Joe Grand, better known as “Kingpin”, is good at cracking devices protected by impossible passwords. He did this in 2022 with the Trezor crypto wallet, thus recovering two million dollars from its owner. He’s done it again in another crazy story of hackers able to accomplish seemingly impossible things.

Joe, I can’t access my crypto wallet. Two years ago, “Michael” (the pseudonym he uses to protect his identity) contacted Joe Grand and asked for help. He had lost access to a crypto wallet containing approximately two million dollars worth of Bitcoin. Joe rejected the offer.

password from 11 years ago. Michael had created his wallet password 11 years ago using RoboForm, an experienced password manager. He then saved this password in a file encrypted with the TrueCrypt tool, but at some point this file got corrupted and Michael lost access to the 20-character password and therefore his crypto wallet. It contained 43.6 BTC, which cost him around 4,000 euros in 2013. It is now worth over 2.7 million euros, or about three million dollars.

“Kingpin” finally accepted the challenge. Grand, an electrical engineer, has an outstanding reputation for hacking passwords. He now works as a consultant for companies that hire him to ensure that other malicious hackers cannot break their hardware protections. The problem here is that Michael’s crypto wallet is based on a software application, not hardware. After consulting some experts, they all told him that it was impossible to get that money, but this time Grand decided to try.

This random number generator has a trick. Grand collaborated with a friend named Bruno, himself a hacker specializing in digital wallets. They spent months reverse engineering the version of RoboForm that Michael was using and managed to discover something important: the random number generator the app was using wasn’t that random after all. It used the date and time on the user’s computer to generate these numbers, thereby creating predictable passwords.

But Michael didn’t remember the date.. Knowing the date range in which the password was created in 2013 or some of its parameters (how many characters it used, whether it used uppercase letters, lowercase letters, numbers and/or symbols) was very important in being able to hack the password. However, Michael did not remember the exact date. What Grand and Bruno did was to test different date ranges around Michael’s first Bitcoin move on April 14, 2013.

They finally did it right. Grand and Bruno wanted to meet to tell him the good news: they had managed to reveal the password. I created this on May 15, 2013 at 16:10:40 GMT and it had 20 characters but no special characters. As Grand noted in Wired, “We were lucky in the end that our parameters and time period were correct. If either had been wrong,…we would have continued guessing and shooting blindly. It would have taken much longer to do so.” precalculation.”all possible passwords”.

It turns out that it is best to lose the password. As Michael explains, he was almost lucky to lose the password to his crypto wallet, because if he had the password he would have sold the bitcoins when they reached $40,000. He would lose a small fortune because the price today is around $68,000, so in his words “losing the password was a good thing financially.”

in Xataka | $256 million Bitcoin, lost password and two remaining attempts: The story of a German engineer who couldn’t access his wallet