SecurityWeek

Cybercrime

Most Bitcoin Brain Wallets Drained by Attackers


Researchers discovered that most of the roughly 1,000 brain wallets used by Bitcoin owners to store their digital money have been looted by malicious actors.

Brain wallet, or brainwallet, is the concept of storing the private keys used to make Bitcoin transactions in an individual’s memory. Brain wallets are derived from passwords chosen by the user and they were initially considered more secure than traditional Bitcoin wallets because they could not be compromised by malware.

However, it has been demonstrated that brain wallets are not effective for the secure storage of Bitcoins because the passwords can be easily cracked. Researcher Ryan Castellucci gave a talk at the DEF CON conference last year about cracking brain wallet passphrases, which led to the Brainwallet.org service being shut down.
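Why a password-derived key is this fragile, shown as an added example that is not from the article or the research paper: the classic brain wallet scheme uses a single unsalted SHA-256 of the passphrase as the private key, so every user who picks the same phrase gets the same key and one candidate table covers all of them. The salted PBKDF2 variant, the salts, the iteration count and the sample phrases are assumptions constructed for contrast.

```python
import hashlib

# Constructed sample data: phrases of the kind found in word lists and lyrics.
CANDIDATES = ["correct horse battery staple", "password1", "let it be"]


def legacy_brainwallet_key(passphrase: str) -> bytes:
    """Classic scheme: the 32-byte SHA-256 digest is used directly as the private key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Contrast case (assumption): per-user salt plus PBKDF2-HMAC-SHA256 stretching."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def build_lookup(candidates, derive):
    """Derived key -> phrase. With no salt, one table applies to every user at once."""
    return {derive(p): p for p in candidates}


def exposed(user_key: bytes, table: dict):
    """Return the phrase if the key appears in a precomputed table, else None."""
    return table.get(user_key)


def demo() -> dict:
    table = build_lookup(CANDIDATES, legacy_brainwallet_key)

    # Two unrelated users choose the same lyric as their passphrase.
    alice = legacy_brainwallet_key("let it be")
    bob = legacy_brainwallet_key("let it be")

    # Same phrase, but each key is bound to a per-user salt (constructed values).
    alice_salted = stretched_key("let it be", b"alice@example.invalid")
    bob_salted = stretched_key("let it be", b"bob@example.invalid")

    return {
        "legacy_same_key": alice == bob,                 # identical keys for both users
        "legacy_found": exposed(alice, table),           # phrase recovered by lookup
        "salted_same_key": alice_salted == bob_salted,   # salts separate the users
        "salted_found": exposed(alice_salted, table),    # shared table no longer applies
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting and stretching only raise the cost per guess and remove the shared table; a phrase that appears in a word list remains guessable.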

A research paper published this month presented a new method that can be used to crack brain wallet passwords 2.5 times faster than the method presented by Castellucci at DEF CON.

An analysis conducted by researchers at the University of Tulsa, Stanford University and the Southern Methodist University found that brain wallets have in most cases failed to protect Bitcoins from getting stolen.

An evaluation of roughly 300 billion passwords generated using a wide range of word lists revealed that fewer than 1,000 brain wallets had been set up between September 2011 and August 2015.

The 300 billion passwords were derived from words found in dictionaries, Wikipedia, song lyrics, passwords leaked as a result of major data breaches, and other sources. The passwords were then compared to a list of all used Bitcoin addresses to determine which of them were associated with brain wallets.

Experts identified 884 brain wallets storing 1,806 BTC (worth approximately $100,000), and determined that only 21 of them, representing 2 percent of the total, were not drained by cybercriminals.

According to researchers, many wallets were drained within minutes, while most were emptied within 24 hours. Wallets loaded with at least $100 worth of cryptocurrency were looted faster than ones storing smaller amounts, and there is no evidence that users storing larger amounts of money selected stronger passwords.

An analysis of the Bitcoin transactions involving brain wallets showed that at least 14 individuals or groups are responsible for the attacks.

“A few drainers are very successful while the rest do not make very much,” researchers wrote in their paper. “The top 4 drainers have netted the equivalent of $35,000 between them. The drainer who has emptied the most brain wallets — 100 in all — has earned $3,219 for the effort. But other drainers have stolen very little money. For example, one drainer stole from 78 different brain wallets but netted only $62 worth of bitcoin.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
