If the words of a 12-word seed phrase are known, it’s deceptively easy to access the wallet and spend the funds.

A systems engineer cracked a seed phrase and won a 100,000 Satoshi bounty, or 0.001 Bitcoin (BTC), worth $29, in just under half an hour. Cointelegraph spoke to Andrew Fraser in Boston, who underscored how critical it is to keep a Bitcoin wallet seed phrase secure and offline.
A seed phrase or recovery phrase is a string of random words generated when a wallet is created that can access the wallet, similar to a master key. Fraser brute forced a 12-word seed phrase that Bitcoin educator “Wicked Bitcoin” shared on Twitter:
Anyone want to try and brute force this 12-word seed phrase securing 100,000 sats? I’ll give you all 12 words but in no particular order. Standard derivation path m/84'/0'/0'…no fancy tricks. GL. https://t.co/c9FyMv3HYM pic.twitter.com/nPGTB9bX2g
— Wicked (@w_s_bitcoin) April 26, 2023
As shown, Wicked’s Tweet challenged users to decipher the correct order of the 12-word seed phrase.
It took just 25 minutes to unlock the 100,000 Satoshis, or just under $30. The incident serves as a timely reminder for Bitcoin users and crypto enthusiasts to take crypto security seriously.
Fraser cracked the code using BTCrecover, a software application available on GitHub. The software offers a range of tools that can find seed phrases with missing or scrambled mnemonics, as well as passphrase-cracking utilities. Over Twitter DMs, Fraser told Cointelegraph:
"My gaming GPU was able to find the correct order of the seed phrase in about 25 minutes. Though a more capable system would do it much faster.”
He noted that anyone with a basic knowledge of running Python scripts, using the Windows command shell, and understanding the Bitcoin protocol, particularly BIP39 mnemonics, should be able to replicate his success.
Cointelegraph queried Fraser about the security of 12-word seed keys. Fraser explained they are "perfectly secure if the words remain unknown to an attacker or there is a passphrase '13th seed word' used in the derivation path of the wallet."
Moreover, he emphasized the superior security of 24-word seed keys.
"Even if an attacker knew the out of order words of your 24-word seed key, they would never stand a chance of discovering the correct seed.”
Fraser broke down the entropy calculations to explain the difference in security between the two types of seed keys. A 12-word seed has about 128 bits of entropy, while a 24-word seed boasts 256 bits. When an attacker knows the unordered words of a 12-word seed, there are only about half a billion possible combinations, which is relatively easy to test with a decent GPU. A 24-word seed, however, has about 6.24^24 possible combinations, and that's a lot of zeros.
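To make the arithmetic above concrete, here is an added Python illustration (not code from the article, from Fraser, or from BTCrecover) of the standard BIP39 seed derivation and of the search space an attacker faces when the words are known but their order is not, with and without the optional passphrase. The demo mnemonic is the public BIP39 reference vector, and the passphrase length and alphabet size are assumed values.

```python
import hashlib
import math
import unicodedata

# BIP39 turns a mnemonic into the wallet seed with PBKDF2-HMAC-SHA512:
# password = the mnemonic, salt = "mnemonic" + passphrase, 2048 rounds, 64 bytes out.
# The optional passphrase is the "13th seed word" Fraser refers to.
BIP39_ROUNDS = 2048
BIP39_SEED_LEN = 64


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed; both inputs are NFKD-normalised as the spec requires."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), BIP39_ROUNDS, dklen=BIP39_SEED_LEN
    )


def ordering_search_space(n_words: int) -> int:
    """Candidate mnemonics when all n words are known but their order is not: n!."""
    return math.factorial(n_words)


def ordering_search_bits(n_words: int) -> float:
    """The same search space expressed as bits of work, log2(n!)."""
    return math.log2(ordering_search_space(n_words))


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Extra work a uniformly random passphrase adds on top of the ordering search."""
    return length * math.log2(alphabet_size)


def seeds_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """Same words, different passphrase: a completely different seed, hence different keys."""
    return bip39_seed(mnemonic, passphrase_a) != bip39_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    # Demo mnemonic: the public BIP39 reference vector, not the challenge's words.
    demo = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
    for n in (12, 24):
        print(f"{n} words, order unknown: {ordering_search_space(n):,} orderings "
              f"(~{ordering_search_bits(n):.1f} bits)")
    # Assumed passphrase: 8 characters drawn from the 95 printable ASCII symbols.
    print(f"8-char passphrase adds ~{passphrase_bits(8, 95):.1f} bits")
    print("seed changes with passphrase:", seeds_differ(demo, "", "TREZOR"))
```

The 12-word case comes out at 479,001,600 orderings, the "half a billion" Fraser quotes, while the 24-word case is roughly 79 bits of work before any passphrase is considered.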
Even the probability of an attacker cracking a 12-word seed phrase is borderline absurd. 24-word seed phrases may be superior, but as Wicked points out in a post-mortem to the seed phrase challenge, “it’s not going to be hacked tbh.”
In the off chance that someone finds your seed phrase chopped up and out of order, then yes lol.
— Wicked (@w_s_bitcoin) April 27, 2023
Ultimately, it’s a timely reminder to readers to ensure seed phrases are never published or shared online. That means a seed phrase should not be stored in a password manager or a cloud storage solution, and it certainly should not be typed into a phone.
Fraser also stressed the importance of keeping seed keys secret and of taking advantage of a passphrase that functions as part of the derivation path. As for the 100,000 Sats Fraser took home? Fraser tweeted that he spent them on dinner that night: Chicken Marsala. Talk about circular economy.