Thousands of Bitcoins, Ether and tokens are lost in wallets all around the globe. Many things can happen that leave you unable to access your funds. In some cases, though, it is still possible to recover these dead wallets!
Don’t use any kind of information provided on this page for illegal activities!
How does the recovery process work?
First, the recovery only works if you have a wallet file. If not, there is no chance to recover it. Second, if you have a very strong, long and randomly generated password and no information about it, no service and no one else can recover your wallet in a reasonable time. If your password was weak, and you have some information about it, you can increase your chances to recover it enormously.
Recovery at home
First you need your wallet file, often called wallet.dat. From this file you can extract a hash with a script like bitcoin2john.py for Bitcoin or ethereum2john.py for Ethereum. This hash can then be cracked with tools like HashCat, using methods like a dictionary or brute force attack. Once you have successfully recovered the password, you can access your wallet again.
To extract the hash of your Bitcoin wallet, you need to run the Python script called bitcoin2john.py. To do so, you need to install Python (2.7) first.
Download the script from github.com/openwall and run it with the following command line to create the wallet.hash from the wallet.dat file.
python bitcoin2john.py wallet.dat > wallet.hash
The wallet.hash file should then look like this.
You can also do this step via an online service from hashes.com/bitcoin2john.
The ethereum2john.py script works the same way as the bitcoin2john.py script, just for Ethereum.
One of the best-known tools for recovering a huge number of different hash types is HashCat.
It offers a lot of functionality, all explained on the Wiki. Some basic attack methods are shown below.
The general command to crack a given Bitcoin wallet hash with a dictionary is as follows
hashcat -m 11300 --force wallet.hash wordlist.txt
The parameter (-m 11300) defines the Bitcoin/Litecoin wallet hash mode. The parameter (--force) is only needed if GPU driver warnings occur.
The Combinator Attack simply combines words of one or more dictionaries together to create new words.
Brute Force Attack
For a Brute Force Attack you don’t need a wordlist. A brute force attack tries all possible combinations for a given charset, generally starting with passwords of length 1 and increasing the length step by step. This approach will for sure find the password at some point. But if you do the maths and it is a strong password, this will take weeks or even millions of years.
hashcat -a 3 -m 11300 --force wallet.hash
The parameter (-a 3) defines the attack mode, in this case a brute force attack.
A Mask Attack is an advanced brute force attack where you set a mask to specify the charset for each character position of the password. This is very useful for reducing the overall number of calculation cycles. In the following example we do a brute force attack (-a 3) and assume the password is only 7 characters long, where the first 5 characters can be any possible character but positions 6 and 7 are numbers.
hashcat -a 3 -m 11300 --force wallet.hash ?a?a?a?a?a?d?d
The string (?a?a?a?a?a?d?d) represents the mask and describes which charset is allowed at which position.
A good overview of how to do a mask attack with a custom charset can be found on 4ARMED.
This Hybrid Attack method combines other attack methods into one.
An older tool for recovering Ethereum wallets is called pyethrecover.
Let’s try it!
You can download an already emptied wallet from here: 78.dat
Upload it to hashes.com/bitcoin2john or use the python script locally to create the hash.
Save it in a file called…, let’s say, wallet.hash.
We know the password has a length of 11, so a simple brute force attack will take much too long on a regular PC.
But we assume we know something about the password: we remember that the password started with “chpoopo”, and we know that the last character was some symbol and the second and third last characters were numbers. So we can create a command with a mask like this.
hashcat -a 3 -m 11300 --force F:\#Hashing\wallets\78.hash chpoopo?a?d?d?s
After some minutes you should see the decrypted password. All decrypted passwords can be found in the hashcat.potfile in the main directory of HashCat.
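The maths behind this walkthrough, as an added sketch that is not part of the original page or of HashCat: it counts the candidates described by the mask above and by an unconstrained 11-character ?a brute force, then converts both to a worst-case run time. The charset sizes are those of hashcat's built-in ?l, ?u, ?d, ?s and ?a sets; the rate of 1,000 candidates per second is an assumption, not a benchmark, and the function names are hypothetical.

```python
# Added example: keyspace arithmetic for hashcat-style masks (not HashCat code).
# Sizes of hashcat's built-in charsets; other placeholders are rejected.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

ASSUMED_RATE = 1_000  # candidates per second; an assumed figure, not a benchmark


def mask_keyspace(mask):
    """Return how many candidate passwords a mask describes."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1              # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            pass                # '??' is a literal question mark
        elif key in CHARSET_SIZES:
            total *= CHARSET_SIZES[key]
        else:
            raise ValueError(f"unsupported placeholder ?{key}")
        i += 2
    return total


def worst_case_seconds(mask, rate=ASSUMED_RATE):
    """Seconds needed to try every candidate at the given rate."""
    return mask_keyspace(mask) / rate


def human(seconds):
    """Format a duration using the largest fitting unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Masks from the walkthrough: known prefix and structure vs. nothing known.
    for mask in ("chpoopo?a?d?d?s", "?a" * 11):
        print(f"{mask:<24} {mask_keyspace(mask):>30,} candidates, "
              f"worst case {human(worst_case_seconds(mask))}")
```

The figures are worst-case times for exhausting the whole keyspace; on average the password is found after about half of it.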
You can contact us directly to help recover your lost bitcoin funds