
According to a report from the FBI Internet Crime Center, losses from cryptocurrency fraud in the United States will increase to $3.9 billion in 2023, up more than 50% from the previous year. That figure accounts for the lion’s share of all investment frauds committed last year.
Charles added, “From 2021 to 2023, 60% of our inbound leads were fraudulent customers, and our company policy at the time was, ‘We can’t do anything for you.’”
What’s even more insulting is that many of these customers then go to other “cryptocurrency recovery” companies, but these are often just scammers in disguise.
“We started seeing people who we rejected get scammed themselves, so in May of last year we started very slowly rolling out fraud tracking services to our customers,” Charles said.
However, the service does not include recovering funds or hacking scammers.
“Our job is to trace the funds from the scammers’ wallets to real institutions, which usually means exchanges.”
Last August, the FBI issued a public warning about companies falsely claiming they could help people recover funds lost to cryptocurrency investment scams.
These scammers usually ask for an up-front fee and then either ignore the victim completely or create a false tracking report to demand additional fees to recover the funds.
“Scammers may partner with law enforcement or legal services to appear legitimate,” the FBI said.
“Private sector recovery companies cannot issue seizure orders to recover cryptocurrencies. Cryptocurrency exchanges can only freeze accounts according to their internal procedures or as required by law.”
Isn’t impersonation awesome?
Meanwhile, Grand is waging a personal war against impersonators, some of whom appear to be using deepfake audio calls to scam others.
“I’ve had people say they’ve been tricked into talking to me via voicemail by people impersonating me, so it’s likely they’re already doing that because my voice is somewhat unique in that way.”
Also read
characteristic
Looking Back at 1602: Are DAOs the New Corporate Paradigm?
characteristic
Ethereum Re-Staking: Blockchain Innovation or Dangerous House of Cards?
A Google search for the term “Joe Grand crypto recovery” will return at least one very questionable website that is clearly not legitimate, so I won’t list it here.
“I actually had to build a social media presence on all the social media platforms. (…) It at least helps people reach the right Joe Grand.”
Do you really own the wallet?
Sometimes people try to use cryptocurrency recovery services to gain access to wallets they don’t own.
“There are cases where people say they are Satoshi Nakamoto and have access to the wallet,” Charles said.
“It seems like they always have access to one wallet with a million bitcoins in it.”
There was also a case where a divorced wife asked for help from two people to steal her ex-husband’s Bitcoin.
“There were people who said they were involved in the creation of Bitcoin, and that it was created by the US military in 2006 or 2007. We cover the spectrum in terms of crazy stories.”
Money isn’t always important
Charles and Chris Brooks stress that while the business can be profitable, it’s worth more than that.
“When you give someone control of $500 or $5,000, it changes people and makes business more fun.
According to Brooks, about 50-60% of Crypto Asset Recovery’s inflow tickets come from less economically developed countries that use Bitcoin as a means of savings.
Even Argentina and Venezuela, two of the most inflationary countries in the world, have high rates of cryptocurrency adoption.
“One of our privileges is to be able to turn that into a model that can help people at any price point, because for us, a $200 or $300 wallet might not make a difference to the bottom line. (…) That’s often where we see the biggest impact, because that’s where people’s lifetime savings are,” Brooks said.
Grand said the same thing about himself.
“Just because you can’t make money trading doesn’t mean you won’t trade,” he added.
“Money, the value of money is different for different people (…) and yes, that’s part of it. The ability to change people’s lives.”
“When we started helping, we didn’t even think about it… It’s really hard to see people’s eyes light up when we bring them success (…) Those moments are so special, it’s hard to explain,” Grand says.
Subscribe
The most interesting articles on blockchain, delivered once a week.
Felix Yeah
Felix Ng first started writing about the blockchain industry in 2015 from the perspective of a gambling industry journalist and editor. Since then, he has been covering the blockchain field full-time. He is most interested in innovative blockchain technologies that aim to solve real-world problems.