Hardware hacker Joe Grand, known by his hacker handle “Kingpin,” and his friend, software hacker Bruno, have successfully recovered millions worth of Bitcoin by exploiting a flaw in an old version of the RoboForm password manager. Their discovery allowed them to assist a European crypto owner named Michael, who had lost access to his Bitcoin wallet.
In a YouTube video published on May 28, Grand recounted how Michael reached out in 2022, seeking help to recover Bitcoin stuck on his computer. Michael had lost access to his 20-character password, which RoboForm generated and stored in a TrueCrypt-encrypted file.
Grand and Bruno dedicated months to reverse-engineering the specific version of RoboForm that Michael had used in 2013. They discovered a vulnerability: older versions of RoboForm generated passwords predictably based on the computer’s date and time. This flaw existed before RoboForm patched it in 2015.
Capitalizing on this loophole, Grand and Bruno generated millions of possible passwords based on the time Michael likely created his password. They used a brute-force method to test these passwords until they found the correct one. Their efforts paid off when they cracked the password created on May 15, 2013, at 4:10:40 PM GMT, unlocking Michael’s wallet containing 43.6 BTC, valued at approximately $3 million.
Investigative journalist Kim Zetter highlighted the potential risk for current RoboForm users. In an X post, she warned that any of RoboForm’s current 6 million users who generated passwords using versions before 2015 might be vulnerable to the same flaw. RoboForm has yet to issue a public statement regarding this matter.
Joe Grand, founder of Grand Idea Studio, has a distinguished career in hardware hacking. He gained prominence in the crypto community in 2022 by hacking a Trezor One wallet to help its owner recover $2 million in BTC. Grand continues to consult with companies to improve their digital security, leveraging his extensive expertise in the field.