Cracking Bitcoin wallet.dat password in 2 minutes!

KeychainX
Oct 29, 2020

A famous movie director once told me: “Shooting a movie is just 10% of the work, the other 90% is preparing”. That came to mind recently.

Wednesday 8.55 pm

Someone sends me a request to find the passphrase to his Bitcoin Core wallet password. I reply immediately that I would be more than happy to help. There was no answer until the next day.

Thursday afternoon. 2.04 pm

I was at our summerhouse with my cat, making it back to the city after a short break, when the reply dropped into my inbox. As always, I replied with courtesy, listing the needed steps etc., including a request to send the amount and/or public address before we start, to make sure the wallet wasn’t stolen or forged (lately many of those occur).

Thursday afternoon 3.44 pm

The gentleman from New York sent the requested info. While I was driving the car with the rain pouring down and the cat being uncomfortable with the lightning strikes, the email read “can you call me now?”

I stopped the car in the middle of nowhere, booted up Skype and made the call.

The New York trader had a small Bitcoin fortune locked up since 2017 in a Bitcoin Core wallet. His first question was if I wouldn’t block his number once I opened the wallet.

“Sure I will,” I thought to myself smiling, then got my senses together and answered, “No, I would not, we are an incorporated US-based entity, not a shady anonymous service.” I explained that while other services might be around longer, they are anonymous or simply a garage operation. We are incorporated in Delaware, USA, with prominent investors and have a patent pending with the USPTO.

Having said that, the guy asked if we would send over a contract, and he would like me to sign and agree on terms before we start. I explained I was still in the car, so we would need to continue in a few hours. I managed to send it with my phone so he could look it over while I was driving.

Thursday night 10.50pm

I arrived home late, still no contact from the guy. “Oh well, he changed his mind,” I thought to myself and went to sleep. An hour later (New York is 6 hours behind me) my phone buzzed. I received an email with his signature on the contract and a request to call him. He would like me to extract the wallet from his computer as he did not know how to locate it. (Bitcoin Core uses a hidden folder where it stores the encrypted wallet.)

We connected through TeamViewer and after a minute the wallet was located.

Thursday night 11:15pm

Final step: I asked for hints. They were a list of words, the order of which he did not know, and some misspelled. He also suggested there might be spaces between the words and/or small/capital letters.

Thursday night 11:35pm. RECOVERY starts

Having those hints, I quickly created a small Python script on my laptop that merged the hints into all kinds of different combinations. His hints were a combination of 6–8 words in a row used as the wallet passphrase. Usually I would connect to the company servers through a secure VPN, but I decided to try my luck on the NVIDIA-boosted laptop. (An NVIDIA GPU lets you crack passwords thousands or even millions of times faster than a CPU under specific circumstances, like Bitcoin wallets.)

The NVIDIA RTX 2080 chip

Thursday night 11:36pm.

The first instance (algorithm used together with hints) created too many combinations, as there were many variations including misspelled words. It would take days to go through. Then, using my intuition, I minimized the variations and hit enter.

Thursday night 11:37pm. PASSWORD FOUND.

BOOM! My script found the passphrase to Bitcoin Core within two minutes after starting to code my first script.

As usual, I sent him an email that we had found the passphrase and asked him where to move his share of the funds. My usual chain of action was that once the wallet was opened, I would move my % of the wallet value and then the remaining to a wallet address of the client’s choice. I received an address within minutes and swept the remaining funds out of the wallet.

After getting a confirmation that the wallet was emptied, I received a phone call from the guy asking if I can retract the transaction. I said “NO” since there is no such thing as reversing transactions on the blockchain.

He explained that he might have sent me the wrong address, as his Coinbase account showed a different address last time he checked. I tried to calm the guy down by explaining that it was most probably an HD wallet that created a new address each time you requested funds. That is common in many wallets or services as a security option.

I said “just be cool and wait, we probably need more than 1 confirmation on the blockchain”.

He seemed to calm down a bit and we waited together for the Bitcoin Network to confirm the transaction and finally the funds appeared on his Coinbase account.

While it took over a day to discuss our chain of action when recovering wallets, the final approach to finding the password took merely 2 minutes, just like my movie director friend predicted…

LESSONS LEARNED

Preparing an algorithm with good hints is the most crucial job. Don’t panic if your wallet address changes using a service like Coinbase. They just create new addresses each time you request funds.
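To put numbers on why trimming the hint variations mattered, here is an added example (not the script from the article) that only counts how many candidate passphrases a hint model implies and how long exhausting them would take. The eight hint words, the variant counts per word, the two separator styles and the 5,000 guesses per second rate are all constructed assumptions, not figures from the recovery described above.

```python
from math import factorial

def ordered_selections(variant_counts, k):
    """Ways to pick k distinct hint words in some order, choosing one
    spelling/case variant per picked word: k! * e_k(variant_counts)."""
    # e[j] is the elementary symmetric polynomial of degree j, built up
    # one hint word at a time (iterate j downwards so each word is used once).
    e = [1] + [0] * k
    for v in variant_counts:
        for j in range(k, 0, -1):
            e[j] += e[j - 1] * v
    return factorial(k) * e[k]   # 0 if k exceeds the number of hint words

def keyspace(variant_counts, min_words, max_words,
             separators=1, independent_gaps=False):
    """Total candidates for phrases of min_words..max_words hint words.
    separators: number of joining styles (e.g. "" and " ").
    independent_gaps: True if every gap may use a different style."""
    total = 0
    for k in range(min_words, max_words + 1):
        sep = separators ** (k - 1) if independent_gaps else separators
        total += ordered_selections(variant_counts, k) * sep
    return total

def seconds_to_exhaust(candidates, guesses_per_second):
    return candidates / guesses_per_second

# Constructed models: 8 hint words, phrases of 6 to 8 words, 2 separator styles.
ASSUMED_RATE = 5_000                                 # guesses/second, an assumption
WIDE = keyspace([3] * 8, 6, 8, separators=2)         # 3 spellings/cases per word
NARROW = keyspace([1] * 8, 6, 8, separators=2)       # one trusted form per word

if __name__ == "__main__":
    for label, n in (("wide", WIDE), ("narrow", NARROW)):
        secs = seconds_to_exhaust(n, ASSUMED_RATE)
        print(f"{label:6s} {n:>12,d} candidates  ~{secs / 3600:8.2f} hours")
```

Under these assumptions the wide model needs about 1.7 days to exhaust and the narrow one about 40 seconds. The same count shows how little protection a passphrase built from a handful of remembered words offers once the word list is known.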

Disclaimer! This article was written by Robert Rhodin, the CEO of Wallet Recovery Service KEYCHAINX SA, based in Zug, Switzerland. To read more about our company visit https://keychainx.io or send us an email to keychainx@protonmail.com if you need to talk about password recovery.
