A systems architect cracked a seed phrase and earned a reward of 100,000 satoshis, or 0.001 Bitcoin (BTC), about $29, in just under half an hour. Cointelegraph spoke with Andrew Fraser in Boston, who underlined how important it is to keep the seed phrase of a Bitcoin wallet secure and offline.
A seed phrase or recovery phrase is a series of random words generated when creating a cryptocurrency wallet that can grant access to it, similar to a master key. Fraser brute-forced a 12-word seed phrase that Bitcoin educator “Wicked Bitcoin” shared on Twitter:
Anyone want to try and brute force this 12-word seed phrase securing 100,000 sats? I’ll give you all 12 words but in no particular order. Standard derivation path m/84’/0’/0’…no fancy tricks. GL. https://t.co/c9FyMv3HYM pic.twitter.com/nPGTB9bX2g
— Wicked (@w_s_bitcoin) April 26, 2023
As shown, Wicked’s tweet challenged users to figure out the correct order of the 12-word seed phrase.
It only took 25 minutes to get 100,000 satoshis. The incident serves as a timely reminder for Bitcoin users and cryptocurrency enthusiasts to take the security of their digital assets seriously.
Fraser cracked the code using BTCrecover, a software application available on GitHub. The software offers a number of tools that can recover seed phrases with lost or scrambled mnemonic words, as well as passphrase-cracking utilities. Via Twitter direct messages, Fraser told Cointelegraph:
“My gaming GPU was able to determine the correct order of the seed phrase in about 25 minutes. Although a more capable system would do it much faster.”
He noted that anyone with a basic understanding of running Python scripts, using the Windows shell, and understanding the Bitcoin protocol—particularly BIP39 mnemonics—should be able to replicate his success.
Cointelegraph asked Fraser about the security of 12-word seed phrases. Fraser explained that they are “perfectly safe if the words remain unknown to an attacker or there is a ‘13th seed word’ used in the wallet bypass path.”
In addition, he highlighted the greater security of the 24-word seed phrases.
“Even if an attacker knew the unordered words in your 24-word seed key, they would never have any hope of discovering the correct order.”
Fraser broke down the entropy calculations to explain the difference in security between the two types of seed phrases. A 12-word seed has approximately 128 bits of entropy, while a 24-word seed has 256 bits. When an attacker knows the scrambled words of a 12-word seed, there are only about 500 million possible combinations, which is relatively easy to test with a decent GPU. However, a 24-word seed has about 6.24^24 possible combinations, and that’s a lot of zeros.
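The arithmetic behind this comparison can be checked with a short script. The following is an added example, not code from the article, from Fraser or from BTCrecover; the placeholder words are constructed, and the search rate is an assumption obtained by supposing the whole 12-word space was covered in the 25 minutes reported above.

```python
from collections import Counter
from math import factorial

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def orderings(words):
    """Distinct orderings of a known set of words; repeated words reduce the count."""
    total = factorial(len(words))
    for repeats in Counter(words).values():
        total //= factorial(repeats)
    return total

def checksum_bits(word_count):
    """BIP39 appends 1 checksum bit per 3 words (4 bits for 12 words, 8 for 24)."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    return word_count // 3

def entropy_bits(word_count):
    """Each word encodes 11 bits; entropy is what remains after the checksum."""
    return word_count * 11 - checksum_bits(word_count)

def expected_valid(words):
    """Orderings expected to pass the checksum and so need a full key derivation."""
    return orderings(words) / 2 ** checksum_bits(len(words))

def years_to_exhaust(words, rate_per_second):
    """Time to try every ordering at a fixed test rate."""
    return orderings(words) / rate_per_second / SECONDS_PER_YEAR

# Constructed placeholder words: only the count and any repeats matter here.
TWELVE = [f"word{i:02d}" for i in range(12)]
TWENTY_FOUR = [f"word{i:02d}" for i in range(24)]

# Assumption: the whole 12-word space was covered in the reported 25 minutes.
ASSUMED_RATE = orderings(TWELVE) / (25 * 60)

if __name__ == "__main__":
    for label, words in (("12 words", TWELVE), ("24 words", TWENTY_FOUR)):
        n = len(words)
        print(f"{label}: {entropy_bits(n)} bits of entropy when the words are unknown")
        print(f"  known words, unknown order: {orderings(words):.3e} orderings")
        print(f"  expected to pass checksum:  {expected_valid(words):.3e}")
        print(f"  exhaust at {ASSUMED_RATE:,.0f}/s: "
              f"{years_to_exhaust(words, ASSUMED_RATE):.3e} years")
```

Because the assumed rate is an upper bound on what the 25-minute run achieved, the 24-word figure it prints is a lower bound on the time needed at that speed.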
Even the probability of an attacker cracking a 12-word seed phrase borders on the absurd. A 24-word seed phrase may be superior, but as Wicked points out in a postmortem of the seed phrase challenge, “it’s not going to get hacked, to be honest.”
In the off chance that someone finds your seed phrase cut up and out of order, then yes lol.
— Wicked (@w_s_bitcoin) April 27, 2023
Ultimately, this is a timely reminder to readers to ensure that seed phrases are never published or shared on the Internet. That means seed phrases shouldn’t be stored in a password manager or cloud storage solution, much less typed on a phone.
Fraser also stressed the importance of keeping seed phrases secret and using a passphrase as part of the derivation path. And the 100,000 satoshis that Fraser took home? Fraser tweeted that he had spent them on dinner that night: chicken marsala. Talk about a circular economy.