Article sponsored by KeychainX.
A famous director once told me, “Shooting a film is only 10% of the work, the other 90% is preparing it.” This is what came to mind recently, when I succeeded to recover a Bitcoin wallet password.
Summary
Wednesday evening 8:55 PM
Someone sends me a request to find the passphrase to their Bitcoin Core Wallet password. I immediately reply that I would be more than happy to help him. There was no response until the next day.
Thursday afternoon 2:04 PM
I was in our summer house with my cat, back in town after a short break when the reply arrived in my inbox. As always, I responded courteously to the necessary steps. Including a request to send the amount and/or public address before starting, to make sure the wallet wasn’t stolen.
Thursday afternoon 3:44
The gentleman from New York sent the requested information. As I drove the car in the rain with the cat uncomfortable from the lightning, I read the email “Can you call me now?”. I stopped the car in the middle of nowhere, launched Skype and made the call.
The New York trader had a small Bitcoin fortune locked away in a Bitcoin Core wallet since 2017. His first question was whether I hadn’t blocked his number once I opened the wallet.
“Of course I will,” I thought smilingly, then got my senses back together and replied, “No, I won’t, we’re an incorporated entity based in the US, not some obscure anonymous service”. I explained that while other services would remain anonymous or simply parked in the garage, we were part of Delaware USA, with major investors and that we had a patent pending with the USPTO.
Having said that, the guy asked if we would send a contract and demanded that I sign and specify the terms before we started. I explained that I was still in the car, so we would continue later. In the meantime, I managed to send it to him with my phone so he could take a look at it while I was driving.
Thursday night 10:50 PM
I got home late, still no contact from the guy, “Oh well, he changed his mind” I thought and went to sleep. An hour later (New York is 6 hours apart) my phone buzzed. I got an email with the signed contract and a request to call him back. He needed me to get his wallet out of his computer as he didn’t know how to locate it. (Bitcoin Core uses a hidden folder where it stores the encrypted wallet)
We connected via Teamviewer and after a minute the wallet was located.
Thursday night 11:15 PM
Final step, I asked for suggestions. It was a list of words, which he didn’t know, and some misspelt. He also suggested that there might be spaces between words or small capital letters.
Thursday night 11:35 PM. Recovery phase
Having these suggestions I quickly created a small python script that merged the suggestions into all sorts of different combinations on my laptop. His hints were a combination of 6-8 words in one line used as a wallet passphrase. I usually connect to corporate servers via a secure VPN, but I decided to try my luck on the NVIDIA-powered laptop. (An NVIDIA is a GPU that allows passwords to be cracked thousands or even millions of times faster than using the CPU in specific circumstances, such as Bitcoin wallets).
Thursday night 11:36 PM
The first example (algorithm used in conjunction with hints) created too many combinations as there were many variations without written words. It would have taken several days. Then with my intuition, I minimized the variations and pressed enter.
Thursday night 11:37 PM. Bitcoin wallet password found!
BOOM! My script found the passphrase for Bitcoin Core within two minutes after I started coding my first script.
As usual, I emailed him to let him know that I had found the passphrase and asked him where to move his share of the funds. My chain of action was once I opened the wallet, move % of the portfolio value and then the rest to a wallet address chosen by the client. I received an address within minutes and swept the remaining funds from the portfolio.
After receiving a confirmation that the wallet had been emptied, I received a phone call from the guy asking if I could retract the transaction. I said “NO” since it is not possible to reverse transactions on the blockchain.
He explained that maybe he had sent me the wrong address because his Coinbase account showed a different address. I tried to calm him down by explaining that it was probably an HD wallet that created a new address every time you requested funds. This is common in many wallets or services as a security option.
I told him to stay calm and wait and that we would probably need more confirmation on the blockchain.
He seemed to calm down a bit and we waited together for the Bitcoin Network to confirm the transaction and eventually, the funds appeared in his Coinbase account.
While it took more than a day to discuss the whole procedure on how to retrieve the wallets, the final approach to find the password took only 2 minutes. Just as my director friend predicted…
Lesson learned
Preparing an algorithm with good suggestions is the most important work. Don’t panic if the address of your wallet changes using a service like Coinbase. You only create new addresses every time you request funds.