If there was ever more of a lesson to write down your passwords somewhere safe…
A Bitcoin wallet worth $3 million took 11 years to be hacked into after the owner forgot his password.
You think it’s a joyful day when you find a ten dollar bill in an old bag you haven’t used in years, but imagine this guy’s joy after getting access to $3 million-worth of Bitcoin after being locked out of his wallet for a whopping 11 years.
An anonymous owner got in touch with electrical engineer Joe Grand – who goes by the handle ‘Kingpin’ online – to hack into an encrypted file holding 43.6 BTC.
In a bid to protect his crypto as best he could, the owner had used a random password generator called Roboform – alas, it seems he’d protected it too well, later losing the password.
The anonymous owner became ‘really paranoid’ someone would hack his computer and obtain his password – ultimately gaining access to his cryptocurrency – and so enlisted the help of Kingpin to try and get it back – with Grand having previously helped another owner recover their access to over $2 million in crypto in 2022.
He said dozens of people have previously contacted him to ask for help with recovering lost treasure.
Grand decided to turn a lot of them down for various reasons, but decided to help this particular anonymous owner with his quest.
In a YouTube video published by Grand, the wallet’s owner said: “I generated the password, I copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted.”
At the time of the owner losing access to the account, the Bitcoin worth stood between $3,000 and $4,000.
But as the price of bitcoin had risen by more than 20,000 percent, the owner decided to reach out to Grand.
So, Grand used a tool developed by the US National Security Agency (NSA) to disassemble the password generator’s code.
He said: “In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has.
“[But] in this version of RoboForm, it was not the case.
“While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password.”
Grand was able to trick the system by changing the time back to 2013 when the password was generated, and after a few failed attempts, it ultimately led to the same password being recreated.
The hacking expert then worked with his colleague Bruno to generate millions of potential passwords.
He was able to eventually crack the code – which Grand said to Wired was a lot down to luck.
“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have […] continued to take guesses/shots in the dark.” he told them in an email.