Recover bitcoin wallet from 2013

KeychainX
Dec 15, 2020

A client from Norway, the country known to have been inhabited by Vikings, contacted us with a unique story.

He was holding Bitcoin in an open source bitcoin wallet from Schildbach that has been around since 2011. The story is fascinating but also somewhat sad, because it shows how backward compatibility in crypto is broken.

We received the first email at 3.39pm, with the text:

Hi. I bought XX bitcoin back in 2013 and used a wallet simply called “Bitcoin” that had a B-logo on a yellow background. The phone died the same year and couldn’t be resuscitated — so access to the Bitcoin went with it.

The user only had an encrypted string which was supposed to be the private key. With little to go on, we asked where and how he got the bitcoin. He replied twenty minutes later: bitcoinsnorge.no, which unfortunately is another Bitcoin platform that is defunct and no longer around. Their Facebook page https://www.facebook.com/Bitcoinsnorway/ was full of angry users asking to have their funds returned. Oh well, an old-fashioned rug pull.

We started to look in the Android store for the wallet and found an open source wallet that matched the description. It had the yellow logo, but then so did hundreds of others. This wallet's GitHub repo had been around since 2011, though, so we might have been onto something.

After downloading the latest version, we tried to import the backup string.

Unfortunately it did not recognize the backup file.

So we went back to the original GitHub page and started to look for older versions. There were over 350 commits. Source code could be found here:

https://github.com/bitcoin-wallet/bitcoin-wallet

While we were playing around with the Android emulator, another email (4.14pm) dropped from the client telling us he had found 16 words that could be the backup. Unfortunately the 16 words were not part of this wallet; instead, it turned out they were the recovery mnemonic for the old blockchain.info legacy wallet. It would not recover the original wallet; instead it would decrypt the blockchain.info login password.

The blockchain.info legacy wallet password could be recovered here:

We entered the 16 words and discovered the password was different from the hints.

While installing different commits of the old bitcoin wallet with the help of Android Studio, we started to play around with the encryption. The GitHub source code page explained how the encryption key was stored and that it was possible to decrypt the wallet using standard OpenSSL. We quickly wrote a bruteforcer with the known hints and started to check variations while loading old versions of the wallet into Android Studio. This all failed because, as we later found out, the encryption changed during the upgrade of the app…

So we went back to trying old versions of the software, but the problem was that old versions of the wallet did not match with newer phones. They required new versions of Android, and old versions of Android were not able to load on newer phones. The wallet kept crashing in the Android Studio environment.

Finally, we decided to simulate an old Google Nexus phone running Android Lollipop from 2014, which was not too far from the November 2013 purchase of the Bitcoin. The backup loaded!

So we finally started to see the light, merely three hours after the first mail. We started manually trying the password with variations, but then decided to modify the source code to read the password from a text file. After all, the wallet software was open source.

None of the thousands of variations we tried worked. So we started to suspect that maybe the encryption was still different from our wallet version. We went back a few steps and managed to install a wallet commit from 2013 instead of 2014.

BOOM! The software accepted a password that was not too far from the original hints and started to sync. A transaction from November 2013 showed up.

At 7.13pm we sent an email to the client which said: Done! Where do you want your share?

Three days later we received this fantastic review on Trustpilot

Thank you friend!

LESSONS LEARNED

Sometimes a password that is the correct one for your wallet can still fail when you enter it. It's not your fault; you are just using an updated version which no longer uses the same parameters to store your password. And wallets that are supposed to be backward compatible are not…
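To make the lesson concrete, here is an added example (not KeychainX's or the wallet project's code): an `openssl enc`-style backup stores only a salt, so the key depends entirely on which derivation the reading tool assumes. The three parameter sets are OpenSSL's own (MD5 was the `enc` default digest before 1.1.0, SHA-256 after, PBKDF2 with `-pbkdf2`); that the wallet's change was one of these is an assumption, and the sample blob and password are constructed.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # header `openssl enc` writes in front of the 8-byte salt

def parse_openssl_backup(b64_text):
    """Split a base64 (`openssl enc -a`) blob into (salt, ciphertext)."""
    raw = base64.b64decode("".join(b64_text.split()))
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("not an OpenSSL salted blob")
    return raw[8:16], raw[16:]

def evp_bytes_to_key(password, salt, digest, key_len=32, iv_len=16):
    """Legacy EVP_BytesToKey, one iteration: D_i = H(D_{i-1} || password || salt)."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def pbkdf2_key(password, salt, iterations=10000, key_len=32, iv_len=16):
    """Derivation used by `openssl enc -pbkdf2` with its default settings."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]

def candidate_keys(b64_text, password):
    """AES-256-CBC (key, iv) pairs for one password under each parameter set."""
    salt, _ = parse_openssl_backup(b64_text)
    pw = password.encode("utf-8")
    return {
        "EVP_BytesToKey/md5": evp_bytes_to_key(pw, salt, "md5"),
        "EVP_BytesToKey/sha256": evp_bytes_to_key(pw, salt, "sha256"),
        "PBKDF2-HMAC-SHA256/10000": pbkdf2_key(pw, salt),
    }

# Constructed sample: header + salt 00..07 + 32 placeholder ciphertext bytes.
SAMPLE = base64.b64encode(MAGIC + bytes(range(8)) + b"\x00" * 32).decode()

if __name__ == "__main__":
    # Same password, same salt, three different keys: only one can decrypt.
    for name, (key, iv) in candidate_keys(SAMPLE, "correct horse").items():
        print(f"{name:26} key={key.hex()[:16]}... iv={iv.hex()[:8]}...")
```

When a known-good password is rejected, trying the backup against each derivation the software has ever used is a cheaper first step than questioning the password.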

Disclaimer! This article was written by KeychainX Wallet Recovery Services. To read more about our company please visit https://keychainx.io or send us an email at keychainx@protonmail.com if you need to talk about password recovery.
