Welcome to mnemonic hell.
On December 19th 2020 Miguel Cuneta (@MiguelCuneta) / Twitter tweeted: Helping a friend recover his old blockchain wallet from 2013. Crossing my fingers for him because the $50 he won from our UFC betting is now $3000+
Miguel sent us 17 words, a wallet.aes.json and a bunch of hints, like his friends name, year and month he created the wallet and some variations of the password.
Immediately we started brute forcing the password using custom made algorithms and our custom built password cracking servers. Oh how little we knew about how the next couple of weeks would unfold.
Even with the simplest hints our algorithm can find a Bitcoin wallet password with up to several errors adding random character in between, removing characters and prepending or appending random characters and words. In most cases this will work if the hints are anything close to the final password. We had good hopes as the wallet itself was a blockchain.info V1 wallet that we could try almost 300million different passwords per second. On one big GPU server. And we have many…
Let the battle begin!
Like the old siege of Jerusalem, we tried with sheer force. Our algorithm tried all possible combinations up to 13 characters without luck.
1 week passed. We thought there must be another way.
Luckily Miguel sent us a 17 word sequence called mnemonic seed. Unfortunately not supported anymore by blockchain.com. Instead they now use a 12 word mnemonic from a 2048 word list that is your private key encrypted.
The old mnemonic was your walled ID and password encrypted using a variety of words. But the word list were nowhere to be found. They could be anything from 15 to 21 words or more. They had three different encryption variations and used a different iteration (times the password was encrypted using that specific algorithm). Traditional mnemonic seeds used with Ledger, Trezor, Electrum or Bitcoin Core wallets were 12 or 24 words (with sometimes a 13th or 25th word called passphrase)
Using old fashion reverse engineering, we searched for old snapshots of blockchain.info at archive.org and found a snapshot from 2014 that would accept those words.
Unfortunately it gave us a wrong checksum. And it did not have a copy of all libraries.
Archive.org is a great resource for checking old variations or defunct websites. Unfortunately it is not a 100% full backup.
Using Google Chrome web developer tools, we looked what the java script did, then we discovered they were using a now defunct word list of around 50000 words! The mnemonic used today with blockchain.com wallet recovery seeds only uses 2048 different words. We also discovered they used two different word lists to decrypt their wallets in 2014. One to calculate the checksum, the other to calculate the wallet ID and password. So what different usage did the length of the mnemonic have?
Seeds with more words were for longer passwords...
So back to Miguel and his friend. The 17 words gave us a wrong checksum, so we decided to have look at blockchain.com-s GITHUB page where they store all their source codes.
Unfortunately the code for V1 wallets was not available anymore, we had to search somewhere else, only knowing the name of the bigger word list from the archive.org snapshot from 2014.
Google could be really helpful sometimes. We found a hidden Github with the old wallet source code using that bigger word list, only the 17 words were still giving us a wrong checksum.
So we decided to write a mnemonic brute forcer using GPUs. (a brute forcer for Trezor mnemonics using 2048 words was a real feat to break, here we needed to create a brute forcer with 50000 variations of each word).
So we had 17 words. Each word could have 50000 combinations.
Then 3 of the words were a checksum from a totally different word list.
Instead of worrying the amount of combinations, we decided to examine what each group of words would give us. We manage to recover the word Jesp and 1980, which were part of the hints. We then knew we were on the right path.
Another batch of words gave us 0301 which was a birthday month and date, also in the hints list.
So we decided to randomly add words from the 50000 word list where the group of words gave us weird non English characters (the hints were all numeric numbers or English word-names)
300 lines of code later…
Knock Out!
We manage to find the right combination of words, it turned out Miguels friend had one word missing.
Now the checksum was correct using combination of 18 words, and we were able to decrypt the wallet.aes.json with the password our custom tool found.
UFC bet won, Bitcoin from 2014 recovered!
LESSON LEARNED.
Although many claim there are no 15 or 17 or 19 or 21 word mnemonics, and they are not possible to use or decrypt anymore, we proved them wrong. There are several odd number mnemonics used in early blockchain.info wallets and it is possible to recover them.
Disclaimer! This article was written by Robert Rhodin, the CEO of Wallet Recovery Service KEYCHAINX SA, based in Zug Switzerland. To read more about our company visit https://keychainx.io or send us an email to keychainx@protonmail.com if you need to talk about password recovery.