Topic: 💰💰💰 Is it possible to steal Ether from a wallet? 💰💰💰 Yes! (Read 188 times)

This is quite reassuring, thanks for this. Too bad though that scammers are pretty creative and have dozens of ways in scamming people or stealing their funds. These type of people are what I hate the most, while other people work hard to get what they have, these people just go and steal the fruits of other people's efforts. Good thing though I took special care of my wallets ever since I experienced getting phished by these scammers.

No problem... I know all those numbers seems daunting when you look at them, and as a non-technical problem it's pretty easy to fall into a FUD-trap like this.

What you have to take away from all this is: offcourse somebody can write a tool to try to bruteforce their way into your wallet... After all, they're pretty much using exactly the same code that's used to create a wallet to begin with (they're just looping over this code again and again, and added a function to check unspent outputs funding the created address). This doesn't mean anything at all. There is no way somebody can reverse engineer your address (or your public key) to find your private key (at least, not at this point in time).  
The only thing he/she can do is try all private key(s), derive the public key from this private key, hash the public key (this hash is the address), the lookup this address into a database to see if unspent outputs are funding said address. In order to attack one specific address and have a 100% chance of robbing you, he needs to try out 2^256 private keys... That seems like it's something easy to do, but believe me, it isn't.

2^256 = 11579208923731619542357098500869000000000000000000000000000000000000000000 (rounded down).
This is the number of loops he/she has to perform... Each loop has a big cost... It's not easy to derive a public key from a private key. It's not easy to hash this public key, it's not easy to lookup the address in a database. Like i said before, if you'd give EVERY human on the planet one million latest gen GPU's and let them try to find a funded address for 100 years (continuously), there would be a 1 in 20 million chance one person on earth would find one funded address in those 100 years...

You'd think that, if hardware becomes better, these numbers would go down significantly... but no... Sombody very smart (not me) has proven that you'd need to capture all energy ever delivered by our sun (during it's complete lifetime) to power a computer to simply count to 2^256. So, eventough the number "256" or "160" seems cute and feasible, it simply isn't

Now, don't just think your money is safe all the time... You yourself say you've been phished... Next to phishing, there are also people that use flawed wallets. You have people that are reckless with their seedphrase. There are people that use brainwallets. There are people that run infected PC's. There are people that save their wallets in the cloud. There are people that buy hardware wallets from unknown sources....
Plenty of ways to get robbed or scammed... Just not by somebody randomly guessing your private key... It's not that it's technically impossible, just that it's practically impossible...

Yeah you're right. I may have gotten carried away a bit because of the fact that I have experience losing funds already in the past. Also, its pretty embarrassing to admit but math really isn't my forte, so I really do not understand anything much about the codes and all from the post except for the thought of danger within it. Im glad though that a lot of people like you shared their insights and knowledge which has calmed my paranoia quite a bit. Thanks, responses like yours are the kinds of responses that deserve merit. Hence, Im sending one. Thanks again.

I guess the problem isn't that people don't believe in math, the problem is that human minds are not capable of grasping numbers like 2^160 or 2^256.
They just see an number, so they deduct there IS a chance... They write a tool, and they see that technically, it would be capable of finding a private key whose public key hash was already funded. What they do not grasp is that if every human on earth would be running a 1.000.000 GPU farm for 100 years, the odds somebody somewhere finds a funded address is still smaller than 1 in 20 million.

They don't grasp they have a better chance of winning the big price in the euromillion lottery several times in their lifetime than they'd have at finding the private key to a funded address.
So, instead of trying to steal from somebody, you're (much) better off buying lottery tickets... It's legal, the odds of "winning" are MUCH higher, and the payout is much better (multiple millions vs a couple thousand dollars).

Now, there are tools that work... These tools attack flawed implementations...
For example, i know some wallets had flawed RNG's in the past, or there are people that have written tools to crack brain wallets... Just because a human mind is a terrible source of entropy (i don't know who said this, but it's not my quote), they are able to do this. But this tool just tries completely random keys, not flawed implementations, so the odds of actually finding a private key whose public key hash was funded are sooooooooooo close to 0, that in reality you could say the odds are 0.

You are right, you have to wait a lot lot longer.

But I guess you don't believe in simple math?

No it isn't.  As was demonstrated buy mocacinno even the fastest computers would take 23 septillion years to find just one funded address.   A bank of hundreds of the fastest GPU servers hashing thousands of possible addresses per second might reduce the time needed to just a few septillion years...  Just to find ONE potentially funded address.  To put things into perspective; 9 septillion years is about a trillion times the lifespan of our sun and solar system. 

So, yeah I think my funds are safe.

I'm sure many programmers are trying to improve, but I'm interested in whether you can run the generation of symbols in parallel to complement each other and search for different ranges. Let's say 1000 computers at the same time. This thought scares me))

This is really scary. If some guy manages to really improve this then a lot of people can be f*cked. I kinda wish somehow that I never saw this post. I am wondering though, is it possible to utilize such a tool to target a specific address or wallet? If so, it would be really scary for those who hold big bags on their wallet(s).


Maybe this issue can be fixed by the developers? I think developers would've already found out about this even before you posted it and may probably be trying to come up with ways to tighten their security? Whichever the case, it's still very scary. Specially for me who have been a victim of phishing sites back then(2017).

No problem, friend, no problem, I just showed the way. Many people smarter than me can improve this script or use more powerful scripts to steal funds. I just gave an example. and I don't want to prove anything to anyone.

Ok, i'll bite... How many keys/second are you generating...
The thing you're doing is called bruteforcing, many, many, many have written tools for this and wasted a lot of time with no hits...


Ethereum is estimated to have 100M funded addresses (https://newsletter.thedefiant.io/p/ethereum-addresses-cross-100m-thats)

So you'll have to plug in your speed into following formula
(2^160 / 100.000.000) / speed (in checks/second) = average number of seconds to find a funded address

IF your tool would ever reach vanitygen's speed (which i doubt, since it's a GPU tool written in C++, not using any external api's), it would boil down to this:
((2^160 / 100.000.000)/20.000.000)/(60*60*24*365) = 23.171.956.451.847.141.650.870.193 years on average to find 1 private key (no matter which one).

EDITED: I actually just realised that in the example i removed from this post, i was scanning the keyspace, and not the address space, which is only 2^160.

If you have a computer farm, you don't have to wait millions of years, my friend.

---

I am only carrying a warning that it is possible to hack the wallet and steal funds. And I do this in order to preserve your savings. Believe me, I'm not the only person on the planet who did this and tested it. But perhaps I am the only one who told you this and showed it.

So you shouldn't blame me for trying to keep you safe.

[moderator's note: consecutive posts merged]

And now you only have to wait a gazillion years for a hit. BTW: in that time blockchain.com surely will have blocked your ip for flooding!