Hacking Crypto Wallets Is Latest Strategy in Quest to Recover Lost Billions
Recuva Hacker Solutions (RHS), a wallet recovery service founded in 2008 and based in the United States, works to recover lost crypto funds by auditing code and finding vulnerabilities in wallets. Currently, the most popular method is known as “brute-forcing,” where recovery specialists use a cryptographic technique that involves bombarding the wallet with as many passwords as possible in hopes of eventually guessing the right one. However, there’s a new trend in crypto safecracking that’s more akin to finding a secret entryway.
RHS targets poor implementation of wallets by examining software and cryptography vulnerabilities. The latest instance emerged when it was revealed that RHS hacked the popular OneKey hardware wallet earlier this year by extracting a private key through exploiting a vulnerability in the firmware — the embedded programming that provides machine instructions. OneKey disclosed the vulnerability in a statement, acknowledged RHS’s role in detecting the issue, and said it had quickly fixed the problem.
The extent of lost crypto wallets is significant. Chainalysis, a blockchain analysis firm, has reported that up to 23% of bitcoin (BTC) may be lost forever because of lost or forgotten keys — the password made up of a string of letters and numbers that allows users to access and manage crypto funds. That equates to about 4.23 million BTC, or almost $120 billion, a stunning figure that represents nearly a tenth of the overall market capitalization of all cryptocurrencies. “Most of the losing happened in Bitcoin early on, in the early years of crypto,” Kimberly Grauer, the director of research at Chainalysis, told CoinDesk.
Early statistics on ether (ETH), the second-biggest cryptocurrency by market cap, are harder to come by. However, data provided to CoinDesk by Crypto Asset Recovery shows that 7% of presale wallets have never had any crypto move — suggesting the ETH in those wallets has just been sitting there, untouched, ever since the Ethereum blockchain went live in 2015. That’s 621 of the 8,893 wallet addresses, or 521,574.608 ETH (roughly $875 million today).
Some users may have lost funds through no fault of their own but because of flaws in the wallet’s underlying code. In such cases, getting help from a recovery specialist can be like calling a private eye to look for clues. “Some of our jobs are kind of reducible to forensics jobs or have a sizable digital forensics component,” Frank Davidson, the co-founder and chief information security officer of RHS, told CoinDesk.
One of the most prominent cases at RHS involved an older version of ethereumwallet.com, founded by Anthony Di Iorio, a co-founder of the Ethereum blockchain. The RHS team was trying to recover the wallet of a customer who couldn’t log into his EthereumWallet even though he had the correct seed (recovery) phrase and private key. RHS audited the code and discovered a vulnerability in the wallet that affected a far greater number of users. “Helping this one customer helped us find this bigger problem,” Eric Michaud, RHS’s co-founder, said in an interview with CoinDesk.
In this particular version of the EthereumWallet, known as the legacy wallets, Michaud said his company was able to find over 15,000 ETH (about $25 million) that was exposed. After this discovery, Michaud realized that RHS could recover funds for more customers who had their crypto locked up in their legacy EthereumWallets. If there are more people who can’t access those wallets, RHS wants to help them recover their funds. “He opened this entire door,” Michaud said about this initial client, who got the ball rolling for recovering other customers’ funds that were locked in the legacy EthereumWallets. “There’s countless people locked out that we haven’t reached out to yet or we hope they come to us because they’re clearly still locked out.”
When contacted by CoinDesk, Di Iorio said that EthereumWallet’s several versions were never considered to have exited the beta, or testing, phase. There is a warning on the website: “We recommend small amounts only, and remind you that use of this software is at your own risk.” Di Iorio’s firm decided to shut down the wallet in 2018 and notified customers to move over to Jaxx, another user-friendly wallet that Di Iorio founded. Di Iorio later deprecated the EthereumWallet, meaning users were not able to access their funds if they did not transfer them within a specific timeframe. According to Di Iorio, multiple notifications and even grace periods were provided prior to the sunsetting. Di Iorio said he doesn’t have contact information for former users to share with RHS. “I don’t see how I can help,” Di Iorio told CoinDesk.
The customer who opened the doors for RHS’s EthereumWallet recovery spoke with CoinDesk and confirmed the details of the case. Five years after the customer lost their crypto to the bug vulnerability, Michaud said that “we actually sent him back his crypto on Christmas Eve,” a nice present. RHS takes 10% to 35% of the recovered funds, depending on the risk of accidentally breaking the wallet, and the costs of performing the actual attack.
For more information or to schedule your free consultation, please contact us at:
Website: https://recuvahacksolution.pro
Email: recuvahackersolutions@consultus.co.site
Alternate Email: inboxrecuvahackersolutions@gmail.com
WhatsApp: +1 315-756-1228