YEREVAN (CoinChapter.com) — Two years ago, a European cryptocurrency owner, “Michael,” contacted hardware hacker Joe Grand for help. Michael had stored around $3 million worth of Bitcoin in an encrypted digital wallet. He used the RoboForm password manager to create a 20-character password, then encrypted it with TrueCrypt. Unfortunately, the encrypted file got corrupted, and he lost access to his 43.6 BTC.
Michael didn’t store the password in RoboForm due to security concerns.
“At that time, I was really paranoid with my security,”
he said.
This paranoia led to his current situation.
Joe Grand, The Hacker Who Recovers Lost Cryptocurrency
Joe Grand’s journey began early; he started hacking computing hardware at the age of 10. By 2008, he cohosted the Discovery Channel’s show “Prototype This,” showcasing his skills. Today, he uses his expertise to consult with companies on protecting their digital systems from hardware hackers. In 2022, his techniques enabled him to crack a Trezor wallet, making it reveal its password and recovering a significant amount of cryptocurrency.
This achievement gained National attention. Many people sought his help to recover lost cryptocurrency, especially after he helped retrieve $2 million when its owner forgot the PIN. Despite the demand, Grand, also known by his hacker name “Kingpin,” turns down most of these requests for various reasons.
Cracking the Code to Michael’s Lost Bitcoin
Michael’s cryptocurrency was in a software wallet, so Grand’s hardware skills couldn’t help. They thought about brute-forcing the password, but it wasn’t practical. Grand suspected a flaw in the RoboForm password manager, but he wasn’t sure.
Desperate, Michael contacted various cryptography experts, all of whom told him recovery was impossible. But in June, he reached out to Grand again. This time, Grand agreed to try, teaming up with Bruno, a friend in Germany who also hacks digital wallets.
Grand and Bruno spent months reverse-engineering the version of RoboForm Michael used. They discovered a significant flaw in the pseudo-random number generator in RoboForm versions before 2015. The program tied the generated passwords to the date and time on the user’s computer, making them predictable. Knowing the date, time, and other parameters allowed them to recreate any password generated at that time.
Finding the Right Password
Michael couldn’t remember the exact date he created the password. He knew he moved Bitcoin into his wallet on April 14, 2013. Grand and Bruno tried generating 20-character passwords with the parameters Michael used, from March 1 to April 20, 2013. They failed. They then expanded the time frame to June 1, 2013, but still had no success.
Michael was repeatedly asked about the password parameters. Frustrated, he provided other passwords he had generated in 2013. It turned out some did not include special characters. Grand and Bruno adjusted their approach and, in November, reached out to Michael again. This time, they had found the correct password, generated on May 15, 2013, at 4:10:40 PM GMT, without special characters.
“We ultimately got lucky that our parameters and time range were right,”
Grand said
“If either of those were wrong, we would have continued to take guesses/shots in the dark.”
Risks of RoboForm for Bitcoin
RoboForm, developed by Siber Systems, was one of the first password managers on the market. In 2015, the company fixed the flaw, but it’s unclear how. The changelog only mentions increased randomness. Without knowing the specifics of the fix, Grand remains cautious about trusting newer versions.
Users who generated passwords with RoboForm before 2015 might still have vulnerable passwords. Grand pointed out,
“We know that most people don’t change passwords unless they’re prompted to do so.”
After recovering the password, Grand and Bruno took a percentage of Michael’s Bitcoins for their work. At the time, Bitcoin was worth $38,000 per coin. Michael sold some of his Bitcoins when the value reached $62,000 per coin. He now has 30 BTC, worth $3 million, and plans to wait until Bitcoin reaches $100,000 per coin before selling more.
Michael reflects on his experience,
“That I lost the password was financially a good thing.”
The post A Decade-Old Bitcoin Wallet Vomits $3M Out — Here’s How? appeared first on CoinChapter.
