American engineer Joe Grand, along with his colleague Bruno, uncovered a flaw in an older version of the RoboForm password manager that allowed them to retrieve $3 million in BTC.
In a recent YouTube video, Grand shared how he was contacted in 2022 by Michael, a European cryptocurrency owner who needed help recovering millions in Bitcoin. Michael had lost access to his 20-character password, which had been generated by RoboForm and stored in a TrueCrypt-encrypted file.
After months of work, Grand and Bruno reverse-engineered the 2013 version of RoboForm that Michael had used to create his password. They discovered a flaw in the software’s password generation process that made it possible to predict passwords based on the computer’s date and time. Fortunately for Michael, his password was created before RoboForm fixed the issue.
Investigative journalist Kim Zetter highlighted that current RoboForm users who generated passwords before the 2015 patch may also be at risk of having crackable passwords. Despite this, RoboForm has not issued any public statements on the matter.
Using their findings, Grand and Bruno began a brute-force attack to uncover Michael’s password. After refining their methods, they successfully cracked the password created on May 15, 2013, at 4:10:40 PM GMT, granting access to Michael’s 43.6 BTC, now valued at $3 million.
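
The class of weakness described above, as an added illustration that is not RoboForm's code or Grand's tooling: a toy generator whose only input is the clock, beside one that draws from the operating system's CSPRNG, with an audit check for whether a password can be reproduced from a timestamp in a known window. The alphabet, the use of Python's `random` module and all function names are assumptions made for the example; the timestamp is the one quoted in the article.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

# Assumed character set for the example (not taken from RoboForm).
ALPHABET = string.ascii_letters + string.digits

def weak_password(unix_ts: int, length: int = 20) -> str:
    """Toy generator: the clock is the only input, so the output is reproducible."""
    rng = random.Random(unix_ts)  # non-cryptographic PRNG seeded with the time
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_password(length: int = 20) -> str:
    """Hardened form: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def clock_space_bits(window_seconds: int) -> float:
    """Effective entropy when the only unknown is the second of creation."""
    return math.log2(window_seconds)

def full_space_bits(length: int = 20) -> float:
    """Entropy of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))

def derivable_from_clock(password: str, start_ts: int, end_ts: int):
    """Audit check: return the timestamp that reproduces the password, or None."""
    for ts in range(start_ts, end_ts):
        if weak_password(ts, len(password)) == password:
            return ts
    return None

# Constructed sample input: the creation time quoted in the article, and its UTC day.
DAY_START = int(datetime(2013, 5, 15, tzinfo=timezone.utc).timestamp())
CREATED = int(datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    day = 24 * 60 * 60
    legacy = weak_password(CREATED)
    print("one-day clock window:", round(clock_space_bits(day), 1), "bits")
    print("20 random characters:", round(full_space_bits(20), 1), "bits")
    print("time-seeded reproducible:", derivable_from_clock(legacy, DAY_START, DAY_START + day) == CREATED)
    print("CSPRNG reproducible:", derivable_from_clock(strong_password(), DAY_START, DAY_START + day) is not None)
```

Passwords that fail a check like this should be rotated, since their strength depends on how well the creation time is known rather than on their length.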
Joe Grand, founder of Grand Idea Studio, is an electrical engineer, inventor, and hardware hacker renowned in the crypto community for his work. Known as “Kingpin” in hacking circles, he gained recognition for assisting a Trezor One wallet owner in recovering $2 million in BTC in 2022. Grand continues to work with companies to improve their digital security measures.

