Michael, a German, bought some bitcoins in 2013 and stored them in a digital wallet with a password. He used a password generator called Roboform to create the wallet and stored it in an encrypted text file. Shortly afterwards, the password file became corrupted and he lost it forever: “At that moment I thought, ‘Oh, shit, two thousand euros… well, you just get angry,’” says Michael, who uses a fictitious name to protect his identity. But over the years, the price of bitcoin began to rise. In 2024, his portfolio was worth around 3 million euros. “I have this fortune, I can see it but I can’t use it because I don’t have the password,” he said.
The only way he could think of to get her back was to resort to a hacker Legendary Joe Grand, known as the Kingpin, had recovered other passwords in laborious and complex processes and had recounted them in YouTube videos. When Michael wrote to him, Grand told him to forget about his wealth: “All possible combinations are more than 100 trillion times the drops of water in the entire world. It could be a drop falling from the sky, or in a river, or in any ocean in the world. The only solution is to reduce that insurmountable amount to something we can succeed with,” Grand explains. And he refused Michael’s request, whose only hope was to bequeath the wallet to his son so that one day more advanced technology would be able to open it.
Grand’s main job is teaching classes on how to hack devices in companies and organizations: “I take an electronic device, analyze it, find out how it works, identify the main components that we can exploit, monitor signals and look for vulnerabilities,” he explains via video conference to EL PAÍS. In addition, he is dedicated to helping people like Michael who have lost their passwords or have damaged their digital devices with cryptocurrencies. He receives many emails every week: “Now it takes up a significant amount of my time, I didn’t expect the amount of messages I receive,” he says.
Two of his recent successes, he says, are reviving the wallet of a guy who threw it into a lake in Florida and had to hire a team of divers to retrieve it (“I still don’t know why he threw it”) or finding the password of a young man who, on his deathbed, told his brother that he thought the key had something to do with his grandmother’s name. In such cases, when the affected person has an idea of the password, it is possible to search for it by brute force, trying millions of nearby variables one after another. But it is not the same when there are trillions.
Michael insisted and Grand, in collaboration with Bruno, a young man hacker software specialists, discovered an intriguing detail in how different versions of Roboform had changed over the years. For the new 2015 version, the company wrote this new feature: “Increases the randomness of generated passwords.” Did that mean that before, for example in 2013, when Michael created his password, passwords weren’t really random?
This is where they began to imagine that there might be an option to recover the money: “Creating random numbers is very difficult. If we can manipulate that randomness, we can generate a predictable result that can help us find Michael’s password,” Grand explains in the video of this case, which has more than 820,000 views. First, they had to find in Roboform’s code how it generated passwords. That function is not accessible and, to find it, they even used a tool from the US National Security Agency (the famous NSA), called Hydra: “It’s like Russian dolls. The goal is to find the one in the middle, the small one,” says Grand.
After many hours of trying to understand how Roboform generated passwords, they found that they could create the same password twice. They had discovered that the randomness depended on time: “We could trick the system and travel back to 2013 so that it would generate passwords in the time window in which we thought Michael had generated his password,” says Grand. The passwords that Roboform created depended on the time at which they were created: “Now the game really started,” adds Grand. First, however, Michael had to remember the approximate day in 2013 when he had generated the password and the precise parameters (number of characters, lowercase, uppercase, special keys).
But before that, Grand and Bruno had actually discovered a huge vulnerability in Roboform. People who used random passwords before 2015 with Roboform are potential victims: “It was the first time I had done a project like this. I have done reverse engineering before, but recreating basically every possible password that could have been generated with a generator was something new and I didn’t even know it was possible. It’s also extremely problematic for anyone who has used that software,” says Grand.
The magazine Wired contacted Roboform, which did not give details on how they had fixed the problem. Nor had they warned all of their customers: “This is a bigger issue for me than finding someone’s password to recover their bitcoin,” Grand says. “Those passwords [defectuosas] “They can protect bank accounts, medical records, because it is software that is sold. Sometimes the vendors are very grateful and fix the problems, but other times they act as if nothing happened. It is possible that future versions will also be susceptible, just in a slightly different way, because they never shared how they fixed the problem,” he adds.
You might think that no one else would spend as many hours solving a problem like Grand and Bruno, especially when they had the incentive to keep a percentage of the bitcoins they helped recover. But Grand believes that is extremely unlikely: “If Bruno and I discovered this problem, then surely someone else has discovered it too. Since I was young, when I was in hacker collectives, I have always said that we are just guys messing around. Imagine if it is a public agency, an adversary or some state, chances are they are taking advantage of it in some way, it could even be the US government,” he says.
Success was not easy
But now Grand and Bruno had to help Michael. He gave them a date in the spring of 2013 and some parameters: 20 digits and lowercase, uppercase and special characters. They tried the millions of passwords that Roboform created in that window and they didn’t work. Something wasn’t right. They started to get nervous: “[Michael] “He was getting annoyed with us,” Grand says. “But in the end his memory was wrong. We tried a different set of parameters and it worked.”
Michael was spending a few days in Barcelona in the fall of 2023, and Grand and Bruno showed up with a huge check that said “1.6 million dollars” because that was the value of his bitcoin at the time. When they posted the video on YouTube in June 2024, it had doubled.
The videos on Grand’s channel aren’t just about showing off his technical skills: “Hacking often seems like magic, but there’s actually a process behind it. If you do the right thing, you can take control of systems, and that’s something I love. I like being able to share that with people, so they can look at the code and say, ‘Oh, that’s all it is! It’s just moving some stuff around and running this code, and all this happens. ’”
Although he makes money, Grand doesn’t do these projects to get rich, he says: “It keeps my mind off the hacker “I’m busy and awake and I’m interested in working on interesting projects because each case is a little different. Right now I’m with a wallet that I’ve never seen before, so I have to explore it, understand it, do some experiments and then try to hack it. There’s also another project in the works that is very interesting from the point of view of the challenge and the puzzle, that’s important,” she says.
Despite this healthy goal for his technical head, Grand also sends a message to the industry: software is not infallible, and even less so in the hands of humans. “I have 935 passwords, some created before 2015,” he says. “If I, who am in the business of this, don’t renew them unless I am forced to, what will other people do? That is why it is so important for companies to report their problems when they arise.”
Grand’s success in finding these types of passwords has led to many messages from people who have been scammed. In such cases, there is little to be done. “I never ask for money in advance, because that is how scammers work,” he says. One of his problems is pages that impersonate him: “Right now our main objective is to take down one that has my name and the extension ‘.es’, from Spain,” he says.
You can follow THE COUNTRY Technology in Facebook and X or sign up here to receive our weekly newsletter.
#traveled #time #recover #password #million #euros #bitcoin