Electrical engineer Joe Grand and his little team of security researchers were able to hack into an encrypted file holding 43.6 bitcoins, unlocking a cryptocurrency wallet worth $3 million and ultimately saving a man who had forgotten his password 11 years ago.
Taking to his popular YouTube channel on Tuesday (May 28), Joe uploaded a video showing how he had been hired to hack into a man’s highly valuable encrypted file, which he had not been able to access since 2013.
Michael, whose identity was blurred during the 21-minute-long video, which has amassed nearly 300,000 views, emailed Joe for help last year.
Joining forces with his fellow hacker friend Bruno, Joe was able to reverse engineer the RoboForm password generator in order to regenerate passwords that have been generated in the past.
Electrical engineer Joe Grand and his little team of security researchers were able to hack into an encrypted file holding 43.6 bitcoins
Image credits: Joe Grand
RoboForm is a password management software that helps users generate, store, and manage passwords securely.
It creates complex, unique passwords for different accounts, stores them in an encrypted vault, and can autofill login information on websites and applications.
Michael had used a 20-character password with uppercase and lowercase letters, numbers, and special characters.
Image credits: Joe Grand
The password management software then generated the password, which Michael promptly copied and put in the passphrase of his wallet.
He further put the password in a text file that he had subsequently encrypted on his computer.
Unfortunately, a holder of data got corrupted, which caused Michael to lose his password, ultimately locking him out of his cryptocurrency wallet.
They unlocked a cryptocurrency wallet worth $3 million
Image credits: Joe Grand
“At this time I was like okay crap a couple of thousand euros which was painful but okay,” Michael said. “But then that’s when we found out what’s the price [of] Bitcoin.”
At the time, 43 Bitcoin was worth €1.6 million.
“I have this fortune, I can see it, but yeah I can’t use it because I don’t have the password,” Michael recalled.
Image credits: Joe Grand
In 2022, upon discovering that Joe had helped another crypto owner recover access to over $2 million in cryptocurrency, Michael contacted the technology savant.
The IT expert recalled responding that the project wouldn’t work unless they could exploit a bug in RoboForm, so he initially declined to help Michael.
Joe noted that brute-forcing the password—generating a vast list of possible passwords and testing them one by one—was an impractical solution due to its complexity.
Joe and his friend Bruno ultimately saved a man who had forgotten his password 11 years ago
Image credits: Joe Grand
“If we had to try every possible password combination, that’s more than 100 trillion times the number of water drops in the entire world,” the hacker explained.
However, a year later, Michael asked Joe to reconsider, and within that time frame, Brune had done some work in reverse engineering a different type of password generator for a different project.
After accepting helping Michael this time, Joe used a tool developed by the US National Security Agency to disassemble the password generator’s code.
“In a perfect world, when you generate a password with a password generator, you expect to get a unique, random output each time that no one else has,” he explained.
Joe continued: “[But] in this version of RoboForm, it was not the case.
“While RoboForm’s passwords appear to be randomly generated, they’re not.
“With the older versions of this software, if we can control the time, we can control the password.”
RoboForm is a password management software that helps users generate, store, and manage passwords securely
Image credits: Pexels/Karolina Grabowska
Joe was able to trick the system by changing the time back to 2013 when the password was generated, and after a few failed attempts, it finally led to the same password being recreated.
“There was something interesting that we found in that change,” the hacker recalled as he worked on RoboForm’s 2013 version. “It just so happens that Michael was using this earlier version where [the] randomness of the password had not been fixed.”
Joe and Bruno worked to generate millions of potential passwords, and eventually, they cracked the code.
Image credits: joegrandofficial
“Moral of the story: Use insecure password generators,” a viewer commented.
A YouTube user wrote: “That password generator really just generated a password for every second of time lmao.”
A person noted: “Password generator… You had one job!”
A separate individual chimed in: “Moral of the story: Don’t attack the password, attack the system that created the password.”
Upon successfully hacking into Michael’s crypto wallet, Joe told Wired in an article published on Tuesday (May 28): “We ultimately got lucky that our parameters and time range was right.
“If either of those were wrong, we would have … continued to take guesses/shots in the dark.”