Bitcoin Forum
May 27, 2024, 06:29:24 AM *
  Show Posts
1  Economy / Scam Accusations / Re: [SCAM][SPAM] User "bitcoinicon" selling corrupted Bitcoin wallet on: August 08, 2017, 09:45:48 PM
It's clear that several people have been conned by this particular wallet (not that the wallet-selling-scam is anything new). It also seems that at least a couple of people have been reselling this wallet, possibly without the knowledge that it's empty or broken, or possibly with that knowledge.

FWIW, there's no hard evidence that I've found which implicates anyone in this thread (or the others referenced) of being the creator of this wallet / original scammer, so I personally see no reason to assume malice on anyone's part. On the other hand, reselling this wallet (or any for that matter) is at the very best terribly irresponsible.

I wouldn't think this needs saying, but buying a wallet of dubious origin is never a good idea. It's trivial to create a wealthy-looking wallet which appears undoctored but is actually devoid of any spendable funds. This particular wallet is not an example of this (it's obviously messed up in several ways), but the bottom line is: caveat emptor!


I suggest you ask very nicely here -> https://github.com/gurnec/btcrecover/issues/85 for an expert option and provide as much information as needed.
Anybody with a full node and the wallet.dat in question can verify that it contains no spendable funds. (This is not true in general, but is true for this particular wallet.) The email where I was quoted above (highlighted in way-too-much-red) shows how to do this.


all have tarnished my name and I am in crypto full time so this for me is a very serious issue.
I don't mean to pick on you, but claiming that you are "in crypto full time" and at the same time were unable to see any problems with this wallet (some of which were very much related to cryptographic mistakes) does little to advance your credibility IMO.
2  Bitcoin / Electrum / Re: How to manually decrypt Electrums encrypted seed and xprv from wallet file on: May 29, 2017, 01:09:13 AM
1. Decode the base-64 into binary.
2. Remove the first 16 bytes, they are the IV. The rest is the cyphertext.
3. Derive the encryption key as sha256(sha256(convert_to_utf8(password))).
4. Decrypt the cyphertext with AES-256 in CBC mode using the key, IV, and cyphertext from above.
5. Remove the trailing PKCS7 padding.

This script will do so for you from a wallet file: https://github.com/gurnec/decrypt_electrum_seed
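
The five steps above as a Python sketch, added here as an example; it is not taken from the original post or from the linked decrypt_electrum_seed script. It assumes the third-party `cryptography` package is installed; `encrypt_field` and `try_password` are hypothetical helpers, and the sample input is constructed from a made-up string.

```python
import base64
import hashlib
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def derive_key(password: str) -> bytes:
    # Step 3: sha256(sha256(utf8(password))); no salt, two hash calls in total.
    inner = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(inner).digest()


def decrypt_field(b64_field: str, password: str) -> bytes:
    raw = base64.b64decode(b64_field)                    # step 1
    if len(raw) < 32 or len(raw) % 16:
        raise ValueError("need a 16-byte IV plus whole AES blocks")
    iv, ciphertext = raw[:16], raw[16:]                  # step 2
    cipher = Cipher(algorithms.AES(derive_key(password)), modes.CBC(iv))
    decryptor = cipher.decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()   # step 4
    unpadder = padding.PKCS7(128).unpadder()             # step 5
    # finalize() raises ValueError when the padding bytes are malformed.
    return unpadder.update(padded) + unpadder.finalize()


def encrypt_field(plaintext: bytes, password: str) -> str:
    """Inverse of decrypt_field; used here only to build a constructed sample."""
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    cipher = Cipher(algorithms.AES(derive_key(password)), modes.CBC(iv))
    encryptor = cipher.encryptor()
    blob = iv + encryptor.update(padded) + encryptor.finalize()
    return base64.b64encode(blob).decode("ascii")


def try_password(b64_field: str, password: str):
    """Return the plaintext, or None when the padding check rejects the key."""
    try:
        return decrypt_field(b64_field, password)
    except ValueError:
        return None


if __name__ == "__main__":
    sample = encrypt_field(b"constructed sample seed text", "correct password")
    print(decrypt_field(sample, "correct password"))
    print(try_password(sample, "wrong password"))
```

The steps above include no integrity check, so a wrong password is caught only by the PKCS7 padding test, which a wrong key passes by chance roughly once in 256 tries; validate the recovered plaintext before trusting it.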
3  Bitcoin / Bitcoin Technical Support / Re: Help with btcrecover on: May 26, 2017, 08:19:07 PM
By default, btcrecover only uses multiple GPUs at the same time if they're identical, but you can force it to use different GPUs if you'd like.

First, ask it for a list of your current OpenCL devices like so:
Code:
> C:\python27\python btcrecover.py --list-gpus
#1 GeForce GTX 1080 Ti
#2 GeForce GTX 1080
#3 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz

It's easiest to specify the GPUs you want to use by the #ID numbers, so for example to use the two 1080s, even though they're different models:
Code:
> C:\python27\python btcrecover.py --enable-gpu --gpu-names #1,#2 ...

Note that you may get better performance if you use a different global-ws for each GPU (with a bigger global-ws for the Ti), something like this:
Code:
> C:\python27\python btcrecover.py --enable-gpu --gpu-names #1,#2 --global-ws 262144,196608 --local-ws 1024 ...
Note that the order matters: in this example, GPU #1 (the faster one) is listed first after --gpu-names, so the larger --global-ws is also listed first. Only way to know if using different global-ws values improves performance is trial and error unfortunately.

Good luck!
4  Bitcoin / Electrum / Re: Are the 12 worded seeds really secure from Brute force? on: December 24, 2016, 12:15:36 AM
Since it has a very little chance to have the same seed, I think it could be used for one UUID variant? Do you have any idea about it?

Do you mean a seed could be used as an alternative for a UUID? I suppose, they both "encode" 128 bits of data minus a checksum (for seeds) or a small header (for UUIDs), except that UUIDs are designed more to be convenient for machines, whereas seeds are for humans.

Actually, the "Random UUID probability of duplicates" on Wikipedia is quite relevant for seeds too.
5  Bitcoin / Electrum / Re: [BOUNTY] Anybody know how to brute force, no seed , no pass on: December 23, 2016, 07:44:51 PM
I have a very large list of possible passwords and or phrases that may be contained within the password.

If Dave doesn't respond, you can try recovering the password yourself with btcrecover, however it will be more difficult and involves a bunch of reading to get it set up and running...
6  Bitcoin / Bitcoin Wallet for Android / Re: Help with wallet recovery on: December 19, 2016, 08:37:52 PM
I realize I may be a bit late here to be helpful, but if your wallet was created by Bitcoin Wallet v4.0 or later (released Oct 2014), it may be easier to extract the seed with this tool and restore it into a compatible wallet such as MultiBit HD.
7  Bitcoin / Electrum / Re: Help! Possible to restore a wallet with a partial seed? (12/13) on: December 19, 2016, 03:21:31 PM
Interconnected, as interconnected with each other... :)
Ah, gotcha.

Didn't know about seedrecover, what does it do? Take the dictionary and try to fill in what's missing on your seed, using the MPK to confirm that it is generating the "correct" addresses belonging to your seed?
Yup, pretty much that.

It accepts as input a seed "guess", plus something it can use to test potential seeds against: either a Master Public Key, a wallet file (which contains the MPK), or an address that can be generated from the seed.

It then introduces various changes to the seed (cartesian-product-wise) and tests each result against the MPK/address, such as swapping consecutive words and/or replacing words with similarly spelled ones (from the same language list as the other seed words).

Although most of the variations it tests are "small" variations such as those listed above which don't lead to a large growth of tested seeds, it also tries up to one "large" variation which means inserting a word or replacing an existing word with one that isn't even spelled similarly.

Of course it skips seeds which can't possibly be correct (BIP39 seeds not of length≡0 (mod 3), Electrum 2 seeds of length > 13 (or > 12 for Electrum 2.7+), seeds with invalid checksums, etc.).

Being part of btcrecover, it picks up a few additional features from it (multithreading, Unicode support, progress bar/ETA, etc.). I could go on, but I'm sure you've already had enough :P
8  Bitcoin / Development & Technical Discussion / Re: Strong brain wallet, step-by-step guide. on: December 18, 2016, 06:05:40 PM
I haven't "promoted" the use of brain wallets but have simply stated (and have proven) that they "can be safe" as I think it is not reasonable for people to constantly state that *no brainwallet can be safe* due to being a human being (but I won't deny that perhaps for the vast majority it is probably not going to be safe).

I am considering to move that 1 BTC and then reveal the brainwallet passphrase that was used as an illustration of how one might go about creating such a thing (but I will not be *recommending* others to do this).

I appreciate that you don't explicitly promote brain wallets, but you must admit that you did post a response in a thread that was started by OP to promote a "good" way of creating brain wallets (it wasn't) showing that your brain wallet was still safe as pro-brain-wallet evidence. Depending on how some will read that response, it could be misinterpreted as a general promotion of brain wallets (how many people will follow your link and read that entire thread? or even read the context in this thread?).... that was my complaint.
9  Bitcoin / Development & Technical Discussion / Re: Strong brain wallet, step-by-step guide. on: December 18, 2016, 05:29:16 PM
It is highly NOT RECOMMENDED to use brainwallets. Humans are a horrendously low source of entropy. There are multiple research papers and programs that show that brainwallets are horribly insecure and easily cracked as what you think is a strong password probably is not a strong password.

And yet if you look here: https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L

1 BTC that has been there since 2012 is still there - I posted about this here: https://bitcointalk.org/index.php?topic=885616.0

It certainly isn't a simple thing to create an effective brainwallet but it also certainly isn't impossible (as I've demonstrated for four years).

That last sentence is rather important, and usually gets lost in the noise.

It's not a question of whether or not it's theoretically possible to create a safe brain wallet, it's one of whether or not it's a wise idea to promote them.

I've no problem if CIYAM wants to create a brain wallet because he's demonstrated that he generally knows what he's talking about, and is willing to accept the risks.

I've a big problem with OP (or anyone else for that matter) promoting brain wallets in general because of the damage it can cause. This is further compounded by the fact that most people (I'm no exception) tend to overestimate their knowledge of a subject they haven't thoroughly studied ("maybe someone else will choose a bad brain wallet, or forget their brain wallet due to a wetware malfunction, but surely I'm smart enough to avoid these problems").

In short: please don't use brain wallets. Please don't promote them (that includes you, CIYAM).
10  Bitcoin / Electrum / Re: Help! Possible to restore a wallet with a partial seed? (12/13) on: December 18, 2016, 04:21:17 AM
If you still have your wallet file (or if you have your master public key or an address that's part of your wallet), and you know most of your seed as you said, you can use seedrecover to recover the missing parts of your seed: https://github.com/gurnec/btcrecover/blob/master/docs/Seedrecover_Quick_Start_Guide.md (which is part of btcrecover).

If you have any questions about it, feel free to ask.


That's not possible because the words aren't interconnected and because that would be a security flaw
They are interconnected to the master public key (stored unencrypted in the wallet file) and to the addresses they generate, but of course it's only possible to "brute-force" the seed if most of the seed is also known.
11  Bitcoin / Electrum / Re: Are the 12 worded seeds really secure from Brute force? on: December 15, 2016, 08:31:59 PM
Actually the way I wrote that is wrong. What I mean is that the pass phrase is weaker than a private key.

Maybe I'm not understanding you correctly.

Surely a human-created pass phrase is very likely to be weaker than a randomly-generated private key, but a sufficiently long randomly-generated pass phrase (such as a seed created by Electrum, assuming a non-broken OS) is not any weaker than any private key.

In other words, for a 256-bit EC curve, a seed with 128 bits of entropy which generates a private key with just as much entropy is as strong as a private key with more than 128 bits of entropy since the weakest link is the curve itself (reversing an exponentiation takes on the order of "just" 2^128 EC operations even when the private key has more than 128 bits of entropy).
12  Bitcoin / Electrum / Re: Are the 12 worded seeds really secure from Brute force? on: December 15, 2016, 08:07:20 PM
adaseb,

Your math is more or less within the right order of magnitude, but is missing a few things.

First, you need SHA512, not SHA256.

Next, for each seed you try, you need to check its "checksum" with HMAC-SHA512, so that's 2x SHA512's, not one.

1 in 256 of the seeds you try will pass the checksum step above, and with these you'll need to run PBKDF2-HMAC-SHA512 with 2048 iterations (and each iteration requires 2x SHA512's) to get the xprv. This means on average, you'll need another 16x SHA512's per seed tried (so your initial estimate was 18x too small).

Once you have a potential xprv, you still need to check if it's in use. This means deriving a bunch of private keys from the xprv (let's say we derive 30ish keys on both the internal and external chains, using both BIP32 and BIP44 style paths). Now we're looking at 120+ EC operations per seed which passes the checksum step (on average 1 EC operation for every 2 seeds you initially try). There is also another HMAC-SHA512, SHA256, and RIPEMD operation per address that's generated.

Finally, we need a whole bunch of CAMs to look up (in parallel) these addresses in the UTXO set (which has about 43M entries today). I'm not sure how big CAMs get these days, but I can say that a 43M-entry cam is at least 10x or 20x bigger than anything commonly used in networking gear.

We can shift some things around a bit (generate fewer private keys/addresses, but search in the every-address-every-used set which is 10x bigger), but it remains a daunting task.

Of course, if we have this theoretical hardware mentioned above that can do silly-fast EC operations, it makes a lot more sense to just choose a public key visible on the blockchain which has a large UTXO value and attack it directly (which would take only on the order of 2^128 EC operations). In any case, it seems pretty likely it would take longer than the current age of the universe to succeed--personally I'm not that patient.

So yes, "12 worded seeds [are] really secure from Brute force". :)
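
The hashing part of the cost estimate above, as an added Python example (not code from the post or from Electrum). It implements the HMAC-SHA512 version check and the PBKDF2 stretch, measures the 1-in-256 pass rate on constructed strings rather than real word lists, and turns the 18x figure into a time estimate. Assumptions: Electrum's text normalisation is omitted, the EC and lookup costs are ignored, and the 2^128 search space and 1e18 SHA512/s rate are illustrative values.

```python
import hashlib
import hmac

SEED_VERSION_PREFIX = "01"  # Electrum 2 standard seed: first 8 bits of the HMAC


def passes_checksum(phrase: str) -> bool:
    """HMAC-SHA512 version check; Electrum's text normalisation is omitted."""
    mac = hmac.new(b"Seed version", phrase.encode("utf-8"), hashlib.sha512)
    return mac.hexdigest().startswith(SEED_VERSION_PREFIX)


def stretch(phrase: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 iterations; only needed for seeds that pass."""
    salt = b"electrum" + passphrase.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", phrase.encode("utf-8"), salt, 2048, 64)


def sha512_per_candidate(pass_rate: float = 1 / 256, iterations: int = 2048) -> float:
    checksum = 2                  # one HMAC costs two SHA512 calls
    stretching = iterations * 2   # one HMAC per PBKDF2 iteration
    return checksum + pass_rate * stretching


def measured_pass_rate(samples: int) -> float:
    """Fraction of constructed (non-wordlist) strings passing the version check."""
    hits = sum(passes_checksum(f"constructed candidate {i}") for i in range(samples))
    return hits / samples


def years_to_search(candidate_bits: int, sha512_per_second: float) -> float:
    """Years of SHA512 work to try 2**candidate_bits seeds at an assumed rate."""
    total = sha512_per_candidate() * 2 ** candidate_bits
    return total / sha512_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("SHA512 calls per candidate:", sha512_per_candidate())
    print("measured pass rate:", measured_pass_rate(50_000), "vs", 1 / 256)
    print(f"{years_to_search(128, 1e18):.2e} years at an assumed 1e18 SHA512/s")
```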
13  Bitcoin / Electrum / Re: Are the 12 worded seeds really secure from Brute force? on: December 15, 2016, 07:26:43 PM
Given enough private-key entropy, the weakest link in securing Bitcoin funds is the secp256k1 curve used to sign transactions and generate public keys from private ones, which takes on the order of 2^128 operations to break. Using more than 128 bits of entropy does not help at all. While it's true that Electrum uses slightly less entropy as Abdussamad mentions above (124 bits), practically speaking this is still in the same ball park.

Claiming that
Electrum is much weaker than that because they are using a list of words to create a password
is flat-out wrong.
14  Bitcoin / Electrum / Re: How can I change the default wallet? on: December 10, 2016, 05:55:32 PM
Each wallet is stored in its own file on your PC. You can locate your wallet files here: http://docs.electrum.org/en/latest/faq.html#where-is-my-wallet-file-located. Actually, the FAQ is confusing when it comes to Windows; to find your wallet there, open File Explorer, and copy and paste this into the address bar: %appdata%\Electrum\wallets

With Electrum closed (very important), rename the current "default_wallet" file to something else, and then rename your imported old wallet to "default_wallet".
15  Bitcoin / Electrum / Re: Issue when switching wallet on: December 09, 2016, 05:38:03 PM
Excellent work btchris!!  I learn something every single day reading in this great forum!
Thanks!

Problem solved! The problem wasn't with the '/', had none in the name of the wallet. However, the extra space between MISC and the wallet was the problem.

Perhaps we can add a warning of some sort :).

Thank you all for your help!

I'm glad it's solved!

Not to be argumentative, but when you initially created your wallet, you did use a '/', specifically you named it "Escrow/MISC wallet". That slash was definitely the culprit. You probably forgot about the slash because (related to this bug) the "Escrow/" part wasn't being displayed when you re-opened (recreated really) the wallet via the "Recently open" menu item. It was hidden from view in the menu/wallet name, but it was still in there and was the cause of this issue.

Having spaces in the wallet name works fine (feel free to give it a try).
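
An added Python example (not Electrum's code and not part of the original post) of why the slash breaks the save and how a name check catches it. `PureWindowsPath` reproduces Windows path handling on any OS; the function names are hypothetical, and modelling the menu label as the path's last component is an assumption based on the description above.

```python
from pathlib import PureWindowsPath

# Wallet folder as it appears in the traceback posted in this thread.
WALLETS_DIR = PureWindowsPath(r"C:\Users\User\AppData\Roaming\Electrum\wallets")

# Characters that Windows does not allow in a file name, separators included.
FORBIDDEN = set('/\\:*?"<>|')


def naive_wallet_path(name: str) -> PureWindowsPath:
    """Join the user-supplied name to the folder with no validation."""
    return WALLETS_DIR / name


def displayed_name(path: PureWindowsPath) -> str:
    """Assumed model of the menu label: only the last path component."""
    return path.name


def safe_wallet_path(name: str) -> PureWindowsPath:
    """Accept a name only if it stays a single file directly in WALLETS_DIR."""
    if not name or name in (".", "..") or FORBIDDEN & set(name):
        raise ValueError(f"invalid wallet name: {name!r}")
    path = WALLETS_DIR / name
    if path.parent != WALLETS_DIR:
        raise ValueError(f"wallet name escapes the wallets folder: {name!r}")
    return path


if __name__ == "__main__":
    bad = naive_wallet_path("Escrow/MISC wallet")
    # The file would live in a subfolder "Escrow" that was never created,
    # which is what makes the write fail with "No such file or directory".
    print("parent folder:", bad.parent)
    print("shown in menu:", displayed_name(bad))
    print("accepted:", safe_wallet_path("MISC wallet"))
    try:
        safe_wallet_path("Escrow/MISC wallet")
    except ValueError as exc:
        print("rejected:", exc)
```

The same check also rejects backslashes and `..`, so a name cannot point outside the wallets folder; names with spaces are still accepted.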
16  Bitcoin / Electrum / Re: Issue when switching wallet on: December 08, 2016, 05:48:58 PM
Code:
>> wallet.storage.write()
Traceback (most recent call last):
  File "C:\Users\User\AppData\Local\Temp\_MEI76842\lib\storage.py", line 140, in write
    self._write()
  File "C:\Users\User\AppData\Local\Temp\_MEI76842\lib\storage.py", line 151, in _write
    with open(temp_path, "w") as f:
IOError: [Errno 2] No such file or directory: u'C:\\Users\\User\\AppData\\Roaming\\Electrum\\wallets\\Escrow/MISC wallet.tmp.7776'
>>

Have to sleep now, saw this message just before I turned my phone off. :)

Great, there it is! You can't use a '/' in the name of an Electrum wallet. Electrum obviously didn't handle this in a user-friendly way....
17  Bitcoin / Electrum / Re: Issue when switching wallet on: December 08, 2016, 04:18:59 PM
Yup. It got saved and I can open it with the text in it.

Oh well, was worth a try.

If you're up to it, could you try this next?

Recreate your wallet as normal, and once it's ready, close (via the X in the upper right, there is no cancel button) the "Electrum is generating your addresses" window. Next, on the Console tab, run these four commands (each command is the text to the right of the ">>"). If it's successful, it should look like this:
Code:
>> wallet.gap_limit
20
>> wallet.gap_limit_for_change
6
>> wallet.synchronize()
>> wallet.storage.write()
>>

I'm hoping it's not successful, and that one of the last two commands (they are what get run in that dialog box you closed above) either generates an error or hangs... it might offer a clue as to what's going on.

18  Other / MultiBit / Re: multibit hd balance turn in unconfirmed after i try to repair wallet bad service on: December 08, 2016, 03:49:44 PM
well of course i can wait until friday lol im just worried that this tool will not work for me and yes i try different internet connection still no success yet
Ah, makes sense.

can u guide me how can i extract my wallet words yes i have all files from wallet + password
The instructions for using it are right in that link. You need to download it (it's a .zip file), extract it, install Python, and run a PowerShell script to install two other dependencies. Then just double-click it to run it. The instructions in that link should walk you through it.

are u serious i really can extract my wallet words using multibit sweeper tool?
why multibit support didn't told me that? i told them everything ...
This isn't Keepkey's tool, I doubt they know anything about it. The seed is stored in the wallet file, it just needs to be decrypted (which is all the tool at that link does, it doesn't do any sweeping).
19  Other / MultiBit / Re: multibit hd balance turn in unconfirmed after i try to repair wallet bad service on: December 07, 2016, 11:12:46 PM
We have a fix planned for scheduled release by Friday.

In the meantime, others had had success by retrying the tool on a different internet connection.

So, did you try it on a different Internet connection? Can you simply wait until Friday?

Do you still have your wallet file (mbhd.wallet.aes) and your password? If so, you could use this tool to extract the seed (wallet words) and then try restoring them into a new MultiBit HD wallet (perhaps even on a different machine) or into a compatible wallet (I think that breadwallet is the only wallet that's compatible with MultiBit HD and still supported).
20  Bitcoin / Electrum / Re: Issue when switching wallet on: December 07, 2016, 08:54:14 PM
Silly question perhaps, but might this be a simple file permissions issue (for ranochigo's issue; mocacinno's issue seems different because it's intermittent)?

ranochigo, can you try creating a file (say a text file) in the wallets folder next to your default_wallet?