Description of the “brain wallet” vulnerability principle

BY KEYHUNTER 08.02.2024
Description of the “brain wallet” vulnerability principle

When even a small part of a Bitcoin costs tens of thousands of rubles, and a whole Bitcoin can buy a bar of gold, a reasonable question arises. How to safely store your cryptocurrency?

A smartphone can be snatched from your hands at any moment. Your home computer is subject to many virus attacks every day. Online wallet – you have to trust your savings to the developer company.

It turns out that while the brain is not yet directly connected to the Internet, our memory is perhaps the safest place to store bitcoins. But remembering 51 random characters of the private key from your Bitcoin wallet is a rather difficult task. Here’s an example: 5KWeAfgnW3j8wTogqfHbyf8tiwboB1Tvc76GuN2962zDV8sFL8a

You can do it differently. First, come up with a strong password that is easy to remember, and then generate a Bitcoin wallet based on it. In this case, you don’t need to remember the key, but you can easily access your savings. This type of Bitcoin wallet is called a brain wallet.

The weak link in Bitcoin security? Yes.
One of the famous hackers of our time, Kevin Mitnick, noticed that hacking any, even highly complex, system is most effective through its weakest point – through a person. It is impossible to pull a password out of your head, but you can imagine how a person thought when creating his password.

All people think in a similar way. Everyone uses a limited vocabulary of their language to communicate.

How it all happened:
At the first stage, I generated 6 billion unique passwords and phrases. The material included dictionaries in English, Chinese and Russian, online books, song lyrics, an offline version of Wikipedia and a list of the most commonly used passwords.
It took several days to prepare a list of all existing Bitcoin addresses with a non-empty balance or those addresses that have ever held Bitcoins. In total there were 412 million addresses.
Having received the hash of Bitcoin addresses, we build a Bloom filter. Then we convert each password from our dictionary to hash160 and filter them. The output was about 240 million Bitcoin addresses of candidates. We construct the intersection of a set of candidates and a list of all actually existing addresses.

Simple enough. Even an ordinary home computer is sufficient for this work.

As a result, I picked up private keys from 56340 Bitcoin wallets, spending about a week of my time on this. True, there were only 7 wallets with money with a total deposit of 2.5 BTC.

Some general statistics:
Since 2011, 5010 BTC or $30 million have been withdrawn from all brain wallets. In just less than a year in 2018, hackers stole 736 BTC. After analyzing the transactions, I counted 19 separate groups involved in hacking brain wallets.

If 7 years ago it took several days to hack one wallet, now hackers need a split second. As soon as the victim transfers his bitcoins to the compromised wallet, they are immediately automatically transferred to the hackers’ account. The great competition between hackers is understandable; people continue to use the same hacked wallets with basic passwords. For hackers, this is a constant source of income.

The largest theft I discovered occurred in November 2012. It took hackers only 36 seconds to steal 500 bitcoins from the wallet 14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE
The password from the brain wallet was: bitcoin is awesome
this address https://www.blockchain.com/btc/address/14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE

Among the passwords , the words in Russian were often encountered:

voice – 0.0017 BTC
zoo association – 0.01038281 BTC
Sergey – 0.0095 BTC
In Chinese:
试试看 – 0.001 BTC
潇潇雨 – 1.001 BTC
吸烟有害健康 – 0.01 BTC

Most hacked brain wallets, of course, with passwords in English:

correct horse battery staple – 15.94334851 BTC
The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.
god – 0.3083699 BTC
wallet – 30.28128 BTC
Bitcoin – 0.28163155 BTC
allyouneedislove – 0.5 BTC

and about 58 thousand simpler one-word passwords, with transactions on addresses, but without a balance, there is no point in listing them here.

How to avoid becoming a victim?

You’ve probably heard similar sad stories, like a British programmer unsuccessfully looking for his 7,500 BTC in a landfill, and the editor of a popular website throwing out a hard drive with 1,400 BTC. Someone cannot recover their bitcoins from an old flash drive, and someone accidentally threw away a piece of paper with a private key. Currently, for one reason or another, people have lost about 4 million bitcoins. Against this background, the damage from hacker attacks looks like a drop in the bucket.

However, to avoid becoming easy prey for hackers, there are a few simple recommendations:

To safely create your brain wallet, open the Bitcoin address generator in private mode, turn off the Internet, create your wallet and save the resulting address, then close the browser and only now turn on the Internet. The absence of the Internet will not allow attackers to find out your password, and the private mode will prevent you from saving your data and forwarding it to hackers immediately after reconnecting.
When creating a password for your wallet, do not use well-known phrases and sayings, words from songs and books, or any simple words and phrases. Remember, any information available to you on the Internet is also available to hackers.
Do not use your old passwords that you have ever used before. Hackers have billions of passwords for popular services and social networks. Even if you have never been hacked, there is a good chance that your old password is stored in the hackers’ database. Your password must be unique. Add “salt” to your password – this will make hacking much more difficult. This could be information that only you know, for example, your grandmother’s phone number, your dog’s name in Chinese, your backup e-mail. Ideally, come up with your own system for creating a complex password for others, but easy to remember for you.
Before you start using, check your address, there should not be any transactions on it. Do not use a wallet that has already had fund movements.
Before sending a large amount, send a small part of the funds to your new address; if your wallet is compromised, the money will be debited instantly.
If you decide to top up your old wallet, check your balance first! Many users continue to use hacked wallets for several months or even years.
Store your bitcoins in different wallets. This will protect your funds from accidental hacking.

source https://vc.ru/flood/43597-kto-zarabatyvaet-500-bitkoinov-za-minutu

How to check your password for strength?
We take any address generator from strings, for example this one: https://brainwalletx.github.io/
Enter the password string, note that even one character is enough, but there are no restrictions on the length.
There can be as many words as you want.
We get 2 addresses.
And we check them here https://www.blockchain.com/btc/address/bc1qx4d5tv0vdyvnthy27yz88jvewup8v3nj98w8th
Substituting the received addresses into the address line.
And remember. About 226,000 bitcoins still lie in forgotten and lost addresses, waiting for someone to find them.
Good luck 🙂

Useful information for enthusiasts:

Contact me via Telegram: @ExploitDarlenePRO