Some time ago I came across a YouTube video by chance with the title: "Eth Wallet Bruteforce Hack". A programmer showed a simple Python script which could generate a random private key (64 characters / 32 bytes / 256 bits). This was used to calculate the public-key and address and pass it to a blockchain explorer website like Etherscan.io to see if this wallet exists or if a transaction has already been made. The author suggested that no wallet is safe anymore.
So far no witchcraft, but in any case funny how much people celebrate such a thing. Here's some background information why this Youtube approach is crap, and what you could do if you wanted to and you have too much money and years of time. 😀
Table of contents:
- Are all Ethereum wallets now at risk, as are Bitcoin and co. Elliptic Curve Digital Signature Algorithm (ECDSA), Sha256, secp256k1 and keccak256 broken? Surely not!
- Bruteforcing Ethereum Wallets - Step 1: Preparation
- Bruteforcing Ethereum Wallets - Step 2: Try
Are all Ethereum wallets now at risk, as are Bitcoin and co. Elliptic Curve Digital Signature Algorithm (ECDSA), Sha256, secp256k1 and keccak256 broken? Surely not!
First, a few facts: The method of this "hacker" works theoretically at least technically! The problem here is, among other things, the more than slow performance of the implementation and the huge (I mean really huge!) space of possibilities in which the whole thing takes place.
The private key of each wallet consists of 32 bytes, i.e. 256 bits. This results in a maximum number of wallets and thus possibilities to guess a wallet by chance of 2^256. The number written out looks like this:
To try this enormous mass of possibilities would take forever, especially since the presented method of this YouTube allows about 1 attempt per second, since each address must be given individually to a website and must be waited for answer. Even if you do this over 10, 50 or 100 threads at the same time it is still very, very, very slow and you need (no idea 😀 ) ten thousand years? In any case very long...
Bruteforcing Ethereum Wallets - Step 1: Preparation
But since I found the approach somewhat funny, I thought about how one could put the whole thing in a more realistic light. Preparation is everything!
- Setup your own Ethereum Full Node (e.g. GETH).
- Buy High-End Computer (AMD Threadripper ) with 64 GB RAM or more.
- Learn programming (C, Python, whatever), script kiddies won't get far with that anyway.
Once you have the necessary components and your own ETH node is ready to run, you first write a small program to read in all blocks of the Ethereum block chain one by one and load the available transactions. Here you now export and save all ETH addresses (wallets). Sender, receiver and miner. Let this run for a few days or weeks until all blocks from 0 (yes, read Genesis block) to currently over 9.41 million blocks (as of February 2020) are read... This results in a database with over 66 million ETH addresses and wallets.
For faster comparison and to reduce the amount of data, I would save the addresses all in lower case and remove the prefix 0x (also when comparing later!) from each address. Saves 2 bytes per record, so today (about 66 million addresses) there was about 120 MB RAM.
Bruteforcing Ethereum Wallets - Step 2: Try
First of all, the ETH addresses recorded should be loaded directly as a database into the main memory (RAM). This is the best way to benefit from minimal access times and the really enormous speed advantage compared to loading from HDD or even SSD.
Key-value databases such as the database system Redis.io are ideal for this purpose. If you run Redis and import all data, you will be happy to have a real advantage over the YouTube hacker, because the almost 3 gigabytes in memory, which the entire Ethereum addresses only take up, can be queried and evaluated relatively quickly. Now you are able to check 250,000 to 500,000 ETH addresses (async.) per second on a relatively conventional computer, and no longer only 1-10 per second as shown in the video. At least theoretically, if you already have the corresponding private key and address pairs and don't have to generate them first.
So far so good, now you only have to write a program that generates private keys, calculates the public key, derives the ETH wallet address from it and compares it with the database to see if it exists. If so, we have a hit. (Which is still very very unlikely -> see 2^256). 😉
A corresponding software tool could look something like this:
While you're at it, you might as well set up a small UI (user interface). A few useful options are quickly integrated, like selecting the number of threads to run simultaneously and generate keys. A nice exercise for those who want to do something different with parallelization and multithreading.
When you get a hit, you simply give a message like "JACKPOT! -> 0x9980bCA3bdb37b265901f348De293933c5057B97;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1". Where the first part of the output is the address that was found, and with semicolon separators the matching private key behind it. From the beginnings of Ethereum, just like Bitcoin and many other crypto currencies, there are countless wallets which are only protected by a very, very insecure private key. 64 times f and things like that.
On a relatively conventional CPU you can quickly generate 10,000 to 20,000 data records consisting of private key and wallet address and write them to a hard disk or compare them with the Redis database. It is even faster if you use the cores of the graphics card.
In conclusion, it remains to say that this experiment was only an experiment. No more and no less. It was clear from the beginning that Sha256 was not broken, and that this Youtube puppet with its Python script did not empty heaps of Bitcoin and ETH wallets. Theoretically, bruteforcing is possible, but practically, it's virtually pointless, since you not only need endless time, but also a lot of electricity and computing power. And who knows if there's anything on the wallet that you might have calculated in years. 😀
I would like to see many more people taking a closer look at the blockchain technology and thus opening up many more areas of application. I think it will still take some time, but crypto-currencies, smart-contracts, DeFi (decentralized finance) will be indispensable at some point! 🙂
Note: If you are interested in trading crypto, futures, forex or stocks the following page might be worth a look:
This might also be interesting for youPrivacy Browser for more security and privacy
More data protection, security and above all more privacy on the Internet is demanded from all sides, and not only after the entry into force of the EU-wide data protection basic regulation (). In general one can understand this wish, because who would like to voluntarily allow large IT companies to pass on their own … Continue reading "Privacy Browser for more security and privacy"
Telegram Messenger and the Bot API
Telegram is basically a messenger similar to Whatsapp or Threema , free and easy to use. I don't want to say that it is better or worse than other messengers, but I like the Telegram Bot API so much that I want to write a little tutorial here. Table of contents:Using Telegram Messenger and the … Continue reading "Telegram Messenger and the Bot API"
3D Printers: Models, Software and Options
Not just since yesterday 3D printers are a great way of printing on the market, which is constantly evolving. Here it is possible to print whole objects using software or scanned originals. This process has proven to be extremely useful both in private use and in numerous professions. In this article I have collected some … Continue reading "3D Printers: Models, Software and Options"
self-construction - DynDNS-Alternative
If you already have your own webserver/webspace on the Internet and some programming knowledge, you can save yourself a service like DynDNS.org & Co. without much effort if you want to access parts of your home network from the road. Such services provide a host name/URL (e.g. my-home-network.dyndns.org) which is then forwarded to the IP … Continue reading "self-construction - DynDNS-Alternative"
Training equipment: Makiwara 2.0
A Makiwara is a piece of sports equipment originating from Japan, which in karate is known mainly as a wooden hitting post. In the past (and partly still today) a makiwara is made of a flexible and non-splintering wooden board. One end of the board is driven vertically into the ground, and the other end … Continue reading "Training equipment: Makiwara 2.0"