Some time ago I came across a YouTube video by chance with the title: "Eth Wallet Bruteforce Hack". A programmer showed a simple Python script which could generate a random private key (64 characters / 32 bytes / 256 bits). This was used to calculate the public-key and address and pass it to a blockchain explorer website like Etherscan.io to see if this wallet exists or if a transaction has already been made. The author suggested that no wallet is safe anymore.
So far no witchcraft, but in any case funny how much people celebrate such a thing. Here's some background information why this Youtube approach is crap, and what you could do if you wanted to and you have too much money and years of time. 😀
Table of contents:
- Are all Ethereum wallets now at risk, as are Bitcoin and co. Elliptic Curve Digital Signature Algorithm (ECDSA), Sha256, secp256k1 and keccak256 broken? Surely not!
- Bruteforcing Ethereum Wallets - Step 1: Preparation
- Bruteforcing Ethereum Wallets - Step 2: Try
Are all Ethereum wallets now at risk, as are Bitcoin and co. Elliptic Curve Digital Signature Algorithm (ECDSA), Sha256, secp256k1 and keccak256 broken? Surely not!
First, a few facts: The method of this "hacker" works theoretically at least technically! The problem here is, among other things, the more than slow performance of the implementation and the huge (I mean really huge!) space of possibilities in which the whole thing takes place.
The private key of each wallet consists of 32 bytes, i.e. 256 bits. This results in a maximum number of wallets and thus possibilities to guess a wallet by chance of 2^256. The number written out looks like this:
To try this enormous mass of possibilities would take forever, especially since the presented method of this YouTube allows about 1 attempt per second, since each address must be given individually to a website and must be waited for answer. Even if you do this over 10, 50 or 100 threads at the same time it is still very, very, very slow and you need (no idea 😀 ) ten thousand years? In any case very long...
Bruteforcing Ethereum Wallets - Step 1: Preparation
- Setup your own Ethereum Full Node (e.g. GETH).
- Buy High-End Computer (AMD Threadripper ) with 64 GB RAM or more.
- Learn programming (C, Python, whatever), script kiddies won't get far with that anyway.
Once you have the necessary components and your own ETH node is ready to run, you first write a small program to read in all blocks of the Ethereum block chain one by one and load the available transactions. Here you now export and save all ETH addresses (wallets). Sender, receiver and miner. Let this run for a few days or weeks until all blocks from 0 (yes, read Genesis block) to currently over 9.41 million blocks (as of February 2020) are read... This results in a database with over 66 million ETH addresses and wallets.
For faster comparison and to reduce the amount of data, I would save the addresses all in lower case and remove the prefix 0x (also when comparing later!) from each address. Saves 2 bytes per record, so today (about 66 million addresses) there was about 120 MB RAM.
Bruteforcing Ethereum Wallets - Step 2: Try
First of all, the ETH addresses recorded should be loaded directly as a database into the main memory (RAM). This is the best way to benefit from minimal access times and the really enormous speed advantage compared to loading from HDD or even SSD.
Key-value databases such as the database system Redis.io are ideal for this purpose. If you run Redis and import all data, you will be happy to have a real advantage over the YouTube hacker, because the almost 3 gigabytes in memory, which the entire Ethereum addresses only take up, can be queried and evaluated relatively quickly. Now you are able to check 250,000 to 500,000 ETH addresses (async.) per second on a relatively conventional computer, and no longer only 1-10 per second as shown in the video. At least theoretically, if you already have the corresponding private key and address pairs and don't have to generate them first.
So far so good, now you only have to write a program that generates private keys, calculates the public key, derives the ETH wallet address from it and compares it with the database to see if it exists. If so, we have a hit. (Which is still very very unlikely -> see 2^256). 😉
A corresponding software tool could look something like this:
While you're at it, you might as well set up a small UI (user interface). A few useful options are quickly integrated, like selecting the number of threads to run simultaneously and generate keys. A nice exercise for those who want to do something different with parallelization and multithreading.
When you get a hit, you simply give a message like "JACKPOT! -> 0x9980bCA3bdb37b265901f348De293933c5057B97;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1". Where the first part of the output is the address that was found, and with semicolon separators the matching private key behind it. From the beginnings of Ethereum, just like Bitcoin and many other crypto currencies, there are countless wallets which are only protected by a very, very insecure private key. 64 times f and things like that.
On a relatively conventional CPU you can quickly generate 10,000 to 20,000 data records consisting of private key and wallet address and write them to a hard disk or compare them with the Redis database. It is even faster if you use the cores of the graphics card.
In conclusion, it remains to say that this experiment was only an experiment. No more and no less. It was clear from the beginning that Sha256 was not broken, and that this Youtube puppet with its Python script did not empty heaps of Bitcoin and ETH wallets. Theoretically, bruteforcing is possible, but practically, it's virtually pointless, since you not only need endless time, but also a lot of electricity and computing power. And who knows if there's anything on the wallet that you might have calculated in years. 😀
I would like to see many more people taking a closer look at the blockchain technology and thus opening up many more areas of application. I think it will still take some time, but crypto-currencies, smart-contracts, DeFi (decentralized finance) will be indispensable at some point! 🙂
This might also be interesting for you3D Printers: Models, Software and Options
Not just since yesterday 3D printers are a great way of printing on the market, which is constantly evolving. Here it is possible to print whole objects using software or scanned originals. This process has proven to be extremely useful both in private use and in numerous professions. In this article I have collected some … Continue reading "3D Printers: Models, Software and Options"
Privacy Browser for more security and privacy
More data protection, security and above all more privacy on the Internet is demanded from all sides, and not only after the entry into force of the EU-wide data protection basic regulation (). In general one can understand this wish, because who would like to voluntarily allow large IT companies to pass on their own … Continue reading "Privacy Browser for more security and privacy"
Programming: PHP image captcha code
pi_robot - Playing with Raspberry Pi, iPad and some Code
The Raspberry Pi is still one of the most popular mini computers, not only among hobbyists. Cost-effective (about 30 to 40,- EUR depending on the model), flexible in the field of application and at the latest since the equipped with enough CPU power and memory to solve even more complex tasks. With the 1.2 GHz … Continue reading "pi_robot - Playing with Raspberry Pi, iPad and some Code"
Smart Home V1 - Do it yourself
I've been planning my smart home for some time now. Besides the cost factor for all the great things I imagine, I often lack the necessary time for detailed planning and implementation. So I decided to start somewhere and write down this DIY project in parallel...let's see where it leads...I ask for your indulgence if … Continue reading "Smart Home V1 - Do it yourself"