Two researchers exploited a flaw in an outdated version of the RoboForm password manager to crack an 11-year-old password-protected crypto wallet and recover $3 million in Bitcoin.
“Michael” (name changed), a Europe-based cryptocurrency holder, hired electrical engineer Joe Grand, who goes by the handle ‘Kingpin’, to hack into an encrypted file holding 43.6 BTC (worth about €4,000, or $5,300), which was stuck in there since 2013.
About The Lost And Found Case Of Bitcoins
In 2013, Michael securely stored his cryptocurrency in a password-protected digital wallet by creating a 20-character password using a random password generator called RoboForm.
Due to security concerns, he stored this password as a text file and encrypted it with a tool called TrueCrypt.
However, at some point, the encrypted file holding 43.6 BTC got corrupted, and the password to access it was lost.
The password was a series of 20 upper and lowercase letters, numbers, and eight special characters, which was difficult to crack.
In order to recover his bitcoin wallet, Michael contacted Grand, a famed hardware hacker who had helped another crypto wallet owner recover access to $2 million in cryptocurrency in 2022.
However, Grand declined, citing that his hardware expertise wasn’t relevant to software wallets.
After Grand refused to help, Michael contacted multiple people who specialized in cryptography, but they all refused to help, stating that there were zero chances of retrieving the money.
However, last June, Michael contacted Grand and persuaded him and Bruno, his hacker acquaintance in Germany, to help recover access to the password-protected crypto wallet.
Grand and Bruno decided to use the 2013 version of RoboForm, and spent months reverse engineering the password manager. Surprisingly, they were able to discover a significant flaw in the pseudo random number generator used to make passwords in RoboForm.
Apparently, the password manager used the date and time settings of the computer to help “randomize” passwords.
When Michael created his password, the generator associated each code with the specific date and time of its creation on the user’s computer.
Grand and Bruno exploited this flaw in the RoboForm password generator by using a reverse engineering tool developed by the U.S. National Security Agency (NSA).
This flaw was reportedly fixed in 2015 by US-based Siber Systems, which developed RoboForm.
“In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has. [But] in this version of RoboForm, it was not the case,” Grand said in the published video.
“While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password.”
Both researchers managed to set the computer’s date and time to 2013, and after multiple failed attempts, they were able to successfully generate the correct password as of May 15, 2013, at 4:10:40 pm GMT, the day, date, and time when Michael’s crypto password was generated.
“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark. It would have taken significantly longer to precompute all the possible passwords,” Grand said in an email to WIRED.
Grand and Bruno charged a percentage of bitcoins from Michael’s account for cracking the crypto wallet password and handed over the password information to him to access the remaining bitcoins.
When the bitcoins were handed over to Micheal, it was worth $38,000 per coin. However, he waited until it reached $62,000 per coin and sold some of it.
Currently, he holds 30 bitcoins and plans to wait until the bitcoins reach a value of $100,000 per coin.
Michael says, “Losing the password was financially a good thing”, or else he would have sold the bitcoins when they hit $40,000 per coin, causing him to lose out on a lot of money.
