Author

Topic: Multisig Addrss UTXO spent (hacked) (Read 2388 times)

legendary
Activity: 1260
Merit: 1019
August 26, 2014, 05:35:22 AM
#19
Quote
using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P
Quote
How would a computer guess the above password?

How would human remember the password above?  Roll Eyes
It will be more easy to remember the private key in hex/wif format itself
full member
Activity: 157
Merit: 100
August 26, 2014, 04:54:48 AM
#18
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
Not likely. Humans are a terrible source of entropy.
Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly.


How would a computer guess the above password?
member
Activity: 73
Merit: 10
August 26, 2014, 02:00:58 AM
#17
Quote
Did you select my Multisig address manually or do you have a script that tries combinations of public keys?

There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash
Do you think it is possible to check them manually?  Grin

Not manually one by one, but if you knew mine and tried to get the public keys values from the redeem script.
legendary
Activity: 1260
Merit: 1019
August 26, 2014, 01:47:24 AM
#16
Quote
Did you select my Multisig address manually or do you have a script that tries combinations of public keys?

There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash
Do you think it is possible to check them manually?  Grin
member
Activity: 73
Merit: 10
August 26, 2014, 01:42:18 AM
#15
Please do share your knowledge, the Bitcoin community will thank you for doing so.
legendary
Activity: 1260
Merit: 1019
August 26, 2014, 01:36:51 AM
#14
Quote
Soon before you tried to steal my funds Tongue

I do not like the words "my" & "steal". Bitcoins belong the person who knows private keys. I know.
Let us say that you have bought some knowledge for small price. And I can sell you more.
Just ask me. I will be happy to share my knowledge with everyone else.

Quote
I made a TX with no fee and now these funds seem to be blocked or lost.

Bitcoins can not be lost such way. The game is not over.
member
Activity: 73
Merit: 10
August 26, 2014, 01:15:29 AM
#13
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

Multisig redeem script contains public keys.

this was your transaction:

https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
public keys are:

Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"

it was not too difficult to check associated private keys for these public keys  Grin

two of three to redeem:
Code:
  { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
  { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },

Quote
Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
Unfortunately, my script had a bug  Roll Eyes No luck yet





Did you select my Multisig address manually or do you have a script that tries combinations of public keys?
Soon before you tried to steal my funds Tongue I made a TX with no fee and now these funds seem to be blocked or lost.
hero member
Activity: 1073
Merit: 666
August 26, 2014, 12:17:48 AM
#12
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

Multisig redeem script contains public keys.

this was your transaction:

https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
public keys are:

Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"

it was not too difficult to check associated private keys for these public keys  Grin

two of three to redeem:
Code:
 { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
  { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },

Quote
Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
Unfortunately, my script had a bug  Roll Eyes No luck yet

how? by brute force?
legendary
Activity: 1260
Merit: 1019
August 25, 2014, 11:17:28 PM
#11
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

Multisig redeem script contains public keys.

this was your transaction:

https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
public keys are:

Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"

it was not too difficult to check associated private keys for these public keys  Grin

two of three to redeem:
Code:
  { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
  { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },

Quote
Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
Unfortunately, my script had a bug  Roll Eyes No luck yet



member
Activity: 73
Merit: 10
August 25, 2014, 02:58:28 PM
#10
Well I think you're right, I might need to generate new addresses for my bitcoins...
legendary
Activity: 3472
Merit: 4801
August 25, 2014, 02:28:55 PM
#9
Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?

Brute force?  Yes.

But, because humans are VERY bad at doing things in a completely random way, a program can be written to take advantage of biases in human thought and human behavior.  Such a program could significantly reduce the search space necessary to find the password used.

At the moment, an arbitrarily long password might be sufficient for short term storage, but since private keys can be randomly generated, why bother with such long and indecipherable passwords (which may fall to weaknesses in the future)?  Wouldn't it be simpler to just randomly generate a private key?
member
Activity: 73
Merit: 10
August 25, 2014, 02:24:04 PM
#8
Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?
member
Activity: 114
Merit: 12
August 25, 2014, 02:23:25 PM
#7
Much better off just making a wallet with mnemonics, and memorizing the word list. 

legendary
Activity: 2576
Merit: 1186
August 25, 2014, 02:06:38 PM
#6
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
Not likely. Humans are a terrible source of entropy.
Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly.
member
Activity: 73
Merit: 10
August 25, 2014, 02:04:14 PM
#5
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
legendary
Activity: 2576
Merit: 1186
August 25, 2014, 01:56:56 PM
#4
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
It's pretty easy, and he can attack all multisigs at once.
This is why brainwallets are the dumbest idea ever...
member
Activity: 73
Merit: 10
August 25, 2014, 01:55:49 PM
#3
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
legendary
Activity: 3472
Merit: 4801
August 25, 2014, 01:50:12 PM
#2
Hello,

My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs).
https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE
Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys?

Either you accidentally leaked the private keys, or you didn't use randomly generated private keys.

I used very simple passwords to generate the public keys.

Rainbow tables have been created for all private/public key pairs generated from simple passwords.  Any transaction that uses a public key or bitcoin address that was generated from a password instead of being generated randomly should be considered insecure.  Any bitcoins sent to such an address or public key are very likely to be quickly stolen.

Could this person have used an application that uses multiple private keys to test and build a valid TX?

yes.

This was all explained to you already in the past:

I used very simple passwords to generate the bitcoin addresses
yeah, that's probably it.
many easy keys have some bots, that capture money from them as it comes.
as well as many stolen keys - such are definitely being monitored for a potential theft and robbed immediately as they receive any coins.
member
Activity: 73
Merit: 10
August 25, 2014, 01:45:11 PM
#1
Hello,

My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs).
https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE
Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? I used very simple passwords to generate the public keys. Could this person have used an application that uses multiple private keys to test and build a valid TX?

Thanks
Jump to: