BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc.

[btcspry]

In light of recent events, it has been proven that BrainWallet is now no longer regarded as safe.  At Defcon 23 (running August 6-9 2015), a whitehat hacker (named Ryan) released a program (codenamed Brainflayer) capable of checking 10s of thousands of brainwallets per second.  During his research, he discovered private keys for addresses that at some point held over 730BTC.  Many of the phrases were regarded as generally safe.  However, they were still cracked by his program.  BrainWallet as a whole is now being regarded as unsafe for use.  While experts have considered it unsafe for a long time, this is one of the first practical implementations that proves exactly how unsafe they are as a wallet choice.

Following the announcement and presentation of the software implementation, BrainWallet's website has been shut down.  The latest commit on their GitHub page removed the website and replaced it with a parked page, saying that the project is now closed.

However, there are still many safe BrainWallets.  As of now, it is recommended that you clean the balance out of your BrainWallet and into a safer storage method.  It is important to note that Ryan, the developer of this program, did not take any of the bitcoins.  He attempted to alert the owner of 250BTC that their bitcoins are at risk.  However, he has not personally gained anything from this, and works for the betterment of the bitcoin community.

While many BrainWallet cracking tools have existed over time, Brainfalyer is many orders of magnitude faster.  It uses Bloom Filters to effectively and quickly check if addresses have been used, which increases its speed.  Various other optimizations have made is very efficient as well.  In the next months, it can be expected that other hackers will be creating botnets, and various other large scale attacks against brain wallets.  It is no longer safe to use a BrainWallet.  Transfer funds out immediately!

The presentation regarding general information about the attack is available on Ryan's website.
The source code for the project is available on GitHub

If you are one of the lucky BrainWallet users who have not haven your bitcoins stolen, we have hosted the BrainWallet code on our website.  It can be used to transfer your bitcoins to a safer medium.  A Trezor or Electrum (cold storage) wallet is recommended for users with larger amounts of bitcoin.  They are easy to set up, and are many times safer than your BrainWallet.  To use the BrainWallet software, go to our website's hosting of BrainWallet.  For smaller amounts of bitcoin, you can use the website implementation itself.  For larger amounts, click the "Download ZIP" button in the footer of the website.  From there, you can generate the private key and transfer your bitcoins before theft occurs.

Please do not take this warning lightly.  Over 730BTC were available for theft thoughout the history of BrainWallet.  Please ensure that your bitcoins are not part of the ones that are taken in the future.  Save your bitcoins today, and transfer them to a safe storage system such as a Trezor or an Electrum Cold Storage wallet.

[1713537211]

1713537211

[1713537211]

1713537211

[tautvilis]

Please do not take this warning lightly.  Over 800BTC were available for theft (and lucky taken by a whitehat hacker - more information coming soon).  Please ensure that your bitcoins are not part of the ones that are taken in the future.  Save your bitcoins today, and transfer them to a safe storage system such as a Trezor or an Electrum Cold Storage wallet.

I were robbed of 22BTC by most likely a brainwallet cracker is there any chance I could get my BTC back for more info check my thread https://bitcointalk.org/index.php?topic=1146935.0

[btcspry]

Please do not take this warning lightly.  Over 800BTC were available for theft (and lucky taken by a whitehat hacker - more information coming soon).  Please ensure that your bitcoins are not part of the ones that are taken in the future.  Save your bitcoins today, and transfer them to a safe storage system such as a Trezor or an Electrum Cold Storage wallet.

I were robbed of 22BTC by most likely a brainwallet cracker is there any chance I could get my BTC back for more info check my thread https://bitcointalk.org/index.php?topic=1146935.0

What is the BrainWallet string used to create that address?  I'll check if it's in his list of notable hacks.

[tautvilis]

Please do not take this warning lightly.  Over 800BTC were available for theft (and lucky taken by a whitehat hacker - more information coming soon).  Please ensure that your bitcoins are not part of the ones that are taken in the future.  Save your bitcoins today, and transfer them to a safe storage system such as a Trezor or an Electrum Cold Storage wallet.

I were robbed of 22BTC by most likely a brainwallet cracker is there any chance I could get my BTC back for more info check my thread https://bitcointalk.org/index.php?topic=1146935.0

What is the BrainWallet string used to create that address?  I'll check if it's in his list of notable hacks.

I do not remember the string but maybe you can check for an address it is 1JqL1fp2nfuoSKirnRLjqUbQpf7Pou7mXR.

[tautvilis]

How would it be possible? Only shot would be to see where your coins were sent to and followup with a plea for sympathy... But considering that it cost the hacker money/resources to carry out the attack, it's really, really doubtful you're getting your coins back... after all, that was the goal.

And you don't remember the string to your own brainwallet? Uhhh, how did you plan on recovering the coins before they were stolen?

Check my thread you'll find all the answers.I have the private key for the address.

[ryanc]

I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.

[tautvilis]

I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.

So you mean you not only don't have my BTC you don't have anyone's BTC?So who is that whitehat who has 800BTC.I already messaged robinhood but he didn't seem to post for months.And I don't need to get my passphrase back I have a private key of that wallet.

[foxkyu]

I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.

i'm glad we have a white hacker like you. you inform us about bug on brain wallet and didn't steal anyone bitcoin.
mostly people will take their bitcoin if they found the bug, but you are not. thanks to you.

[medUSA]

https://rya.nc/cracking_cryptocurrency_brainwallets.pdf

I originally thought there was a backdoor to the key generation algorithm. After reading the PDF, I believe it's boarder list generation and more efficient way of checking balance. At the end, boils down to weak phrases: Brainwallet users believe they can created a phrase that no one could ever think of. 

I don't use brainwallets because I do not trust myself with remembering the phrase. If I need to write it down, it defeats the purpose of using brainwallets.

[favdesu]

I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

[Muhammed Zakir]

I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet.

[ryanc]

So who is that whitehat who has 800BTC.

btcspry said that based on a misunderstanding of some sort. What I said was that I ran a "peak balance analysis" on all the brainwallets I cracked, and the total was about 733 BTC. This does not reflect the balances they had when I found them - it's the most they ever held. I do not know how much of this was moved out by the legitimate owners and how much was stolen.

[ryanc]

If you memorize Electrum seed, it will be a brainwallet.

There's a couple of things people use the term "brainwallet" to mean.

1. The weak cryptocurrency private key generation scheme of SHA256(passphrase)

2. Brainwallet.org, a site implementing the SHA256(passphrase) algorithm as well as some miscellaneous tools

3. Any scheme turning a user chosen passphrase into a cryptocurrency private key

4. Any scheme where a user memorizes a generated passphrase representing a cryptocurrency private key

Brainflayer specifically targets number one in that list.

[btcspry]

I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet.

Different type of brainwallet.  You seem like the kind of person who shows up at a crane convention, and while everyone else has a little bird, you show up with this giant crane for lifting things.

The brainwallet in this case refers to those generated by Brainwallet.org (which uses SHA256(passphrase) to generate the private key).

[jdebunt]

On paper, the idea of Brainwallet sounded great. But the biggest problem is the human element in the equation

If you remove the human part, you're stuck with a third party.

There is no proper implementation to do this in a trustless environment.

[favdesu]

I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet.

Yeah, but as far as I know it can't be cracked as easy as brainwallet.org keys. That's what I was questioning

[btcspry]

On paper, the idea of Brainwallet sounded great. But the biggest problem is the human element in the equation

If you remove the human part, you're stuck with a third party.

There is no proper implementation to do this in a trustless environment.

The problem is that BrainWallets don't implement a random number generator in any way.  That's the thing that pretty much every other wallet implementation has in common - they don't trust the user to supply the piece that everything is generated from.

[tautvilis]

So no news for my Bitcoins?

[btcspry]

So no news for my Bitcoins?

No, not really.  Someone else stole them.  It is very unlikely that it was BrainWallet's operators who stole them, so it simply can be concluded that you just used a weak passphrase to generate the wallet.

[fran2k]

I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.

ryanc, I would like to see more documentation about brainflayer as there is almost none.

In regards a commentary you made in your presentation on how to advert people that they have a weak address. You said that it could be thought sending a small amount to a vanity address but you could send it to a burn address like '1DontUseThisWeakBrainWa11etAf1F98T'. Here you have a python scrypt for generating them, also check the bitcoin address validation wiki entry.