
How a Trezor Wallet Passphrase Taking a Lifetime to Brute Force Was Cracked by KeychainX Experts in 24 Hours

Have you lost the passphrase for a hardware wallet and are looking for a way to recover your coins? Here is how the KeychainX recovery experts have done just that for a client. This is a trusted service provider that specializes in recovering lost crypto wallets, and they can even recover funds from broken hardware drives, phones or Trezor/Ledger wallets.

Recovering a Trezor Wallet Passphrase

A TREZOR hardware wallet is a security device that protects the user from key loggers and phishing e-mails, keeping the user’s Bitcoin and crypto safe. Various hacking groups have been able to open the device using side-channel attacks; however, the method was only possible because ‘a passphrase was not used’. When making a transaction, the user only enters a PIN, so the private key of the Bitcoin stays protected. The only backup is a 12/24-word mnemonic that determines which addresses are stored on the device.

Recently, a client asked the KeychainX team to brute force their TREZOR wallet as the client had forgotten the passphrase, commonly known as the 25th word. The passphrase was designed to ensure funds are safe if a user loses their TREZOR and someone gets hold of their 24-word mnemonic. The passphrase can be a word, a number, or a string of random characters. The idea behind it is to deceive the thief into believing that once he opens someone’s TREZOR or recovers it with the 24 words, he will only find a “fake” or low-value amount of BTC. This specific client had 10 USD worth of Bitcoin stored on their TREZOR’s main wallet based on the 24 words, but the real treasure trove was a wallet hidden behind the passphrase, the value of which the team cannot disclose.

The KeychainX team split the job into two phases (or three). But before the team could start, the client wanted to meet face-to-face. Travelling to South America was out of the question because the team had a security presentation scheduled in Europe, so the client agreed to a Skype “interview”. After 2 hours, the team had convinced him that they would not run away with his funds.

How Did the Team Crack It Open and Brute Force It?

The first part is data sourcing. First, the team gathered information about possible hints to the passphrase, as a six-character passphrase would take forever to brute force with conventional tools. For example, a GitHub repo by the user gurnec has a tool called Btcrecover that brute forces a couple of hundred passwords per second on average. Breaking a 5-character password would take two days; if you add capital letters and numbers, six months.

The client’s password consisted of more than 5 characters with both upper- and lower-case characters, possibly numbers and a unique character, which could take approximately 2+ years to brute force with the tool; that is, if the main wallet was the first created on the TREZOR. This was not the case. Instead, the “fake” wallet was created first, there were transactions, and the genuine wallet was created later. As a result, the team was forced to search for multiple wallet addresses and change addresses, which multiplied the time required to break the encryption.

Since this was not the first time the team had received a request to open a TREZOR, about a year ago the team decided to build a custom-made tool that uses GPUs. The custom tool’s speed is 240,000 passwords per second, an increase of 1000x compared to the gurnec GitHub source.

Customizing Mask Attack

The client gave the KeychainX team 5 wallet addresses he had used in the past, a list of hints, and the 24-word mnemonic. First, the team had to determine whether the 24 words were valid and whether the mnemonic as a whole was valid.

Next, they had to choose which derivation path to search; a TREZOR can use both LEGACY and SEGWIT addresses, and the two can easily be distinguished by looking at the first character of the address: LEGACY addresses start with 1 and SEGWIT addresses with 3. They also use different derivation paths depending on the BIP version, so the team had to specify which wallet type and derivation path to use. SEGWIT uses m/49'/0'/0'/0 and LEGACY has several options. Finally, the team fired up the custom tool with 8 x 1080Ti Founders Edition GPU cards (they cost up to 1000 USD each depending on specification and model).

At first, the team searched an ample space of characters and words, but with that mask and algorithm the search was going to take approximately two months, which was too long. The team had to change tactics, look at the TREZOR owner’s hints and find a pattern. The pattern used a lower-case or capital character as the first password character, then several lower-case characters, and then limited combinations of numbers (birth dates, months, PIN codes to a safe, etc.). Two unique characters were also used, so the team had to take that into account. The mask was modified again, and BOOM, the team found the password within 24 hours after the “interview”.
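To see how much a predictable structure shrinks the search, the following added example (not KeychainX's tool or code from the article) counts the candidates a mask generates and converts that to worst-case time at the two guess rates quoted above. The hashcat-style mask syntax, both masks, the `?2` symbol set and the figure of 200 guesses per second for "a couple of hundred" are assumptions made for illustration.

```python
import string
from math import prod

# Built-in charsets in hashcat-style mask notation (an assumed syntax).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,  # 33 symbols
}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")  # 95 printable ASCII

def mask_positions(mask, custom=None):
    """Return the set of allowed characters for each mask position."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append({mask[i]})  # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append({"?"})  # "??" is a literal question mark
        elif key in custom:
            positions.append(set(custom[key]))
        elif key in BUILTIN:
            positions.append(set(BUILTIN[key]))
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions

def keyspace(mask, custom=None):
    return prod(len(p) for p in mask_positions(mask, custom))

def worst_case_days(candidates, guesses_per_second):
    return candidates / guesses_per_second / 86400

# Constructed masks (not the client's): ten characters with nothing known,
# versus upper/lower first, a lower-case run, digits, then two symbols.
BROAD = "?a" * 10
HINTED = "?1?l?l?l?d?d?d?d?2?2"
CUSTOM = {"1": string.ascii_letters, "2": "!@#$"}  # ?2 set is assumed

if __name__ == "__main__":
    for name, mask in (("broad", BROAD), ("hinted", HINTED)):
        n = keyspace(mask, CUSTOM)
        for rate in (200, 240_000):  # assumed CPU rate vs. the GPU tool's rate
            print(f"{name:6} {n:.3e} candidates, "
                  f"{worst_case_days(n, rate):.3g} days at {rate}/s")
```

These are worst-case figures for one check per candidate; as the article notes, having to search several addresses and change addresses multiplies the time.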

The team sent a quick message on WeChat, asking the client for their BTC wallet (the team advised him not to use the same TREZOR again), and transferred the client’s funds to them within the hour.

Crypto Wallets Recovery Experts

If you are not yet familiar with KeychainX, it is a cryptocurrency wallet recovery service operating since 2017. The company has recovered wallet keys for many clients from all over the world, and you can see some of their rave reviews on Trustpilot, where KeychainX has an almost perfect 4.9 ‘Excellent’ score. Read this article about how it unlocks different types of wallets, here about its work with blockchain wallets and here about specifically recovering keys from Multibit Classic or Multibit HD.

KeychainX relocated in 2021 from its birthplace in the U.S. to Zug, Switzerland – a part of the world known in the blockchain community as Crypto Valley due to its concentration of relevant companies. Robert Rhodin, the CEO of the company, is naturally one of the leading experts in the field of crypto wallet recovery.

To learn more about the company visit KeychainX.io or just send an email to KeychainX@protonmail.com if you need to talk about password recovery.


This is a sponsored post.
