Fake walle.dat can trick bitcoin core client?

[yangxin325]

The news comes from this website：http://xingfeng.org/?p=517

This site reminds people who buy wallet.dat Bitcoin core wallets from black market, forums and other channels, and forges a wallet.dat wallet, and also provides a download channel for people to read the article to verify.

After downloading the wallet and putting it into the Bitcoin core client, it can be successfully loaded and prompting that 150 bitcoins can be used, but the authors say that these are fake!

After contacting the author, he said that the wallet is fraudulent through special channels. Only professional and technical personnel can identify it. The method of identification is to look at the corresponding version of the wallet code, check the data consistency, time, field, type, structure, It looks very complicated.

Remind everyone to pay attention to this.

[achow101]

The wallet file isn't fake per se, nor are the transactions it shows. What's fake about it is that it doesn't contain the private keys it claims it does.

The method of identification is to look at the corresponding version of the wallet code, check the data consistency, time, field, type, structure, It looks very complicated.

It actually is not that complicated. You don't need to check any data consistency, time, etc. You don't need to check any of the things you mentioned. You also don't really need to look at the wallet code because the data that they are manipulating doesn't change frequently, if ever. In fact, the specific database fields that are being modified will likely never change in order to maintain backwards compatibility with older wallet versions.

What the authors have done here is simply add fields which represent encrypted keys. These fields contain the pubkey and the encrypted private key which will typically just look like random data (because that's the point of encryption). What the authors have done is just create a field that contains the pubkey and random data (or in this case, a string) as the private key.

It is impossible for anyone (technical or not, professional or not) to identify that the wallet is "fake" by simply looking at it (besides the fact that common sense tells you its a scam). If done correctly, the supposed encrypted key will be garbage data and its veracity cannot be determined without knowing the decryption key. Of course, if it's just zeroes or some other obvious non-random data, then it can be easily determined. You can inspect the data of a wallet.dat file using BDB 4.6's db_dump tool.

[yangxin325]

The wallet file isn't fake per se, nor are the transactions it shows. What's fake about it is that it doesn't contain the private keys it claims it does.

The method of identification is to look at the corresponding version of the wallet code, check the data consistency, time, field, type, structure, It looks very complicated.

It actually is not that complicated. You don't need to check any data consistency, time, etc. You don't need to check any of the things you mentioned. You also don't really need to look at the wallet code because the data that they are manipulating doesn't change frequently, if ever. In fact, the specific database fields that are being modified will likely never change in order to maintain backwards compatibility with older wallet versions.

What the authors have done here is simply add fields which represent encrypted keys. These fields contain the pubkey and the encrypted private key which will typically just look like random data (because that's the point of encryption). What the authors have done is just create a field that contains the pubkey and random data (or in this case, a string) as the private key.

It is impossible for anyone (technical or not, professional or not) to identify that the wallet is "fake" by simply looking at it (besides the fact that common sense tells you its a scam). If done correctly, the supposed encrypted key will be garbage data and its veracity cannot be determined without knowing the decryption key. Of course, if it's just zeroes or some other obvious non-random data, then it can be easily determined. You can inspect the data of a wallet.dat file using BDB 4.6's db_dump tool.

Usually in the wallet.dat file, the pubkey(a bitcoin address) and the private key are in pairs. Your point of view seems to be that the website author added a pubkey(a bitcoin address)and a private key that does not match it in the wallet, but successfully cheated the bitcoin core client.

[achow101]

Usually in the wallet.dat file, the pubkey(a bitcoin address) and the private key are in pairs. Your point of view seems to be that the website author added a pubkey(a bitcoin address)and a private key that does not match it in the wallet, but successfully cheated the bitcoin core client.

It only "cheated" because the private keys are supposed to be encrypted with a password. Without knowing the password, Bitcoin Core cannot get the private key to check that it matches the public key. Once it does have the password, it can and will check that it matches, and when it sees it does not, it will throw an error. It is impossible for anyone to check that the encrypted private key is correct without knowing the password to decrypt it.

[yangxin325]

Usually in the wallet.dat file, the pubkey(a bitcoin address) and the private key are in pairs. Your point of view seems to be that the website author added a pubkey(a bitcoin address)and a private key that does not match it in the wallet, but successfully cheated the bitcoin core client.

It only "cheated" because the private keys are supposed to be encrypted with a password. Without knowing the password, Bitcoin Core cannot get the private key to check that it matches the public key. Once it does have the password, it can and will check that it matches, and when it sees it does not, it will throw an error. It is impossible for anyone to check that the encrypted private key is correct without knowing the password to decrypt it.

Yes, you are correct, this wallet.dat is encrypted, the Bitcoin core client can not decrypt it, verify that the private key matches the public key, thank you for your answer.

[bob123]

Usually in the wallet.dat file, the pubkey(a bitcoin address) and the private key are in pairs.

Address != Public key.
The address is the hash of a public key. They are not the same.

Yes, you are correct, this wallet.dat is encrypted, the Bitcoin core client can not decrypt it, verify that the private key matches the public key, thank you for your answer.

The client can decrypt it (given the user knows the correct password), but it won't be able to decrypt the private keys (because they are not encrypted, it is just garbage data).

[LFC_Bitcoin]

If something seems to be too good to be true then it normally is.
People don’t often give out free (or massively discounted) money to random strangers online.

Use your head guys. Do not download files from anybody.

[keychainX]

The news comes from this website：http://xingfeng.org/?p=517

This site reminds people who buy wallet.dat Bitcoin core wallets from black market, forums and other channels, and forges a wallet.dat wallet, and also provides a download channel for people to read the article to verify.

After downloading the wallet and putting it into the Bitcoin core client, it can be successfully loaded and prompting that 150 bitcoins can be used, but the authors say that these are fake!

After contacting the author, he said that the wallet is fraudulent through special channels. Only professional and technical personnel can identify it. The method of identification is to look at the corresponding version of the wallet code, check the data consistency, time, field, type, structure, It looks very complicated.

Remind everyone to pay attention to this.

I have just analyzed the wallet and it looks legit. (have both synced it with bitcoin core 17.1 and used my own wallet.dat parser to see the balances)

There is 3 ins (mined in 2009) but its encrypted with a password.

Could add to the fun that its also a very old bitcoin wallet.dat format (uses uncompressed keys) and hashcat 5.1 wont even recognize the hash format from JTR.

/KX

[yangxin325]

The news comes from this website：http://xingfeng.org/?p=517

This site reminds people who buy wallet.dat Bitcoin core wallets from black market, forums and other channels, and forges a wallet.dat wallet, and also provides a download channel for people to read the article to verify.

After downloading the wallet and putting it into the Bitcoin core client, it can be successfully loaded and prompting that 150 bitcoins can be used, but the authors say that these are fake!

After contacting the author, he said that the wallet is fraudulent through special channels. Only professional and technical personnel can identify it. The method of identification is to look at the corresponding version of the wallet code, check the data consistency, time, field, type, structure, It looks very complicated.

Remind everyone to pay attention to this.

I have just analyzed the wallet and it looks legit. (have both synced it with bitcoin core 17.1 and used my own wallet.dat parser to see the balances)

There is 3 ins (mined in 2009) but its encrypted with a password.

Could add to the fun that its also a very old bitcoin wallet.dat format (uses uncompressed keys) and hashcat 5.1 wont even recognize the hash format from JTR.

/KX

I contacted the webmaster of the website. He clearly stated that the wallet was forged by him and the password was forgotten. He said that the password was freely filled out by him. And he has tried it, it is impossible to transfer the balance displayed by the Bitcoin core client.