Bitcoin Wallet Recovery Services - for forgotten wallet password

[walletrecoveryservices]

Yes, absolutely. And I haven't taken offense at the aspersions cast on my service (or my character ).

As you said earlier: Trust takes time.

I myself would be skeptical of similar services. It is, in fact, really fortunate (was it planned?) that the structure of the encrypted bitcoin wallet is such that it allows for the 'remote' brute force decryption of the password by a third party without needing to trust that third party with all the bitcoin addresses in the wallet.

How did you become aware of this possibility? I wouldn't even have thought of that.

The fact (of the reduced trust required for a third party for password recovery) was raised in this forum previously. I can't claim credit for the original idea, although I have developed it.

[1714835283]

1714835283

[1714835283]

1714835283

[1714835283]

1714835283

[1714835283]

1714835283

[1714835283]

1714835283

[Liquid]

Hello i need your very services

I will provide positive feedback if you are successful on breaking my wallet

[molecular]

Scammer Fails So Hard

Ok, let's harden the assumption he can't scam us.

I made a fresh wallet and encrypted it with password "s3cr3t"



I prepared the wallet dump I would send to the service for recovery following the instructions:

Code:

{
    "bestblock": "0000000000000027d106ec4bc7ac89c72c9fa91590f53027c7d4c3ec5ab084fe", 
    "defaultkey": "19xTYJg3i1YuoHtYqtNhXcer65K9wZ1n4b", 
    "keys": [
        {
            "addr": "1ErroNQ8CAM85Ryw9Dn1Ye9GLX3qoLHZrd", 
            "ckey": "73f64a4c34cc90b3a60feecae953b94b34c1358fcfe8b82ebd0256acd993ca84e763d0137ad18ce2213072c91e02260a", 
            "pubkey": "03c49569aaffb9208507b96b150432cd95bbacfade16867430803d0c47f9219353", 
            "reserve": 1
        }, 
        {
            "addr": "17J3e6ibabHLr1RxZDXcbs6dFaY9v8aDZe", 
            "ckey": "3fea2dedcdbd7b7e74e51012b00b968ea43a42ae4d5e404048f50a34fc731ee50e6d3eeef981ca3250c2cab299a84b87", 
            "pubkey": "03ca391703beda1af19a5a6190aa2041d4f185e6596e1b97ae58d453177a250f67", 
            "reserve": 1
        }
    ], 
    "minversion": 60000, 
    "mkey": {
        "crypted_key": "6057c6954b2d264f4cb7ef43155bce87663b903b1525d1f760d1974ef997f908ebe8c57e982784367ddd226598629390", 
        "nDerivationMethod": 0, 
        "nDeriveIterations": 191354, 
        "nID": 1, 
        "salt": "a20c57149389df16", 
        "vchOtherDerivationParameters": ""
    }, 
    "settings": {
        "addrIncoming": "0.0.0.0:0"
    }, 
    "version": 80202
}

I dare walletrecoveryservices to transfer some money to that address: 19xTYJg3i1YuoHtYqtNhXcer65K9wZ1n4b, which is part of the wallet (but not the dump, obviously). I realise he has to trust me with the money, so I could understand if he doesn't do it.

If his method was flawed, anyone could take that money.

If noone takes the money after a week, I will send it back to walletrecoveryservices and we can be pretty sure his method doesn't enable him him to steal customer money.

[walletrecoveryservices]

Scammer Fails So Hard

Ok, let's harden the assumption he can't scam us.

I accept your challenge, Molecular.!!!
I have transferred 1.00 BTC to that address, 19xTYJg3i1YuoHtYqtNhXcer65K9wZ1n4b
You have published the details of that wallet above, so everyone reading this now knows the same details as the walletrecoveryservices.com website is asking for when it tries to decode a wallet.
There is 1.00 BTC in that wallet.
I can't steal it, and I do not believe that anyone else can either. Prove me wrong, skeptics!
If you think that the concept behind the wallet password recovery service is flawed, here is your chance to prove it, and earn some cash.

Here is the record of the 1.00BTC transaction: https://blockchain.info/address/19xTYJg3i1YuoHtYqtNhXcer65K9wZ1n4b

I'm trusting Molecular to return my 1 BTC at the end of this exercise... sometimes you have to show some trust to earn some trust...

[molecular]

Scammer Fails So Hard

Ok, let's harden the assumption he can't scam us.

I accept your challenge, Molecular.!!!
I have transferred 1.00 BTC to that address, 19xTYJg3i1YuoHtYqtNhXcer65K9wZ1n4b
You have published the details of that wallet above, so everyone reading this now knows the same details as the walletrecoveryservices.com website is asking for when it tries to decode a wallet.
There is 1.00 BTC in that wallet.
I can't steal it, and I do not believe that anyone else can either. Prove me wrong, skeptics!
If you think that the concept behind the wallet password recovery service is flawed, here is your chance to prove it, and earn some cash.

Here is the record of the 1.00BTC transaction: https://blockchain.info/address/19xTYJg3i1YuoHtYqtNhXcer65K9wZ1n4b

I'm trusting Molecular to return my 1 BTC at the end of this exercise... sometimes you have to show some trust to earn some trust...

Cool.

Money has arrived:

[J35st3r]

Of course walletrecoveryservices could be a sock of molecular 

But what am I saying, given molecular's level of trust that would be a good thing, nay?

Time to brush up on my hacking skills, only a week to get that coin. But only a 1 in a gazillion chances of success!
...  cos otherwise bitcoin is toast 

[WiW]

Just a few months ago when I thought I forgot the password to 300 mili, I thought of a service exactly like this along with pricing models. In fact, I thought that this kind of service would demand trust and reputation. Kind of like John of these forums does for escrow.

Awesome to see an actual service for this stuff available.

[molecular]

Of course walletrecoveryservices could be a sock of molecular  

That's true.

It's pretty easy to become confident the info doesn't allow stealing of the money when one takes a look and thinks for a bit. Even just looking at my post above and thinking about how one would go about stealing the money should suffice.

It might be more effective to show people 1 BTC that doesn't move instead of asking them to go through some process and think.

[molecular]

Just a few months ago when I thought I forgot the password to 300 mili, I thought of a service exactly like this along with pricing models. In fact, I thought that this kind of service would demand trust and reputation. Kind of like John of these forums does for escrow.

Awesome to see an actual service for this stuff available.

Actually it doesn't demand trust at all.

[WiW]

Actually it doesn't demand trust at all.

Either you pay per work or you pay per job.

• If you pay per work you need a mechanism to gauge how much work was done even if there are no resulting passwords brute-forced. I could only think of an auditable system building trust.
• If you pay per job, he needs to trust you that the password is not impossible to brute-force or else you can get him to waste computing power for nothing.

[molecular]

Actually it doesn't demand trust at all.

Either you pay per work or you pay per job.

• If you pay per work you need a mechanism to gauge how much work was done even if there are no resulting passwords brute-forced. I could only think of an auditable system building trust.
• If you pay per job, he needs to trust you that the password is not impossible to brute-force or else you can get him to waste computing power for nothing.

ok, true. I was still narrowly focussing on the "money stealing" aspect.

the service is bro-bono anyway, right? I guess someone regaining access to his funds will be grateful enough to donate generously.

[walletrecoveryservices]

the service is bro-bono anyway, right? I guess someone regaining access to his funds will be grateful enough to donate generously.

Hi
Yes, I have been thinking about the best charging model:
If I make the service purely success-based, then I am at the mercy of people who send in false information and cause me to waste CPU cycles (money) for no reason.
If I make the service purely pay-as-you-go, (based on CPU time used), then I cannot charge 'high-end' customers more money than the average.
It may be that some combination of both charging models will be required in the long term - for instance a basic cost-recovery pay-as-you-go model, plus a % recovery fee, or similar.

However for now, yes, it is a pro-bono service.
I'm currently working on several wallet decryptions.
Cheers
Dave

[ibminer]

I don't understand why people establish multiple identities/accounts here. Who is the true owner of the account?  Why hide it?    

If I had such a great idea, I'd want to be recognized for it, rather than starting a blank account and trying to sell something... it seems easier to sell things here when you have some type of history, unless the person already has a tarnished record and wants to start over or just get some quick coins out of a scam?

In the end, I will just consider this a scam until I need to recover my password...    

[Abdussamad]

Another thing is that they should create an opensource script that grabs the portions from the wallet that they need for a safe decryption. Because the script will be opensource people will have confidence that it is doing exactly what it is supposed to do and not anything else.

[QuestionAuthority]

You say it yourself:

If you have no idea at all of your passphrase, and it was more than a handful of characters long, then we cannot help you. No-one in the world, including the NSA, CIA, D-Wave or anyone else can crack the encryption used in the bitcoin wallet if the passphrase is more than 15 fairly random characters. The bitcoin wallet encryption is strong by design. There are no known flaws in the implementation, and many people have tried to break it!

You cannot crack a good passphrase. Stupid people should be punished. If they lose one time they will be more careful or lose money again. It's a learning experience. I almost don't want you to provide this service because it will rob users of the valuable experience. People can now be lazy and make a simple password. If they forget it they can just come to you and all is well.

Also, have you thought about the possibility that a thief might use your service to crack a stolen wallet. Bots are easy to set up and can even be spread simply. If I were a bot operator and found that a few zombies had wallets I might be tempted to just have you crack all the wallets that I can find instead of setting up my own system to do it.

[walletrecoveryservices]

Another thing is that they should create an opensource script that grabs the portions from the wallet that they need for a safe decryption. Because the script will be opensource people will have confidence that it is doing exactly what it is supposed to do and not anything else.

Er... Have you looked at the instruction at walletrecoveryservices.com ?
The script to grab the required portion of the wallet is specifically open-source!

[walletrecoveryservices]

You say it yourself:

If you have no idea at all of your passphrase, and it was more than a handful of characters long, then we cannot help you. No-one in the world, including the NSA, CIA, D-Wave or anyone else can crack the encryption used in the bitcoin wallet if the passphrase is more than 15 fairly random characters. The bitcoin wallet encryption is strong by design. There are no known flaws in the implementation, and many people have tried to break it!

You cannot crack a good passphrase. Stupid people should be punished. If they lose one time they will be more careful or lose money again. It's a learning experience. I almost don't want you to provide this service because it will rob users of the valuable experience. People can now be lazy and make a simple password. If they forget it they can just come to you and all is well.

Also, have you thought about the possibility that a thief might use your service to crack a stolen wallet. Bots are easy to set up and can even be spread simply. If I were a bot operator and found that a few zombies had wallets I might be tempted to just have you crack all the wallets that I can find instead of setting up my own system to do it.

Yes, I've thought about the bad guys using this service to crack other people's stolen wallets. I hate the idea of the site being used for evil. However, as you rightly quote from the walletrecoveryservices.com website, that would be a completely futile exercise unless the bad guy knows 'most' of the wallet password. Probably if they done a key-logging, then they know all the password already. If I move to using a pay-as-you-go model for the cracking service, I'm happy for them to try. But only the most stupid, basic passwords have any chance of being cracked when the user has no idea of the forgotten passphrase and I don't think many people are silly enough to have a super weak password. (oh, well, maybe some are...)
If I was to detect some user submitting many wallets for decryption, then I would stop them using the wallet recovery services.
Cheers,
Dave

[QuestionAuthority]

You say it yourself:

If you have no idea at all of your passphrase, and it was more than a handful of characters long, then we cannot help you. No-one in the world, including the NSA, CIA, D-Wave or anyone else can crack the encryption used in the bitcoin wallet if the passphrase is more than 15 fairly random characters. The bitcoin wallet encryption is strong by design. There are no known flaws in the implementation, and many people have tried to break it!

You cannot crack a good passphrase. Stupid people should be punished. If they lose one time they will be more careful or lose money again. It's a learning experience. I almost don't want you to provide this service because it will rob users of the valuable experience. People can now be lazy and make a simple password. If they forget it they can just come to you and all is well.

Also, have you thought about the possibility that a thief might use your service to crack a stolen wallet. Bots are easy to set up and can even be spread simply. If I were a bot operator and found that a few zombies had wallets I might be tempted to just have you crack all the wallets that I can find instead of setting up my own system to do it.

Yes, I've thought about the bad guys using this service to crack other people's stolen wallets. I hate the idea of the site being used for evil. However, as you rightly quote from the walletrecoveryservices.com website, that would be a completely futile exercise unless the bad guy knows 'most' of the wallet password. Probably if they done a key-logging, then they know all the password already. If I move to using a pay-as-you-go model for the cracking service, I'm happy for them to try. But only the most stupid, basic passwords have any chance of being cracked when the user has no idea of the forgotten passphrase and I don't think many people are silly enough to have a super weak password. (oh, well, maybe some are...)
If I was to detect some user submitting many wallets for decryption, then I would stop them using the wallet recovery services.
Cheers,
Dave

I'm glad to see you say that and don't discount the stupidity of the average person. 

[Abdussamad]

Another thing is that they should create an opensource script that grabs the portions from the wallet that they need for a safe decryption. Because the script will be opensource people will have confidence that it is doing exactly what it is supposed to do and not anything else.

Er... Have you looked at the instruction at walletrecoveryservices.com ?
The script to grab the required portion of the wallet is specifically open-source!

pywallet is opensource but there is no script to grab the exact portions YOU need. Instead you are asking people to do it manually. I recommend creating an opensource script that grabs the parts you need so that non-techies don't have to muck about with pywallet.

Yes these non-techies will need assurances from techies that the script does what it says on the tin and nothing more. So maybe you can do this in the future when you have enough of a following that somebody reputable will take the time to look at the code and say it is safe.

[molecular]

However for now, yes, it is a pro-bono service.
I'm currently working on several wallet decryptions.

Cool. Do they look like they have a chance of success, i.e. did the users provide helpful enough info?