Electrum: BIP-39 SHOCK: Disordered Mnemonic Unlocks LIVE Bitcoin Wallet

[Maverick Zeng]

Subject: Electrum BIP-39 Anomaly: Disordered Mnemonic Unlocks Live Wallet – Near-Zero Probability!!
As a non-programmer with a foundational understanding of Bitcoin private keys, addresses, and mnemonics, I've unexpectedly encountered a highly peculiar and seemingly improbable, yet genuinely observed, probabilistic event. This is my first time posting in this forum, so please bear with any translation inaccuracies, as my English relies entirely on Google Gemini.
I recently stumbled upon a phishing attempt on Facebook involving a publicly displayed mnemonic seed. The image presented the mnemonic in a two-column, vertically ordered format, specifically numbered 1.7.2.8.3.9.4.10.5.11.6.12 for its 12 words. The intended phishing scam required users to rearrange these words into the standard 1-12 sequential order to import them into a wallet.
（  As this is my first time posting on this forum, I'm unfamiliar with how to embed images. Please excuse any formatting issues ）
However, [a highly peculiar problem] has arisen:
Through an accidental misreading of the image, I incorrectly interpreted the mnemonic's order as a standard sequential 1.2.3.4.5... (horizontal) layout, rather than its intended 1.7.2.8.3.9... vertical arrangement.
When attempting to import this incorrectly ordered mnemonic into various mainstream wallets like Trust Wallet, MetaMask, and SafePal, they all correctly displayed "Invalid Mnemonic."
But then, astonishingly, upon importing this very same "incorrectly ordered mnemonic" into Electrum Wallet under the BIP-39 format option, it succeeded! And what emerged was a completely new, active Bitcoin wallet with recent transaction history from just a few days ago!
This means that the original phishing mnemonic (intended to be arranged correctly) and the mnemonic that successfully imported into Electrum (which was the exact same set of words, but in an incorrectly assumed sequential order) are one and the same, merely differing in their word sequence.
This should be an impossible event, yet it has inexplicably occurred.
I hope someone can shed light on my confusion and curiosity. Many thanks!

[nc50lc]

When attempting to import this incorrectly ordered mnemonic into various mainstream wallets like Trust Wallet, MetaMask, and SafePal, they all correctly displayed "Invalid Mnemonic."
But then, astonishingly, upon importing this very same "incorrectly ordered mnemonic" into Electrum Wallet under the BIP-39 format option, it succeeded! And what emerged was a completely new, active Bitcoin wallet with recent transaction history from just a few days ago!
-snip-
I hope someone can shed light on my confusion and curiosity. Many thanks!

It's rather simple: Electrum doesn't prevent the user to create a wallet from an invalid BIP39 seed phrase.
It will only show a warning below the seed (e.g.: BIP39 checksum failed) but will let the user proceed to create the wallet.

Since it's possible to proceed and create a wallet and the words are posted in public, it's highly likely that someone or the owner funded it a few days ago.

And it's not the "correct" wallet, it's created with a different master private key which is derived from a different arrangement of those words.

[Maverick Zeng]

I'm still a bit unclear. I used a scrambled, incorrect mnemonic phrase from that Facebook phishing scam, and it successfully imported into Electrum wallet using the [BIP-39] format option. However, when I tried to import it into other mainstream wallets using their BIP-39 format, they all failed!
Furthermore, the wallet address that Electrum opened after successfully importing it with the BIP-39 format option was not a newly created Electrum wallet. Instead, it was an address that someone else had been using for several years, and it even had usage records from just the past few days.
This means I inadvertently opened someone else's actively used Bitcoin wallet with a completely random and scrambled mnemonic phrase, and I can now directly control that Bitcoin wallet...
This scrambled, incorrect mnemonic phrase consists of the exact same 12 words as the phishing scam's mnemonic on Facebook, just in a completely different order. Yet, it somehow opened a third party's Bitcoin wallet..."

[nc50lc]

I'm still a bit unclear. I used a scrambled, incorrect mnemonic phrase from that Facebook phishing scam, and it successfully imported into Electrum wallet using the [BIP-39] format option. However, when I tried to import it into other mainstream wallets using their BIP-39 format, they all failed!

Read the first sentence in my previous reply for his.
That combination is not a valid BIP39 seed so other clients wont recognize it as BIP39 seed,
Electrum as well, with that warning message, but it will still let you proceed to derive a wallet based from those words.

Through an accidental misreading of the image, I incorrectly interpreted the mnemonic's order as a standard sequential 1.2.3.4.5... (horizontal) layout, rather than its intended 1.7.2.8.3.9... vertical arrangement.

Furthermore, the wallet address that Electrum opened after successfully importing it with the BIP-39 format option was not a newly created Electrum wallet. Instead, it was an address that someone else had been using for several years, and it even had usage records from just the past few days.

Those words are posted in public, that isn't a coincidence and not random.
It's just someone else did the same thing as you did and used that wallet or the poster is already aware of it.

A collision in when you randomly select from BIP39's wordlist and you created an existing wallet.

[Maverick Zeng]

The current situation is that I have successfully imported and opened a third party's Bitcoin wallet address using that scrambled mnemonic phrase, and I now have full control over it.
It's as if both you and 'Jack' have exactly the same 12 words in your mnemonic phrases, but just in a different order.
The mnemonic order 123456789101112 opens your private key.
While the mnemonic order 789101112123456 opens Jack's private key. I originally intended to open your private key, but in a random, scrambled order, I accidentally opened Jack's private key and gained full control of his Bitcoin wallet address...
I have discussed all the intricate details with both Google Gemini and Grok, and they both found it to be incredible/unbelievable/impossible!!"

[nc50lc]

I have discussed all the intricate details with both Google Gemini and Grok, and they both found it to be incredible/unbelievable/impossible!!"

Because that will never likely happen unless there's a collision with the resulting binary seed from the jumbled and properly arranged mnemonic.

It's as if both you and 'Jack' have exactly the same 12 words in your mnemonic phrases, but just in a different order.
The mnemonic order 123456789101112 opens your private key.

Have you actually tested to create the wallet with the correct order of words and checked the addresses if they matched?
Or just assumed that it's the same wallet because it has transaction history?

Are you using a legit version of Electrum? With verified signatures from its developers.

[pooya87]

It is not impossible or strange. Just think of it as a puzzle and stop thinking of it as "accidentally finding a wallet with a transaction history". The crazy person who created this "puzzle" for whatever reason, also created that wallet using the same mnemonic with wrong checksum and deposited some coins into it. They probably used Electrum themselves too.

[Maverick Zeng]

Importing the mnemonic in the 'correct' order leads to the phishing scam wallet associated with Facebook.
Using the mnemonic in the order 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 results in that scam/phishing wallet.
However, using the mnemonic in the order 1, 7, 2, 8, 3, 9, 4, 10, 5, 11, 6, 12, I tested and found a third-party Bitcoin wallet with actual transaction records.
[This should be a near-zero probability coincidence, an unreplicable event. Testing with other mnemonics consistently produces new, empty addresses.]
In other words, it was an extremely, extremely low-probability, accidental discovery.
I was using the official Electrum wallet application from the Google Play Store."
   

[pooya87]

In other words, it was an extremely, extremely low-probability, accidental discovery.

The chances of collision is so low that it is impossible only if you created the seed phrase yourself using a strong random number generator. But this is not the case here. You say you have found these words on the internet (on Facebook) and you claim it is a scam attempt.

The chances of it is actually very high to see the words used in the same order they were posted to generate a wallet with transaction history (the "scammer" did that intentionally).

[Cricktor]

Importing the mnemonic in the 'correct' order leads to the phishing scam wallet associated with Facebook.
Using the mnemonic in the order 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 results in that scam/phishing wallet.

What's the purpose to have your whole post in bold face? (Removed for sanity)

I don't care about Facebook and won't look or search there. Are the recovery words of what you label as phishing scam wallet public?
If yes, then you can disclose them here. It's just that I don't believe you. You know the drill: don't trust, verify!

However, using the mnemonic in the order 1, 7, 2, 8, 3, 9, 4, 10, 5, 11, 6, 12, I tested and found a third-party Bitcoin wallet with actual transaction records.

This is your claim and so far we can't prove your claim. I say again, I don't believe you, because first, it's, as you said, highly unlikely that the different word order produces a valid BIP39 word sequence with proper checksum. Second, why would someone else have funded addresses even partially equal to such an invalid BIP39 wallet?

I can confirm what nc50lc said, Electrum clearly warns about an invalid checksum when you change the order of a given valid BIP39 recovery word sequence but still lets you derive a wallet from the invalid sequence.

In other words, it was an extremely, extremely low-probability, accidental discovery.

Yadda, yadda, ... show proof or it didn't happen!

[ghost43]

Note that the checksum in BIP39 seeds is weak. A 12 word BIP39 seed only has a 4 bit checksum. There is a 1/16 chance that a random selection of 12 words from the wordlist is a valid seed.

[Maverick Zeng]

Note that the checksum in BIP39 seeds is weak. A 12 word BIP39 seed only has a 4 bit checksum. There is a 1/16 chance that a random selection of 12 words from the wordlist is a valid seed.

Please also note, the crux of the issue lies in this alleviation/mitigation.
That chaotic combination of mnemonic phrases is a BIP-39 seed, but it cannot be imported into other mainstream wallets like Trust Wallet, Phantom, or MetaMask, even though these wallets do support BIP-39 seed phrases!!"
"That chaotic combination of mnemonic phrases can only be successfully imported into Electrum wallet using the [BIP-39] format option, which is the strangest part."
"All I've said so far is to express my suspicion that Electrum might have some unknown mechanism that causes this result

Importing the mnemonic in the 'correct' order leads to the phishing scam wallet associated with Facebook.
Using the mnemonic in the order 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 results in that scam/phishing wallet.

What's the purpose to have your whole post in bold face? (Removed for sanity)

I don't care about Facebook and won't look or search there. Are the recovery words of what you label as phishing scam wallet public?
If yes, then you can disclose them here. It's just that I don't believe you. You know the drill: don't trust, verify!

However, using the mnemonic in the order 1, 7, 2, 8, 3, 9, 4, 10, 5, 11, 6, 12, I tested and found a third-party Bitcoin wallet with actual transaction records.

This is your claim and so far we can't prove your claim. I say again, I don't believe you, because first, it's, as you said, highly unlikely that the different word order produces a valid BIP39 word sequence with proper checksum. Second, why would someone else have funded addresses even partially equal to such an invalid BIP39 wallet?

I can confirm what nc50lc said, Electrum clearly warns about an invalid checksum when you change the order of a given valid BIP39 recovery word sequence but still lets you derive a wallet from the invalid sequence.

In other words, it was an extremely, extremely low-probability, accidental discovery.

Yadda, yadda, ... show proof or it didn't happen!

This is my first time using this forum, and I don't understand many of its functions. My English is also translated using Google Translate."
"I wrote all this just to express my curiosity, confusion, and lack of understanding regarding that event."
"Regarding what you said about importing that 'chaotic combination' into the Electrum wallet under the BIP-39 format option, the third-party Bitcoin wallet that was opened was definitively not newly created by Electrum during the import!"
"I also tried importing various combinations of other brand-new BIP-39 format mnemonic phrases into Electrum again, but the results were always empty, invalid addresses. So, my point is, was hitting and opening that third-party Bitcoin address a completely incredible coincidence/probability?"

In other words, it was an extremely, extremely low-probability, accidental discovery.

The chances of collision is so low that it is impossible only if you created the seed phrase yourself using a strong random number generator. But this is not the case here. You say you have found these words on the internet (on Facebook) and you claim it is a scam attempt.

The chances of it is actually very high to see the words used in the same order they were posted to generate a wallet with transaction history (the "scammer" did that intentionally).

Since my previous posts mentioned specific mnemonic word orders, I cannot disclose the detailed mnemonic phrases. If I did, others could use the number sequences I previously mentioned to open that third-party Bitcoin wallet, which would expose their private key and compromise their privacy. Please forgive me if my Google Translate English isn't perfectly accurate!"
"Regarding what you mentioned: if those 12 mnemonic words are combined in the normal sequence (1, 2, 3, 4... 12), the resulting wallet is that of the Facebook scammer."
"However, using the exact same 12 mnemonic words, but in an interleaved sequence like 1, 7, 2, 8, 3, 9, etc., results in that third-party Bitcoin wallet. The key point is that this third-party Bitcoin private key wallet is completely unrelated to the scammer's wallet – they share the same mnemonic words, but the order is different!"
"Most importantly: that third-party wallet, generated by the 'chaotic combination,' was not newly created by Electrum during the import process. It has existed for several years and has recent Bitcoin transaction history from the last ten-odd days. This is truly bizarre/magical."
"I'm not sure if Google Translate perfectly conveys my meaning in English, haha."

I have discussed all the intricate details with both Google Gemini and Grok, and they both found it to be incredible/unbelievable/impossible!!"

Because that will never likely happen unless there's a collision with the resulting binary seed from the jumbled and properly arranged mnemonic.

It's as if both you and 'Jack' have exactly the same 12 words in your mnemonic phrases, but just in a different order.
The mnemonic order 123456789101112 opens your private key.

Have you actually tested to create the wallet with the correct order of words and checked the addresses if they matched?
Or just assumed that it's the same wallet because it has transaction history?

Are you using a legit version of Electrum? With verified signatures from its developers.

Perhaps my Google Translate English didn't perfectly convey what I wanted to say.
I am absolutely certain that the 'chaotic combination' mnemonic and the Facebook scammer's mnemonic consist of the exact same 12 words; only their order is different.
The normal sequence (1, 2, 3, 4, 5, 6... 12) results in the scammer's wallet.
However, the interleaved, 'chaotic' sequence (1, 7, 2, 8, 3, 9...) results in that third-party Bitcoin private key wallet.
What I can definitively confirm is that this third-party Bitcoin private key wallet was not newly created by Electrum during my import process. This is because the third-party Bitcoin wallet has existed for several years and has recent Bitcoin transactions from the last ten days or so, with single transaction amounts around 0.003 Bitcoin.
I used the legitimate Electrum application from the Google Play Store, and I also downloaded it from the official Electrum website.
After saying all this, I wonder if Google can fully translate what I'm trying to express, hahaha."

[nc50lc]

-snip-
The normal sequence (1, 2, 3, 4, 5, 6... 12) results in the scammer's wallet.
However, the interleaved, 'chaotic' sequence (1, 7, 2, 8, 3, 9...) results in that third-party Bitcoin private key wallet.

Then, it's back to my my first and second reply. (if the two combinations derive different wallets)

Some additional pointers and a repeat of the important ones:

• The seed is posted in public, you can't just expect it to be empty even if the combinations are wrong.
  Before you even attempted to restore it, people had experimented on it or read it wrong like you did.
• You can restore it Electrum but not in other BIP39 wallets because Electrum doesn't prevent it to be restored/created even with bad BIP39 checksum.
• Using the same set of words doesn't necessarily mean that it should be exclusively restore that same wallet, no, it can be used to restore a different wallet if the conditions are right.
  Example1: If you managed to create another combination with a correct checksum, you'll even be able to restore it to other clients aside from Electrum.
  Example2: If the checksum isn't correct, you'll still be able to restore it to Electrum but not on other clients.
• Under the hood, Electrum passes those words on a PBKDF2 function (HMAC-SHA512) to create the binary seed which where the private keys of the wallet is based from.
  Given the examples above, you'll restore a different wallet using different combinations since the input it feed on the PBKDF2 function is different...
  But it's not even necessary to understand that a publicly posted words shouldn't be expected to be unused
  Because the owner or someone else already restored that to Electrum using that same combination and used it to receive and send bitcoins.

[ABCbits]

This is my first time posting in this forum, so please bear with any translation inaccuracies, as my English relies entirely on Google Gemini.

After saying all this, I wonder if Google can fully translate what I'm trying to express, hahaha."

Have you consider asking this question on one of local board where you speak the language? To see list of those local board, visit https://bitcointalk.org/index.php and scroll down until you see text "Local".

Note that the checksum in BIP39 seeds is weak. A 12 word BIP39 seed only has a 4 bit checksum. There is a 1/16 chance that a random selection of 12 words from the wordlist is a valid seed.

Please also note, the crux of the issue lies in this alleviation/mitigation.
That chaotic combination of mnemonic phrases is a BIP-39 seed, but it cannot be imported into other mainstream wallets like Trust Wallet, Phantom, or MetaMask, even though these wallets do support BIP-39 seed phrases!!"
"That chaotic combination of mnemonic phrases can only be successfully imported into Electrum wallet using the [BIP-39] format option, which is the strangest part."
"All I've said so far is to express my suspicion that Electrum might have some unknown mechanism that causes this result

"Electrum might have some unknown mechanism"? Other member have stated it's because other wallet doesn't let you create wallet using mnemonic phrase with invalid checksum while Electrum does.