
Recovery Seed

Recovery firm proposes cracking former Ripple CTO’s $244M Bitcoin hard drive

Stefan Thomas, the former chief technology officer at Ripple, has an IronKey hard drive containing 7,002 BTC with only two attempts at guessing a password remaining.

A company is petitioning former Ripple chief technology officer Stefan Thomas for a hard drive containing more than 7,000 Bitcoin (BTC) that he has been unable to access for years.

In an Oct. 25 open letter, crypto recovery firm Unciphered offered to unlock an IronKey hard drive belonging to Thomas containing 7,002 BTC — roughly $244 million at the time of publication. The former Ripple CTO forgot the information to access the drive, designed to erase its data if an individual enters the incorrect password ten times. So far, the German-born programmer has used eight out of his ten attempts.

According to Unciphered, its teams developed a method to crack the hardware and access the BTC keys safely stored for years. Technology magazine Wired reported on Oct. 25 that the company was able to access the data on a similar IronKey after “200 trillion tries” — seemingly bypassing the 10-attempt restriction on the drive.

“Though there are always caveats, this is not theoretical,” said Unciphered. “We can do it; we’ve done it many times before [...] And we can do it again. You don’t have to take our word for it [...] we would be happy to demonstrate it on as many samples in a row as it takes for you (and everyone) to feel confident before moving forward.”

Speaking to Cointelegraph, Unciphered CEO Eric Michaud said the company accessed the data in the IronKey from the Wired report by extracting some of the drive’s information and using offline servers, giving its team more than one bite at the apple at guessing the password. He declined to say what the firm would ask for in return from Thomas but added Unciphered had created a “sustainable business” helping people recover crypto.

“We're prepared if Stefan doesn’t want to work with us, but we’re hopeful," said Michaud. "We already have a business that is growing and we'll be here when he’s ready."

Related: Ledger hardware wallet rolls out cloud-based private key recovery tool

There are many highly publicized stories like Thomas’ involving recovery or users unable to locate their keys for one reason or another. In 2021, a Redditor claimed to have regained access to 127 BTC after more than ten years, finding the private keys on an old computer. In 2013, British national James Howells mistakenly discarded a hard drive containing roughly 7,500 BTC — he has made multiple attempts to locate and recover the drive in a landfill without success.

Estimates from 2022 suggested that users could have lost access to roughly 20% of Bitcoin’s supply. This amounted to billions of dollars worth of the cryptocurrency.

Magazine: How to protect your crypto in a volatile market: Bitcoin OGs and experts weigh in

Bybit Ethereum (ETH) Reserves Steadily Recovering Following Massive Hack, According to CryptoQuant

Ledger co-founder clarifies “there is no backdoor” in Recover firmware update

Ledger Recover is an OTA firmware update, which would allow users to back up their seed phrases by third-party entities only if a user chooses to opt-in to the new service.

The launch of Ledger Recover, a service that allows users of the Ledger hardware wallet to back up their secret recovery phrases, met with immense resistance from the crypto community. Ledger co-founder and ex-CEO Éric Larchevêque took the criticism against Ledger as “a total PR failure, but absolutely not a technical one.”

Ledger Recover is an OTA firmware update, which would allow users to back up their seed phrases by third-party entities. If a user chooses to opt-in to the new service, the recovery phrase fragments get encrypted and are stored by 3 different parties, which can be used to recover the phrase in the future. However, the idea of the seed phrase leaving the hardware wallet did not resonate with users that considered Ledger as a trustless service for storing cryptocurrencies.

Addressing the rising concerns of users worldwide, Larchevêque posted on Reddit clarifying that Ledger was never a trustless solution:

“Some amount of trust must be placed into Ledger to use their product. If you don't trust Ledger, meaning you treat your HW manufacturer as an adversary, that can't work at all.”

He argued that the Ledger Recover update has no impact on the hardware wallet’s security model. He added:

“My mistake as a CEO during my tenure was probably not being relentless enough about explaining the security model, but at some point you just give up as people don't care at all. Until they care again, like now.”

Larchevêque believed that the only thing that changed is the general user’s perspective on trustlessness and that the Recover code in the firmware is not malicious code:

“Ledger is still safe, there is no backdoor, the Ledger Recover is not a conspiracy, no one will ever force anyone to use Recover.”

Trusting Ledger with sharding the seed phrase is just like trusting Ledger with signing a transaction, he added. Addressing a user’s recommendation about having two different firmware to eradicate ‘backdoor’ concerns, Larchevêque said that “it wouldn't change anything” and would be saddening for him personally.

The firmware update in question is not available for Nano S — Ledger’s cheapest hardware wallet offering — as the chipset does not have enough memory to store the new firmware.

Related: Crypto community reacts to Ledger wallet’s secret recovery phrase service

Amid the rollout of Ledger’s controversial firmware update, competing hardware wallet provider GridPlus decided to open-source its firmware for its users.

Turning the Ledger controversy into a marketing opportunity, GridPlus announced plans to open source its device firmware in the third quarter of 2023 to deliver greater transparency.


What security? Bitcoin enthusiast cracks known 12-word seed phrase in minutes

If the words of a 12-word seed phrase are known, it’s deceptively easy to enter the wallet and sweep the funds.

A systems architect cracked a seed phrase and won a 100,000 Satoshi bounty, or 0.001 Bitcoin (BTC), worth $29, in just under half an hour. Cointelegraph spoke to Andrew Fraser in Boston, who underscored how critical it is to keep a Bitcoin wallet seed phrase secure and offline. 

A seed phrase or recovery phrase is a string of random words generated when a wallet is created that can access the wallet, similar to a master key. Fraser brute forced a 12-word seed phrase that Bitcoin educator “Wicked Bitcoin” shared on Twitter:

As shown, Wicked’s Tweet challenged users to decipher the correct order of the 12-word seed phrase.

"Anyone wants to try and brute force this 12-word seed phrase securing 100,000 sats? I’ll give you all 12 words but in no particular order. Standard derivation path m/84'/0'/0'…no fancy tricks. GL.”

It took just 25 minutes to unlock the 100,000 Satoshis–or just under $30. The incident serves as a timely reminder for Bitcoin users and crypto enthusiasts to take crypto security seriously.

Fraser cracked the code using BTCrecover, a software application available on GitHub. The software offers a range of tools that can determine seed phrases with missing or scrambled mnemonics, as well as passphrase-cracking utilities. Over Twitter DMs, Fraser told Cointelegraph:

"My gaming GPU was able to determine the correct order of the seed phrase in about 25 minutes. Though a more capable system would do it much faster.”

He noted that anyone with a basic knowledge of running Python scripts, using the Windows command shell, and understanding the Bitcoin protocol, particularly BIP39 mnemonics, should be able to replicate his success.

Cointelegraph queried Fraser about the security of 12-word seed keys. Fraser explained they are "perfectly secure if the words remain unknown to an attacker or there is a passphrase '13th seed word' used in the derivation path of the wallet."

Moreover, he emphasized the superior security of 24-word seed keys.

"Even if an attacker knew the out of order words of your 24-word seed key, they would never stand a hope of discovering the correct seed.”

Fraser broke down the entropy calculations to explain the difference in security between the two types of seed keys. A 12-word seed has approximately 128 bits of entropy, while a 24-word seed boasts 256 bits. When an attacker knows the unordered words of a 12-word seed, there are only around half a billion possible combinations, which is relatively easy to test with a decent GPU. A 24-word seed, however, has roughly 6.24^24 possible combinations–and that's a lot of zeros. 
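The arithmetic behind this paragraph, as an added Python example for sizing the exposure when a phrase's words leak without their order (it is not code from the article, from Fraser or from BTCrecover). The function names are hypothetical, the sample entropy is constructed, and the guess rate is an assumption derived by treating the 25 minutes quoted above as a full sweep of all 12-word orderings.

```python
import hashlib
import math
import random

def entropy_to_indices(entropy: bytes) -> list:
    """BIP-39 encoding: entropy plus the first ENT/32 bits of SHA-256, cut into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    value = (int.from_bytes(entropy, "big") << cs_bits) | (digest >> (256 - cs_bits))
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def checksum_ok(indices) -> bool:
    """True if this ordering of word indices carries a valid BIP-39 checksum."""
    cs_bits = len(indices) * 11 // 33
    value = 0
    for idx in indices:
        value = (value << 11) | idx
    entropy = (value >> cs_bits).to_bytes((len(indices) * 11 - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (value & ((1 << cs_bits) - 1)) == expected

def sampled_pass_rate(indices, samples: int, seed: int = 0) -> float:
    """Fraction of random orderings that pass the checksum (about 1/16 for 12 words)."""
    rng = random.Random(seed)
    words = list(indices)
    hits = 0
    for _ in range(samples):
        rng.shuffle(words)
        hits += checksum_ok(words)
    return hits / samples

# Assumption: the page's 25 minutes covered every ordering of 12 words.
ASSUMED_RATE = math.factorial(12) / (25 * 60)  # orderings per second

def exposure(n_words: int, orderings_per_second: float) -> dict:
    """Search space left when all words are known but their order is not."""
    orderings = math.factorial(n_words)  # assumes all words are distinct
    cs_bits = n_words * 11 // 33
    return {
        "orderings": orderings,
        # expected orderings that survive the cheap checksum test and
        # still need the expensive key derivation and address comparison
        "after_checksum": orderings >> cs_bits,
        "years_full_sweep": orderings / orderings_per_second / (365 * 24 * 3600),
    }

if __name__ == "__main__":
    # Constructed 128-bit entropy, used only to measure the checksum pass rate.
    sample = entropy_to_indices(hashlib.sha256(b"constructed example").digest()[:16])
    print("checksum pass rate:", sampled_pass_rate(sample, 20000))
    for n in (12, 24):
        print(n, "words:", exposure(n, ASSUMED_RATE))
```

The checksum is why the 12-word case is so cheap: only about one ordering in 16 is a valid mnemonic at all, so most candidates are discarded before any key derivation. The passphrase Fraser mentions is not covered by these counts, since it is not one of the mnemonic words.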

Related: The worst places to keep your crypto wallet seed phrase

Even the probability of an attacker cracking a 12-word seed phrase is borderline absurd. 24-word seed phrases may be superior, but as Wicked points out in a post-mortem to the seed phrase challenge: “it’s not going to be hacked tbh.”

Ultimately, it’s a timely reminder to readers to ensure seed phrases are never published or shared online. That means a seed phrase should not be stored in a password manager or a cloud storage solution, and it certainly should not be typed out into a phone.

Fraser also stressed the importance of keeping seed keys secret and of taking advantage of a passphrase that functions as part of the derivation path. As for the 100,000 Sats Fraser took home? Fraser tweeted that he spent them on dinner that night: Chicken Marsala. Talk about circular economy.

Cointelegraph Magazine: Bitcoin in Senegal: Why is this African country using BTC?


How to keep your crypto safe in 2023: a few tips from an analyst

Lead on-chain analyst at Glassnode, James Check, explains why taking self-custody of your private keys has become more important than ever and how to do it in a few simple steps.

There is no excuse for not putting a few hours of research into how to properly custody your crypto, according to lead on-chain analyst James Check. Joining the latest debate around self-custody, the analyst pushed back against the notion that managing private keys is too complicated and risky for the average crypto user. 

“If you have gold in your vault, if you have cash in your wallet, it's the same concept: you need to exercise a level of responsibility,” said Check in our latest Cointelegraph interview.

Check argued that, while third-party custody and semi-custodial solutions such as collaborative custody may appear more user-friendly for the average user, they also have their own, even bigger, vectors of risks.

To the analyst, when it comes to custody "there are no solutions, only trade-offs." His position is that being in full control of your own crypto and eliminating the third-party risk is well worth the effort of learning how to keep your wallet's 12 word seed phrase safe.


Ultimately, Check pointed out that the amount of time and effort someone should put into learning self-custody should be scaled proportionally to the size of their holdings.

“If you're not willing to put more than 5 minutes into it, then don't put more than $5 into it. If you're willing to do 100 hours now, you can start talking about doing your significant sums of savings,” he said. 

To find out more about Check's approach to self-custody, check out the full interview on our YouTube channel and subscribe!


What is a seed phrase and why is it important?

It’s crucial to remember your seed phrase, which is a string of random words produced by your cryptocurrency wallet when you initially set it up.

How to keep your seed phrase safe

A crypto seed phrase in the wrong hands can do damage, so it is advisable to always ensure it is safe. The following are some tips for ensuring your seed phrase is secure.

  • Never share your seed with anyone else: It’s extremely important that you never reveal your recovery phrase to anyone. Why? Because if someone else finds out your recovery phrase, they will be able to access — and therefore control — your crypto funds.
  • Make a note of it on paper and keep it in a secure location: This is the most old-fashioned way of storing your recovery phrase, but it’s still a perfectly valid option. You can either write it down by hand or print it out — just make sure that you keep it in a safe place where only you can access it. A fireproof and waterproof safe would be ideal.
  • Storing inside a password manager: A password manager is an encrypted digital vault that can store sensitive information like usernames, passwords, and recovery phrases. This way, you only have to remember one password (the password to your password manager) instead of dozens or hundreds of different ones. Some examples of password managers include 1Password and LastPass. Storing your recovery phrase in a password manager has several advantages, one of which is added security. By adding a secondary password — also known as a passphrase — users can create an even stronger and more secure backup.

If you want to be extra safe, store your recovery phrase in multiple locations. That way, even if one backup gets destroyed, you’ll still have another one intact.


What happens if you lose a seed phrase?

Losing a seed phrase is really the worst-case scenario for a cryptocurrency owner. A wallet seed cannot be recovered once it has been lost or forgotten.

Giving your seed phrase to someone or entering it on a website has no practical benefit and may lead to losing your cryptocurrency assets. Additionally, avoiding writing a recovery phrase on a refrigerator may help protect against theft.

The best way of ensuring you don’t lose your seed phrase is by noting it down and keeping it safe. In addition, keep your seed phrase somewhere it cannot be destroyed by any element. But, can someone guess a seed phrase?

The seed phrase is generated randomly; not even the cryptocurrency user knows what word combination will be used to generate the seed phrase. Because a seed phrase is random, it is hard to guess. It also consists of 12 to 24 words, leaving no chance of getting all the words right.

Can a seed phrase be hacked?

In the crypto world, losing cryptocurrency is a nightmare for all cryptocurrency owners. Losing your seed phrase to an attacker means you can’t recover your crypto funds. 

In a digital world, crypto thieves work tirelessly to reap what they didn’t plant. The last place you would want a hacker venturing into is your cryptocurrency wallet. As seen earlier, a seed phrase is a master key to accessing a cryptocurrency wallet, which means that in the wrong hands, damage is inevitable.

However, because a seed phrase contains a large number of words, it is hard to hack. Phishing is the main method used to obtain a seed phrase. One way scammers try to get a seed phrase is by sending emails pretending to be customer support and requesting a seed phrase or private key.

Once the seed phrase lands in their hands, they can access a crypto wallet and steal everything in it. It is always advisable to keep your seed phrase private and never share it with anyone else.

Recovery phrase vs. private key

Despite being related to each other, the recovery phrase and private key are different. They both are used for securing cryptocurrency wallets. 

A recovery phrase is a crypto wallet recovery password. The recovery phrase is used to recover a cryptocurrency wallet in case the owner forgets their password. A private key, on the other hand, is used to point to a blockchain address, hence securing transactions. A private key is used for transacting cryptocurrencies by proving ownership.

In short, a recovery phrase is a master key to all of your crypto accounts. These words are what give you access to all of the private keys stored in your original wallet. The goal is to have full control over your assets. Having this phrase allows you to still access your blockchain assets even if you lose or damage your physical hardware device. But, how does a seed recovery phrase work? 

Simply put, users may access their crypto accounts from whatever wallet they choose — it’s like having a charger for every type of phone. Imagine the confusion if every wallet necessitated a different recovery phrase format. This would imply that your crypto assets would be entirely dependent on which sort of recovery phrase you’re using, leaving you no control over them.

How does a seed phrase look?

A seed phrase might be confusing, and you might be wondering how a seed phrase looks and how it is created. The seed phrase is generated by a cryptocurrency wallet and the user has no way of customizing it.

The words generated are derived from a list of 2048 words. So, how many words is a seed phrase? A seed phrase is made up of a long string consisting of a group of random words.

The words on a seed phrase are simplified so that the user can remember them, unlike if the seed phrase consisted of long numbers or special characters. 

The recovery phrase consists of 12 to 24 words like energy, road or open. To avoid errors, these randomly generated words do not include pairs like “man” and “men” in the same seed phrase. Bitcoin Improvement Proposal 39 (BIP-39) introduced these types of phrases in 2013 and established a standard for deterministic wallets. Here is an imaginary 12-word seed phrase: Cry, planet, Loose, Typical, Humankind, Toddler, Anxiety, Difficult, Happy, Never, Alternative, Remorse.

A seed phrase controls all the private keys associated with a deterministic wallet. The BIP-39 proposal makes major wallets cross-compatible, allowing users to load the recovery phrase into a new BIP-39-compatible wallet to access the funds when the wallet is lost or when they want to switch wallets.

What is a seed phrase?

A recovery phrase (also called a seed phrase) is a group of random words generated by the cryptocurrency wallet that allows you to access the crypto stored within. 

One can think of a wallet as comparable to a password manager for crypto, and of the recovery phrase as similar to the master password. You’ll have access to all of the crypto linked with the wallet that created the phrase — even if you delete or lose it — as long as you remember your recovery phrase.

A seed phrase helps recover a cryptocurrency wallet when a user forgets their password. The seed phrase can be said to be a crypto wallet’s master key. For example, if you had a hardware wallet and lost it or deleted your wallet from your computer, you can easily create a new wallet and use the seed phrase, which will recover your cryptocurrencies.
