In an extraordinary turn of events, two hackers have successfully cracked the long-forgotten password of a digital wallet, leading to the recovery of approximately $2 million worth of Bitcoin (BTC).
As reported by Wired, the story began in 2013 when an individual known by the alias “Michael” securely stored his Bitcoin holdings in a password-protected digital wallet. Unfortunately, over time, he lost access to the wallet due to a corrupted file containing the 20-character password generated using the RoboForm password manager.
Michael had tried to prioritize security: concerned about potential hacking, he refrained from storing the password in his manager, and that precaution inadvertently locked him out of his fortune.
Enter Joe Grand, a renowned electrical engineer and hardware hacker, popularly known as “Kingpin.” In 2022, Grand gained recognition for aiding another cryptocurrency wallet owner in recovering $2 million worth of digital assets after forgetting the PIN to his Trezor wallet. Since then, numerous individuals have approached Grand seeking his expertise, but he selectively chooses his projects.
Michael initially approached Grand two years ago, seeking assistance in recovering his lost Bitcoin. However, due to the unique challenges posed by a software-based wallet, Grand declined the request.
Nonetheless, Michael persisted, and last June, Grand agreed to give it another shot, teaming up with a fellow hacker named Bruno from Germany.
Months of reverse engineering led Grand and Bruno to a significant breakthrough. They discovered a flaw in the pseudo-random number generator of the RoboForm program that Michael had used in 2013.
The flaw tied the generated passwords to the date and time on the user’s computer, making them predictable. Armed with this knowledge, the hackers devised a plan to exploit the flaw and crack the password.
The major hurdle was that Michael could not recall the exact date on which the password was generated. However, knowing that Bitcoin had been moved into the wallet for the first time on April 14, 2013, Grand and Bruno configured RoboForm to generate passwords within a specific time frame, using the parameters Michael had used.
Despite initial failed attempts, Grand and Bruno persisted, adjusting the time frame and parameters until they finally struck gold. On November 15, 2023, they discovered the correct password—20 characters long and generated on May 15, 2013. The long-lost Bitcoin treasure was finally within Michael’s grasp.
However, the report notes that the successful recovery of Michael’s assets raises concerns about password security, particularly for users who generated passwords using earlier versions of RoboForm.
While Siber Systems, the company behind RoboForm, claims to have fixed the flaw in 2015, questions remain about the vulnerability of older passwords. Grand stresses the importance of understanding the improvements made to password generation in newer versions.
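Why a clock-derived seed makes a 20-character password predictable, as an added example that is not from the report or from RoboForm: a toy generator seeded only with the time (an assumption for illustration, not RoboForm's actual algorithm) next to one that draws from the operating system's CSPRNG. All function names, the 62-symbol alphabet and the sample timestamp are constructed.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed 62-symbol character set

def weak_generate(ts: int, length: int = 20) -> str:
    """Toy generator: the output depends only on the clock value `ts`."""
    rng = random.Random(ts)  # seed = seconds since the epoch, nothing else
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_generate(length: int = 20) -> str:
    """Hardened form: every symbol is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def nominal_bits(length: int = 20) -> float:
    """Entropy the password appears to have, judged by length and alphabet."""
    return length * math.log2(len(ALPHABET))

def effective_bits(start: int, end: int) -> float:
    """Entropy left when the only unknown is the second in [start, end)."""
    return math.log2(end - start)

def find_seed(password: str, start: int, end: int):
    """Return the clock value in [start, end) that reproduces `password`, else None."""
    for ts in range(start, end):
        if weak_generate(ts, len(password)) == password:
            return ts
    return None

def epoch(y, m, d, hh=0, mm=0) -> int:
    """UTC calendar time to whole seconds since the epoch."""
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    created = epoch(2013, 5, 15, 12, 0)  # constructed time of day
    pw = weak_generate(created)
    lo, hi = epoch(2013, 5, 15, 11, 30), epoch(2013, 5, 15, 12, 30)
    print(f"nominal entropy:   {nominal_bits():.1f} bits")
    print(f"one-month window:  "
          f"{effective_bits(epoch(2013, 4, 14), epoch(2013, 5, 15)):.1f} bits")
    print("seed recovered:   ", find_seed(pw, lo, hi) == created)
    print("CSPRNG password:  ", strong_generate())
```

A password from `strong_generate` has no seed to search for, which is the property to confirm when checking whether a generator's newer versions actually changed how randomness is obtained.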
Having access to his Bitcoin once again, Michael experienced a stroke of luck. He waited for the value of Bitcoin to rise before selling a portion of his newfound fortune. With 30 BTC currently valued at $3 million, Michael eagerly anticipates the potential for even greater returns as he aims for a future surge to $100,000 per coin.
As of press time, the largest cryptocurrency on the market is trading at $68,200, consolidating for the past week below the key $70,000 threshold that is crucial to BTC’s uptrend prospects.