Securing a wallet properly is a skill that everyone who wants to store their BTC themselves should be familiar with. This applies, of course, not only to Bitcoin but to all cryptocurrencies. Most investors educate themselves and follow the common rules when it comes to the security of their wallets.
However, there are cases where users lose control of their assets or data. Bitcoin wallets are offered for sale on the internet, particularly on the so-called darknet, but those wallets are not decrypted.
We have looked at these offers in more detail and would like to give you an assessment of what to make of them.
The Offers Are Mostly Fraud
Why would someone sell a wallet, let alone a whole collection of wallet files at a dumping price? Often, the sellers even make statements about how much BTC is on a wallet or how the password is constructed.
You get the impression that there is a jackpot and all you have to do is buy the wallets and then find the right password. We will look at password cracking in more detail later. For now, just this much: It is usually not possible to crack a password if it has been created securely. The fraudsters make easy money with the gullibility of their customers, who are often overwhelmed by greed when they imagine a fortune in the form of Bitcoin, Ethereum, Dogecoin or other cryptocurrencies.
They create the wallets themselves, set complex passwords and, after they have sold their wallet files, sometimes even withdraw amounts from the wallets later. We also know of cases of fake wallet files that show a BTC balance but do not contain the private keys. In the end, the buyer of such wallets goes away empty-handed even if they find the password.
Digital Theft Is Also a Crime
If we assume that these are not cases of fraud, in which the wallets have been created and filled with BTC or even faked by the seller, then only one other option remains: The offered goods are data sets that have been stolen in a hack.
Wallet files can be obtained in different ways. Phishing is a method that is very frequently used. Another source is so-called dumps, in which, for example, a security vulnerability in a NAS is exploited and massive amounts of data are exposed. In the end, this data ends up on the net and can be searched. Occasionally, wallet files are found here that have been extracted by criminals and then offered for sale.
At this point, it should hopefully dawn on most of our readers that the acquisition and possession of stolen data is a crime in Germany and in many other countries. If you were to enjoy success with such a wallet file and obtain Bitcoin, that would also be a crime and could have serious consequences. However, this typically does not happen anyway and the reason is very simple.
Let’s suppose that we have received a wallet that contains BTC and that we could potentially crack it. Why would someone sell it rather than cracking it themselves? We have to assume that the probability is extremely low that it is a wallet with a weak password.
In principle, even a completely unknown password can be found. There is special software for this: the target file is loaded into it, and the computer then performs millions of operations, trying all possible combinations for the password one after the other. This method is called a brute force attack because it tries to crack a password with raw “computing power”. You need not only the software but also the relevant knowledge and experience and, above all, one thing: as much computing power as possible.
However, even if you have all of this, there is no guarantee of success. The longer and more complex the password, the less likely the attack is to succeed. Here is a small insight into how long it takes, for example, to crack a Bitcoin Core password by brute force attack using an RTX 3090.
Password length | Characters Used | Time needed |
---|---|---|
7 | Lowercase letters | 6.3 days |
7 | Lowercase and uppercase letters, numbers | 7.5 years |
7 | Lowercase and uppercase letters, numbers & special characters | 150 years |
8 | Lowercase letters | 163 days |
8 | Lowercase and uppercase letters, numbers | 467 years |
8 | Lowercase and uppercase letters, numbers & special characters | 13,042 years |
These are only approximate figures, of course, and the result may be faster or slower depending on the computing power used.
If the password was created with a password generator that works with 20 or more characters and uses uppercase and lowercase letters, numbers and special characters, a brute force attack has no chance of success. If the password of a stolen wallet is cracked, then the thief is very likely to have done it himself, or otherwise it is fraud.
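The arithmetic behind the table, as an added example that is not part of the original article: it derives the guess rate implied by the first table row, checks the other rows against it, and extends the estimate to the 20-character generated password mentioned above. The alphabet sizes (94 printable characters including specials) and the assumption that the table reports a search of the full keyspace are assumptions of this example.

```python
# Added example: keyspace arithmetic behind the brute-force table.
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabet sizes (assumption: 32 printable ASCII specials, space excluded).
ALPHABETS = {"lower": 26, "alnum": 62, "full": 94}


def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def implied_rate(length, alphabet_size, seconds):
    """Guesses per second implied by one table row (full keyspace search)."""
    return keyspace(length, alphabet_size) / seconds


def years_to_exhaust(length, alphabet_size, rate):
    """Worst-case years to try every candidate; the average case is half."""
    return keyspace(length, alphabet_size) / rate / SECONDS_PER_YEAR


# Calibrate on the first table row: 7 lowercase letters in 6.3 days.
RATE = implied_rate(7, ALPHABETS["lower"], 6.3 * SECONDS_PER_DAY)


def report():
    """Years to exhaust each (length, alphabet) pair at the calibrated rate."""
    rows = [(7, "alnum"), (8, "lower"), (8, "alnum"), (8, "full"), (20, "full")]
    return {(n, a): years_to_exhaust(n, ALPHABETS[a], RATE) for n, a in rows}


if __name__ == "__main__":
    print(f"implied rate: {RATE:,.0f} guesses/s")
    for (n, a), years in report().items():
        print(f"{n:>2} chars, {a:<5}: {years:.3g} years")
```

Every extra character multiplies the search time by the alphabet size, which is why the jump from 8 to 20 characters moves the estimate from thousands of years to a figure far beyond any practical attack.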
Aside from that, we would like to give one last piece of advice to anyone who feels like trying anyway. The law enforcement agencies have built up capacities in Germany and Europe to trace stolen cryptocurrencies using blockchain analysis. This has been standard practice on exchanges for some time. As soon as the victim of a theft reports it, any attempt to convert Bitcoin into Euros will be stopped and criminal proceedings will be initiated. Therefore: honesty is the best policy.