Cracking a $2 Million Crypto Wallet (theverge.com)
First, he forgot his PIN -- then he started looking for hackers. From a report: In early 2018, Dan Reich and a friend decided to spend $50,000 in Bitcoin on a batch of Theta tokens, a new cryptocurrency then worth just 21 cents apiece. At first, they held the tokens with an exchange based in China, but within weeks, a broad crackdown on cryptocurrency by the Chinese government meant they would soon lose access to the exchange, so they had to transfer everything to a hardware wallet. Reich and his friend chose a Trezor One hardware wallet, set up a PIN, and then got busy with life and forgot about it. By the end of that year, the token had sunk to less than a quarter of its value, come back up, and then crashed again. Reich decided he wanted to cash out, but his friend had lost the paper where he'd written the PIN and couldn't remember the digits. They tried guessing what they thought was a four-digit PIN (it was actually five), but after each failed attempt, the wallet doubled the wait time before they could guess again. After 16 guesses, the data on the wallet would automatically erase. When they reached a dozen tries, they stopped, afraid to go further. Reich gave up and wrote off the money in his mind. He was willing to take the loss -- until the price started to rise again. From a low of around $12,000, the value of their tokens started to skyrocket. By the end of 2020, it would be worth more than $400,000, rising briefly to over $3 million. It would be hard to get into the wallet without the PIN -- but it wasn't impossible.
And with potentially millions on the line, Reich and his friend vowed to find a way inside. The only way to own cryptocurrency on the blockchain is to have sole possession of a private key associated with a block of currency -- but managing those keys has been a, sometimes high-stakes, challenge from the beginning. [...] The cryptocurrency data firm Chainalysis estimates that more than 3.7 million Bitcoins worth $66.5 billion are likely lost to owners. Currency can be lost for many reasons: the computer or phone storing a software wallet is stolen or crashes and the wallet is unrecoverable; the owner inadvertently throws their hardware wallet away; or the owner forgets their PIN or dies without passing it to family members. As the value of their inaccessible tokens rapidly rose in 2020, Reich and his friend were desperate to crack their wallet. They searched online until they found a 2018 conference talk from three hardware experts who discovered a way to access the key in a Trezor wallet without knowing the PIN. The engineers declined to help them, but it gave Reich hope. "We at least knew that it was possible and had some directional idea of how it could be done," Reich says. Then they found a financier in Switzerland who claimed he had associates in France who could crack the wallet in a lab. But there was a catch: Reich couldn't know their names or go to the lab. He'd have to hand off his wallet to the financier in Switzerland, who would take it to his French associates. It was a crazy idea with a lot of risks, but Reich and his friend were desperate. Gripping story.
This seems like the biggest hurdle to adoption... (Score:4, Insightful)
Easy come, easy go. (Score:3)
If you spent $50,000 on something. Couldn't you also afford some archival paper and a safety deposit box?
Re:Easy come, easy go. (Score:5, Insightful)
Re: (Score:2)
You can also just get fireproof safes
Re: (Score:2)
I wouldn't recommend fire safes. Many of them are garbage and aren't flood proof. And the temperature ratings for what makes a firesafe are lower than a large percentage of modern house fires. I have an old homemade safe that is built into the foundation; it's amusing but impractical. It is incredibly fireproof due to the concrete and location beneath the foundation, but of course I wouldn't keep a Rolex in it if I didn't want it to get wet.
If what you are storing degrades at high temperature, like do
Re: (Score:2)
Re: (Score:1)
Rolex are for shallow people with more money than brains. They are too busy trying to impress others with a fake status.
Keeping a Rolex safe from fire/flood/etc. is the very definition of First. World. Problems.
Re: (Score:3)
Re: (Score:1)
I would store the Rolex inside the Lamborghini that is inside a fireproof underground garage.
Rolex is for life, Apple Watch is for 2 years.
Re: (Score:1)
What do you care how people spend their money and on what. Stop being a poor.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
I don't have a car, but have car keys.
Good luck to those burglars, who will never find the car.
Re: Easy come, easy go. (Score:2)
Re: (Score:1)
If you can build a safe into a concrete pad that wouldn't be exposed to the heat that most 'fireproof' safes would, then do it. When I built my house, that's what I did on top of having a safe room that is fireproof as well.
Re: (Score:2)
Werewolves?
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Who just "writes off" $50k?
You'd have to have a stupid amount of money to be willing to throw away a value that represents an entire annual wage for many people.
Fleeting Tech Companies (Score:5, Informative)
I don't remember how many I had, but I lost somewhere between 3-30 BTC. Companies used to give them away just for creating a wallet with them. My problem is that I backed up all the information using tech and services that are no longer around. I'm pretty sure I backed up my wallet on my first-gen IronKey that I don't recall the pw to, the Windows app for accessing it is no longer around, the server we had in place for managing creds is no longer around, and the key itself is currently un-crackable. The wallet was also backed up with a secure-vault kind of company that is no longer around.
So yeah, I could say that I lost perhaps up to $2M. However, had I never lost access to that BTC, I almost certainly would have sold it off when it was $100-$500 each thinking it would never go higher.
Re: (Score:3)
Re: Fleeting Tech Companies (Score:2)
"I wouldn't trust anything to USB sticks, just look at one wrong and they'll corrupt themselves."
There is also the problem of memory fade which happens to all (E)EPROM memory after all.
Many vintage computer collectors ran into the unpleasant surprise of certain devices no longer working because the contents of the (E)EPROM had faded out.
Re: (Score:2)
nothing beats a good fireproof safe or fireproof gun safe.
Thieves do. That's the problem with security. The easier you make it for yourself the easier you make it for others.
Re: Fleeting Tech Companies (Score:2)
Re: (Score:2)
Re: (Score:1)
No problem, they are in my skull.
choose a god damn memorable pin# (Score:1)
Either choose something that is known your whole life.
Like your high school grade scores, or your first CPU, 80286 or something easy, but not obvious. A bible number or year of something, like WW2 ending or the time you wake up in the morning each day, like 06:33 or something, or element # for gold Au79, or surface pressure on Venus. Or your favourite movie War Games WOPR or something unique to you.
But designing a hardware wallet that kills itself is really stupid, even if they claim that, I would lie and
Re: (Score:2)
I think the "summery" was a good prolog. They did provide the link (which I missed at first) to the story:
https://www.theverge.com/2022/... [theverge.com]
But other than that.... this particular slashdot post is "OK".
Re: (Score:1, Insightful)
Re: (Score:1)
Sorry your attention span doesn't exceed two paragraphs. Read more. It might help.
Re: (Score:2)
What attention span? TFS doesn't exceed two paragraphs. Read more of what?
Re: (Score:2)
The purpose of a summary is to make you click through to the article. These two paragraphs don't accomplish that.
Re: (Score:2)
Re: (Score:2)
And now you know ... the rest of the story.
You had one job ...
No Only (Score:2)
Only one backup? (Score:2)
And Reich didn't write it down as well so he had a copy? Sorry, not sorry. These two deserve to lose their money.
Re: (Score:2)
"These two deserve to lose their money."
But they didn't. That's the "gripping" part of the story. Maybe not "gripping", but it was an interesting read.
This is not sane (Score:4, Insightful)
Dude, WTF. If you're part of that weird religion who thinks hardware wallets aren't crazy, then I'd think you'd be fanatical about things like PINs. (Don't get me wrong, I totally understand why someone wouldn't be fanatical about securing PINs, but that's because I'm not the kind of person who would use a hardware wallet.)
yawn... (Score:2)
https://www.theregister.com/ [theregister.com]
Not as frequently updated as /. - more UK focussed, but not a crypto story in sight on today's front page.
I'd say it's probably a lot more akin to the /. of old - "News for Nerds. Stuff that Matters"
Nope, I have no association with this site, it's just more useful these days ... I'm proper sick of seeing the /. main thread of posts 20, 30, 40 percent cryptocurrency related.
Re: (Score:2)
Had you actually read TFA, you would know that it was more about a glitching attack on a popular microcontroller allowing readout of data that was supposed to be impossible to read out. The bitcoin was just the incentive to do the hack.
It could also inspire discussion about security vs. future accessibility.
Or, I suppose it might inspire your disgruntled shitpost.
Who thought of this? (Score:5, Interesting)
Re: (Score:2)
It sounds really good when you're bullet pointing security. But as you observe, in effect it's too secure by half.
I suppose it could be argued that it provides disincentive to steal the wallet in the first place, but that depends on the thief knowing it will self erase before they steal it. It also depends on nobody wanting to harm the owner by causing a self erase.
Re: (Score:2)
Re: (Score:2)
Hmm... well, maybe stored on the hard disk. But you'd still want a backup. Say, a USB drive embedded in a rubber duck, in among your collection of USB-holding rubber ducks with 15 year old IRC transcripts.
Re: (Score:1)
If the wallet doesn't autoerase, it dramatically increases the chances of theft, even your friends would have an incentive to steal it.
Re: (Score:2)
Re: (Score:2)
Could this be used to store secrets that are more important to be deleted than possessed, however?
Re: (Score:2)
Re: (Score:1)
Security!
If you're using a hardware wallet you obviously care about security so if you aren't careful with your backup, that's on you.
These wallets all give you a list of 24 seed words that your entire collection of wallet addresses can be generated from. Once. Only once, when you initiate the device do you see your 24 seed words. This is the most important part. Write these down.
Etch them in steel and bury them in your back yard. Or a safety deposit box, or even a password manager. Maybe split up betw
Re: (Score:2)
Re: (Score:1)
I would guess 80% of the users don't have the technical skill or understanding to do what you describe.
I agree. And these users will be perfectly happy with a software wallet. There are very few people willing to drop $60 on a hardware wallet and still not care about security. Why even bother?
Maybe one of them is lying. (Score:1)
Or the guy who "forgot the PIN" actually cashed out a couple years ago and does not want the other guy to know.
Hope this message finds you in good health. (Score:4, Funny)
My name is Prince Mosasa Salama, I am from Nigeria. I am in possession of a crypto wallet, worth 128.33 million dollars. But unfortunately the computer with the password is saved was stolen by Boko Haram. If you would help me hire a team of hackers to unlock the wallet I would share half of the profit with you. Or you can have this crypto wallet without the password for a low low price of $9.99
Sniff the bus traffic? (Score:2)
Couldn't you just use a logic analyzer and sniff the data?