Despite being touted as a safe way for individuals to store Bitcoin, BitMEX Research has shown the weakness of relying on so-called “Brain Wallets.”
It concludes that deriving private keys from hashed phrases using popular culture references is not suitable for safe storage. Among them were the Bitcoin whitepaper, classic literature, and popular song lyrics.
Pop Culture “Brain Wallets” Sweeped in Seconds
A much-lauded quality of Bitcoin is its unconfiscatability. Those who champion the digital currency often claim that a user can use nothing more than their own mind to store the cryptocurrency in a way that gives no clues of BTC ownership.
Simply remembering either a private key, pneumonic seed phrase, or data to derive a private key in one’s head alone is known as a brain wallet. Many Bitcoin proponents reason that such a storage method can provide financial security to vulnerable people around the world – particularly, refugees.
The problem, however, is that a private key (essentially a long string of letters and numbers) isn’t the kind of thing humans are good at remembering. A seed phrase (list of 12 or 24 random words) is somewhat easier but still not perfect. Writing down the key or phrase or storing it digitally invites the risk of confiscation.
One potential solution is to derive a private key from existing text. A favorite song lyric or introduction to a popular work of fiction, when hashed using SHA-256, provides what, at first glance, may appear to be a strong private key.
When an individual needs to use their Bitcoin, they can hash the text again, find their private key, and make a transaction. However, a BitMEX Research study has shown that private keys formed in such a way are actually incredibly weak.
In one case, it took around two-thirds of a second to sweep funds from a brain wallet derived from a popular work of fiction.
Call me Ishmael
8 Bitcoin brainwallets were created, using passphrases from popular works of fiction. All the funds were quickly swept away & in one case the funds were taken in 0.67 seconds
— BitMEX Research (@BitMEXResearch) October 13, 2020
Malicious Actors Anticipate Pop Culture Private Keys
The BitMEX Research study involved the creation of eight Bitcoin private keys. Each used the hash of a popular culture reference to arrive at its private key.
The researcher formed the wallets using hashes from the likes of Moby Dick by Herman Melville, the chorus lyrics to Bob Dylan’s “Blowin’ in the Wind,” a passage from the Bible, and even a quotation from the BTC whitepaper.
Each of the wallets received 0.005 BTC to test their security. All of the funds quickly disappeared.
The weakest of the private keys was derived from the beginning of Moby Dick. The hash of the famous opening line “Call me Ishmael” took just 0.67 seconds to sweep.
Two other wallets were also emptied before the blockchain even confirmed the deposit transaction. The remaining five wallets took less than a day to empty.
The analysis showed that the transactions sweeping the wallets used very high fees relative to the average cost of transacting. The researcher suggested that whoever was behind the sweep was aware of other “hackers” attempting to take the funds using similar methods. They, therefore, bumped their own fee up to ensure their transaction succeeded.
The speed with which the funds disappeared from the brain wallets suggests the existence of servers constantly scanning the network for weak wallets.
The researcher reasons that those behind the attack rely on a vast list of private keys derived from popular culture stored in a database. It’s then simply a matter of testing these against wallets appearing in the Bitcoin transaction memory pool.
Are Brain Wallets Useless?
The BitMEX study concludes that using unmodified text from popular culture is a very poor method of generating a private key. However, it does cite a similar experiment that did not result in lost funds.
Wallets with private keys derived from best-selling novels using “a reasonably obvious pattern” remain unsweeped more than a year after creation.
The researcher identifies that the difference between the two experiments is that the more recent one used “unmodified text” from books. They do, however, state that such a method should still not be considered absolutely safe.
That said, the introduction of additional randomicity, when employed by someone with a solid understanding of both risks and the way hackers operate, may enable the creation of a secure brain wallet derived from pop culture references.
Combinations of text sources, used with personal data like dates of births and additional random characters, could result in a secure wallet.
The researcher concludes:
“… if you need to use a brainwallet, based on the data on this report, don’t choose anything simple or poetic. I found out the hard way.”