How a presale Ethereum wallet containing 1000 ETH was recovered…
A few months ago an Ethereum enthusiast contacted us with a pretty unique story.
He took part in the Ethereum presale in 2014 and amassed an amazing 1000 ETH for a mere 300 USD, today worth about 4 million USD.
An astonishing 13000x increase in value.
The story began when Alex (let's call him that for the sake of security) asked us whether we dealt with damaged wallets. Alex suspected the wallet to be corrupt or the encryption to be wrong, as he had the password saved in Splash ID together with other passwords and used to copy-paste it into the presale webpage to join the Ethereum token sale.
He was worried, though, that by using multiple systems like iPad, Mac and phone and various language setups (Alex was half French) there might have been some hiccup or character decoding errors.
Since the password was pretty long (99 characters) and contained several special or non-ASCII characters, it was a devious task. Inserting a random character at a random position is doable for shorter passwords. For an almost 100-character password it was impossible, to say the least.
But Alex was pretty sure of the password, so we “just” had to find out what was wrong. The password was also of a sexual nature, so it was quite hilarious to write the various password deviations using sexually explicit language.
Although the words were not using S/M code words like one of our Hong Kong clients, it did contain the words p*ssy and c*ck.
Little did we know how close to the problem we were, but on the other hand how far away it was.
Being stubborn, we started by adding random characters at the positions we suspected of having a possible problem. Sometimes, if a character was non-English, the code would translate it to a double character, which ultimately would cause the search space to increase dramatically. Doing that produced no result.
So we went back to have a look at the Splash ID source code and tried to reverse engineer it to reproduce the problem. There were many versions of Splash ID, and their page did not offer it as open source. No luck.
Then a Russian client contacted us with a completely different wallet using Cyrillic characters. Most of our custom-written tools were written for English or Latin passwords, so we had to look into our old tools' source code and see how to translate those to fit into our system.
It gave us an idea for Alex's wallet.
What if the special characters in the password that encrypted his wallet were translated by the encryption software just like Cyrillic characters?
Going back to the presale wallet, we attacked those special-character positions using the same approach as if they were Cyrillic.
Password was found. Good, but not that fast…
A little problem. Most wallet software that would generally import the wallet and display the private key did not work, and the password would not be accepted since the special characters were outside the boundaries of their respective code or character set.
Instead we had to manually decrypt the wallet to export the private key using the foreign character set.
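The encoding problem described above, as an added example that is not KeychainX's tooling: one typed password with accented characters becomes several different byte strings depending on Unicode normalization and character set, and each byte string derives a different key. The sample password, the salt and the PBKDF2 parameters are constructed assumptions, and the article does not say which encoding turned out to be the right one.

```python
import hashlib
import unicodedata

# Constructed sample password (not from the article); \u00e9 is "e with acute accent".
SAMPLE_PASSWORD = "caf\u00e9-\u00e9t\u00e9"
CODECS = ("utf-8", "latin-1", "cp1252", "mac_roman")

def encoding_variants(password):
    """Map a label to each distinct byte string one typed password can become."""
    by_bytes = {}
    for form in ("NFC", "NFD"):  # precomposed vs. base letter + combining accent
        text = unicodedata.normalize(form, password)
        for codec in CODECS:
            try:
                by_bytes.setdefault(text.encode(codec), f"{form}/{codec}")
            except UnicodeEncodeError:
                continue  # codec has no byte for one of the characters
    # "Double character" case: UTF-8 bytes misread as Latin-1, then re-encoded.
    utf8 = unicodedata.normalize("NFC", password).encode("utf-8")
    by_bytes.setdefault(utf8.decode("latin-1").encode("utf-8"), "NFC/utf-8 misread as latin-1")
    return {label: raw for raw, label in by_bytes.items()}

def derive_key(raw):
    # Assumed KDF and salt, for illustration only; a real wallet defines its own.
    return hashlib.pbkdf2_hmac("sha256", raw, b"constructed-salt", 2000, dklen=16)

def find_matching_variant(password, target_key):
    """Return the label of the encoding whose derived key equals target_key."""
    for label, raw in encoding_variants(password).items():
        if derive_key(raw) == target_key:
            return label
    return None

if __name__ == "__main__":
    # Pretend the key was originally derived on a system that used Mac OS Roman.
    target = derive_key(SAMPLE_PASSWORD.encode("mac_roman"))
    for label, raw in encoding_variants(SAMPLE_PASSWORD).items():
        print(f"{label:30} {raw.hex()}")
    print("match:", find_matching_variant(SAMPLE_PASSWORD, target))
```

For a password the owner already knows, this turns an open-ended character search into a handful of candidates per encoding, which is also why a wallet tool that only accepts one encoding can reject the correct password.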
After moving out the funds we tried to call Alex multiple times, answering machine. We mailed Alex, no answer. There was no sign of life.
It took almost 3 days before he got back to us, which was a little nerve-wracking: sitting on someone's 4 million USD without knowing where the person was. The Ethereum price also swung quite a bit, so the value moved hundreds of thousands every day in both directions.
So we moved Alex his share of the funds, said good luck and stay safe, then never heard from him again… Hope he has some fun with his newly recovered long-lost fortune!
Disclaimer! This article was written by Robert Rhodin, CEO of KeychainX Crypto Recovery Service. To read more about our company please visit https://keychainx.io or send us an email to firstname.lastname@example.org if you need to talk about password recovery.