The Trezor: January 4, 2016: 7. At the time, it seemed an entirely worthwhile thing to do.
I had recently started working as a research director at the Institute for the Future’s Blockchain Futures Lab, and I wanted firsthand experience with bitcoin, a cryptocurrency that uses a blockchain to record transactions on its network. My experiments with bitcoin were fascinating. It was surprisingly easy to buy stuff with the cryptocurrency. I used bitcoin at Meltdown Comics in Los Angeles to buy graphic novels. By November, bitcoin’s value had nearly doubled since January and was continuing to increase almost daily.
My cryptocurrency stash was starting to turn into some real money. I’d been keeping my bitcoin keys on a web-based wallet, but I wanted to move them to a more secure place. This little device is basically a glorified USB memory stick that stores your private bitcoin keys and allows you to authorize transactions without exposing those keys to the internet, where they could be seized by bad actors. When the Trezor arrived, I plugged it into my computer and went to the Trezor website to set it up.
The website instructed me to write down 24 words, randomly generated by the Trezor one word at a time. I wrote them on a piece of orange paper. Next, I was prompted to create a PIN. The Trezor website explained that these 24 words were my recovery words and could be used to generate the master private key to my bitcoin. If I lost my Trezor or it stopped working, I could recover my bitcoin by entering those 24 words into a new Trezor or any one of the many other hardware and online wallets that use the same standard key-generation algorithm.
It was important for me to keep the paper hidden and safe, because anyone could use it to steal my 7. The Mistake: March 16, 2017: 7. It was 6:30 in the morning. My 14-year-old daughter, Jane, was in London on a school trip, and my older daughter, Sarina, was at college in Colorado. My wife Carla and I were getting ready to leave for the airport to take a vacation in Tokyo. As I was rummaging through my desk drawer for a phone charger, I saw the orange piece of paper with the recovery words and PIN. What should I do with this?
Jane, if anything happens, show this paper to Cory. He’ll know what to do with it. Cory Doctorow, my friend and business partner at my website, Boing Boing. He’s not a bitcoin enthusiast, but I knew he’d be able to figure out how to retrieve the master private key from the word list. I took the paper into Jane’s bedroom, stuck it under her pillow, and we took a Lyft to LAX. The Garbage: April 4, 2017: 7.
We returned from Tokyo on March 24, and I didn’t even think about the orange piece of paper until April 4, when I remembered that I’d put it under Jane’s pillow. She’s been home more than a week and never said anything to me about it. I went into her room and looked under her pillow. I looked under her bed, dragging out the storage boxes to get a better view, using my phone as a flashlight. Did you see that orange piece of paper with my bitcoin password on it? I can’t find it in Jane’s room. Jane was in school, but I texted and asked her.
She said she never saw an orange piece of paper. We had the house cleaned while we were gone. Carla called the cleaning service we’d used and got the woman who cleaned the house on the line. She told Carla that she did indeed remember finding the orange piece of paper.
I knew the garbage had already been collected, but I put on a pair of nitrile gloves and went through the outside trash and recycling bins anyway. Nothing but egg cartons, espresso grinds, and Amazon boxes. The orange piece of paper was decomposing somewhere under a pile of garbage in a Los Angeles landfill. Carla asked if losing the paper was a big deal.
It’s just a hassle, that’s all. I’ll have to send all the bitcoins from the Trezor to an online wallet, reinitialize the Trezor, generate a new word list, and put the bitcoins back on the Trezor. It would only be bad if I couldn’t remember my PIN, but I know it. The Forgetting: April 4, 2017: 7. I plugged the Trezor into my laptop and entered 551445. I tried 551445 again, taking care to enter the digits correctly this time. I’d entered it at least a dozen times in recent months without having to refer to the paper.
I looked at the tiny monochrome display on the bitcoin wallet and noticed that a countdown timer had appeared. It was making me wait a few seconds before I could try another PIN. I went to the hardware wallet manufacturer’s website to learn about the PIN delay and read the bad news: The delay doubled every time a wrong PIN was entered. The number of PIN entry failures is stored in the Trezor’s memory.
The problem was, I was the thief, trying to steal my own bitcoins back from my Trezor. After my sixth incorrect PIN attempt, creeping dread had escalated to heart-pounding panic—I might have kissed my 7. I made a few more guesses, and each time I failed, my sense of unreality grew in proportion to the PIN delay, which was now 2,048 seconds, or about 34 minutes. One hundred guesses would take more than 80 sextillion years. I broke the news to Carla. I told her I couldn’t remember the PIN and that I was being punished each time I entered an incorrect PIN.
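The doubling delay described above can be modelled in a few lines. This is an added example, not Trezor firmware and not part of the original article: it assumes the wait after the n-th wrong PIN is 2**n seconds (consistent with the 2,048 and 16,384 second waits quoted in the story), and `ThrottledPin`, its `store` dict and the sample PIN are hypothetical stand-ins for a device whose failure counter survives a power cycle.

```python
import hmac

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def delay_after(failures: int) -> int:
    """Lockout in seconds after `failures` wrong PINs (assumed to be 2**n)."""
    return 2 ** failures if failures > 0 else 0

def total_wait(failures: int) -> int:
    """Total seconds spent locked out across `failures` consecutive wrong PINs."""
    return sum(delay_after(n) for n in range(1, failures + 1))

def guesses_within(budget_seconds: float) -> int:
    """How many wrong PINs fit in a time budget, lockouts included."""
    n = 0
    while total_wait(n + 1) <= budget_seconds:
        n += 1
    return n

class ThrottledPin:
    """Toy device: `store` is a dict standing in for flash that survives power loss."""

    def __init__(self, pin: str, store: dict):
        self._pin = pin
        self._store = store
        self._store.setdefault("failures", 0)

    def wait_required(self) -> int:
        return delay_after(self._store["failures"])

    def try_pin(self, guess: str, waited: int) -> bool:
        if waited < self.wait_required():
            raise PermissionError("still locked out")
        # Design choice of this sketch: record the failure before comparing,
        # so cutting power during the check cannot skip the increment.
        self._store["failures"] += 1
        if hmac.compare_digest(guess, self._pin):
            self._store["failures"] = 0
            return True
        return False

if __name__ == "__main__":
    print(delay_after(11), delay_after(14))  # the two waits quoted in the article
    print(f"{total_wait(100) / SECONDS_PER_YEAR:.2e} years for 100 wrong guesses")
    print(guesses_within(SECONDS_PER_YEAR), "wrong guesses fit in one year")
```

Because the counter lives in persistent storage, unplugging the device does not reset the wait, which is why the number of feasible guesses grows only logarithmically with the time an attacker is willing to spend.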
When she asked me why, I didn’t have an answer. I knew it would be a mistake to waste a precious guess in my agitated condition. My mind had become polluted with scrambled permutations of PINs. I went into the kitchen to chop vegetables for a curry we were making for dinner. But I couldn’t think of much else besides the PIN. As I cut potatoes into cubes, I mentally shuffled around numbers like they were Scrabble tiles on a rack.
After a while, a number popped into my head: 55144545. The little shuteye I managed to get was filled with nightmares involving combinations of the numbers 1, 4, and 5. 8,000 that bothered me—it was the shame I felt for being stupid enough to lose the paper and forget the PIN. I also hated the idea that the bitcoins could increase in value and I wouldn’t have access to them. If I wasn’t able to recall the PIN, the Trezor would taunt me for the rest of my life.
The Search: April 5, 2017: 7. That morning, bleary eyed, I started looking into ways to get my bitcoins back that didn’t involve recalling my PIN or recovery words. If I’d lost my debit card PIN, I could contact my bank and I’d eventually regain access to my funds. No one owns the bitcoin transaction network. Instead, thousands of computers around the world run software that validates the system’s transactions. Feel free to ridicule me—I deserve it.
I wrote my PIN code and recovery seed on the same piece of paper. I was planning to etch the seed on a metal bar and hide it, but before that happened my housecleaning service threw the paper away. Now I can’t remember my password and I have tried to guess it about 13 times. I now have to wait over an hour to make another guess. Very soon it will be years between guesses. Is there anything I can do or should I kiss my 7.
Most of the replies were sympathetic and unhelpful. One person said I should get in touch with Wallet Recovery Services, which performs brute-force decryption on encrypted Bitcoin wallets. I emailed them and asked for help. You need to either guess your PIN correctly, or find your seed.
Trezor and there are people who know how to get all the information that is needed to get your wallet working again. There is no need to try different PIN codes. You can regain possession of all your bitcoins. The other users on the subreddit thought zero404cool wasn’t on the level. I was inclined to agree with them, especially after reading about the lengths Trezor had gone to to make its device impenetrable to hackers. The manufacturer claimed with confidence that the Trezor could withstand any attempt to compromise it.
To confirm, I emailed Trezor and explained my predicament. In all these situations there is either a PIN code or recovery seed needed to get an access to your funds. Unfortunately, without knowledge of at least one of these, no one is able to get access to this particular account with the funds stored on it. Is there anything else I can help you with, Mark? The situation was starting to feel hopeless. Yes, I can help you if you are willing to accept my help. Obviously, you are not going to find these instructions anywhere online.
And it requires certain technical skills to complete them properly. A professional can extract all information just in 10 seconds. But this is not public knowledge, it’s never going to be. The problem is that I don’t know you. I don’t know if your story is real or not. I don’t even know if you are a real person who really owns a Trezor. For example, you could as easily ask this to hack into someone else’s device.
So, for this to work we have to gain each other’s trust I guess. I wrote back and told zero404cool to Google my name, to help him decide if he could trust me. He’d see that I was one of the first editors of Wired, coming on board in 1993. I founded the popular Boing Boing website, which has 5 million monthly unique readers.
I was the founding editor-in-chief of the technology project magazine, Make. Hi Mark, It seems that you are not afraid of soldering and command line programs. I guess we can proceed with this recovery as DIY project then? I hope that you are not in too much hurry to complete it?
I replied that I wasn’t in a hurry. I didn’t hear from him after that. The Hypnotist: May 25, 2017: 7. I was in a reclining chair in her Encino office, covered in a blanket, concentrating on her soothing patter.
My wife, a journalist and editor, had interviewed Michele a few years ago for an article about hypnotism in movies, and I was so desperate to recall my PIN that I made an appointment with her. Earlier in the session, Michele had me reenact the experience of writing my PIN on an orange piece of paper. She put the paper in her desk drawer and had me sit down and open the drawer and look at the paper. She explained that we were trying different techniques to trigger the memory of the PIN. The exercises didn’t cause anything to surface to my conscious mind, but Michele told me that we were just priming my subconscious for the upcoming hypnosis portion of my appointment.
She dimmed the lights and spoke in a pleasantly whispery singsong patter. She asked me to imagine going down a long, long escalator, telling me that I would fall deeper and deeper into a trance as she spoke. The ride took at least 15 minutes. I felt relaxed—but I didn’t feel hypnotized. After nearly four hours in her office, I decided the PIN was 5514455. It took me a few days to build up the nerve to try it. Every time I thought about the Trezor my blood would pound in my head, and I’d break into a sweat.
When I tried the number, the Trezor told me it was wrong. I would have to wait 16,384 seconds, or about four and a half hours, until the device would let me try to guess again. The Final Guess: August 12, 2017: 7. I tried to stop thinking about bitcoin, but I couldn’t help myself. To make matters worse, its price had been climbing steeply over the summer with no end in sight. I couldn’t escape the fact that the only thing keeping me from a small fortune was a simple number, one that I used to recall without effort and was now hidden in my brain, impervious to hypnotism, meditation, and self-scolding. Some nights, before I went to sleep, I’d lie in bed and ask my brain to search itself for the PIN.
Carla and I were folding laundry in the evening when Sarina came in. She was home from college for the summer. I know what the bitcoin password is! Well, you sometimes use 5054 as your password, but since the Trezor doesn’t have a zero, you would have just skipped it and put nothing there.
You wouldn’t have made it 5154, you would have just used 554, and added 45 to it. I sometimes append my passwords with 45 because the number has a meaning to me. I thought she might be right. If it isn’t 55445, then it’s 554455, because sometimes you add 455 at the end of your passwords. I’ll think about it overnight and if I like it, I’ll try it tomorrow.
In the morning, I decided that I’d try the numbers. I felt better about them than any other numbers I could think of. I had to wait 16,384 seconds, or about four and a half hours, before I could enter the PIN. It was a Sunday, so I did things around the house and ran a couple of errands. Once the Trezor was ready, I asked Carla, Sarina, and Jane to gather around my computer with me. I wanted them for moral support, to make sure I entered the PIN correctly, and to share in the celebration with me if the PIN happened to be right.
I sat in the chair while Jane, Sarina, and Carla stood around me. My heart was racing so hard that I could hear my head throb. I tried to keep my breathing under control. Each time I entered a digit, I waited for one of my family members to confirm that I got it right.
After entering 55445, I hovered the mouse cursor over the Enter button on the Trezor website. Carla put her hand on my shoulder. That seemed like the right thing to do. The next morning before breakfast, I went into the office by myself and tried 554455.
The Email: August 16, 2017: 7. Awareness of my forgotten PIN had become something like tinnitus—always in the background, hard to ignore, annoying. What was wrong with my brain? Would I have remembered the PIN if I was in my 20s or 30s? I was feeling sorry for myself when I saw an email from Satoshi Labs, manufacturer of the Trezor, arrive in my inbox. In order to exploit this issue, an attacker would have to break into the device, destroying the case in the process. They would also need to flash the device with a specially crafted firmware.
If your device is intact, your seed is safe, and you should update your firmware to 1. 2, this attack vector is eliminated and your device is safe. Could there be a vulnerability in Trezor’s bulletproof security, one that I could take advantage of? TREZOR to see what people were saying about it. The first thing I found was a link to a Medium post by someone who said they knew how to hack the Trezor using the exploit mentioned in the email.
The author included photos of a disassembled Trezor and a screengrab of a file dump that had 24 key words and a PIN. The author also included a link to custom Trezor firmware but no instructions on how to use it. I read the article a couple of times before I looked at the author’s name: Doshay Zero404Cool. It was the same person I’d corresponded with on Reddit five months earlier! Hi, have you figured out your PIN code?
If not—it’s such a small amount that you have locked up there. It’s hardly even worth the recovery work. I considered accepting zero404cool’s offer to help, but I decided to first reach out to a bitcoin expert I’d gotten to know over the years named Andreas M. Antonopoulos, author of The Internet of Money. I’d interviewed Andreas a few times for Boing Boing and Institute for the Future, and he was a highly respected security consultant in the bitcoin world.
He knew more about bitcoin than anyone I’d met. 30,000 worth of bitcoins stuck on my Trezor. I asked if the vulnerability offered a chance to get my bitcoins back. The vulnerability described in the article is in fact real and it can be used to recover your seed, since you have not upgraded firmware to 1. I’m lucky I didn’t upgrade my Trezor to 1. The kid was 15 years old and his name was Saleem Rashid. Andreas had never met him, but he’d spent a lot of time hanging out with him in Slack.
Satoshi Labs, maker of the Trezor, also knew about Saleem and had even given him a couple of development Trezors to experiment with. Mark is the owner of a well-locked Trezor hoping for a miracle. Andreas outlined the plan: Saleem would initialize one of his Trezors with identical firmware as mine, practice a recovery hack on it until he perfected it, then send me the exploit program via Telegram. I would buy a second Trezor and practice installing and executing Saleem’s hack until I had it down pat. I told Saleem I wanted step-by-step video instructions on what to do. I was successful in getting my bitcoins back. If you end up spending a lot of extra time preparing the instructions, let me know and we can increase the payment accordingly.
I ordered a second Trezor on Amazon. In the meantime, Saleem told me I would need the open source operating system Ubuntu Linux. The Fee: August 24, 2017: 7. So, would it be possible to get 0.35 BTC for the video and the exploit firmware, then 0.