
How A Trezor Wallet Passphrase Taking A Lifetime With Brute Force Was Cracked By KeychainX Experts In 24 Hours Cointelegraph


Have you lost the passphrase of a hardware wallet and are looking for a way to recover your coins? Here’s how the recovery experts at KeychainX did just that for one client. KeychainX is a trusted service provider that specializes in recovering lost crypto wallets; it can even recover funds from broken hard drives, phones, or Trezor/Ledger wallets.

Recovering a Trezor wallet passphrase

A TREZOR hardware wallet is a security device that protects the user’s Bitcoin and other crypto against keyloggers and phishing emails. Various hacking groups have been able to open the device by means of side-channel attacks; however, the method only worked because “a passphrase was not used”. During a transaction the user enters only a PIN code, which guards access to the Bitcoin private key. The only backup is a 12- or 24-word mnemonic, from which the addresses held on the device are derived.

Recently, a client asked the KeychainX team to crack his TREZOR wallet because he had forgotten the passphrase, commonly referred to as the 25th word. The passphrase is designed to keep funds safe if a user loses their TREZOR and someone gets their hands on the 24-word mnemonic. The passphrase can be a random word, a number, or any string of characters. The idea is to trick a thief into thinking that once they open someone’s TREZOR, or restore it from the 24 words, they will find only a “fake” wallet holding a low-value amount of BTC. This particular client had $10 worth of Bitcoin on the main TREZOR wallet derived from the 24 words alone, but the real treasure was in a hidden wallet behind the passphrase, whose value the team cannot disclose.

The KeychainX team broke the job down into two stages (or three). But before the team could begin, the client wanted to meet in person. As travelling to South America was out of the question, since the team had a presentation on security planned in Europe, the client agreed to an “interview” over Skype. After two hours, the team had convinced him that they would not run away with his funds.

How did the team open and brute-force it?

The first part is the search for data. First, the team gathered information on possible clues to the passphrase, since even a six-character passphrase would take forever to brute force with conventional tools. For example, a GitHub repository by user gurnec hosts a tool called btcrecover, which brute-forces a few hundred passwords per second on average. At that rate, cracking a 5-character password would take two days; add capital letters and numbers, and it takes six months.

The client’s password consisted of more than 5 characters with upper- and lower-case letters, possibly numbers, and a single special character, which could take around 2+ years to brute force with that tool, and that estimate assumed the main wallet was the first one created on the TREZOR. This was not the case. Instead, the “fake” wallet was created first and used for transactions, and the real wallet was created later. The team was therefore forced to check multiple wallet addresses and change addresses for each candidate, which multiplied the time it took to crack the passphrase.

As this was not the first time the team had received a request to open a TREZOR, about a year ago they had decided to build a bespoke tool that uses GPUs. The custom tool runs at 240,000 passwords per second, a 1,000x increase over the gurnec GitHub source.

Mask Attack Customization

The client gave the KeychainX team 5 wallet addresses he had used in the past, a list of clues, and the 24-word mnemonic. First, the team had to confirm that each of the 24 words was valid and that the mnemonic as a whole was valid.

Next, they had to choose which derivation path to search. A TREZOR can use both legacy and SegWit addresses, and the two can easily be distinguished by looking at the first character of the address: legacy addresses start with 1 and SegWit with 3. They also use different derivation paths depending on the BIP version, so the team had to specify the type of wallet and the derivation path to use: SegWit uses m/49'/0'/0'/0, while legacy has several options. Finally, the team launched the custom tool on 8 GTX 1080 Ti Founders Edition GPU cards (they cost up to $1,000 each depending on specs and model).

At first, the team searched a large space of characters and words, but with that mask the algorithm would have taken about two months, far too long. The team had to change tack, look for clues from the TREZOR’s owner, and find a pattern. The pattern used a lowercase or uppercase letter as the first password character, then several lowercase letters, then a limited set of number combinations (dates of birth, months, safe PIN codes, etc.). Two special characters were also used, so the team had to take those into account. The mask was changed again, and BOOM, the team found the password within 24 hours of that adjustment.
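The two things worth taking away from the story above are why a forgotten passphrase can only be recovered by searching for it, and how to size such a search before starting it. The script below is an added example, not KeychainX’s tool and not code from this article. It implements the BIP39 rule by which the passphrase (the “25th word”) is folded into the wallet seed, so that every distinct passphrase produces an entirely different hidden wallet, and it counts the candidates described by a hashcat-style mask and converts that count into worst-case running time at a given rate. The mnemonic is the public BIP39 reference test vector with passphrase TREZOR, not the client’s data; the mask syntax (?l, ?u, ?d, ?s, ?a and custom ?1) follows hashcat’s convention; the example mask and the 240 vs. 240,000 candidates-per-second rates are constructed to resemble the figures quoted above, not the team’s actual settings.

```python
import hashlib
import unicodedata
from typing import Dict, Optional

# Constructed sample input: the public BIP39 reference test vector, not any client's mnemonic.
SAMPLE_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    BIP39 specifies PBKDF2-HMAC-SHA512 with the NFKD-normalised mnemonic as the
    password, the string "mnemonic" + passphrase as the salt, and 2048 rounds.
    The passphrase is stored nowhere: a different passphrase simply yields a
    different seed, hence a different ("hidden") wallet, which is why a lost
    passphrase can only be recovered by trying candidates.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# hashcat-style built-in character classes (we only count sizes, never enumerate).
BUILTIN_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Return the number of candidates a mask describes.

    '?l' lowercase, '?u' uppercase, '?d' digit, '?s' special, '?a' any printable,
    '?1'..'?4' custom classes whose sizes are passed in `custom`, '??' a literal
    question mark; any other character is a literal contributing one choice.
    """
    sizes = dict(BUILTIN_CLASSES)
    if custom:
        sizes.update(custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            key = mask[i + 1]
            if key != "?":  # '??' is a literal and multiplies by 1
                if key not in sizes:
                    raise ValueError(f"unknown mask class '?{key}'")
                total *= sizes[key]
            i += 2
        else:
            i += 1
    return total


def seconds_to_exhaust(keyspace: int, candidates_per_second: float) -> float:
    """Worst-case wall-clock time to try every candidate at the given rate."""
    return keyspace / candidates_per_second


if __name__ == "__main__":
    plain = bip39_seed(SAMPLE_MNEMONIC)
    hidden = bip39_seed(SAMPLE_MNEMONIC, "TREZOR")
    print("seed, no passphrase :", plain.hex()[:32], "...")
    print("seed, passphrase    :", hidden.hex()[:32], "...")
    print("same wallet?        :", plain == hidden)

    # Constructed mask resembling the pattern described in the article: one letter of
    # either case (?1 = 52 choices), four lowercase, two digits, two special characters.
    mask = "?1?l?l?l?l?d?d?s?s"
    space = mask_keyspace(mask, {"1": 52})
    # Assumed rates: a few hundred/s for a CPU tool, 1,000x that for a GPU rig.
    for label, rate in (("CPU tool", 240.0), ("GPU rig", 240_000.0)):
        days = seconds_to_exhaust(space, rate) / 86400
        print(f"{mask}: {space:,} candidates, {days:,.1f} days worst case on {label}")
```

Each candidate costs 2048 HMAC-SHA512 rounds plus the key derivation and address comparison that follow, which is why passphrase search runs at hundreds of thousands of candidates per second on GPUs rather than the billions per second seen for plain hashes. Note also that checking several receive and change addresses per candidate, as the team had to, raises the cost of each candidate rather than the keyspace, so it multiplies the time estimate directly. For a wallet owner, the same arithmetic is a strength check: pick a passphrase whose mask is out of reach even at the GPU rate, and back it up separately from the 24 words.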

A quick message on WeChat asked the client for a fresh BTC wallet address (the team advised him not to use the same TREZOR again), and the team transferred the client’s funds to it within the hour.

Image: KeychainX GPU crack rig

Crypto Wallet Recovery Experts

If you are not familiar with KeychainX yet, it is a cryptocurrency wallet recovery service that has been operating since 2017. The company has recovered wallet keys for many customers around the world, and you can see some of their rave reviews on Trustpilot, where KeychainX has an almost perfect 4.9 “Excellent” rating. Read this article on how they unlock different types of wallets, this one on their work with blockchain wallets, and this one on key recovery from Multibit Classic or Multibit HD.

KeychainX moved in 2021 from its birthplace in the United States to Zug, Switzerland, a part of the world known in the blockchain community as Crypto Valley because of its concentration of relevant businesses. Robert Rhodin, the company’s CEO, is one of the leading experts in the field of crypto wallet recovery.

To learn more about the company, visit KeychainX.io or simply email [email protected] if you need to talk password recovery.


This is a sponsored post. Read the disclaimer below.

Media Bitcoin.com

Bitcoin.com is the premier source for all things crypto. Contact [email protected] to discuss press releases, sponsored posts, podcasts, and other options.

Image credits: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. This is not a direct offer or the solicitation of an offer to buy or sell, or a recommendation or endorsement of any product, service or company. Bitcoin.com does not provide investment, tax, legal or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.

