How A Trezor Wallet Password Killed By Brute Force Was Cracked By KeychainX Experts In 24 Hours – Sponsored Bitcoin News

Lost your hardware wallet passphrase and looking to recover your coins? Here’s how the KeychainX recovery experts did just that for a client. This is a reliable service provider that specializes in recovering lost crypto wallets and they can even recover money from broken hardware drives, phones or Trezor/Ledger wallets.

Recover a Trezor Wallet Passphrase

A TREZOR hardware wallet is a security device that protects the user from keyloggers and phishing emails, keeping the user’s Bitcoin and crypto safe. Various hacker groups can open the device by mitigating side-channel attacks; however, the method was only possible because “a passphrase was not used”. When making a transaction, the user simply enters a PIN code and therefore protects the Bitcoin private key. The only backup is a 12/24 word mnemonic that determines which addresses are stored on the device.

Recently, a client asked the KeyChainX team to brute force their TREZOR wallet when the client had forgotten the passphrase, commonly known as the 25th word. The password was designed to ensure that the money is safe if a user loses TREZOR and someone gets hold of the 24-word mnemonic. The password can be a word, a number or a string of random characters. The idea behind it is to trick the thief into thinking that when he opens someone’s TREZOR or restores it with the 24 words, he will only find a “fake” or low value of BTC. This particular client had $10 worth of Bitcoin stored on TREZOR’s main wallet based on the 24 words, but the real treasure chest was a wallet hidden behind his passphrase, the value of which the team cannot reveal.

The KeyChainX team split the job into two sentences (or three). But before the team could start, the client wanted to meet face to face. Since traveling to South America was out of the question since we had scheduled a security presentation in Europe, the client agreed to a Skype interview. After 2 hours, the team convinced him that the team would not run away with his money.

How did the team crack it open and break force it?

The first part is data acquisition. First, the team gathered information on possible hints for the passphrase, as a six-character passphrase would take forever to brute force with conventional tools. For example, a GITHUB repo from user gurnec has a tool called Btcrecover that brute forces a few hundred passwords per second on average. For example, it will take two days to crack a 5-character password; if you add capital letters and numbers six months.

The client’s password consisted of more than 5 characters with both upper and lower case letters, possibly numbers and a unique character, which may take approx. 2+ years to brute force with the tool; that is, if the main wallet was the first created on TREZOR. This was not the case. Instead, the “fake” wallet was created; first there were transactions and the real wallet was created later. The team was then forced to search for multiple wallet addresses and change addresses, multiplying the time it took to break the encryption.

Since this was not the first time the team had received a request to open a TREZOR, the team decided to build a custom tool using GPUs about a year ago. The custom tool speed is 240,000 passwords per second, a 1000-fold increase compared to the gurnec GitHub source.

Customize Mask Attack

The client provided the KeyChainX team with 5 wallet addresses he had used previously, a list of hints and a 24-word mnemonic. First, the team had to determine if the 24 words were valid and if the mnemonic was valid.

They then had to choose which diversion route to search for; a TREZOR can use both LEGACY and SEGWIT addresses, and their specifications can be easily distinguished by looking at the first character of the address. LEGACY starts with one and SEGWIT with 3. They also use different diversion paths depending on the BIP version, so the team had to specify which wallet type and diversion path to use. Finally, SEGWIT uses m/49’/0’/0’/0 and LEGACY has more options. Finally, TREZOR fired up the custom tool with 8 x 1080Ti Founders Edition GPU cards (they cost up to $1000 each depending on spec and model).

Initially, the team searched a good number of characters and words, but the mask and algorithm took about two months too long. The team had to change tactics and look at the TREZOR owner’s hints and find a pattern. The pattern used lowercase/uppercase characters as the first password character. Then more lowercase letters, and then limited combinations of numbers (dates of birth, months, safe pin codes etc.). Two unique characters were also used, so the team had to add that into consideration. The mask was changed again and BOOM, the team found the password within 24 hours of the “interview”.

A quick message on WeChat, asking the customer for their BTC wallet (the team advised him not to use the same TREZOR again). The team transferred the client’s funds to them within an hour.

How a Trezor Wallet Passphrase That Should Have Taken a Lifetime to Brute Force Was Cracked by KeychainX Experts
KeychainX GPU Crack Rig

Crypto wallet recovery experts

If you are not yet familiar with KeychainX, it is a cryptocurrency wallet recovery service that has been operating since 2017. The company has recovered wallet keys for many customers from all over the world and you can see some of their glowing reviews on Trustpilot where KeychainX has an almost perfect 4.9 ‘Excellent’ score. Read this article about how it unlocks different types of wallets, here about working with blockchain wallets and here about specifically recovering keys from Multibit Classic or Multibit HD.

KeychainX has moved in 2021 from its birthplace in the United States, to Zug, Switzerland – a part of the world known in the blockchain community as Crypto Valley due to its concentration of relevant companies. Robert Rhodin, CEO of the company, is naturally one of the leading experts in crypto wallet recovery.

To learn more about the company visit KeychainX.io or email [email protected] if you need to talk about password recovery.


This is a sponsored post. Find out how to reach our audience here. Read disclaimer below.

Bitcoin.com Media

Bitcoin.com is the premier source for all things crypto related. Contact [email protected] to discuss press releases, sponsored posts, podcasts and other options.

Image credit: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or an endorsement or recommendation of products, services or companies. Bitcoin.com does not provide investment, tax, legal or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on content, goods or services mentioned in this article.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *