Hacker Helps Recover $2 Million in THETA from Trezor Wallet

Hacks don’t typically have a happy ending. Fortunately, for one New York-based crypto investor who forgot the PIN to his Trezor One hardwallet, a hacker was able to help him recover over US$2 million in THETA.

The Story

In 2018, Dan Reich and his friend Jesse decided to make a concentrated bet on a new crypto. They both cashed out around US$25,000 in BTC and and bought US$50,000 in THETA at a time when it was trading at just 21 cents.

Jesse was going to custody the THETA and things were going swimmingly, until word spread of China cracking down on exchanges. This prompted them to transfer their THETA to a safer alternative, a Trezor One hardware wallet.

Then came the infamous crypto winter, which saw their investment annihilated. Dan wanted out but Jesse had forgotten the PIN to the Trezor One, which would self-destruct if they guessed the PIN incorrectly too many times. He had also somehow misplaced the piece of paper with the 24-word seed phrase that could have otherwise restored his wallet.

After writing off the investment, the pair then watched their investment recover and soar, eventually to over US$1 million and, at one point, touching US$3 million. After contacting a range of international experts, they settled on a reputable hacker, Joe “Kingpin” Grand, who claimed he could assist.

Kingpin to the Rescue

Kingpin spent the better part of 12 weeks trying to hack the Trezor One and, remarkably, found a way to recover the lost PIN.

According to Grand, the key to his success related to the hardware wallet’s firmware update that temporarily moved the PIN and key to RAM, only to later move them back to flash once the firmware was installed. For the particular firmware on Reich’s wallet, the information about the PIN was stored in flash.

After using a technique altering the voltage of the chip, known as a “fault injection attack”, Grand surpassed the security of the microcontrollers and obtained the PIN needed to access the wallet and the funds. Grand explained:

We are basically causing misbehaviour on the silicon chip inside the device in order to defeat security. And what ended up happening is that I was sitting here watching the computer screen and saw that I was able to defeat the security, the private information, the recovery seed, and the pin that I was going after popped up on the screen.

Joe “Kingpin” Grand, hacker

No doubt proud of his effort, Kingpin later created a video in which he provided a full account of how he managed the feat:

For its part, Trezor expressed relief for Grand having been able to access the funds but noted that the vulnerability identified had already been fixed:

Hi, we just want to add that the vulnerability was already fixed, and all new devices are shipped with a fixed bootloader. Thanks to @saleemrash1d for his security audit. Learn more about our Security approach and responsible disclosure program here👇https://t.co/pyV1Ya6X8b

— Trezor (@Trezor) January 24, 2022

What’s the lesson here? Remember your 4-digit PIN (make it hard to forget), write down your seed phrase and put it somewhere safe, and also keep your hardware’s firmware updated. If you happen to be one of those unfortunate souls who have lost their crypto, it could be worse – you could be the guy who is still looking for his 7,500 BTC.

For Australians keen to up their crypto security game, Crypto News Australia recommends Coinstop as its preferred hardware wallet provider. Users can get A$5 off their order with the code CRYPTONEWS.