Experiment: Hacking Ethereum Wallets - Bruteforce

Some time ago I came across a YouTube video by chance with the title: "Eth Wallet Bruteforce Hack". A programmer showed a simple Python script which could generate a random private key (64 characters / 32 bytes / 256 bits). This was used to calculate the public key and address and pass it to a blockchain explorer website like Etherscan.io to see if this wallet exists or if a transaction has already been made. The author suggested that no wallet is safe anymore.

So far no witchcraft, but in any case funny how much people celebrate such a thing. Here's some background information on why this YouTube approach is crap, and what you could do if you wanted to and had too much money and years of time. 😀

Are all Ethereum wallets, as well as Bitcoin and co., now at risk? Are the Elliptic Curve Digital Signature Algorithm (ECDSA), SHA-256, secp256k1 and Keccak-256 broken? Surely not!

First, a few facts: the method of this "hacker" does work, at least in theory! The problem is, among other things, the extremely slow performance of the implementation and the huge (I mean really huge!) space of possibilities in which the whole thing takes place.

The private key of each wallet consists of 32 bytes, i.e. 256 bits. This gives a maximum number of wallets, and thus of possibilities when guessing a wallet by chance, of 2^256. The number written out looks like this:


Trying this enormous mass of possibilities would take forever, especially since the method presented by this YouTuber allows about 1 attempt per second, because each address must be submitted individually to a website and you have to wait for the answer. Even if you do this over 10, 50 or 100 threads at the same time it is still very, very, very slow and you need (no idea 😀) ten thousand years? In any case very long...
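To put numbers on "very long", the following added example (not part of the original post) computes the expected search time for the guess rates quoted in this article. It assumes the quoted figures are per-second rates, and it also uses the 160-bit address length, which the article does not mention, to cover the case of hitting any of the 66 million known addresses.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
KEY_BITS = 256                 # page: 32-byte private key, 2^256 possibilities
ADDRESS_BITS = 160             # assumption: an Ethereum address is 20 bytes
KNOWN_ADDRESSES = 66_000_000   # page: addresses collected up to February 2020

# Attempts per second. Upper ends of the ranges in the article; treating
# them as per-second rates and 100 threads as 100/s are assumptions.
RATES = {
    "explorer lookup, 1 thread": 1,
    "explorer lookup, 100 threads": 100,
    "CPU key generation": 20_000,
    "in-memory address lookup": 500_000,
}

def expected_years(rate_per_s, space_bits, targets=1):
    """Mean years until a uniformly random guess hits one of `targets` values.

    Each guess succeeds with p = targets / 2**space_bits, so the number of
    guesses is geometric with mean 1/p.
    """
    expected_guesses = (1 << space_bits) // targets
    return expected_guesses / rate_per_s / SECONDS_PER_YEAR

def success_probability(rate_per_s, years, space_bits, targets=1):
    """Chance of at least one hit after `years` of continuous guessing.

    1 - (1 - p)**n is computed as -expm1(n * log1p(-p)) so that the tiny p
    is not rounded away in floating point.
    """
    p = targets / (1 << space_bits)
    n = rate_per_s * years * SECONDS_PER_YEAR
    return -math.expm1(n * math.log1p(-p))

def report():
    """One row per rate: (label, years for one key, years for any address)."""
    return [
        (label,
         expected_years(rate, KEY_BITS),
         expected_years(rate, ADDRESS_BITS, KNOWN_ADDRESSES))
        for label, rate in RATES.items()
    ]

if __name__ == "__main__":
    print(f"2^256 = {1 << KEY_BITS}")
    for label, one_key, any_address in report():
        print(f"{label:30s} {one_key:9.2e} years  {any_address:9.2e} years")
```

Even at the fastest rate and against every known address at once, the expected time is on the order of 10^27 years.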

Bruteforcing Ethereum Wallets - Step 1: Preparation

But since I found the approach somewhat funny, I thought about how one could put the whole thing in a more realistic light. Preparation is everything!

  1. Set up your own Ethereum full node (e.g. GETH).
  2. Buy a high-end computer (AMD Threadripper) with 64 GB RAM or more.
  3. Learn programming (C, Python, whatever), script kiddies won't get far with that anyway.

Once you have the necessary components and your own ETH node is ready to run, you first write a small program to read in all blocks of the Ethereum blockchain one by one and load the available transactions. From these you export and save all ETH addresses (wallets): sender, receiver and miner. Let this run for a few days or weeks until all blocks from 0 (yes, read the Genesis block) to currently over 9.41 million blocks (as of February 2020) are read... This results in a database with over 66 million ETH addresses and wallets.

For faster comparison and to reduce the amount of data, I would save the addresses all in lower case and remove the prefix 0x (also when comparing later!) from each address. This saves 2 bytes per record, which today (about 66 million addresses) comes to about 120 MB of RAM.

Bruteforcing Ethereum Wallets - Step 2: Try

First of all, the ETH addresses recorded should be loaded directly as a database into the main memory (RAM). This is the best way to benefit from minimal access times and the really enormous speed advantage compared to loading from HDD or even SSD.

Key-value databases such as the database system Redis.io are ideal for this purpose. If you run Redis and import all the data, you will be happy to have a real advantage over the YouTube hacker, because the almost 3 gigabytes of memory that all the Ethereum addresses take up can be queried and evaluated relatively quickly. Now you are able to check 250,000 to 500,000 ETH addresses (async.) per second on a relatively conventional computer, and no longer only 1-10 per second as shown in the video. At least theoretically, if you already have the corresponding private key and address pairs and don't have to generate them first.

So far so good, now you only have to write a program that generates private keys, calculates the public key, derives the ETH wallet address from it and compares it with the database to see if it exists. If so, we have a hit. (Which is still very very unlikely -> see 2^256). 😉

A corresponding software tool could look something like this:

Ethereum Wallet Bruteforce Tool

While you're at it, you might as well set up a small UI (user interface). A few useful options are quickly integrated, like selecting the number of threads to run simultaneously and generate keys. A nice exercise for those who want to do something different with parallelization and multithreading.

When you get a hit, you simply output a message like "JACKPOT! -> 0x9980bCA3bdb37b265901f348De293933c5057B97;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1". The first part of the output is the address that was found, followed after a semicolon by the matching private key. Since the beginnings of Ethereum, just as with Bitcoin and many other cryptocurrencies, there have been countless wallets which are only protected by a very, very insecure private key. 64 times f and things like that.
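Seen from the wallet owner's side, the insecure keys mentioned above can be caught before a key is ever used. The following is an added example, not code from the original post: `audit_private_key`, its thresholds and the sample keys are assumptions made here, while the secp256k1 group order is the standard curve constant.

```python
import re
import secrets
from collections import Counter

# Order n of the secp256k1 group: a valid private key d satisfies 1 <= d < n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def audit_private_key(key_hex):
    """Return findings for a hex private key; an empty list means none.

    The thresholds are illustrative assumptions, not a standard.
    """
    key = key_hex.lower()
    if key.startswith("0x"):
        key = key[2:]
    if not re.fullmatch(r"[0-9a-f]{64}", key):
        return ["not 64 hex characters (32 bytes)"]
    findings = []
    d = int(key, 16)
    if not 1 <= d < SECP256K1_N:
        findings.append("outside the valid range 1..n-1 for secp256k1")
    if d.bit_length() <= 64:
        findings.append("small integer: value fits in 64 bits")
    if Counter(key).most_common(1)[0][1] >= 32:
        findings.append("one hex digit fills half the key or more")
    if len(set(key)) <= 4:
        findings.append("four or fewer distinct hex digits")
    for period in (1, 2, 4, 8, 16, 32):
        if key == key[:period] * (64 // period):
            findings.append(f"repeats a {period}-character pattern")
            break
    return findings

def generate_private_key():
    """Draw a key from the OS CSPRNG, rejecting the rare out-of-range value."""
    while True:
        d = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= d < SECP256K1_N:
            return f"{d:064x}"

# Constructed samples, modelled on the weak keys the article mentions.
SAMPLES = ["f" * 64, "0x" + "a" * 63 + "1", "0" * 63 + "1"]

if __name__ == "__main__":
    for sample in SAMPLES + [generate_private_key()]:
        print(sample[:12] + "...", audit_private_key(sample) or "no findings")
```

Note that 64 times f is flagged first as out of range: it is larger than the curve order and therefore not a valid secp256k1 private key at all.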

On a relatively conventional CPU you can quickly generate 10,000 to 20,000 data records consisting of private key and wallet address and write them to a hard disk or compare them with the Redis database. It is even faster if you use the cores of the graphics card.

In conclusion, it remains to say that this experiment was only an experiment. No more and no less. It was clear from the beginning that SHA-256 was not broken, and that this YouTube puppet with its Python script did not empty heaps of Bitcoin and ETH wallets. Theoretically, bruteforcing is possible, but practically, it's virtually pointless, since you not only need endless time, but also a lot of electricity and computing power. And who knows if there's anything in the wallet that you might have calculated after years. 😀

I would like to see many more people taking a closer look at the blockchain technology and thus opening up many more areas of application. I think it will still take some time, but crypto-currencies, smart-contracts, DeFi (decentralized finance) will be indispensable at some point! 🙂

Author: Sascha from Tinkering-Sascha.com
