A group of researchers helped a cryptocurrency holder regain access to his decade-old, password-protected crypto wallet and recover $3 million worth of Bitcoin fortune.
Bitcoin Holder Loses Access To Crypto Wallet
In 2013, a Europe-based cryptocurrency holder, “Michael” (name changed), securely stored his cryptocurrency in a password-protected digital wallet. The wallet’s password was created using the RoboForm password manager platform. Michael then saved the 20-character password as a text file and encrypted it with a tool called TrueCrypt.
Unfortunately, at some point, the encrypted file holding 43.6 BTC (worth about €4,000, or $5,300, in 2013) got corrupted, and Michael lost access to the 20-character password he had generated to access the digital wallet that held his bitcoins. He was worried that someone would hack into his computer and obtain the password.
“At [that] time, I was really paranoid with my security,” he said.
Two years ago, Michael contacted electrical engineer Joe Grand, also known as ‘Kingpin,’ to help him recover his Bitcoin wallet containing approximately millions of BTC. However, Grand refused to help him, citing that his hardware hacking skills would have no relevance to a software-based wallet and that the password could unlikely be guessed based on a weakness in Roboform.
After Grand turned him down, Michael contacted several other cryptographic experts for help, but all of them told him that he had no chance of regaining access to his Bitcoins.
That’s when Michael contacted Grand again last June, hoping to convince him to help. This time, Grand agreed to take up the project with a friend named Bruno in Germany, who also hacked digital wallets.
According to a report by Wired, the two security experts spent months reverse-engineering the version of Roboform that Michael had used in 2013. While doing this, they found a significant flaw in RoboForm’s password generation, which was tied to the computer’s date and time. This flaw allowed the researchers to predict and regenerate the password from 2013.
Grand disassembled the password generator’s code using a reverse engineering tool developed by the U.S. National Security Agency (NSA).
“In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has. [But] in this version of RoboForm, it was not the case,” said in a video published by Mr Grand.
“While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password.”
Grand was able to trick the system by changing the time back to 2013, making it seem as though he was requesting the password from Roboform for the first time. After a few failed attempts, the generator produced the exact password it had delivered on May 15, 2013, at 4:10:40 pm GMT, the day, date, and time when Michael’s crypto password was generated.
“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark. It would have taken significantly longer to precompute all the possible passwords,” Grand says in an email to Wired.
After successfully cracking the Bitcoin wallet password last November, Grand and Bruno kept a small percentage of bitcoins for their work before handing over the password information to Michael.
After recovering the bitcoins, Michael sold some at $62,000 per coin and currently holds 30 bitcoins, which are now worth $3 million. However, he wants to wait until the bitcoins reach a value of $100,000 each.
“That I lost the password was financially a good thing.”