How to crack a bitcoin wallet

Possible but Improbable

Published by AlbertoBSD on 2020-11-08 22:29:29

How to crack a bitcoin wallet (Theory and practice)

Well, this investigation started as a joke and only as a hobby. Our group ( ) has a Telegram channel.

There in the Telegram channel, I or someone else commented on the existence of a bitcoin wallet holding 69K Bitcoin; at today's exchange rate (4 of November 2020) that is about 995 million $USD. We said that we needed to crack that wallet with a quantum computer.

I decided to go further and research how a wallet is encrypted and decrypted.

The normal process to open a locked wallet using Bitcoin Core is the following:

First we load the wallet in Bitcoin Core using bitcoin-cli:

bitcoin-cli loadwallet "wallet.dat"

"wallet.dat" must exist in our wallet directory ~/.bitcoin/wallets/

After the wallet is loaded, we need to unlock it with the following command:

bitcoin-cli walletpassphrase "passphrase or password" 60

If the password or passphrase is incorrect, we are going to see an error like this:

error code: -14
error message:
Error: The wallet passphrase entered was incorrect.

There is a lazy way to try to unlock the wallet, with a bash script that calls bitcoin-cli, but this way is very slow.

We need to know how Bitcoin Core works internally, and after that we need to reproduce it in C or C++.

What does Bitcoin Core do with our passphrase?

After we pass our passphrase to Bitcoin Core, the password or passphrase is combined with a SALT and passed to a PBKDF process with a minimum of 25000 iterations, though usually the number of iterations is about 5 or 10 times bigger. The PBKDF function returns a SHA-512 hash, which is a raw value of 64 bytes.

The first 32 bytes of that SHA-512 output are used as the KEY to decrypt the Master KEY in our wallet, and the next 16 bytes are used as the IV for the same decryption process.

With this data (KEY, IV) our encrypted key is decrypted (AES256 CBC + padding method), and the output is our decrypted Master KEY. This new value is in turn used to decrypt all the CKeys in our wallet.

Here is a summary in pseudocode:

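prekey = PBKDF(passphrase, SALT, N_iterations, "sha512");	// 64 bytes of output
KEY = prekey[0..31];	// first 32 bytes
IV = prekey[32..47];	// next 16 bytes
aesctx = AES256_init(KEY);
if( AES256CBC_decrypt(aesctx,IV,ENC_mKey,DEC_mKEY) > 0)	{
	foreach(OthersENC as oENC)	{	// All the Ckeys
		oCtx = AES256_init(DEC_mKEY);
		if( !(AES256CBC_decrypt(oCtx,IV_fromPublickey,oENC,dummy) > 0) )	{
			return false;	// one Ckey failed to decrypt
		}
	}
	return true;
}
return false;	// the Master KEY failed to decrypt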

So if our plan is a brute-force attack, we CAN skip the PBKDF and jump directly to the decryption function AES256CBC_decrypt, but we have two options:

1.- Generate and try all the possible (KEY,IV) pairs (48 bytes) for the first AES256CBC_decrypt and use that value to unlock all the Ckeys

2.- Generate and try all the possible KEYs (32 bytes) for the next N AES256CBC_decrypt calls (all the Ckeys) in the wallet

But wait a moment, it is only 32 bytes, isn't it? Well, 32 bytes means 2^256 values, a number of 78 digits: 115792089237316195423570985008687907853269984665640564039457584007913129639936 KEYs to try.

A brute-force attack on AES256 CBC with padding is possible but improbable; maybe in the future with more computing power, with some kind of cloud computing, or even some kind of networked work with BOINC or maybe a botnet.
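To put numbers on "possible but improbable", here is an added Python example (not code from the original post or from Bitcoin Core) that compares the raw 32-byte and 48-byte search spaces with the cost of the key-stretching step described above. Assumptions: PBKDF2-HMAC-SHA512 from the standard library stands in for the wallet's PBKDF, and the salt, the passphrase alphabets and the 1e12 keys-per-second raw trial rate are constructed values.

```python
import hashlib
import time

MIN_ITERATIONS = 25000          # minimum iteration count stated in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key_iv(passphrase: bytes, salt: bytes, iterations: int = MIN_ITERATIONS):
    """Stretch passphrase + salt to 64 bytes; bytes 0-31 are the AES-256 key,
    bytes 32-47 the CBC IV. PBKDF2-HMAC-SHA512 is an assumed stand-in KDF."""
    out = hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, dklen=64)
    return out[:32], out[32:48]

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the average cost of one passphrase derivation on this machine."""
    salt = bytes(range(8))      # constructed 8-byte salt, not from a real wallet
    start = time.perf_counter()
    for i in range(samples):
        derive_key_iv(b"constructed-guess-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(space_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a search space."""
    return space_size / guesses_per_second / SECONDS_PER_YEAR

def passphrase_space(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length

def report(raw_key_rate: float = 1e12):
    """Compare raw-key search with passphrase search; raw_key_rate is an
    assumed, deliberately generous AES trial rate (keys per second)."""
    rows = [
        ("raw KEY, 32 bytes", 2 ** 256, raw_key_rate),
        ("raw KEY+IV, 48 bytes", 2 ** 384, raw_key_rate),
    ]
    for iterations in (MIN_ITERATIONS, 10 * MIN_ITERATIONS):
        rate = 1.0 / seconds_per_guess(iterations)   # derivations per second
        for alphabet, length in ((26, 8), (94, 16)):
            label = f"{length} chars of {alphabet}, {iterations} iterations"
            rows.append((label, passphrase_space(alphabet, length), rate))
    return [(label, years_to_exhaust(size, rate)) for label, size, rate in rows]

if __name__ == "__main__":
    for label, years in report():
        print(f"{label:45s} {years:.3e} years")
```

The raw-key rows stay out of reach at any realistic rate, so a wallet's practical resistance rests on the entropy of its passphrase and on the iteration count, which multiplies the cost of every guess.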

By the way.

The 69K bitcoin wallet was emptied or cracked by someone else on 3 of November 2020.