$103,000 stolen in Brain Wallets cracking attacks

Pierluigi Paganini February 17, 2016

A group of researchers discovered that roughly 1,000 brain wallets have been drained by cyber criminals that have stolen $103,000

The term brainwallet refers to the concept of storing Bitcoins in one’s own mind by memorization of a passphrase. The phrase is converted into a 256-bit private key with a hashing or key derivation algorithm (example: SHA256). That private key is used to calculate the final Bitcoin address.

This method was erroneously considered secure because malware based attacks are ineffective in stealing private keys, but now an expert demonstrated that brain wallets are not secure because the passwords can be easily cracked by an attacker. The researcher explained that brain wallets used no salt and passed plaintext passwords through a single hash iteration, this makes easy for hackers to crack brain wallet passwords. Another problem is represented by the fact that a form of the insecurely hashed passwords is stored in the Bitcoin blockchain giving more information for the attack to the hackers.

The researcher Ryan Castellucci demonstrated at the DEF CON conference last year how to crack brain wallets:

“Our implementation improves the state of the art by a factor of 2.5, with focus on the cases where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation.” states the paper .

Now researchers at the University of Tulsa, Stanford University and the Southern Methodist University have discovered a new method to crack brain wallet passphrase faster respect the method elaborated by Castellucci.

The researchers published a paper demonstrating the efficiency of their Bitcoin Key Recovery Attacks, that is 2.5 times faster compared to Castellucci’s technique.

The researchers analyzed roughly 300 billion passwords and discovered that only less than 1,000 brain wallets used between September 2011 and August 2015.

“In this paper, we report on the first large-scale measurement of the use of brain wallets in Bitcoin. Using a wide range of word lists, we evaluated around 300 billion passwords. Surprisingly, after excluding activities by researchers, we identified just 884 brain wallets worth around $100K in use from September 2011 to August 2015.” researchers wrote in their paper

“Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify,” explained the researchers. “In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours.”

The passwords were derived from words available in dictionaries, the passwords were then compared to a list of all used Bitcoin addresses to determine which of them were associated with brain wallets.

Experts identified 884 brain wallets storing 1,806 BTC (worth approximately $100,000)  and discovered that only 21 of them were not drained by cyber criminals.

Brain Wallets hack

It was disconcerting that in many cases, the accounts were drained within minutes or seconds, the researchers also noticed that there is no evidence that Bitcoin wallets containing larger amounts of money were protected by the owners with stronger passwords.

“We find that all but 21 wallets were drained, usually within 24 hours but often within minutes. We find that around a dozen “drainers” are competing to liquidate brain wallets as soon as they are funded.” continues the researchers.

The experts analyzed the Bitcoin transactions involving brain wallets and discovered that at least 14 entities were involved in the attacks.

“A few drainers are very successful while the rest do not make very much,” researchers wrote in their paper. “The top 4 drainers have netted the equivalent of $35,000 between them. The drainer who has emptied the most brain wallets — 100 in all — has earned $3,219 for the effort. But other drainers have stolen very little money. For example, one drainer stole from 78 different brain wallets but netted only $62 worth of bitcoin.”

The group of researchers will present the study, titled “The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets,” at the next Financial Cryptography and Data Security 2016 conference.

Pierluigi Paganini

(Security Affairs – Brain Wallets, Bitcoin)

you might also like

leave a comment