Ampyx Cyber

Hacker turns $2 million hack into new passion

Hacker Joe Grand discusses an intense hack with cryptocurrency owner Dan Reich. Image: Joe Grand

BY KERRY TOMLINSON, AMPERE NEWS

JUNE 15, 2022

If you forget your PIN code for your bank account, you can still get in.

If you forget your PIN code for the wallet holding your cryptocurrency, you may be out of luck, your money gone forever.

"People trust their memory way more than they should," said Joe Grand, a hardware hacker with a long history of famous hacking work.

But that faulty human memory is now giving Grand a new passion and even a new business --- breaking into cryptocurrency wallets for owners who can't remember the crucial bit of info that stands between them and their crypto cash.

The journey is filled with tooth-gnashing and revelation (thank you to Grand for sharing his video with Ampere News).

How it started

A fellow named Dan Reich and his friend had a cryptocurrency wallet with what started out as $50,000 in digital coins. But one of them forgot the PIN to the small device, not unlike a thumb drive, that would allow them to get to the money.

If they try possible PINs too many times, the wallet erases the contents.

They searched, and ended up with Grand, a long-time hacker who was once known as 'Kingpin' and hacked with a famous collective known as L0pht Heavy Industries.

But Grand had never hacked a cryptocurrency wallet. The road is fraught with tribulations and high risk. Mess it up, and the money is gone.

"I kind of took it on just as a challenge," Grand told Ampere News in an interview at the 2022 RSA cybersecurity conference in San Francisco in June. "It was a great opportunity for me to learn something new. And it ended up being a lot harder than I thought it would be."

"Tiny Little Details"

It took Grand three months of fiddling, tweaking and face-palming to figure out the hack. He used practice wallets to see if he could break the security of Reich-and-friend's Trezor wallet.

"The hardest thing was figuring out all of these tiny little details and intricacies of the technique I was using, which is called fault injection. And the overall concept basically is that you're trying to get an electronic device to fail in a certain way that you can use in some way to benefit from it," he explained.

At one point, he almost gave up. He had made a breakthrough but didn't recognize it until his wife suggested he examine it more closely.

"I didn't take it seriously," he said. "She kind of pushed me to figure out how that happened. And she was 100% right. I looked through the source code, I analyzed my setup and found the reason why that happened. And then I could focus on fine-tuning the attack enough to make it work."

Ready to try

Finally, in May 2021, Reich flew from New Jersey to Grand's lab in Oregon with the real wallet in hand.

Grand carefully cracked open the plastic case around the wallet to get to the microchip inside. He cleaned off the chip and soldered on wires to connect it to his own equipment.

Then he began the hack. The plan: to cause a glitch in the chip to get past security controls.

"It's just a very precise kind of knowing exactly when to kick the door in," Grand said. "Even if you have the exact spot, it doesn't work every time. I mean, it's like magic. It really is this amazing combination of successes that you need to have just to defeat that security one time."

He starts glitching the chip about once per second. Sixty tries. Six hundred tries. Six thousand tries, and still nothing.

"This is torture," he said.

The Long Wait

After more than three hours, a pizza delivery, and stressful, tension-filled boredom, they at last hear the alarm signaling a breakthrough. Success!

They cheered and hugged and gave each other high fives.

"I was shocked that it happened," Grand said. "It was pretty cool."

Now it's time to see if the chip still holds the crucial data --- the PIN.

They're in luck. It shows the correct PIN: 12514.

Getting paid

With cryptocurrency fluctuating in value, the contents of the wallet had gone up.

"When we hacked it, it was just over $2 million," Grand said. "It was pretty wild to see all those zeros in the wallet as it came up."

He received a percentage of the money. But he found something worth far more: a new passion for hacking these kinds of devices for people who have lost hope.

"There are people that have many orders of magnitude more money at stake. And a lot of them, unfortunately, have no recourse to get it," he said. "It's really just like the wild west of the financial world."

Aftermath

Grand made a video of the $2 million hack in January 2022. Now, with over 5 million views, the video illustrates a current phenomenon: people forget their important passcodes, and they like to watch an OG hacker do battle with the technology to get them back.

Through the stress and pain of hacking cryptocurrency wallets, the hacker once known as Kingpin saw he could learn something new, exercise his brain and help people at the same time.

"The fact that I'm able to use my skills in some way that helps other people in an immediate fashion is pretty amazing," he said. "What other better thing is there than to help people? I wasn't expecting that to be as satisfying as it turned out to be. And that's why I'm doing it."

If he inspires others to learn to do hardware hacking, he'll be even more satisfied.

"If you want to go in and try to hack something, you can do it," he said.
