Bitcoin Forum
November 03, 2024, 11:09:58 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: 💰💰💰 Is it possible to steal Ether from a wallet? 💰💰💰 Yes!  (Read 188 times)
Prometheu$ (OP)
Full Member
***
Offline Offline

Activity: 550
Merit: 170


View Profile
June 11, 2021, 10:41:28 AM
Merited by johhnyUA (1)
 #1

Good afternoon, dear members of the forum and colleagues. It just so happened that I, with a cognitive purpose, using some repositories in GITHUB as well as some BASIC knowledge in python, using copy-paste from different sources, created a common script.

It works as follows: It generates a private key, using this information, it generates a wallet address, and with the help of a certain service checks whether the wallet has a balance, if there is, an html file is created, with a private key, wallet address and balance!

The project was conceived with the aim of finding out if it is possible with this method to lose your crypto savings.?!

THE USE OF THIS CODE IS PERMITTED ONLY FOR EDUCATIONAL PURPOSES! STEALING ANOTHER CRYPTOACTIVES IS A CRIME! DO NOT FORGET ABOUT IT!

Source code of the script. There are several bugs in the code. So that people cannot use its functionality to harm themselves.



Code:
import secrets
import sha3
import eth_keys
from eth_keys import keys
import requests # To install from pip
import re
import colorama
from colorama importFore,Back,Style

import ctypes
colorama.init()
kernel32 = ctypes.windll.kernel32
kernel32.SetConsoleMode(kernel32.GetStdHandle(-11),7)

x =0

while x<10:
    private_key = str(hex(secrets.randbits(256))[2:])
    private_key_bytes = bytes.fromhex(private_key)
    public_key_hex = keys.PrivateKey(private_key_bytes).public_key
    public_key_bytes = bytes.fromhex(str(public_key_hex)[2:])
    keccak256_of_public_key_bytes = sha3.keccak_256(public_key_bytes).hexdigest()
    public_address = keys.PublicKey(public_key_bytes).to_address()
    checksum = keys.Public.Key(public_key_bytes).to_checksum_address()

    print(Fore.WHITE +'\n Private_key:',private_key,
          Fore.BLUE +'\n Ethereum address:',public_address)
  
    x = x+1
    url ='https://www.blockchain.com/ru/eth/address/'+ str(public_address)
    print(Fore.YELLOW ,url)
    requests.post(url, headers={'UA':'Chrome'}, data={"foo":'bar'})
    res = requests.get(url)
  
    a = str(res.text)
    match = re.findall(r'Oкoнчaтeльный бaлaнc</span></div></div><div class="sc-8sty72-0 bFeqhe"><span class="sc-1ryi78w-0 cILyoi sc-16b9dsl-1 ZwupP u3ufsr-0 eQTRKC" opacity="1">0.00000000 ETH</span>', a)
    zz= len('Oкoнчaтeльный бaлaнc</span></div></div><div class="sc-8sty72-0 bFeqhe"><span class="sc-1ryi78w-0 cILyoi sc-16b9dsl-1 ZwupP u3ufsr-0 eQTRKC" opacity="1">')
    aaaa = str(match)
    bbbb = slice(154,168)
    xxxx = aaaa[bbbb]
    print(Fore.RED, xxxx)
  
    if len(match)==0:
        f1 = open("text1.html",'a')
        f1.write('\n <br>'+ str(private_key))
        f1.write('\n <br>'+ str(public_address)+'<br> <p style="color:red">0.00000000</p> <br>')
        f1.write('\n <br><p style="color:green">+++</p><br>')
        f1.close()
TheArchaeologist
Sr. Member
****
Offline Offline

Activity: 310
Merit: 727


---------> 1231006505


View Profile WWW
June 11, 2021, 11:04:14 AM
 #2

And now you only have to wait a gazillion years for a hit. BTW: in that time blockchain.com surely will have blocked your ip for flooding!

Sooner or later you're going to realize, just as I did, that there's a difference between knowing the path and walking the path
Prometheu$ (OP)
Full Member
***
Offline Offline

Activity: 550
Merit: 170


View Profile
June 11, 2021, 11:07:57 AM
Last edit: June 11, 2021, 03:52:09 PM by mprep
 #3

And now you only have to wait a gazillion years for a hit. BTW: in that time blockchain.com surely will have blocked your ip for flooding!
If you have a computer farm, you don't have to wait millions of years, my friend.



I am only carrying a warning that it is possible to hack the wallet and steal funds. And I do this in order to preserve your savings. Believe me, I'm not the only person on the planet who did this and tested it. But perhaps I am the only one who told you this and showed it.

So you shouldn't blame me for trying to keep you safe.

[moderator's note: consecutive posts merged]
mocacinno
Legendary
*
Offline Offline

Activity: 3556
Merit: 5187


https://merel.mobi => buy facemasks with BTC/LTC


View Profile WWW
June 11, 2021, 11:21:45 AM
Last edit: June 11, 2021, 11:41:38 AM by mocacinno
 #4

--snip--
If you have a computer farm, you don't have to wait millions of years, my friend.

Ok, i'll bite... How many keys/second are you generating...
The thing you're doing is called bruteforcing, many, many, many have written tools for this and wasted a lot of time with no hits...


Ethereum is estimated to have 100M funded addresses (https://newsletter.thedefiant.io/p/ethereum-addresses-cross-100m-thats)

So you'll have to plug in your speed into following formula
(2^160 / 100.000.000) / speed (in checks/second) = average number of seconds to find a funded address

IF your tool would ever reach vanitygen's speed (which i doubt, since it's a GPU tool written in C++, not using any external api's), it would boil down to this:
((2^160 / 100.000.000)/20.000.000)/(60*60*24*365) = 23.171.956.451.847.141.650.870.193 years on average to find 1 private key (no matter which one).

EDITED: I actually just realised that in the example i removed from this post, i was scanning the keyspace, and not the address space, which is only 2^160.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Prometheu$ (OP)
Full Member
***
Offline Offline

Activity: 550
Merit: 170


View Profile
June 11, 2021, 06:29:30 PM
 #5

--snip--
If you have a computer farm, you don't have to wait millions of years, my friend.

Ok, i'll bite... How many keys/second are you generating...
The thing you're doing is called bruteforcing, many, many, many have written tools for this and wasted a lot of time with no hits...


Ethereum is estimated to have 100M funded addresses (https://newsletter.thedefiant.io/p/ethereum-addresses-cross-100m-thats)

So you'll have to plug in your speed into following formula
(2^160 / 100.000.000) / speed (in checks/second) = average number of seconds to find a funded address

IF your tool would ever reach vanitygen's speed (which i doubt, since it's a GPU tool written in C++, not using any external api's), it would boil down to this:
((2^160 / 100.000.000)/20.000.000)/(60*60*24*365) = 23.171.956.451.847.141.650.870.193 years on average to find 1 private key (no matter which one).

EDITED: I actually just realised that in the example i removed from this post, i was scanning the keyspace, and not the address space, which is only 2^160.

No problem, friend, no problem, I just showed the way. Many people smarter than me can improve this script or use more powerful scripts to steal funds. I just gave an example. and I don't want to prove anything to anyone.
Similificator
Sr. Member
****
Offline Offline

Activity: 882
Merit: 403


View Profile
June 11, 2021, 08:02:46 PM
 #6

This is really scary. If some guy manages to really improve this then a lot of people can be f*cked. I kinda wish somehow that I never saw this post. I am wondering though, is it possible to utilize such a tool to target a specific address or wallet? If so, it would be really scary for those who hold big bags on their wallet(s).


Maybe this issue can be fixed by the developers? I think developers would've already found out about this even before you posted it and may probably be trying to come up with ways to tighten their security? Whichever the case, it's still very scary. Specially for me who have been a victim of phishing sites back then(2017).
MishaSER
Full Member
***
Offline Offline

Activity: 1050
Merit: 103


BIB Exchange


View Profile
June 11, 2021, 09:21:34 PM
 #7

I'm sure many programmers are trying to improve, but I'm interested in whether you can run the generation of symbols in parallel to complement each other and search for different ranges. Let's say 1000 computers at the same time. This thought scares me))

███     WHITEPAPER  |    TELEGRAM    ███      BiB Exchange      ███     TWITTER     |   INSTAGRAM     ███
S e t   O f f   t h e   W e b 3   G e n e r a t i o n   N o w
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄     ►► Powered by BOUNTY DETECTIVE     ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
DireWolfM14
Copper Member
Legendary
*
Offline Offline

Activity: 2338
Merit: 4541


Join the world-leading crypto sportsbook NOW!


View Profile WWW
June 11, 2021, 10:14:15 PM
Merited by mocacinno (1)
 #8

This is really scary.

No it isn't.  As was demonstrated buy mocacinno even the fastest computers would take 23 septillion years to find just one funded address.   A bank of hundreds of the fastest GPU servers hashing thousands of possible addresses per second might reduce the time needed to just a few septillion years...  Just to find ONE potentially funded address.  To put things into perspective; 9 septillion years is about a trillion times the lifespan of our sun and solar system. 

So, yeah I think my funds are safe.

  ▄▄███████▄███████▄▄▄
 █████████████
▀▀▀▀▀▀████▄▄
███████████████
       ▀▀███▄
███████████████
          ▀███
 █████████████
             ███
███████████▀▀               ███
███                         ███
███                         ███
 ███                       ███
  ███▄                   ▄███
   ▀███▄▄             ▄▄███▀
     ▀▀████▄▄▄▄▄▄▄▄▄████▀▀
         ▀▀▀███████▀▀▀
░░░████▄▄▄▄
░▄▄░
▄▄███████▄▀█████▄▄
██▄████▌▐█▌█████▄██
████▀▄▄▄▌███░▄▄▄▀████
██████▄▄▄█▄▄▄██████
█░███████░▐█▌░███████░█
▀▀██▀░██░▐█▌░██░▀██▀▀
▄▄▄░█▀░█░██░▐█▌░██░█░▀█░▄▄▄
██▀░░░░▀██░▐█▌░██▀░░░░▀██
▀██
█████▄███▀▀██▀▀███▄███████▀
▀███████████████████████▀
▀▀▀▀███████████▀▀▀▀
█████████████LEADING CRYPTO SPORTSBOOK & CASINO█████████████
MULTI
CURRENCY
1500+
CASINO GAMES
CRYPTO EXCLUSIVE
CLUBHOUSE
FAST & SECURE
PAYMENTS
.
..PLAY NOW!..
TheArchaeologist
Sr. Member
****
Offline Offline

Activity: 310
Merit: 727


---------> 1231006505


View Profile WWW
June 12, 2021, 08:54:28 AM
 #9

If you have a computer farm, you don't have to wait millions of years, my friend.
You are right, you have to wait a lot lot longer.

But I guess you don't believe in simple math?

Sooner or later you're going to realize, just as I did, that there's a difference between knowing the path and walking the path
mocacinno
Legendary
*
Offline Offline

Activity: 3556
Merit: 5187


https://merel.mobi => buy facemasks with BTC/LTC


View Profile WWW
June 12, 2021, 09:30:08 AM
Merited by Similificator (2), TheArchaeologist (2)
 #10

I guess the problem isn't that people don't believe in math, the problem is that human minds are not capable of grasping numbers like 2^160 or 2^256.
They just see an number, so they deduct there IS a chance... They write a tool, and they see that technically, it would be capable of finding a private key whose public key hash was already funded. What they do not grasp is that if every human on earth would be running a 1.000.000 GPU farm for 100 years, the odds somebody somewhere finds a funded address is still smaller than 1 in 20 million.

They don't grasp they have a better chance of winning the big price in the euromillion lottery several times in their lifetime than they'd have at finding the private key to a funded address.
So, instead of trying to steal from somebody, you're (much) better off buying lottery tickets... It's legal, the odds of "winning" are MUCH higher, and the payout is much better (multiple millions vs a couple thousand dollars).

Now, there are tools that work... These tools attack flawed implementations...
For example, i know some wallets had flawed RNG's in the past, or there are people that have written tools to crack brain wallets... Just because a human mind is a terrible source of entropy (i don't know who said this, but it's not my quote), they are able to do this. But this tool just tries completely random keys, not flawed implementations, so the odds of actually finding a private key whose public key hash was funded are sooooooooooo close to 0, that in reality you could say the odds are 0.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Similificator
Sr. Member
****
Offline Offline

Activity: 882
Merit: 403


View Profile
June 12, 2021, 05:01:13 PM
Last edit: June 13, 2021, 05:32:52 AM by Similificator
 #11

I guess the problem isn't that people don't believe in math, the problem is that human minds are not capable of grasping numbers like 2^160 or 2^256.
They just see an number, so they deduct there IS a chance... They write a tool, and they see that technically, it would be capable of finding a private key whose public key hash was already funded. What they do not grasp is that if every human on earth would be running a 1.000.000 GPU farm for 100 years, the odds somebody somewhere finds a funded address is still smaller than 1 in 20 million.

They don't grasp they have a better chance of winning the big price in the euromillion lottery several times in their lifetime than they'd have at finding the private key to a funded address.
So, instead of trying to steal from somebody, you're (much) better off buying lottery tickets... It's legal, the odds of "winning" are MUCH higher, and the payout is much better (multiple millions vs a couple thousand dollars).

Now, there are tools that work... These tools attack flawed implementations...
For example, i know some wallets had flawed RNG's in the past, or there are people that have written tools to crack brain wallets... Just because a human mind is a terrible source of entropy (i don't know who said this, but it's not my quote), they are able to do this. But this tool just tries completely random keys, not flawed implementations, so the odds of actually finding a private key whose public key hash was funded are sooooooooooo close to 0, that in reality you could say the odds are 0.


Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.
mocacinno
Legendary
*
Offline Offline

Activity: 3556
Merit: 5187


https://merel.mobi => buy facemasks with BTC/LTC


View Profile WWW
June 13, 2021, 10:17:27 AM
Merited by Similificator (2), tvplus006 (1)
 #12

--snip--


Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.

No problem... I know all those numbers seems daunting when you look at them, and as a non-technical problem it's pretty easy to fall into a FUD-trap like this.

What you have to take away from all this is: offcourse somebody can write a tool to try to bruteforce their way into your wallet... After all, they're pretty much using exactly the same code that's used to create a wallet to begin with (they're just looping over this code again and again, and added a function to check unspent outputs funding the created address). This doesn't mean anything at all. There is no way somebody can reverse engineer your address (or your public key) to find your private key (at least, not at this point in time).  
The only thing he/she can do is try all private key(s), derive the public key from this private key, hash the public key (this hash is the address), the lookup this address into a database to see if unspent outputs are funding said address. In order to attack one specific address and have a 100% chance of robbing you, he needs to try out 2^256 private keys... That seems like it's something easy to do, but believe me, it isn't.

2^256 = 11579208923731619542357098500869000000000000000000000000000000000000000000 (rounded down).
This is the number of loops he/she has to perform... Each loop has a big cost... It's not easy to derive a public key from a private key. It's not easy to hash this public key, it's not easy to lookup the address in a database. Like i said before, if you'd give EVERY human on the planet one million latest gen GPU's and let them try to find a funded address for 100 years (continuously), there would be a 1 in 20 million chance one person on earth would find one funded address in those 100 years...

You'd think that, if hardware becomes better, these numbers would go down significantly... but no... Sombody very smart (not me) has proven that you'd need to capture all energy ever delivered by our sun (during it's complete lifetime) to power a computer to simply count to 2^256. So, eventough the number "256" or "160" seems cute and feasible, it simply isn't Smiley

Now, don't just think your money is safe all the time... You yourself say you've been phished... Next to phishing, there are also people that use flawed wallets. You have people that are reckless with their seedphrase. There are people that use brainwallets. There are people that run infected PC's. There are people that save their wallets in the cloud. There are people that buy hardware wallets from unknown sources....
Plenty of ways to get robbed or scammed... Just not by somebody randomly guessing your private key... It's not that it's technically impossible, just that it's practically impossible...

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Similificator
Sr. Member
****
Offline Offline

Activity: 882
Merit: 403


View Profile
June 13, 2021, 06:51:58 PM
 #13

--snip--


Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.

No problem... I know all those numbers seems daunting when you look at them, and as a non-technical problem it's pretty easy to fall into a FUD-trap like this.

What you have to take away from all this is: offcourse somebody can write a tool to try to bruteforce their way into your wallet... After all, they're pretty much using exactly the same code that's used to create a wallet to begin with (they're just looping over this code again and again, and added a function to check unspent outputs funding the created address). This doesn't mean anything at all. There is no way somebody can reverse engineer your address (or your public key) to find your private key (at least, not at this point in time).  
The only thing he/she can do is try all private key(s), derive the public key from this private key, hash the public key (this hash is the address), the lookup this address into a database to see if unspent outputs are funding said address. In order to attack one specific address and have a 100% chance of robbing you, he needs to try out 2^256 private keys... That seems like it's something easy to do, but believe me, it isn't.

2^256 = 11579208923731619542357098500869000000000000000000000000000000000000000000 (rounded down).
This is the number of loops he/she has to perform... Each loop has a big cost... It's not easy to derive a public key from a private key. It's not easy to hash this public key, it's not easy to lookup the address in a database. Like i said before, if you'd give EVERY human on the planet one million latest gen GPU's and let them try to find a funded address for 100 years (continuously), there would be a 1 in 20 million chance one person on earth would find one funded address in those 100 years...

You'd think that, if hardware becomes better, these numbers would go down significantly... but no... Sombody very smart (not me) has proven that you'd need to capture all energy ever delivered by our sun (during it's complete lifetime) to power a computer to simply count to 2^256. So, eventough the number "256" or "160" seems cute and feasible, it simply isn't Smiley

Now, don't just think your money is safe all the time... You yourself say you've been phished... Next to phishing, there are also people that use flawed wallets. You have people that are reckless with their seedphrase. There are people that use brainwallets. There are people that run infected PC's. There are people that save their wallets in the cloud. There are people that buy hardware wallets from unknown sources....
Plenty of ways to get robbed or scammed... Just not by somebody randomly guessing your private key... It's not that it's technically impossible, just that it's practically impossible...


This is quite reassuring, thanks for this. Too bad though that scammers are pretty creative and have dozens of ways in scamming people or stealing their funds. These type of people are what I hate the most, while other people work hard to get what they have, these people just go and steal the fruits of other people's efforts. Good thing though I took special care of my wallets ever since I experienced getting phished by these scammers.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!