A thief using software that guessed obvious passwords robbed 10,000 crypto owners between 2015 and 2016, then disappeared. Now the stolen funds are on the move.
Eight years ago, a prolific thief dubbed the "Bitcoin Bandit" began robbing crypto owners using a fairly simple tactic: Guessing weak passwords and seeing if they unlocked the private keys needed to transfer cryptocurrencies like Bitcoin and Ether.
Using a technique called "ethercombing," the thief plundered some 10,000 wallets between 2015 and 2016, accumulating 51,000 ETH and 470 BTC — currently worth about $90 million — in a single wallet.
And then nothing. The Bitcoin Bandit's rich wallet lay dormant until last week.
Between Jan. 16 and 21, blockchain intelligence firm Chainalysis said that wallet woke up and its ill-gotten gains started moving out.
The impetus, Chainalysis suspects, is related to "the recent jump in cryptoasset prices," with Ether up more than 33% so far this year and Bitcoin almost 39%.
Of course, that ETH was worth $250 million at its all-time high on Nov. 16, 2021, plus another $33 million at BTC's all-time high a few days earlier. So maybe the Bitcoin Bandit was hodling a bit too long.
"1" is Not a Good Password
As crypto thefts go, the Bitcoin Bandit's technique was pretty simple: The thief or group of thieves had written a program that began guessing very simple passwords such as "1", "2" and "3" and checking to see if they unlocked a public address — allowing the transfer of the cryptocurrency held in that wallet.
The password "1" had, in fact, worked, crypto security consultant Adrian Bednarek told Wired in 2019 — it accessed a private key connected to a public address that had once held ETH.
A search of the Ethereum blockchain showed that its contents had been moved to a new wallet, relying "on the fact that it's possible to determine an address' public key if you know its private key," Chainalysis said.
The problem is that a true private key is 78 alphanumeric characters long, making it unwieldy as an actual password. So, many wallets simplify them — sometimes too much.
That's why most security consultants recommend using long, complex passwords stored in a password management app or using a string of unrelated words, or both.
Most good hot and cold crypto wallets use a string of 10 to 25 such words as a wallet recovery phrase, also known as a seed phrase, that will allow the reconstruction of a wallet if the password is lost or, in the case of an offline cold wallet, physically destroyed.
