American engineer Joe Grand and his friend Bruno discovered a loophole in an old version of the RoboForm password manager that allowed them to recover $3 million in BTC.
Hardware hacker and engineer Joe Grand, along with his friend software hacker Bruno, found a loophole in an old version of the RoboForm password manager that allowed them to recover millions worth of Bitcoin.
In a YouTube video published on May 28, Grand explained that he was contacted by European crypto owner Michael, who asked for his help in 2022 in recovering millions worth of Bitcoin that was trapped on his computer because he had lost access to his 20-character password. The password was created by RoboForm and stored in a file encrypted with TrueCrypt.
Grand and Bruno spent months reverse engineering the version of RoboForm Michael used in 2013 when creating the password for the Bitcoin wallet.
They eventually discovered that an older version of RoboForm had a flaw in the way the software generated passwords, making passwords predictable based on the computer’s date and time. Luckily, Michael’s password was created long before RoboForm fixed the bug.
Investigative journalist Kim Zetter noted in an .” As of press time, RoboForm has made no public statement on the matter.
This means that any of RoboForm’s 6 million current users are using RoboForm-generated passwords. @roboform Pre-2015 password managers may have passwords that could be cracked in the same way, before the company quietly fixed the bug.
— Kim Zetter (@KimZetter) May 28, 2024
The duo generated millions of candidate passwords based on the time period in which Michael had created his password, then brute-forced them to find the one that would allow access to Michael’s wallet. After refining their approach, Grand and Bruno successfully discovered the password generated at 16:10:40 GMT on May 15, 2013, unlocking Michael’s 43.6 BTC, now worth approximately $3 million.
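Why a date-and-time-dependent generator is weak, as an added example that is not from the article, Grand's video, or RoboForm: a toy generator seeded with the clock is compared with one drawing from the OS CSPRNG. The alphabet, the seeding scheme, the one-hour window and all function names are assumptions made for illustration; only the timestamp comes from the article.

```python
import math
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols (constructed)

def weak_generate(when, length=20):
    """Toy generator (hypothetical, not RoboForm's): seed is the clock in whole seconds."""
    rng = random.Random(int(when.timestamp()))
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_generate(length=20):
    """Hardened form: characters come from the OS CSPRNG, independent of the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(start, end, length=20):
    """Return (effective bits when clock-seeded within [start, end], nominal bits)."""
    seconds = int((end - start).total_seconds()) + 1
    return math.log2(seconds), length * math.log2(len(ALPHABET))

def reproducible_from_clock(password, start, end):
    """Audit check: return the second that regenerates `password`, or None."""
    t = start
    while t <= end:
        if weak_generate(t, len(password)) == password:
            return t
        t += timedelta(seconds=1)
    return None

# Constructed sample: the timestamp is the one reported in the article; the window is assumed.
CREATED = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)
START = CREATED.replace(minute=0, second=0)
END = START + timedelta(hours=1)

if __name__ == "__main__":
    effective, nominal = entropy_bits(START, END)
    print(f"clock-seeded: {effective:.1f} bits, CSPRNG: {nominal:.1f} bits")
    print("weak regenerated at:", reproducible_from_clock(weak_generate(CREATED), START, END))
    print("strong regenerated at:", reproducible_from_clock(strong_generate(), START, END))
```

The 20-character password looks like it carries over 120 bits, but when the only secret input is the second of creation, its real strength is the size of the time window.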
Joe Grand, founder of Grand Idea Studio, is an electrical engineer, inventor, and hardware hacker who is best known in the crypto community for hacking the Trezor One wallet in 2022, helping its owner recover $2 million worth of BTC. Grand, who goes by the hacker alias “Kingpin”, has a well-established career in hardware hacking and continues to consult with companies to improve their digital security.