Hackers have made about $103,000 cracking bitcoin wallets that were “secured” using BrainWallet.
Not too long after a group of researchers published a paper about efficiently cracking bitcoin BrainWallets, it was revealed in a paper that there are a group of hackers who have already taken advantage of these weaknesses and have drained every wallet they could.
“Surprisingly, after excluding activities by researchers, we identified just 884 brain wallets worth around $100K in use from September 2011 to August 2015. We find that all but 21 wallets were drained, usually within 24 hours but often within minutes. We find that around a dozen “drainers” are competing to liquidate brain wallets as soon as they are funded”
A brainwallet “refers to the concept of storing Bitcoins in one’s own mind by memorization of a passphrase. As long as the passphrase is not recorded anywhere, the Bitcoins can be thought of as existing nowhere except in the mind of the holder. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever.”
BrainWallets were created by turning passphrases into a 256-bit private key by hashing the passphrase with SHA256, that private key is then used to created a bitcoin address. Keep in mind that these aren’t salted and are only hashed once. You can easily run an offline password cracking attack on the private key since it’s no different than a password hash in a leaked database. Once you’ve cracked it, you essentially own the bitcoin address.
In the paper, the researchers describe how the hackers found new brain wallets and how they drained them so quickly.
“Drainers lurk over the blockchain, ready to pounce as soon as new brain wallets are established.”
“Many bots monitor for new transactions depositing into known brain wallets. These drainers quickly send the money to their own addresses, often with a sizable fee to encourage miners to pick up the transaction quickly.”
Because this is a group of hackers, one would think they would all closely profited the same amount, but this is not the case.
“Nonetheless, we confirmed at least 14 drainers targeting multiple brain wallets, corroborated by reports on discussion forums.
A few drainers are very successful while the rest do not make very much. The top 4 drainers have netted the equivalent of $35,000 between them. The drainer who has emptied the most brain wallets — 100 in all — has earned $3219 for the
effort. But other drainers have stolen very little money. For example, one drainer
stole from 78 different brain wallets but netted only $62 worth of bitcoin.”
The paper that details these findings, “The Bitcoin Brain Drain: A Short Paper on the
Use and Abuse of Bitcoin Brain Wallets” is scheduled to be presented at the Financial Cryptography and Data Security 2016 conference.