Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years' worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.

The heists were carried out against almost 900 accounts where the owners used passwords to generate the private encryption keys required to withdraw funds. In many cases, the vulnerable accounts were drained within minutes or seconds of going live. The electronic wallets were popularly known as "brain wallets" because, the thinking went, Bitcoin funds were stored in users' minds through memorization of a password rather than a 64-character private key that had to be written on paper or stored digitally. For years, brain wallets were promoted as a safer and more user-friendly way to secure Bitcoins and other digital currencies, although Gregory Maxwell, Gavin Andresen, and many other Bitcoin experts had long warned that they were a bad idea.

The security concerns were finally proven once and for all last August when Ryan Castellucci, a researcher with security firm White Ops, presented research at the Defcon hacker convention that showed how easy it was to attack brain wallets at scale. Brain wallets used no cryptographic salt and passed plaintext passwords through a single hash iteration (in this case, the SHA256 function), a shortcoming that made it possible for attackers to crack large numbers of brain wallet passwords at once. Worse, a form of the insecurely hashed passwords are stored in the Bitcoin blockchain, providing all the material needed to compromise the accounts.

By contrast, Google, Facebook, and virtually all other security-conscious services protect passwords by storing them in cryptographic form that's been passed through a hash function, typically tens of thousands of times or more, a process known as key stretching that greatly increases the time and resources required by crackers. The services also use cryptographic salt, a measure that requires each hash to be processed separately to prevent the kind of mass cracking Castellucci did. Security-conscious services also go to great lengths to keep password hashes confidential, a secrecy that's not possible with Bitcoin because of the transparency provided by the blockchain.

Brain drain

According to a recently published research paper, the brain wallet vulnerability was known widely enough to have been regularly exploited by real attackers going after real accounts. Over a six-year span that ended last August, attackers used the cracking technique to drain 884 brain wallet accounts of 1,806 bitcoins. Based on the value of each coin at the time the theft took place, the value of the purloined coins was $103,000.

"Our results reveal the existence of an active attacker community that rapidly steals funds from vulnerable brain wallets in nearly all cases we identify," the paper authors wrote. "In total, approximately $100K worth of bitcoin has been loaded into brain wallets, with the ten most valuable wallets accounting for over three-quarters of the total value. Many brain wallets are drained within minutes, and while those storing larger values are emptied faster, nearly all wallets are drained within 24 hours."

The paper, titled "The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets," is scheduled to be presented later this month at the Financial Cryptography and Data Security 2016 conference. Its publication comes about six months after Brainwallet.org, the most widely used Bitcoin-based brain wallet service, permanently ceased operations. The service voluntarily shut down following the Defcon presentation by Castellucci, who is one of the authors of the most recent paper.

To identify brain wallets and then crack them, the research team compiled 300 billion password candidates taken from more than 20 lists, including the Urban Dictionary, the English language Wikipedia, the seminal plaintext password leak from the RockYou gaming website, and other large online compromises. By collecting words and entire phrases from a wide body of sources, the researchers employed a technique Ars covered in 2013 that allowed them to crack words and phrases many people would have considered to be strong passwords. Cracked passphrases included "say hello to my little friend," "yohohoandabottleofrum," and "dudewheresmycar."

The researchers ran each password candidate through the SHA256 function to derive a list of potential private keys for Bitcoin addresses used by brain wallets. They then used a cryptographic operation based on elliptic curves to find the public key corresponding to each potential private key. Since the Bitcoin blockchain contains the public key of every account wallet, it was easy to know when a password guess was used by a real Bitcoin user.

The paper reported that vulnerable accounts were often drained within minutes of going live, and in an interview, Castellucci said that some accounts were liquidated in seconds. Castellucci said he suspects the speed was the result of attackers who used large precomputed tables containing millions or billions of potential passwords. While many of the attackers who drained vulnerable accounts earned paltry sums for their work, the top four drainers netted about a total of $35,000 among them. Meanwhile, the drainer who emptied the most brain wallets—about 100 in all—made $3,219.

The thefts were often chronicled in online forums, where participants would report that their Bitcoin wallets had mysteriously been emptied. For a while, people assuming the role of a digital Robin Hood claimed to crack vulnerable wallets, drain them of their contents, and then wait for the victim to publicly complain of the theft on Reddit or various bitcoin forums. The Robin Hood and Little John hackers would then claim to return the funds once the victim proved control of the compromised private key.

While plenty of people publicly warned of risks of brain wallets over the years, the vulnerability was often dismissed as theoretical by some. Brain wallets are now generally shunned by Bitcoin users, but Castellucci warned that an alternative crypto currency known as Ethereum can use a brain wallet scheme that's every bit as weak as the Bitcoin one was. He is withholding details for now in the hopes that Ethereum brain wallets will soon be abandoned.