Also, couldn't realise that this can be done within few minutes - to scan the whole PC for the text files, which contains something looking like SEED phrase - I still can't understand - how techincally it can happen. I have 1 Tb of files here.
All the attacker needs is to write a script that searches for specific patters for seed phrases or private keys or wallet files.
Be it in binary or plain text (
eg.: "04ckey" or "03key" for keys in wallet.dat files), depending on how and what he prefers to search.
Reading a 1TB drive wont be as slow as writing something on it, specially the newer models.
One example of such script is pywallet's
--recover tool that'll search the entire drive or parts of it for wallet files or private keys.
searching a 1TB drive wont take hours with that tool and it even search for deleted files, it'll be much faster if a script is designed to search only existing files.
Now, all he need is deploy a script like that with a malware or something, then remove the traces is necessary.
For the jumbled seed phrase, its falls under the limitation of the jumbled 12-words which only has possible
12! combinations.
With scripts like btcrecover's "
seedrecover.py" tool and an address from your wallet which is easy to get, it can be arranged even with a home PC.
Example, I just rearranged a jumbled 12-word electrum seed phrase in just 22 minutes with a 9-year old processor (
with luck):
seedrecover.py --tokenlist testseed_scramble12_electrum.txt --mnemonic-length 12 --language en --addrs bc1qsaly.....4t7p --addr-limit 2 --dsw --no-eta
Starting seedrecover 1.9.0-CryptoGuide, btcrecover 1.9.0-Cryptoguide on Python 3.11.4 64-bit, 21-bit unicodes, 64-bit ints
Using the 'en' wordlist.
2023-10-13 12:42:42 : Phase 1/1: up to 12 mistakes, 12 of which can be an entirely different seed word.
Warning: --no-eta without --no-dupchecks can cause out-of-memory failures while searching
2023-10-13 12:42:43 : Using 8 worker threads
2023-10-13 13:04:37 : ***MATCHING SEED FOUND***, Matched on Address at derivation path: m/0'/0/0
| 209083649 elapsed: 0:21:50 rate: 162.08 kP/s
2023-10-13 13:04:37 : Search Complete
It'll be significantly faster with the latest models and/or with GPU.
