Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
IT Technology

They Cracked the Code To a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird. (wired.com) 61

Unciphered, a Seattle-based startup, claims to have cracked the seemingly unbreakable encryption of IronKey S200, a decade-old USB thumb drive. By exploiting an undisclosed vulnerability in the device, the company says it can bypass the drive's feature that erases its contents after 10 incorrect password attempts. The breakthrough came within a day of receiving a test device, suggesting that the firm's hacking technique, powered by high-performance computing, could have far-reaching implications.

The startup's focus is not just technological; it's after a specific IronKey that holds 7,002 bitcoins, valued at roughly $235 million, stored in a Swiss bank vault. The device belongs to Stefan Thomas, a Swiss crypto entrepreneur, who has forgotten the password and has only two password attempts left before losing access to his fortune. Unciphered believes its hacking capabilities could unlock Thomas' crypto vault and is preparing to reach out to him to offer its services. The only problem: Thomas doesn't seem to want their help. Wired: Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company's new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined. Thomas had already made a "handshake deal" with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else -- even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. "We cracked the IronKey," says Nick Fedoroff, Unciphered's director of operations. "Now we have to crack Stefan. This is turning out to be the hardest part." In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. "I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new," Thomas wrote. "It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see." In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled "What is Bitcoin?" that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000.

This discussion has been archived. No new comments can be posted.

They Cracked the Code To a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird.

Comments Filter:
  • Why doesn't Unciphered just reach out to one of these 'hackers' and offer their services for a large percentage of the commission?
    • Re:Subcontract (Score:5, Interesting)

      by timeOday ( 582209 ) on Tuesday October 24, 2023 @11:57AM (#63949485)
      I think the best solution is really for the guy to just auction off his ironkey, "as is," because the hackers are in the best position to know their own probability of success.

      Well I suppose they need a clause for what if they encryption is cracked but the only think on it is autorun.inf

      • Re:Subcontract (Score:5, Insightful)

        by dmitrygr ( 736758 ) <dmitrygr@gmail.com> on Tuesday October 24, 2023 @12:11PM (#63949521) Homepage
        Selling it at an auction is a taxable event. Unlocking a USB drive is not.
      • Does anyone else get the feeling that the guy really doesn't want the Ironkey data recovered, perhaps because it's not quite what he claims it is? He accidentally erased multiple backups and lost a paper copy and then what's left is in a self-destructing storage system that he won't let the people who can recover data from it access.
      • I would. That gives me a guaranteed payout so I wouldn't have to sell the Bitcoins. Trying to cash out on that much coin requires a lot of suckers and would probably disrupt the market.

        But, hey... I'm not a collector or hoarder. I can't relate to the super-rich who have 1,000 times more than their basic needs.

  • How long will a USB stick store data? AFAIK, 10 years is pushing the limits already.
    • Comment removed based on user account deletion
      • These were never $20

        What sets the IronKey apart from most other USB drives is that its maker uses high-end single-level cell (SLC) NAND flash memory chips as opposed to multi-level cell, consumer-grade (MLC) NAND. SLC has better native performance over MLC, and, perhaps most importantly, it has as much as 10 times the lifespan, up to 100,000 write/erase cycles.

        That said, I don't know to what extent the longer life of MLC extends to years as opposed to rewrite cycles.

        • Comment removed based on user account deletion
          • Nah.. he was relying on his $200 device as the sole means to temporarily hold $7200 left over from buying something else.

          • by ceoyoyo ( 59147 )

            It was only a few thousand when he put his key on it. And he apparently had two other copies in different places that he somehow managed to lose.

            I think I would have been more careful with $5k, but I guess a lot of people aren't.

            • Comment removed based on user account deletion
              • by ceoyoyo ( 59147 )

                Because if you can find some poor dumbass to sell it to at the right time you can get rich and buy a lambo. Well, provided you can remember your password.

                It's just another get rich quick scheme, this time nicely mixed with some gold standard / central bank conspiracy theory.

  • I wonder if he actually stored on that key what he thinks he did.

    • Re: (Score:3, Funny)

      Comment removed based on user account deletion
    • I suspect that he may have been caught off-guard by Unciphered's claim. He probably as intending to launch another one of those scammy "everybody give me money to try and decrypt this, I'll give you a small percentage of my zillion bitcoin if I'm successful" schemes we've seen a few times.

      He collects a bunch of cash from credulous people, occasionally pretending he might be making some sort of progress while just laughing to himself.

  • Bullshit alert (Score:5, Insightful)

    by Baron_Yam ( 643147 ) on Tuesday October 24, 2023 @12:10PM (#63949517)

    Nobody waits indefinitely for $235 million dollars'maybe' when they could have it now 'pretty sure'.

    If he really had bits worth that much on the USB drive, he'd tell his current contractor to get it done and make a deal with the new team if they had to, or they'd lose the contract.

    So... I suspect the original claim was bullshit and he never expected anyone to have the ability to prove it.

    • by Viol8 ( 599362 )

      This. If there really is that sort of money on the drive he could easily afford to pay off the other groups, give unciphered a large percentage of the 235M and still have a fortune in the bank. But no, some kind of "honour" with the hackers is more important. GMAFB.

    • Hard to say, depending on the agreement that was signed. There could definitely be an exclusivity clause, "only us and company X can work on decrypting your key, else you owe us $10M and we stop", and given the Unciphered crack SEEMS like it'll work but he has no guarantee, that may not be something he wants to risk.

      I agree, he should just tell his current 2 contractors to work it out with Unciphered, and share the $, that's the smart thing to do. Or, he knows there isn't that much BTC on the key and is r
      • $10m is a small price to pay to get at $235m
      • It doesn't sound like there was a contract, and I commend the guy for not being a dick to those he already made an agreement with, they could already be close and have exerted a significant amount of effort to get there already. Sounds like it's up to them if they want to subcontract out to the company that has cracked it for some portion of their commission and get an immediate pay day rather than a maybe payday.
    • This is probably true, no one knows what's on the wallet, and no one treats a few hundred mil like pocket change. In addition it seems we're hearing about it because Unciphered went and basically did months of work for a client they hadn't signed. They expected if they succeeded the client would sign, and he didn't. So now they are making as much noise as possible to get this client to give them a chance. Unciphered has probably invested a lot of money in this and is now in financial danger unless they
  • After a blessed respite, suddenly three stories about crypto-crap get posted in less than 24 hours. Apparently the cryptobros think enough time has passed that we have forgotten about their ultra-shady house of cards.

    • After a blessed respite, suddenly three stories about crypto-crap get posted in less than 24 hours. Apparently the cryptobros think enough time has passed that we have forgotten about their ultra-shady house of cards.

      And curiously, right after there has been a sudden jump in the BTC price because of rumors that a big Wall Street firm is getting into crypto.

  • by Opportunist ( 166417 ) on Tuesday October 24, 2023 @12:12PM (#63949527)

    To me this sounds like someone wanted to know whether the device is actually secure, got his answer, and all that for free.

  • by groobly ( 6155920 ) on Tuesday October 24, 2023 @12:12PM (#63949529)

    Rich people's problems. I'm rooting for the USB drive.

  • by a5y ( 938871 ) on Tuesday October 24, 2023 @12:16PM (#63949537)

    As long as the USB isn't decrypted its owner can continue to be claimed to be *potentially* worth millions regardless of whether it contains nothing more than a never_gonna_give_you_up.mp3

    As for the devs they never checked to see if they weren't developing a solution in search of a problem first. They just assumed. It's not like Bitcoin is something people value because it's so useful for spending.

  • The more this guy claims he really, really wants his drive decrypted, except by the people who might actually be able to do it, strongly suggests to me that the drive's entire value rests on the fact that nobody except him knows what's on it...if anything.

    • On the one hand, I can see this guy's point of view. He made an agreement with some people and his own moral code won't allow a breach of that agreement. I am the same way.

      On the other hand, the clock is ticking on the charge state of those cells... The sooner you can read the data, the better.

      • by cob666 ( 656740 )

        On the one hand, I can see this guy's point of view. He made an agreement with some people and his own moral code won't allow a breach of that agreement. I am the same way.

        On the other hand, the clock is ticking on the charge state of those cells... The sooner you can read the data, the better.

        And he might not even KNOW that these devices have a limited lifespan...

        • Im sure it's got a much longer life span than any flash created today. It's likely SLC flash on a large process node, compared to todays MLC or TLC flash on smaller process nodes.I would almost want to treat MLC ot TLC flash as a DRAM and fully "refresh" it's contents at least every few years, All it takes is for a cell's voltage to fluctuate a tiny bit to be read as a completely different set of bits.
  • Iâ(TM)m not sure, but why would you protect Bitcoin by a device that deletes the data after a certain number of attempts? Thatâ(TM)s what you would do if you have secrets that could hurt you if uncovered. But Bitcoin, if I canâ(TM)t read it myself, then it doesnâ(TM)t hurt me if unconvered. The bitcoin is gone (for me) anyway. And I assume that anyone with access to the device could destroy it maliciously anyway.
  • That is why you fail. If you don't have a signed contract, you don't have shit. You'd think with $235 million at stake, they'd take care of this most basic of prerequisites before doing any work.
    • For real. And since you are talking about $250 million, assuming these other guys are working on commission for whatever is recovered, you'd want to put into said contract a clause like "in the event the data is recovered via other means" (like...I finally found the post it note with my passwords) then you pay them time+materials and some amount of money.

      Likewise these 'other guys' would probably want some time+materials guarantee payment if the USB drive turns out not to have Bitcoin on it.

      But overall th

  • Has "Stefan Thomas" confirmed with the Blockchain that he does indeed own this Bitcoins? This is one case where the intrinsic traits of Bitcoin would be useful for showing authenticity.
  • More like Swiss-Cheese brain.
    - lost the first drive
    - lost the second drive
    - lost the paper backup
    - thinks he has $235M but won't let anyone prove it.

    I think he's Craig Wright for sure. Prove me wrong if you disagree.

  • "Now we have to crack Stefan. This is turning out to be the hardest part."
    No, you need to sell the technique to one of the other 2 teams.
    Btw I had over $100 million in crypto in 2010 and sold MOST of it in 2011. But I finally "cracked" a non-encrypted but damaged wallet I thought had about 5 BTC in it. Nope. All balances were in earlier addresses/keys/whatever and the fallback wallet I restored from a backup had access to all of them and no funds were added in the time between when the wallet broke and wh
  • I started reading this thinking they were gonna say feds showed up with a cease-and-desist order, or aliens or time travelers showed up demanding the key or something like that. I'm disappointed that this was utterly mundane.

  • by bartle ( 447377 ) on Tuesday October 24, 2023 @02:09PM (#63950053) Homepage

    I just want to point out how ridiculous it is to build a device that destroys it's contents after 10 failed attempts. They could increase it to 100 without decreasing the security by a meaningful amount but it would give the owner a lot more breathing room to access their data.

    • by kackle ( 910159 )
      password123
      password1234
      password12345
      password123456
      password1234567

      May I give it a shot?
    • I just want to point out how ridiculous it is to build a device that destroys it's contents after 10 failed attempts. They could increase it to 100 without decreasing the security by a meaningful amount but it would give the owner a lot more breathing room to access their data.

      Their target customer isn't IT people. I'm sure this device is targeted at people who know next to nothing about IT like doctors, dentists, lawyers, etc. Also it might be targeted at companies who are off the charts risk averse.

  • What is it with rich crypto bros being unable to prevent their losses of these invaluable assets? First Craig Wright, now this guy, purport to lose significant wealth in ways that defies believing they were ever intelligent to begin with.

    In any event, this story is probably just an "explanation" ruse to paper over behavior that otherwise would be hard to ignore, such as money laundering or tax avoidance. The thumb drive probably contains nothing.

  • It seems on the face of it that he made a deal with a couple of others, and is giving them more time.
    Not to mention perhaps the liability of an implied contract and what a court might deem an insufficient time granted to accomplish the task.

    It's not like the value isn't appreciating, so if he doesn't need the money, well, why not?
    Nothing guarantees their 'magic solution' will work either.

  • Sounds like given enough time, all crypto will be ‘lost’.

    • by ceoyoyo ( 59147 )

      That's not a bug, it's a feature! It just increases the deflationary nature of bitcoin. So if you HODL long enough, not only will you own a good chunk of the world's money, if you're the last one, you'll have it ALL.

      It's like Highlander. There can be only one.

  • Many USB flash storage devices have minimal error detection and correction. It appears these IronKeys are mostly flash memory, and few use hard drives. Most flash memory needs occasional refresh, especially cheaper ones. I would think 12 years is too long. The data is probably corrupt, beyond what any internal error detecting and correcting can to.

    This problem with USB flash storage devices is one reason that today, I only buy name brand devices, from known sellers. Won't prevent a fake product getting in
    • I wouldn't even fully trust the big names. Wasn't it WD or Sandisk (doesn't really matter since they are the same company now) that wouldn't recall a bunch of their drives due to data corruption and instead wanted to attempt to fix it though a firmware update? WD entire flash media division is probably just Sandisk being absorbed under the WB umbrella and Sandisk is one of the oldest companies around when it comes to flash storage on PCs I have a 10MB SunDisk PCMCIA card from the early 90's somewhere SunDis
  • I had one of these IronKey's. They were hardware-based "encrypted" and physically-hardened USB drives.

    Nothing you can't replicate with more securely using VeraCrypt and a reliable, high-quality USB drive.

  • I used to be involved in activism, and our activist group got infiltrated by someone who we later learned was a government agent.
    One night while I talked with him (before I learned he was a fed), he recommended that I use a product called IronKey, and he gushed to me about how it was secure and totally unbreakable.

    Needless to say, I have been suspicious of IronKey ever since that experience. I assumed it had some kind of backdoor to allow law enforcement or intelligence agencies to look at hidden data.

In practice, failures in system development, like unemployment in Russia, happens a lot despite official propaganda to the contrary. -- Paul Licker

Working...