Randomly guessing a long Bitcoin wallet password is as unlikely as winning the Powerball 100 times in a row. But there are some do-good hackers who’ve made a living doing exactly that.

Two years ago, “Michael” contacted a team of white hat hackers with a near-impossible request.

Could they help him brute-force attack the lost password to his decade-old Bitcoin wallet, which now holds the equivalent of $3 million in Bitcoin?

The catch? Michael’s lost password is 20 characters long, and he has no clue what it could be because he used a password generator.

“Nobody would take on a brute forcing project of this scale,” says Grand (YouTube)

The task was so monumental that Offspec.io’s co-founder, lead hacker and YouTuber Joe Grand — turned down the job.

“If we had to try every possible password combination, that’s more than 100 trillion times the number of water drops in the entire world,” explained Grand in a YouTube video about the case. 

But in a stroke of luck a year later, Grand and his team stumbled across a way to significantly trim the odds. 

It turns out that Michael’s password generator, RoboForm, had a long since patched vulnerability at the time, where it relied too much on the computer’s system time to generate “random” passwords — meaning the passwords weren’t so random after all. 

After reverse engineering the algorithm and plugging in every potential possibility over a seven-week period (that’s millions upon millions of guesses), Grand and his team finally cracked the wallet, ending with one very thrilled Bitcoin hodler. 

What the RoboForm password generator looks like today (RoboForm)

“It was a good one. It definitely was,” Grand tells Magazine. However not every case has a happy ending. Some of the recovered wallets have turned out to be almost empty. 

“It’s not a business for the faint of heart. I would say its not really a business for someone who honestly is looking to make a lot of money.” 

“You know, cryptocurrency people, I think, are getting into recovery thinking they’re going to strike it rich, and it’s a lot of work,” says Grand. 

“If you work on a project that happens to have a lot of money, that’s great […], but for every huge wallet, you have a lot of smaller wallets […] you have to start weighing that time versus effort,” he adds. 

Grand is a famed hardware hacker who’s testified in Congress about cybersecurity. He’s also a YouTube personality, a former host of Discovery Channel’s ‘Prototype This,’ and a public speaker. 

So for Grand, crypto recovery is more of a “side quest” than a full-time commitment.

Brooks and son crypto recovery team

That’s not the case for Chris and Charles Brooks, a father-and-son crypto recovery team based in New Hampshire who have operated Crypto Asset Recovery since late 2020. 

The duo claim to have recovered as much as $6 million worth of Bitcoin since they began their venture.

“We’re not billionaires or millionaires or anything like that, but it’s a nice little business,” Chris tells Magazine. 

Some of their recent crypto spelunking has involved guessing the remaining six characters of a private key that had been partially ripped when removing the holographic sticker from their Casascius coin — a physical Bitcoin made of metal that was available for a brief window between 2011 and 2013. It held around half a Bitcoin, worth around $33,000 today. 

Another recent case involved a lady from Croatia who had written down a 24-word seed phrase for a hardware wallet and then lost the paper on which it was written. She somehow used pencil shading to get an imprint for most of the seemingly lost words, and the Brooks duo was able to test every possible combination for the remaining words. 

Physical bitcoin recovery
There are still 18,499 Casascius Coins and Bars still “unopened” today (Stack’s Bowers Galleries Auction)

“We don’t really do brute force just because the space is too vast, but when you’re only missing a few characters of a private key, it’s […] something that with some compute power you can do pretty quickly,” said Chris. 

But crypto recovery has its limits too. Brooks and Grand say they have had to turn down a great deal of the jobs they’re offered. 

Scammers, scammers everywhere

“We get dozens and dozens of emails a day,” says Grand. “I would say we turn down most of them, and the primary issue is people who have been scammed.” 

“It’s just super unlikely to ever get funds back, and we don’t want to misdirect them and give them a glimmer of hope.”

Crypto fraud losses in America rose to $3.9 billion in 2023, rising more than 50% year-on-year, according to a report from the FBI’s Internet Crime Center. The figure made up the lion’s share of all investment fraud perpetrated last year. 

Crypto scams
Investment fraud losses in the United States in 2023. (Federal Bureau of Investigation)

“Since 2021 to 2023, we saw maybe 60% of our inbound leads were folks who had been scammed and our policy at that point was that ‘we can’t do anything for you,’” adds Charles. 

Adding insult to injury, many of these clients would then go to another “crypto recovery” company — though they are often just scammers in disguise. 

“We started to see folks we turned away getting scammed themselves. So in May last year, we started very slowly offering scam tracing services to customers,” said Charles. 

That service doesn’t involve them recovering the funds or hacking the scammers, though.

“Our job is to trace the funds from the scammer’s wallet to a real-world entity which more often than not means an exchange.” 

Crypto investment scams
PSA about scammers who claim to help recover funds from… scammers. (Federal Bureau of Investigation)

Last August, the FBI issued a public warning about companies falsely claiming to be able to recover funds lost in cryptocurrency investment scams. 

These fraudsters will typically charge an up-front fee and then proceed to ghost the victim or produce a shoddy tracing report asking for additional fees to recover funds. 

“Fraudsters may claim affiliation with law enforcement or legal services to appear legitimate,” said the FBI:

“Private sector recovery companies cannot issue seizure orders to recover cryptocurrency. Cryptocurrency exchanges only freeze accounts based on internal processes or in response to legal process.”

Isn’t impersonation Grand?

Meanwhile, Grand has been fighting a personal battle against impersonators — some who appear to have employed deepfake audio calls to try to swindle others. 

“I’ve had people that have been scammed by impersonators of me that say they’ve talked to me through voice messaging. So it’s probable they’re already doing that because my voice is somewhat unique in that way.” 

Read also


Year 1602 revisited: Are DAOs the new corporate paradigm?


Ethereum restaking: Blockchain innovation or dangerous house of cards?

When you search Google for the term “Joe Grand crypto recovery,” you will find at least one very suspicious looking website, which is most definitely not legit so we won’t show it here. 

“I’ve actually had to set up a social media presence on every social media platform […] which at least helps bring people to the right Joe Grand.” 

Do you really own the wallet?

Sometimes, people try to use crypto recovery services to get into wallets that they don’t own. 

“We get cases where people tell us that they are Satoshi Nakamoto and that they have access to the wallet,” says Charles. 

“They always seem to have access to one wallet with a million [in] Bitcoin.” 

Brute force crypto wallets
There’s a tool on GitHub that claims to be able to brute force crypto wallets. We have no idea if its legit, though. (GitHub)

There was a case where a divorcing wife tried to enlist their help to get into her ex-husband’s Bitcoin stash too. 

“We’ve had folks who say that they were involved in the creation of Bitcoin and it was created by the US military in 2006 or 2007. We cover the spectrum in terms of crazy stories.”

It’s not always about the money

Charles and Chris Brooks stress that while the business can be lucrative, there’s more to it than that. 

“When you put someone back in control of $500 or $5,000 […] this makes a difference to people, making the business fun.

According to Brooks, around 50 to 60% of Crypto Asset Recovery’s inbound tickets come from less economically developed countries that use Bitcoin as their means of savings.

Argentina and Venezuela, two of the highest-inflation countries in the world, also have a high crypto adoption rate.

Joe Grand crypto recovery
Grand tried to help a Seattle Bus driver recover millions in BTC in 2023, but it turned out to be a bust. (YouTube)

“One of the prerogatives of ours for converting to scale model where we can help people at any price point because to us a $200 or $300 wallet may not affect the bottom line […] those are the most impactful cases often times because that’s where you see people’s life savings,” said Brooks. 

Grand says it’s the same for him too. 

“Just because we’re not going to make money on a deal doesn’t mean we’re not going to do it,” he adds.

“Money, the value of money is different to different people […] and yeah, that’s part of it too, is being able to change people’s lives.” 

“I wasn’t even thinking of that when we started helping… to really see people’s eyes light up when we’re successful for them […] Those are pretty special moments that are hard to describe,” says Grand.

Felix Ng

Felix Ng

Felix Ng first began writing about the blockchain industry through the lens of a gambling industry journalist and editor in 2015. He has since moved into covering the blockchain space full-time. He is most interested in innovative blockchain technology aimed at solving real-world challenges.

Source link