Cyber engineers ‘hacked time’ to recover $3m in Bitcoin from password manager

As a researcher, I find Joe Grand’s story fascinating. His expertise in hardware hacking and engineering, combined with his friend Bruno’s software hacking skills, led them to an impressive discovery: a loophole in the older version of RoboForm password manager that enabled them to recover millions worth of Bitcoin.

American engineer Joe Grand and his companion Bruno uncovered a vulnerability in an older edition of the RoboForm password manager, allowing them to retrieve approximately $3 million worth of Bitcoin.

As a security analyst, I’ve come across an intriguing finding by hardware hacker and engineer Joe Grand and his software hacking counterpart, Bruno. They discovered a vulnerability in an older version of the RoboForm password manager that allowed them to access vast amounts of Bitcoin, estimated to be worth millions.

In a YouTube video released on May 28th, Grand recounted an incident from 2022 where he was contacted by Michael, a European crypto investor. Michael urgently required Grand’s assistance to regain access to his vast fortune in Bitcoin, which had become inaccessible due to losing the password for his RoboForm-generated 20-character key. The encrypted file containing this password was stored using TrueCrypt.

For several months, Grand and Bruno worked on deciphering the specific RoboForm setup that Michael utilized in the year 2013 to generate the password for his Bitcoins’ wallet.

I uncovered the fact that an older version of RoboForm contained a defect in its password generation process. This issue made the generated passwords foreseeable based on the computer’s date and time. Fortunately, my password had been created prior to RoboForm addressing this vulnerability.

According to investigative journalist Kim Zetter’s post on X, approximately 6 million RoboForm users who generated passwords using the software before 2015 may have weak passwords that could be cracked due to a previously undisclosed vulnerability. At the time of reporting, RoboForm had not issued any public statements regarding this issue.

As a crypto investor, I’d put it this way: If I were one of RoboForm’s 6 million users who generated passwords using their password manager before 2015, I might be using weak passwords that could be easily cracked by hackers. The flaw in the system was fixed silently by the company back then, but until then, my passwords may have been vulnerable.

— Kim Zetter (@KimZetter) May 28, 2024

As a crypto investor, I’ve generated millions of potential passwords based on the alleged creation date and time of a wallet belonging to an individual named Michael. Working with a partner, we employed brute force methods to find the correct password that would grant access to this wallet. After fine-tuning our approach, we were successful in discovering the password created on May 15, 2013, at 16:10:40 GMT, unlocking Michael’s stash of 43.6 Bitcoins, now worth approximately $3 million.

Joe Grand, the founder of Grand Idea Studio, is an electrical engineer, inventor, and skilled hardware hacker. He gained significant recognition within the crypto community for successfully hacking a Trezor One wallet in 2022, helping its owner retrieve $2 million worth of Bitcoin. Known by his hacker handle “Kingpin,” Grand boasts an impressive background in hardware hacking and continues to provide consultation services to companies seeking to strengthen their digital security.

Read More

2024-05-29 13:05