ALBAWABA - Joe Grand, an electrical engineer known by the pseudonym "Kingpin," was employed to get into an encrypted digital Bitcoin wallet containing 43.6 BTC, worth over $3 million, stored behind a randomly generated password lost for 11 years.
The randomly generated password, created with a software called Roboform, consisted of a string of twenty characters, both capital and lowercase, in addition to numbers, and it was intended to be as complex to decipher as possible.
To safeguard his 43.6 BTC, or around €4,000 to $5,300, in 2013, Michael, a European man who requested to stay anonymous, created the password, duplicated it, and I entered it into the wallet's passphrase as well as a text file that he later encrypted, before his computer was corrupted leading to the loss of the password and eventually his Bitcoins.
“At [that] time, I was really paranoid with my security,” Michael said, in a YouTube video posted by Joe Grand to document the hack, who said that losing the few thousand euros was “painful, but OK,” before the Bitcoins grew in value since 2013, becoming a fortune of over $3 million, leading to him reaching out to Grand for help.
“In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has,” Grand explains, but “While RoboForm’s passwords appear to be randomly generated, they’re not. With the older versions of this software, if we can control the time, we can control the password.”
He notes how the older version of Roboform uses a timestamp as a seed that it then manipulates to create a ‘unique’ password, he discovered that the password would be recreated if he could fool the system into thinking it was the same instant in 2013 when it was created.
Reverse engineering the extremely old version of the RoboForm application that they believed Michael had used in 2013, Grand collaborated with Bruno, a German hacker who specializes in retrieving such wallets, and spent months finding the security vulnerability.
Since then, the RoboForm password generator has updated its algorithm to increase the tool's randomness, so passwords made after 2015 cannot be hacked using the same time-based method.
