Bruteforce Attack on Bitcoin Brainwallets

August 8, 2013
bitcoin cryptocurrency bruteforce security python

The concept of storing Bitcoins in a wallet generated by a passphrase is referred to as a brainwallet. This post will explore the insecurities of brainwallets and why you shouldn’t be using them.

There are many ways to generate a brainwallet. For example, brainwallet.org provides a simple client-side JavaScript application to do this. The passphrase used to generate the wallet is essentially just a password, and it provides the only means of protection from theft. If someone guesses this password, they have full access to the wallet and the funds.

The Idea

Out of pure curiosity, I wanted to see how many insecure brainwallets could be found with just a simple dictionary. I would create a script that would loop through a dictionary file; each word would be converted into a public Bitcoin address, and the resulting address would be searched for in all historical transactions.

Code and Setup

I was able to find an existing Python library for the Bitcoin address generation code in order to convert a dictionary word into a public Bitcoin address.
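The derivation step a brainwallet generator performs, as an added example (not code from this post or its GitHub project): the passphrase is hashed once with SHA-256 and the digest is used directly as the secp256k1 private key, so the secret carries no more entropy than the passphrase itself. The hash160/Base58 address encoding is left out, and the curve arithmetic is written out in plain Python so the example has no dependencies.

```python
import hashlib

# secp256k1 domain parameters (the standard curve constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def brainwallet_private_key(passphrase: str) -> int:
    """The brainwallet scheme: the private key is nothing but SHA-256(passphrase)."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


def brainwallet_public_key(passphrase: str) -> str:
    """Uncompressed SEC public key (04 || X || Y) for the passphrase-derived key."""
    k = brainwallet_private_key(passphrase)
    assert 0 < k < N  # a SHA-256 output outside the group order is practically impossible
    x, y = _mul(k, G)
    return "04" + x.to_bytes(32, "big").hex() + y.to_bytes(32, "big").hex()


def on_curve(pub_hex: str) -> bool:
    """Sanity check: the derived point must satisfy y^2 = x^3 + 7 (mod P)."""
    x, y = int(pub_hex[2:66], 16), int(pub_hex[66:], 16)
    return (y * y - x * x * x - 7) % P == 0
```

Because nothing random enters the derivation, two people who pick the same word get the same key, which is exactly what makes a dictionary sweep like the one in this post possible.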

Next up was finding a way to query for a public address in all historical Bitcoin transactions. My first option was blockexplorer.com. This website stores every Bitcoin transaction in a database and provides an API to query information. The biggest problem with using this site was that my bruteforce experiment would generate a lot of traffic to the site. I then stumbled upon Abe, which is essentially a clone of blockexplorer.com that I could run locally. After getting it up and running, it took over a week to insert all transactions into the database from the blockchain.

I pointed my script at an English dictionary file and let it run.

Results

Here are the brainwallets I found with this particular dictionary. Note that none of these wallets actually had any funds at the time of running the script, but at one point in the past these wallets were in use.

Word          Received Bitcoins   Public Address
a             0.01                1HUBHMij46Hae75JPdWjeZ5Q7KaL7EFRSD
cat           0.15                162TRPRZvdgLVNksMoMyGJsYBfYtB4Q8tM
chicken       0.001               15Z16yvxv3oH6FBd83qkgo8AmzYcaSy2vX
destruction   0.09                11p4664ndnKmiPBL6naW9nF9z91skDdkf
dog           0.01                19MxhZPumMt9ntfszzCTPmWNQeh6j6QqP2
hangzhou      0.2                 1EaUxkWMQ1kGPh3gWLev3Uzb2MUEmP59ws
love          0.012               1Mm6ouhpHqbtahCRNYfTo7Art1fbmk7PcR
password      0.06108             16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav
poop          0.001               1LVL6qEhMQTbNtSBDfBkmzo5ZS1PwaKZWs
root          0.001               148qEts4TkouGRwvUMRFM8dB9MjxM6iCuN
sausage       0.01                1TnnhMEgic5g4ttrCQyDopwqTs4hheuNZ
supper        0.002               16rAKW1gUqtQL8PaaYM2Drkitm686kgdEC
swordfish     0.0014427           1PG9p4dG3vhZ8gx19aVdu5ZfECw9Q7N3B6
test          0.0511876           1HKqKTMpBTZZ8H5zcqYEWYBaaWELrDEXeE
very          0.0075              16NpdGeEeEebivqHGSXeDCjozr9yKHeZPD
wang          0.0001              1AjzxqeicCxMYDSAW5xqk1is3KX8eipD82
you           0.01                1NGj2UvhbC79ZXFBPBaXSmf7vwRy7cXK5R

Conclusion

Don’t use brainwallets! If you want to try it yourself, you can check out the project on GitHub.
