Collection of 18.509 found and used Brainwallets

[anthonytcm]

Hi,

As been discussed many times before using a Brainwallet is a bad idea. I ran some test myself and found 18.509 BTC-addresses based on a brainwallet which also has been used in the blockchain before.

I tried to compare my results with the results of other researchers but could not find any lists online at all. I found some examples but not a comprehensive list. So I published my own results over here: https://eli5.eu/brainwallet

Please note: all published addresses have a balance of 0 so this is not a list for robbers . There are also a lot of extra datasets I haven't used this far so I expect the numbers to go up once I use them as well (I'm in the middle of perfecting my own tooling and blockchain parser so this will take some more time first).

I love to get some feedback and if you have results to share which I missed in this round I'm more than happy to hear from you and include them.

TA

I went through it and though I don't understand the specifics of how you did it, I am amazed at your findings! Thanks for sharing this!

[1715404790]

1715404790

[1715404790]

1715404790

[1715404790]

1715404790

[1715404790]

1715404790

[o_e_l_e_o]

Alternate block explorer showing double spend attempts within the same couple of seconds:

https://bitaps.com/15jG7moSaWgQADbG45cbvc79sHjKBBnxBk

Nearly 1 BTC is not a small amount. Back then it was worth around $15k USD

Password is "letthegoodtimesroll"

This is crazy. Within 2 seconds of the Bitcoin being deposited to that address, 3 different people/bots tried to steal it, and 1 was successful. 1 of the failed attempts was to send it to this address:

https://bitaps.com/1GGctqw9UeUd2vUFRdz5fUvHQnmxAEiTAK

Every single one of the 104 transactions to this address is trying to empty another address within a second or two of a deposit being made. A lot of them are unsuccessful due to the funds being cleared by someone else first, but this address has still managed to steal 0.166 BTC. What's worse is you can look at pretty much any of those transactions and see two or three more addresses trying the exact same thing, all with their own extensive histories of clearing out other addresses within seconds a transaction being made.

If ever there was an argument against using a brain wallet, this is it. Your BTC will be stolen before you've even refreshed your browser and seen that your transaction has been confirmed.

[almightyruler]

What's worse is you can look at pretty much any of those transactions and see two or three more addresses trying the exact same thing, all with their own extensive histories of clearing out other addresses within seconds a transaction being made.

Hmm, that gives me an idea. It should be possible to do some basic (automated) analysis on brainwallet transactions, to find common theft destination addresses (such as https://www.blockchain.com/btc/address/1brain7kAZxPagLt2HRLxqyc3VgGSa1GR ) and then work back a level or two to find other potential compromised wallets. This may help flag wallets which were not instantly cleaned out - which is a red flag for sure - but where funds ultimately ended up at the same address as the more blatant thefts.

If ever there was an argument against using a brain wallet, this is it. Your BTC will be stolen before you've even refreshed your browser and seen that your transaction has been confirmed.

I'd say most of the people still using a brain wallet are simply not tech savvy, and see it as a low friction solution for storing their funds. No software is necessary, nor do you need to write down or print out any weird codes.

I've done Google searches for some of the plausible real brainwallets (ie not just dust intending to be found as a challenge) and often the only results are block explorer pages; no specific mention of a theft. Could it be that these non tech savvy users don't know who (or where) to ask about the theft, at least in a public forum, and so simply move on?

I suspect that in the past, and possibly even now, some services such as exchanges, block explorers, and online wallets offer a feature to withdraw directly to a brain wallet. What could be easier than storing your funds "in a password"?

Here's an article from 2013 which shows bots were active even back then: http://cointext.com/2013/11/04/brain-wallet-thefts-increasing/

[o_e_l_e_o]

I'd say most of the people still using a brain wallet are simply not tech savvy, and see it as a low friction solution for storing their funds. No software is necessary, nor do you need to write down or print out any weird codes.

Hell, even people who supposedly are "tech savvy" are using brain wallets. You see them advocated for all the time on these forums. McAfee's latest hardware wallet scam turned out to be a glorified brain wallet. It's no excuse though really - if you can figure out how to buy and transfer bitcoin, you know how to install an app on your phone and use a mobile wallet as a bare minimum. Sure it's not the best, but it's 1000x better than a brain wallet.

Brain wallets are for the brainless.

[TheArchaeologist]

Hmm, that gives me an idea. It should be possible to do some basic (automated) analysis on brainwallet transactions, to find common theft destination addresses (such as https://www.blockchain.com/btc/address/1brain7kAZxPagLt2HRLxqyc3VgGSa1GR ) and then work back a level or two to find other potential compromised wallets. This may help flag wallets which were not instantly cleaned out - which is a red flag for sure - but where funds ultimately ended up at the same address as the more blatant thefts.

I have/had the same idea. Let me know if you're going to work on this. Otherwise I will pick it up. I already have all btc transactions in a database so I guess I already have the right tool in place. Now all I need is (more) time

[almightyruler]

I'd say most of the people still using a brain wallet are simply not tech savvy, and see it as a low friction solution for storing their funds. No software is necessary, nor do you need to write down or print out any weird codes.

Hell, even people who supposedly are "tech savvy" are using brain wallets. You see them advocated for all the time on these forums. McAfee's latest hardware wallet scam turned out to be a glorified brain wallet. It's no excuse though really - if you can figure out how to buy and transfer bitcoin, you know how to install an app on your phone and use a mobile wallet as a bare minimum. Sure it's not the best, but it's 1000x better than a brain wallet.

Yeah, but the term "brain wallet" is fairly broad. We're really only discussing simple privkey = sha256("user chosen passphrase") type wallets in this thread; I've probably failed to make that important distinction when writing my own replies. Brain wallets which use a passphrase generated by a computer, representing a cryptographically strong random private key expressed in text form, are on a completely different level. Even a key-stretched user-entered passphrase with salt is significantly more secure. It's a pity that the same term continues to be used for these more secure methods, because it probably gives some credence to the original wildly insecure version.

Hmm, that gives me an idea. It should be possible to do some basic (automated) analysis on brainwallet transactions, to find common theft destination addresses (such as https://www.blockchain.com/btc/address/1brain7kAZxPagLt2HRLxqyc3VgGSa1GR ) and then work back a level or two to find other potential compromised wallets. This may help flag wallets which were not instantly cleaned out - which is a red flag for sure - but where funds ultimately ended up at the same address as the more blatant thefts.

I have/had the same idea. Let me know if you're going to work on this. Otherwise I will pick it up. I already have all btc transactions in a database so I guess I already have the right tool in place. Now all I need is (more) time

Yeah, I know what you mean about time. I've been spending a disproportionate amount of time on this, and also some cash (had to buy some extra HDs, and rent some server space). I'm probably at the point where I've grabbed most of the low hanging fruit by now, so to be honest, the buzz from finding a new (and good) passphrase and being able to trace the wallet's history is wearing off. Although it is interesting to come up with new data sources, and think about how to manipulate them into forms that may represent passphrases. Some of the user-entered data I've collected from websites I run, which have nothing to do with cryptocurrency or infosec, have resulted in SHA256 brainwallet hits.

I'm still trying to understand why someone would do this for money. Maybe in 2013 it may have worked, but these days the investment in effort (custom coding) and equipment (storage, virtual CPUs for cracking) seems to outweigh any potential benefit. Perhaps it's a criminal ego thing.

[o_e_l_e_o]

Oh for sure, but as I've mentioned before, the human brain is completely fragile. With no way to back up or recover data, and all it takes is a minor blow to make you forget you even have passphrase, let alone what it is.

Even if your brain wallet is more secure than a simple song lyric or something equally stupid, it's still a bad choice for storing your coins.

[almightyruler]

Oh for sure, but as I've mentioned before, the human brain is completely fragile. With no way to back up or recover data, and all it takes is a minor blow to make you forget you even have passphrase, let alone what it is.

Even if your brain wallet is more secure than a simple song lyric or something equally stupid, it's still a bad choice for storing your coins.

But, but... this website says I can withdraw to a password.  

(Some of the still-existing SHA256 brainwallet generator sites do not make it clear just how risky choosing to use/continue using that type of wallet is. I'd say they're partially to blame for the more recent thefts.)

---

This is an interesting slide I came across, showing a visual depiction of the 4 digit PIN space, when chosen by humans:



I can see a few obvious patterns:

1. 1234 is a popular PIN. 4321 is also up there.
2. 69 is a popular part of a PIN.
3. Repeated double digit sequences are common, eg 1717 or 6969 (the latter appears to be the most popular repeated sequence)
4. 19xx and 20xx are popular; perhaps the year of birth of the card owner, or their offspring.

I'm not sure if it would be possible to represent SHA256 brainwallets in a similar visual way, but it would be interesting if there were some way to map phrases to a two or three dimensional space.

[o_e_l_e_o]

-snip-

The darker "L" shaped region in the bottom left has an obvious cut off at 12, and also between 28-31, representing a significant portion of people use either DD/MM or MM/DD as a pin. I would wager the majority of these are probably their own date of birth.

Lots of number patterns are very obvious too - 2468, 2345, 5678, 9876, 2580/0852 (straight down/up the middle of the keypad).

In short - people are bad at security.

[almightyruler]

My system just found this wallet:

https://www.blockchain.com/btc/address/17EzdiY1PT1okKj9wnUx8a4eCXaddhgfgR

Another recent transaction, although not an immediate sweep, so hopefully not a theft. (The password is not listed in Google or haveibeenpwned.)

The funding transaction has lots of small outputs, and one large output, so I suspect this is the hot wallet of an exchange or similar payment service. Really scary that people are still making new SHA256 brain wallets. I wonder if this exchange offers that option?

[almightyruler]

This one seems to be just for fun:

"i killed the bank"

https://www.blockchain.com/btc/address/14GZ9Azv3bQqHv2pPDvyezAgHDJ7m1y9aJ

Funded with 1 Satoshi in 2012. (The transaction fee was 50000 Satoshis. )

This tiny balance was cleared out in 2015, along with the funds from at least one other brainwallet.

[almightyruler]

Doing some quick back of the envelope calculations. Consider this a thought experiment rather than anything too accurate.

My server with a 2010 era quad core CPU can check about 300,000 keys per second. It could probably be pushed further with some tweaking.

Let's say (conservatively) that a more modern quad core CPU can do 500,000 and use that as the reference. That means it can check 43.2 billion keys per day.

Brute forcing the "correct horse battery staple" space

One dictionary that includes a rank of how commonly a word appears on the web ranks the least common word "staple" at 16904.

So let's use that hint (some mild cheating) and set our limits to the 20000 most common words.

Total keys to check (20000 x 20000 x 20000 x 20000) =
160 000 000 000 000 000
And a server can check this many keys in a day:
         43 200 000 000

So in this instance, we would need approximately 10,000 servers running for a year to brute force every combination of those 20000 words. Not practical, but certainly not impossible.

But what if we use only the most common 1000?

Total keys to check (1000 x 1000 x 1000 x 1000) =
     1 000 000 000 000
And a server can check this many keys in a day:
        43 200 000 000

In this case, we only need about 23 server days (one server running for 23 days, or 23 servers running for one day) to cover the space.

And if we try the top 500:

Total keys to check (500 x 500 x 500 x 500) =
        62 500 000 000
And a server can check this many keys in a day:
        43 200 000 000

Now a single server can cover the whole space in about one and a half days. That's actually (much) less time than to brute force a simple 6 character password.

I'm not suggesting that everyone's four-word-wallet can be cracked wide open in a day, but it does mean that low hanging fruit - think simple, common words - will be quickly found.

Blockchain+SHA256 brainwallets: the world's biggest encrypted password file...

[almightyruler]

I'm doing a writeup on why SHA256 brainwallets are bad, and I'm working on a list of particularly bad passphrase choices:

- Using a single dictionary word. [Funds will be stolen instantly.]
- Using two to four dictionary words in sequence, such as the famous example "correct horse battery staple". [This does not imply that five or more words is necessarily secure.]
- Basing your passphrase on a pop culture reference, such as a quote from a movie, or a meme, or song lyrics.
- Repeating a dictionary word (or common string such as "123456789") multiple times to form a longer passphrase.
- Preprending or appending a few extra letters, numbers, or other characters, to the passphrase.
- Converting certain letters to form l33t speak (eg "hello" -> "h3ll0").
- Typing a sentence, or short sequence of random dictionary words, without spaces.
- Repeating a simple sequence of characters to form a longer passphrase.
- Any patterns related to keyboard layout, such as "qwerty" or "qazwsx".
- Part or all of a well known number, such as Pi, or the speed of light.

Any other suggestions?

[ebliever]

I wonder, is there any way to estimate the % of brainwallets (either by number of accounts created or amount of funds deposited) that have been compromised? This would take more than just blockchain research but I'm curious as to whether researchers have taken a stab at understanding just how bad use of brainwallets really has been. 1%, 10%, 90% lost?

[almightyruler]

I wonder, is there any way to estimate the % of brainwallets (either by number of accounts created or amount of funds deposited) that have been compromised? This would take more than just blockchain research but I'm curious as to whether researchers have taken a stab at understanding just how bad use of brainwallets really has been. 1%, 10%, 90% lost?

There's really no way to know how many SHA256 (or similar type) brainwallets exist, because the public information (the address, and possibly public key) looks just as random as something generated by a more traditional wallet client. It's not until you crack the passphrase that you know it's a SHA256 brainwallet.

As I've surmised previously in the thread, I suspect that a lot of thefts do not go reported, publicly anyway, because the typical person who uses a SHA256 brainwallet is probably not very technically minded, and may not think to find a forum such as BCT where they can ask for help. Pride may also play a part. I imagine there's a fair few exchange support tickets asking about a withdraw that "didn't work".

I think that showing how funds can be stolen within literally seconds is a pretty powerful indicator of the potential risk of using a SHA256 brainwallet ... but those same non technically minded people may never find that information.

[almightyruler]

I saw someone mentioned in an earlier thread that their SHA256 brainwallets were also swiped on testnet, so I just tried a test transaction, sending to 50 random dictionary words that also appear as SHA256 wallets in the main blockchain:

https://testnet.blockchain.info/tx/8956ca8164d08087627e42eb6895984ac4960e61af3a04983de5bd0edbd100e8

This block explorer shows spent outputs:

https://live.blockcypher.com/btc-testnet/tx/8956ca8164d08087627e42eb6895984ac4960e61af3a04983de5bd0edbd100e8/

As I write this, only a few minutes after sending, the only output which hasn't been spent appears to be the change (which is a random wallet generated key). All of the SHA256 derived keys were swept within seconds, just like the bots do on mainnet.

I was planning to write a very simple bot to demonstrate (on testnet) how quickly funds can be stolen, but it looks like I don't need to bother. Mine would have been a clunky hack that took five or ten minutes to sweep the funds back to the testnet faucet... but it seems there's already something more sophisticated listening in!

These are the words I sent to:

disparities
aggrandize
perfectionists
genuinely
creations
earthworms
intimidated
lengthened
conquered
decrementing
gianni
astronomer
inapproachable
sterilizations
interruption
insulation
nationalize
demographic
cocoana
retransmitted
ammunition
antagonize
vacationing
complexion
trickiness
housebroken
embarrassing
distraught
brownness
juxtaposing
trigonometry
pernicious
arrowhead
scratchers
tempestuously
pornographer
luxuriant
geometrical
inorganic
reinserting
refinement
approachable
screening
broadcasted
normalize
superposed
formulating
screenplay
cannibalizing
glorifies

[aplistir]

I saw someone mentioned in an earlier thread that their SHA256 brainwallets were also swiped on testnet, so I just tried a test transaction, sending to 50 random dictionary words that also appear as SHA256 wallets in the main blockchain:

As I write this, only a few minutes after sending, the only output which hasn't been spent appears to be the change (which is a random wallet generated key). All of the SHA256 derived keys were swept within seconds, just like the bots on mainnet.

I was planning to write a very simple bot to demonstrate (on testnet) how quickly funds can be stolen, but it looks like I don't need to bother. Mine would have been a clunky hack that took five or ten minutes to sweep the funds back to the testnet faucet... but it seems there's already something more sophisticated listening in!

LOL that is funny. Some criminal mastermind is trying to get rich by stealing testnet coins
I have to try it out with my testnet coins.

Has anyone searched brainwallet addresses with those same words, but doing the sha256 more than once? Would be interesting to know how many addresses have been made with 2*sha256, or 4*sha256

[almightyruler]

LOL that is funny. Some criminal mastermind is trying to get rich by stealing testnet coins
I have to try it out with my testnet coins.

I guess that's the best way to confirm your bot works. Wouldn't be surprised if some of the funds sent to those addresses (and maybe even their mainnet counterparts) originated from the wallets of the bot authors.

I had a quick look at a few of the destination addresses and did note that one transaction sends everything to an address which has been reused multiple times, whereas the others use newly created addresses. So just like mainnet, it's possible there's two or more bots competing in order to sweep the funds first.

Has anyone searched brainwallet addresses with those same words, but doing the sha256 more than once? Would be interesting to know how many addresses have been made with 2*sha256, or 4*sha256

I did some basic dictionary checks and only found a few results (on mainnet) :

hello (4 rounds)
sender (2 rounds)
receiver (2 rounds)
my property (2 rounds)
dupa (1000 rounds)

[almightyruler]

Doing some research on other networks, it turns out there are four SHA256 brainwallet passphrases (those that I know of) which are common to all 3 of the Bitcoin, Litecoin, and Dogecoin blockchains. The first two are no surprise:

1. <empty string>
2. correct horse battery staple

But the remaining two are odd:

3. 16fawJbgd3hgn1vbCb66o8Hx4rn8fWzFfG
4. 16fawJbgd3hgn1vbCb66o8Hx4rn8fWzFfG11

16fawJbgd3hgn1vbCb66o8Hx4rn8fWzFfG is a valid Bitcoin address that has been used, it appears in the "sending to sha256 of blockchain data" pastebin, and is tagged "xsimple" on blockchain: https://www.blockchain.com/btc/address/16fawJbgd3hgn1vbCb66o8Hx4rn8fWzFfG

As a SHA256 brainwallet passphrase on the Bitcoin blockchain it's not that odd - it's one of many - but why is that passphrase also being used for Dogecoin and Litecoin? And what does xsimple mean?

[odolvlobo]

If anything, this thread shows definitively that no brain wallet based on any kind of memorized passphrase is safe.