Hardware hacker Joe Grand, also known as Kingpin, along with a partner from Germany, successfully cracked into a 10-year-old crypto wallet by utilizing a flaw in the password manager RoboForm, as requested by the wallet's owner. Since losing access to his wallet in 2013, the owner finally has access to his 43.6 Bitcoins, now worth over $3 million.
Joe Grand, or Kingpin — not to be confused with EVGA legend Kingpin — was first requested to break into this Bitcoin wallet by Michael (last name unknown per Wired) in 2022 after Grand went viral for breaking into another wallet. Grand turned down this first request; Kingpin's skills are in the world of hardware hacking, so his initial break into a hardware wallet was a far cry from Michael's request for help with his software wallet. But the second time the call was issued in 2023, Grand had the help of his friend Bruno, a software hacker, and got to work.
The problem with the wallet arose from Michael's redundant security failing. When creating his cryptocurrency digital wallet, Michael generated a password using RoboForm's password manager and then stored the password in a file encrypted with TrueCrypt rather than RoboForm. The TrueCrypt file corrupted soon after creation, and with no secondary storage for the password, Michael found himself locked out of his 43.6 Bitcoins.
Thankfully for Michael, RoboForm releases pre-2015 have a major flaw: their randomly generated passwords are not actually random. RoboForm used to link its random generation software to the date and time when the password was created, meaning anyone who can reverse engineer the software and determine the date and time a password was generated can recreate a password. Grand and Bruno did precisely this. Following some pains in determining the date and time the password was created, Grand and Bruno gave Michael access to his account in November 2023, when the unlocked Bitcoin wallet was worth $1.6 million (roughly $38,000 per Bitcoin versus the $68,000 current price). Grand and Bruno reserved a percentage of the unlocked Bitcoin wallet for their services before handing over the password.
Kingpin's greatest takeaway from the months-long ordeal is the potential danger behind old passwords made with RoboForm. Any password generated before RoboForm version 7.9.14, released in 2015, is vulnerable to the same exploit and should be replaced immediately. "We know that most people don't change passwords unless they're prompted to do so," said Grand. "I'm still not sure I would trust [RoboForm] without knowing how they actually improved the password generation in more recent versions."
Bitcoin will forever be linked with stories of lost passwords and corrupted wallets — though a recent $25 million Ethereum heist cut out the middleman to acquire crypto straight from the tap of mining rigs. If you want to improve your password safety with less risk of losing them forever, check out our list of the best password managers (RoboForm didn't make the cut even before this discovery). However, be careful when typing those passwords in, as recent research reveals that noisy keystrokes can reveal your passwords to nefarious ne'er-do-wells.
