Bitcoin Wallet: A Tale of Lost and Found
In a fascinating turn of events, a European cryptocurrency owner, known as “Michael,” found himself in a predicament two years ago. He had securely stored approximately $3 million worth of Bitcoin in an encrypted digital wallet. Michael took every precaution, using the RoboForm password manager to create a 20-character password, which he then encrypted with TrueCrypt. However, a corrupted file led to the loss of access to his 43.6 BTC.
Michael’s cautious nature prevented him from storing the password in RoboForm due to security concerns. Little did he know that this very paranoia would contribute to his current situation.
Enter Joe Grand, the renowned hardware hacker who has made a name for himself in the world of computing. His journey began at a young age, as he started hacking hardware at the tender age of 10. By 2008, he was co-hosting the Discovery Channel’s show “Prototype This,” showcasing his impressive skills. Today, Grand utilizes his expertise to consult with companies on protecting their digital systems from hardware hackers. In 2022, he successfully cracked a Trezor wallet, revealing its password and recovering a significant amount of cryptocurrency.
Grand’s achievement garnered national attention, and he soon found himself inundated with requests for help in recovering lost cryptocurrency. One notable case involved retrieving $2 million when the owner had forgotten their PIN. Despite the high demand, Grand, also known by his hacker name “Kingpin,” turns down most of these requests for various reasons.
Michael’s case presented a unique challenge as his cryptocurrency was stored in a software wallet, rendering Grand’s hardware skills ineffective. Brute-forcing the password was not a practical option, and Grand suspected a flaw in the RoboForm password manager, although he wasn’t entirely certain.
Desperate to regain access to his lost Bitcoin, Michael reached out to various cryptography experts, all of whom declared recovery impossible. However, in June, he decided to give it one last try and contacted Grand once again. This time, Grand agreed to take on the challenge, enlisting the help of his friend Bruno, a fellow digital wallet hacker based in Germany.
For months, Grand and Bruno tirelessly reverse-engineered the version of RoboForm that Michael had used. Their efforts led them to a significant flaw in the pseudo-random number generator in RoboForm’s versions prior to 2015. The program tied the generated passwords to the date and time on the user’s computer, which made them predictable. Knowing the time of generation and the other generator parameters, they could recreate any password generated at that moment.
However, the challenge didn’t end there. Michael couldn’t recall the exact date he had created the password. He only remembered moving Bitcoin into his wallet on April 14, 2013. Grand and Bruno attempted to generate 20-character passwords using the parameters Michael had used, covering the period from March 1 to April 20, 2013. Their efforts proved futile. They decided to expand the timeframe to June 1, 2013, but still couldn’t crack it.
Frustrated, Michael provided the hackers with other passwords he had generated in 2013. Surprisingly, some of these passwords did not include special characters. Adjusting their approach, Grand and Bruno reached out to Michael again in November, armed with the correct password. It had been generated on May 15, 2013, at 4:10:40 PM GMT, without special characters.
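To make the flaw concrete, the following added example (not RoboForm's code and not Grand and Bruno's tooling) uses a hypothetical toy generator seeded only with the clock second. It compares the password's nominal entropy with the entropy left once the creation window is known, and sets the weak generator beside a CSPRNG-based one. All function names and the derived password are constructed; only the dates come from the article.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

# Letters and digits only: the article says the recovered password had no special characters.
ALPHABET = string.ascii_letters + string.digits

def weak_password(ts: int, length: int = 20) -> str:
    """Toy generator (NOT RoboForm's algorithm): output depends only on the clock second."""
    rng = random.Random(ts)  # non-cryptographic PRNG seeded with the time
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_password(length: int = 20) -> str:
    """Corrected form: every character comes from the OS CSPRNG, no clock input."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def nominal_bits(length: int = 20) -> float:
    """Entropy the password appears to have from its length and alphabet."""
    return length * math.log2(len(ALPHABET))

def effective_bits(start: datetime, end: datetime) -> float:
    """Entropy actually present when the only unknown is the second of generation."""
    return math.log2(int((end - start).total_seconds()))

def find_seed(target: str, start_ts: int, end_ts: int):
    """Return the clock second in [start_ts, end_ts) that reproduces target, else None."""
    for ts in range(start_ts, end_ts):
        if weak_password(ts, len(target)) == target:
            return ts
    return None

def demo() -> dict:
    utc = timezone.utc
    # Timestamp from the article; the password derived from it here is constructed.
    created = int(datetime(2013, 5, 15, 16, 10, 40, tzinfo=utc).timestamp())
    target = weak_password(created)
    return {
        "nominal_bits": nominal_bits(),
        # Widest window the article mentions: March 1 to June 1, 2013.
        "effective_bits": effective_bits(datetime(2013, 3, 1, tzinfo=utc),
                                         datetime(2013, 6, 1, tzinfo=utc)),
        # Search a one-hour slice around the true time to keep the run short.
        "recovered_ts": find_seed(target, created - 1800, created + 1800),
        "created_ts": created,
    }

if __name__ == "__main__":
    print(demo())
```

A 20-character alphanumeric password looks like roughly 119 bits, but under this model the three-month window leaves under 23 bits, which is why the generator's seed source matters more than the password's length.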
This incident sheds light on the risks associated with using RoboForm for Bitcoin storage. Developed by Siber Systems, RoboForm was one of the first password managers on the market. While the company claims to have fixed the flaw in 2015, the specifics of the fix remain unknown. The changelog only mentions increased randomness. Consequently, Grand remains cautious about trusting newer versions of the software.
After recovering the password, Grand and Bruno received a percentage of Michael’s Bitcoins as compensation for their hard work. At the time, Bitcoin was valued at $38,000 per coin. Michael took the opportunity to sell some of his Bitcoins when the value reached $62,000 per coin. He now holds 30 BTC, worth $3 million, and plans to wait until Bitcoin reaches $100,000 per coin before considering further sales.
Reflecting on his experience, Michael ponders the importance of striking a balance between security and accessibility when it comes to safeguarding valuable assets like Bitcoin.