Engineer recovers $2M in ‘lost’ crypto by hacking Trezor wallet

In early 2018, Dan Reich and a friend decided to buy a batch of Theta tokens, spending $50,000 in Bitcoin. The token was valued at $0.21 apiece at the time. At first the friends held the tokens in a wallet on a crypto exchange based in China, but a major crackdown by Chinese regulators and the government threatened to cost them their assets. The two decided to move their holdings to a Trezor One hardware wallet. They chose a PIN to keep the assets safe, went on with their lives, and neglected the wallet.

By the end of 2018 the token's value had dipped, then surged for a while, then dipped again. Given the market's volatility, Reich decided to cash out. But his friend had misplaced the paper on which he had written the PIN and had also forgotten the digits. They tried to guess the PIN five times and failed at each attempt. While they kept guessing, the value of the token doubled. After a dozen attempts they had to stop, because the wallet erases its data automatically after 16 failed attempts.

Reich eventually gave up and took his mind off the money. He was ready to accept the loss, but the token's value surged rapidly once again, pulling his attention back to the asset. From about $12,000, the value of their holdings climbed massively. As 2020 came to an end, the tokens had an estimated value of $3 million.

Now, with potentially millions of dollars on the line, the friends were more eager than ever to get into the wallet. Accessing the wallet without the PIN would certainly be very difficult, but it was not impossible.

In their attempts to get into the wallet, Reich and his friend discovered that it was possible to gain access without the PIN. Reich, a financier in Switzerland, got in touch with Joe Grand, a hardware hacker and computer engineer. Grand worked on the wallet, gained access, and retrieved the tokens.

Gaining Access to the Trezor One hardware wallet

Joe Grand is a hardware hacker and computer engineer based in Portland who goes by the hacker alias Kingpin. After a dozen failed attempts at guessing the Trezor One PIN, Reich and his friend sought Grand's help. Grand eventually hacked the Trezor One hardware wallet, which held about $2 million worth of crypto.

After gaining access to the wallet, Grand later uploaded a video on YouTube explaining how he executed the creative hack. 

Watching the value of the asset surge over time motivated Reich and his friend to find a hacker who could crack the wallet, and they got in contact with Grand to give it a try. Grand, who eventually succeeded, confirmed that it took about 12 weeks to get a breakthrough. He found his answer in the way the wallet updates its firmware: during an update, the Trezor One temporarily moves the key and PIN into RAM and writes them back to flash immediately afterwards. With more research, Grand discovered that the firmware version on Reich's wallet did not move the key and PIN to RAM but merely copied them there. This meant that if the hack failed and the RAM contents were lost, the key and PIN would still be intact in flash.

Grand then tried a fault injection attack, a technique that manipulates the voltage supplied to the chip. With it, Grand bypassed the protection that prevented the RAM from being read, and from the RAM contents he recovered the PIN needed to access the wallet.
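To make the weakness above concrete from the defender's side, here is an added example in C. It is not Trezor's firmware and not Grand's code; it is a constructed model with a "flash" array for persistent storage and a "RAM" array as the update's working buffer. The weak update copies the secret into RAM and never clears it, so it remains readable afterwards; the hardened update zeroises the working copy as soon as it is no longer needed (not copying the secret at all is stronger still). The block also models the 16-attempt wipe the article mentions, with a constant-time PIN comparison. The secret bytes, the PIN, and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 32          /* size of the constructed seed/PIN blob */
#define MAX_PIN_ATTEMPTS 16    /* wipe threshold described in the article */

/* Constructed model of the device (not Trezor's real layout): one "flash"
 * region that persistently stores the secret, and one "RAM" working buffer
 * used during a firmware update. */
static uint8_t flash_secret[SECRET_LEN];
static uint8_t ram_secret[SECRET_LEN];
static unsigned failed_attempts = 0;
static const char stored_pin[] = "7391";   /* constructed sample PIN */

/* Zeroise through a volatile pointer so the compiler cannot discard the
 * stores as dead writes, which it may do with a plain memset. */
static void secure_zero(volatile uint8_t *p, size_t n) {
    while (n--) *p++ = 0;
}

/* Fill flash with a recognisable constructed secret and reset the model. */
void load_constructed_secret(void) {
    for (size_t i = 0; i < SECRET_LEN; i++)
        flash_secret[i] = (uint8_t)(0xA0 + i);
    secure_zero(ram_secret, SECRET_LEN);
    failed_attempts = 0;
}

/* Is the flash secret all zeros, i.e. has the device wiped itself? */
int flash_is_wiped(void) {
    for (size_t i = 0; i < SECRET_LEN; i++)
        if (flash_secret[i] != 0) return 0;
    return 1;
}

/* Weak pattern: the secret is copied into RAM for the update and written
 * back, but the RAM copy is never cleared and stays readable afterwards. */
void firmware_update_weak(void) {
    memcpy(ram_secret, flash_secret, SECRET_LEN);
    /* ... firmware image rewritten here (omitted in this model) ... */
    memcpy(flash_secret, ram_secret, SECRET_LEN);
    /* no cleanup of ram_secret */
}

/* Hardened pattern: same flow, but the working copy is zeroised the moment
 * it is no longer needed. */
void firmware_update_hardened(void) {
    memcpy(ram_secret, flash_secret, SECRET_LEN);
    /* ... firmware image rewritten here (omitted in this model) ... */
    memcpy(flash_secret, ram_secret, SECRET_LEN);
    secure_zero(ram_secret, SECRET_LEN);
}

/* Audit check: does RAM still hold a byte-for-byte copy of the live secret? */
int ram_holds_secret(void) {
    return !flash_is_wiped() && memcmp(ram_secret, flash_secret, SECRET_LEN) == 0;
}

/* PIN check with the attempt counter: returns 1 on success, 0 on a wrong
 * guess, and -1 once the limit is reached and the secret has been wiped.
 * The comparison touches every stored digit regardless of where a mismatch
 * occurs, so timing does not reveal how many leading digits were right. */
int try_pin(const char *guess) {
    if (failed_attempts >= MAX_PIN_ATTEMPTS) return -1;
    size_t n = sizeof(stored_pin) - 1;
    size_t glen = strlen(guess);
    uint8_t diff = (uint8_t)(glen != n);
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(stored_pin[i] ^ (i < glen ? guess[i] : 0));
    if (diff == 0) { failed_attempts = 0; return 1; }
    if (++failed_attempts >= MAX_PIN_ATTEMPTS) {
        secure_zero(flash_secret, SECRET_LEN);
        secure_zero(ram_secret, SECRET_LEN);
        return -1;
    }
    return 0;
}

int main(void) {
    load_constructed_secret();
    firmware_update_weak();
    printf("weak update: RAM still holds secret = %d\n", ram_holds_secret());
    firmware_update_hardened();
    printf("hardened update: RAM still holds secret = %d\n", ram_holds_secret());
    int r = 0;
    for (int i = 0; i < MAX_PIN_ATTEMPTS; i++) r = try_pin("0000");
    printf("after %d wrong PINs: result %d, flash wiped = %d\n",
           MAX_PIN_ATTEMPTS, r, flash_is_wiped());
    return 0;
}
```

The point of `ram_holds_secret` is the audit a firmware reviewer would want: after any code path that handles the seed or PIN, no copy should remain in a buffer that a debug interface or a glitched read-protection check could expose. Zeroising is the minimum; keeping the secret in place rather than copying it during the update removes the window entirely.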

After Grand revealed his technique, Trezor announced on Twitter that the vulnerability which allowed the PIN to be read from RAM had been fixed.
