Your Bitcoin Brainwallet Can Be Swept Even Without Reading Your Mind
If you’re considering setting up a “brainwallet” to secure your bitcoin (BTC), you might want to think twice and learn from a recent experiment. It showed that BTC might be stolen in less than a second.
Contrary to a paper wallet, where a BTC owner has their seed phrase written, brainwallet means that this kind of a passphrase is memorized, which is especially important for refugees and others afraid of wealth confiscation.
“Refugees need to carry nothing with them, all they would need to do is remember a Bitcoin wallet passphrase. Funds, potentially millions of US dollars, can therefore be effectively stored inside of one’s mind,” a researcher at BitMEX Research said in a recent blog post about a curious experiment.
The reseacher experimented with eight brainwallets, created by using popular works of fiction, musical lyrics or academic literature, including all-time classics such as Herman Melville’s Moby Dick, and Jane Austen’s Pride and Prejudice, but also Satoshi Nakamoto’s Bitcoin: A Peer-to-Peer Electronic Cash System. The experiment’s results were far from optimistic for brainwallet users.
“All the funds were swept away within a day and the 0.04 BTC I spent on this exercise were lost, potentially forever. Remarkably, three of the deposits were swept away before our transaction even got confirmed into the blockchain. In one case, an independently run Bitcoin node witnessed the transaction sweeping away funds occur just 0.670 seconds after it saw the original transaction enter its memory pool. This extremely fast sweep applied to the address with the passphrase ‘Call me Ishmael’, the opening line from the novel Moby-Dick,” the researcher said.
But how is this possible?
The author suggested that these hackers have servers up online 24/7 scanning the blockchain and their respective memory pools for weak brainwallets to hack.
“These servers are likely to have pre-generated many hundreds of thousands of Bitcoin addresses, using text from thousands of published works, music, books, academic papers, magazines, blogs, tweets and other media and then stored these in a database,” the researcher said.
In a similar experiment around a year ago, the researcher used “a reasonably obvious pattern deep inside some of the world’s best selling novels” in order to generate new addresses and the funds still have not been stolen.
“These funds are still sitting in the blockchain today and have not been stolen. The key difference appears to be that these passphrases were not directly generated from unmodified text in the books, therefore the funds sit there unredeemed and the hackers have not yet found the passphrases,” the experimenter said, stressing that “one should absolutely not consider this a safe way of storing funds.”
In conclusion, the report advised crypto owners not to use a brainwallet generated from published materials. However, “by combining many different categories of information, a secure brainwallet may be possible.”
“In a real-world scenario, if someone (including a refugee) has access to Bitcoin, they probably also have access to the internet and therefore a more secure way of storing coins could be to email yourself an encrypted backup of your private key,” the researcher said, adding that, in the longer term, it’s also risky as the email can be compromised too.