Two years ago, a European cryptocurrency owner named "Michael" contacted hardware hacker Joe Grand for help. Michael had stored about $3 million worth of Bitcoin in an encrypted digital wallet. He created a 20-character password using RoboForm Password Manager and then encrypted it with TrueCrypt. Unfortunately, the encrypted file became corrupted and he was unable to access his 43.6 Bitcoins.
Michael did not store his passwords in RoboForm because of security concerns. That caution led to his predicament.
Joe Grand began hacking computing hardware when he was 10 years old. By 2008, he was co-hosting the Discovery Channel show Prototype This, showcasing his skills. Today, he uses his expertise to provide consulting services to companies, helping them protect their digital systems from hardware hackers. In 2022, his techniques enabled him to crack a Trezor wallet, revealing its password and recovering a large amount of cryptocurrency.
This achievement attracted national attention. Many people sought his help to recover lost cryptocurrency, especially after he helped a person who had forgotten his password recover $2 million. "Kingpin" (his hacker name) often declined these requests for various reasons.
Cracking Michael's lost Bitcoin password
Michael's cryptocurrency was stored in a software wallet, so Grand's hardware skills couldn't help. They considered brute-forcing the password, but that was impractical. Grand suspected that RoboForm Password Manager had a flaw, but he couldn't be sure.
In desperation, Michael contacted various cryptography experts, who all told him that recovery was impossible. But in June, he contacted Grand again. This time, Grand agreed to try, and teamed up with his friend Bruno in Germany, who was also good at hacking digital wallets.
Grand and Bruno spent months reverse engineering the version of RoboForm Michael was using. They discovered a major flaw in the pseudo-random number generator in RoboForm versions prior to 2015. The program tied generated passwords to the date and time on the user's computer, making them predictable. Knowing the date, time, and other parameters allowed them to recreate any password generated at that time.
Finding the correct password
Michael could not remember the exact date he created his password. He knew he had transferred bitcoins to his wallet on April 14, 2013. Grand and Bruno tried generating 20-character passwords for the period between March 1 and April 20, 2013, using the parameters Michael used, but failed. They then expanded the time range to June 1, 2013, but still had no success.
Michael was repeatedly asked about the password parameters. Frustrated, he provided other passwords he had generated in 2013. It turned out that some of these passwords did not contain special characters. Grand and Bruno adjusted their methods and contacted Michael again in November. This time, they found the correct password, which was generated on May 15, 2013 at 4:10:40 PM GMT and had no special characters.
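The weakness described above can be quantified. The following is an added example, not code from RoboForm or from Grand and Bruno: `weak_generate` is a hypothetical toy generator seeded only by the clock, the special-character set is constructed, and the dates are the ones given in the article. It compares the entropy ceiling of a clock-seeded generator with that of a generator backed by the operating system's CSPRNG.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

ALNUM = string.ascii_letters + string.digits   # 62 symbols
ALNUM_SPECIAL = ALNUM + "!@#$%^&*"             # constructed symbol set (assumption)

def weak_generate(when, length=20, alphabet=ALNUM):
    # Flawed design (hypothetical): the only varying input is the clock,
    # truncated to whole seconds, so each second maps to exactly one password.
    rng = random.Random(int(when.timestamp()))
    return "".join(rng.choice(alphabet) for _ in range(length))

def strong_generate(length=20, alphabet=ALNUM):
    # Hardened design: every character is drawn from the OS CSPRNG.
    return "".join(secrets.choice(alphabet) for _ in range(length))

def clock_seed_bits(start, end, parameter_sets=1):
    # Entropy ceiling of the flawed design: one candidate per second in the
    # window, multiplied by the number of plausible parameter sets.
    seconds = int((end - start).total_seconds()) + 1
    return math.log2(seconds * parameter_sets)

def csprng_bits(length=20, alphabet=ALNUM):
    # Entropy of a password whose characters are independent and uniform.
    return length * math.log2(len(alphabet))

def depends_only_on_clock(generate, when):
    # Audit check: identical output for an identical timestamp means the
    # generator has no entropy source other than the clock.
    return generate(when) == generate(when)

# Dates taken from the article; all times treated as UTC.
WINDOW_START = datetime(2013, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 6, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)

if __name__ == "__main__":
    weak = clock_seed_bits(WINDOW_START, WINDOW_END, parameter_sets=2)
    print(f"clock-seeded ceiling: {weak:.1f} bits")
    print(f"CSPRNG, 20 alphanumerics: {csprng_bits():.1f} bits")
    print("repeats for same timestamp:",
          depends_only_on_clock(weak_generate, SAMPLE_TIME))
    # Same timestamp, different character set: a different password, which is
    # why the stated parameters mattered as much as the date.
    print(weak_generate(SAMPLE_TIME) != weak_generate(SAMPLE_TIME, alphabet=ALNUM_SPECIAL))
```

A three-month window with two parameter sets leaves roughly 24 bits to cover, against about 119 bits for a 20-character alphanumeric password drawn from a CSPRNG.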
RoboForm's Risks on Bitcoin
RoboForm, developed by Siber Systems, is one of the first password managers. In 2015, the company fixed the flaw, but the exact fix is unclear. The changelog only mentioned increased randomness. Without knowing the specific details of the fix, Grand is still cautious about trusting the updated version.
After recovering the password, Grand and Bruno took a portion of Michael's Bitcoin as their compensation. At the time, Bitcoin was worth $38,000 per coin. When Bitcoin reached $62,000 per coin, Michael sold some of his Bitcoin. He now owns 30 Bitcoins, worth $3 million, and plans to sell again when Bitcoin reaches $100,000 per coin.
Michael recalled his experience.