Author

Topic: 💰💰💰 Is it possible to steal Ether from a wallet? 💰💰💰 Yes! (Read 191 times)

sr. member
Activity: 882
Merit: 403
--snip--


Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.

No problem... I know all those numbers seems daunting when you look at them, and as a non-technical problem it's pretty easy to fall into a FUD-trap like this.

What you have to take away from all this is: offcourse somebody can write a tool to try to bruteforce their way into your wallet... After all, they're pretty much using exactly the same code that's used to create a wallet to begin with (they're just looping over this code again and again, and added a function to check unspent outputs funding the created address). This doesn't mean anything at all. There is no way somebody can reverse engineer your address (or your public key) to find your private key (at least, not at this point in time).  
The only thing he/she can do is try all private key(s), derive the public key from this private key, hash the public key (this hash is the address), the lookup this address into a database to see if unspent outputs are funding said address. In order to attack one specific address and have a 100% chance of robbing you, he needs to try out 2^256 private keys... That seems like it's something easy to do, but believe me, it isn't.

2^256 = 11579208923731619542357098500869000000000000000000000000000000000000000000 (rounded down).
This is the number of loops he/she has to perform... Each loop has a big cost... It's not easy to derive a public key from a private key. It's not easy to hash this public key, it's not easy to lookup the address in a database. Like i said before, if you'd give EVERY human on the planet one million latest gen GPU's and let them try to find a funded address for 100 years (continuously), there would be a 1 in 20 million chance one person on earth would find one funded address in those 100 years...

You'd think that, if hardware becomes better, these numbers would go down significantly... but no... Sombody very smart (not me) has proven that you'd need to capture all energy ever delivered by our sun (during it's complete lifetime) to power a computer to simply count to 2^256. So, eventough the number "256" or "160" seems cute and feasible, it simply isn't Smiley

Now, don't just think your money is safe all the time... You yourself say you've been phished... Next to phishing, there are also people that use flawed wallets. You have people that are reckless with their seedphrase. There are people that use brainwallets. There are people that run infected PC's. There are people that save their wallets in the cloud. There are people that buy hardware wallets from unknown sources....
Plenty of ways to get robbed or scammed... Just not by somebody randomly guessing your private key... It's not that it's technically impossible, just that it's practically impossible...


This is quite reassuring, thanks for this. Too bad though that scammers are pretty creative and have dozens of ways in scamming people or stealing their funds. These type of people are what I hate the most, while other people work hard to get what they have, these people just go and steal the fruits of other people's efforts. Good thing though I took special care of my wallets ever since I experienced getting phished by these scammers.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
--snip--


Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.

No problem... I know all those numbers seems daunting when you look at them, and as a non-technical problem it's pretty easy to fall into a FUD-trap like this.

What you have to take away from all this is: offcourse somebody can write a tool to try to bruteforce their way into your wallet... After all, they're pretty much using exactly the same code that's used to create a wallet to begin with (they're just looping over this code again and again, and added a function to check unspent outputs funding the created address). This doesn't mean anything at all. There is no way somebody can reverse engineer your address (or your public key) to find your private key (at least, not at this point in time).  
The only thing he/she can do is try all private key(s), derive the public key from this private key, hash the public key (this hash is the address), the lookup this address into a database to see if unspent outputs are funding said address. In order to attack one specific address and have a 100% chance of robbing you, he needs to try out 2^256 private keys... That seems like it's something easy to do, but believe me, it isn't.

2^256 = 11579208923731619542357098500869000000000000000000000000000000000000000000 (rounded down).
This is the number of loops he/she has to perform... Each loop has a big cost... It's not easy to derive a public key from a private key. It's not easy to hash this public key, it's not easy to lookup the address in a database. Like i said before, if you'd give EVERY human on the planet one million latest gen GPU's and let them try to find a funded address for 100 years (continuously), there would be a 1 in 20 million chance one person on earth would find one funded address in those 100 years...

You'd think that, if hardware becomes better, these numbers would go down significantly... but no... Sombody very smart (not me) has proven that you'd need to capture all energy ever delivered by our sun (during it's complete lifetime) to power a computer to simply count to 2^256. So, eventough the number "256" or "160" seems cute and feasible, it simply isn't Smiley

Now, don't just think your money is safe all the time... You yourself say you've been phished... Next to phishing, there are also people that use flawed wallets. You have people that are reckless with their seedphrase. There are people that use brainwallets. There are people that run infected PC's. There are people that save their wallets in the cloud. There are people that buy hardware wallets from unknown sources....
Plenty of ways to get robbed or scammed... Just not by somebody randomly guessing your private key... It's not that it's technically impossible, just that it's practically impossible...
sr. member
Activity: 882
Merit: 403
I guess the problem isn't that people don't believe in math, the problem is that human minds are not capable of grasping numbers like 2^160 or 2^256.
They just see an number, so they deduct there IS a chance... They write a tool, and they see that technically, it would be capable of finding a private key whose public key hash was already funded. What they do not grasp is that if every human on earth would be running a 1.000.000 GPU farm for 100 years, the odds somebody somewhere finds a funded address is still smaller than 1 in 20 million.

They don't grasp they have a better chance of winning the big price in the euromillion lottery several times in their lifetime than they'd have at finding the private key to a funded address.
So, instead of trying to steal from somebody, you're (much) better off buying lottery tickets... It's legal, the odds of "winning" are MUCH higher, and the payout is much better (multiple millions vs a couple thousand dollars).

Now, there are tools that work... These tools attack flawed implementations...
For example, i know some wallets had flawed RNG's in the past, or there are people that have written tools to crack brain wallets... Just because a human mind is a terrible source of entropy (i don't know who said this, but it's not my quote), they are able to do this. But this tool just tries completely random keys, not flawed implementations, so the odds of actually finding a private key whose public key hash was funded are sooooooooooo close to 0, that in reality you could say the odds are 0.


Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
I guess the problem isn't that people don't believe in math, the problem is that human minds are not capable of grasping numbers like 2^160 or 2^256.
They just see an number, so they deduct there IS a chance... They write a tool, and they see that technically, it would be capable of finding a private key whose public key hash was already funded. What they do not grasp is that if every human on earth would be running a 1.000.000 GPU farm for 100 years, the odds somebody somewhere finds a funded address is still smaller than 1 in 20 million.

They don't grasp they have a better chance of winning the big price in the euromillion lottery several times in their lifetime than they'd have at finding the private key to a funded address.
So, instead of trying to steal from somebody, you're (much) better off buying lottery tickets... It's legal, the odds of "winning" are MUCH higher, and the payout is much better (multiple millions vs a couple thousand dollars).

Now, there are tools that work... These tools attack flawed implementations...
For example, i know some wallets had flawed RNG's in the past, or there are people that have written tools to crack brain wallets... Just because a human mind is a terrible source of entropy (i don't know who said this, but it's not my quote), they are able to do this. But this tool just tries completely random keys, not flawed implementations, so the odds of actually finding a private key whose public key hash was funded are sooooooooooo close to 0, that in reality you could say the odds are 0.
sr. member
Activity: 310
Merit: 727
---------> 1231006505
If you have a computer farm, you don't have to wait millions of years, my friend.
You are right, you have to wait a lot lot longer.

But I guess you don't believe in simple math?
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
This is really scary.

No it isn't.  As was demonstrated buy mocacinno even the fastest computers would take 23 septillion years to find just one funded address.   A bank of hundreds of the fastest GPU servers hashing thousands of possible addresses per second might reduce the time needed to just a few septillion years...  Just to find ONE potentially funded address.  To put things into perspective; 9 septillion years is about a trillion times the lifespan of our sun and solar system. 

So, yeah I think my funds are safe.
full member
Activity: 1050
Merit: 103
BIB Exchange
I'm sure many programmers are trying to improve, but I'm interested in whether you can run the generation of symbols in parallel to complement each other and search for different ranges. Let's say 1000 computers at the same time. This thought scares me))
sr. member
Activity: 882
Merit: 403
This is really scary. If some guy manages to really improve this then a lot of people can be f*cked. I kinda wish somehow that I never saw this post. I am wondering though, is it possible to utilize such a tool to target a specific address or wallet? If so, it would be really scary for those who hold big bags on their wallet(s).


Maybe this issue can be fixed by the developers? I think developers would've already found out about this even before you posted it and may probably be trying to come up with ways to tighten their security? Whichever the case, it's still very scary. Specially for me who have been a victim of phishing sites back then(2017).
full member
Activity: 550
Merit: 170
--snip--
If you have a computer farm, you don't have to wait millions of years, my friend.

Ok, i'll bite... How many keys/second are you generating...
The thing you're doing is called bruteforcing, many, many, many have written tools for this and wasted a lot of time with no hits...


Ethereum is estimated to have 100M funded addresses (https://newsletter.thedefiant.io/p/ethereum-addresses-cross-100m-thats)

So you'll have to plug in your speed into following formula
(2^160 / 100.000.000) / speed (in checks/second) = average number of seconds to find a funded address

IF your tool would ever reach vanitygen's speed (which i doubt, since it's a GPU tool written in C++, not using any external api's), it would boil down to this:
((2^160 / 100.000.000)/20.000.000)/(60*60*24*365) = 23.171.956.451.847.141.650.870.193 years on average to find 1 private key (no matter which one).

EDITED: I actually just realised that in the example i removed from this post, i was scanning the keyspace, and not the address space, which is only 2^160.

No problem, friend, no problem, I just showed the way. Many people smarter than me can improve this script or use more powerful scripts to steal funds. I just gave an example. and I don't want to prove anything to anyone.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
--snip--
If you have a computer farm, you don't have to wait millions of years, my friend.

Ok, i'll bite... How many keys/second are you generating...
The thing you're doing is called bruteforcing, many, many, many have written tools for this and wasted a lot of time with no hits...


Ethereum is estimated to have 100M funded addresses (https://newsletter.thedefiant.io/p/ethereum-addresses-cross-100m-thats)

So you'll have to plug in your speed into following formula
(2^160 / 100.000.000) / speed (in checks/second) = average number of seconds to find a funded address

IF your tool would ever reach vanitygen's speed (which i doubt, since it's a GPU tool written in C++, not using any external api's), it would boil down to this:
((2^160 / 100.000.000)/20.000.000)/(60*60*24*365) = 23.171.956.451.847.141.650.870.193 years on average to find 1 private key (no matter which one).

EDITED: I actually just realised that in the example i removed from this post, i was scanning the keyspace, and not the address space, which is only 2^160.
full member
Activity: 550
Merit: 170
And now you only have to wait a gazillion years for a hit. BTW: in that time blockchain.com surely will have blocked your ip for flooding!
If you have a computer farm, you don't have to wait millions of years, my friend.



I am only carrying a warning that it is possible to hack the wallet and steal funds. And I do this in order to preserve your savings. Believe me, I'm not the only person on the planet who did this and tested it. But perhaps I am the only one who told you this and showed it.

So you shouldn't blame me for trying to keep you safe.

[moderator's note: consecutive posts merged]
sr. member
Activity: 310
Merit: 727
---------> 1231006505
And now you only have to wait a gazillion years for a hit. BTW: in that time blockchain.com surely will have blocked your ip for flooding!
full member
Activity: 550
Merit: 170
Good afternoon, dear members of the forum and colleagues. It just so happened that I, with a cognitive purpose, using some repositories in GITHUB as well as some BASIC knowledge in python, using copy-paste from different sources, created a common script.

It works as follows: It generates a private key, using this information, it generates a wallet address, and with the help of a certain service checks whether the wallet has a balance, if there is, an html file is created, with a private key, wallet address and balance!

The project was conceived with the aim of finding out if it is possible with this method to lose your crypto savings.?!

THE USE OF THIS CODE IS PERMITTED ONLY FOR EDUCATIONAL PURPOSES! STEALING ANOTHER CRYPTOACTIVES IS A CRIME! DO NOT FORGET ABOUT IT!

Source code of the script. There are several bugs in the code. So that people cannot use its functionality to harm themselves.



Code:
import secrets
import sha3
import eth_keys
from eth_keys import keys
import requests # To install from pip
import re
import colorama
from colorama importFore,Back,Style

import ctypes
colorama.init()
kernel32 = ctypes.windll.kernel32
kernel32.SetConsoleMode(kernel32.GetStdHandle(-11),7)

x =0

while x<10:
    private_key = str(hex(secrets.randbits(256))[2:])
    private_key_bytes = bytes.fromhex(private_key)
    public_key_hex = keys.PrivateKey(private_key_bytes).public_key
    public_key_bytes = bytes.fromhex(str(public_key_hex)[2:])
    keccak256_of_public_key_bytes = sha3.keccak_256(public_key_bytes).hexdigest()
    public_address = keys.PublicKey(public_key_bytes).to_address()
    checksum = keys.Public.Key(public_key_bytes).to_checksum_address()

    print(Fore.WHITE +'\n Private_key:',private_key,
          Fore.BLUE +'\n Ethereum address:',public_address)
  
    x = x+1
    url ='https://www.blockchain.com/ru/eth/address/'+ str(public_address)
    print(Fore.YELLOW ,url)
    requests.post(url, headers={'UA':'Chrome'}, data={"foo":'bar'})
    res = requests.get(url)
  
    a = str(res.text)
    match = re.findall(r'Oкoнчaтeльный бaлaнc
0.00000000 ETH', a)
    zz= len('Oкoнчaтeльный бaлaнc
')
    aaaa = str(match)
    bbbb = slice(154,168)
    xxxx = aaaa[bbbb]
    print(Fore.RED, xxxx)
  
    if len(match)==0:
        f1 = open("text1.html",'a')
        f1.write('\n
'+ str(private_key))
        f1.write('\n
'+ str(public_address)+'

0.00000000


')
        f1.write('\n

+++


')
        f1.close()
Jump to: