Steal our Bitcoin – Again

Since the first round resulted in Bitcoin theft within seconds, we have decided to step up the game for the second round. Again, we have transferred 0.0001 BTC each to 10 different unsafe segwit addresses. Here is the transaction:

c94be241769a2b95f0f14780c7c1612d0e86208e263f0b8e185110aa76f572c8

Again, all these public addresses can be considered brainwallets, as their private keys are single-round SHA-256 hashes of passwords or passphrases that we think humans could and would choose. In other words, they are not crazy and random strings of special characters, such as these, but rather memorable and human-like.

Put differently, “W)q|e9r?M%I|AdCaynz7*J_OSG” is not at all what any of these passwords would look like; something much closer would be “DragonDeath22”, but for obvious reasons, this is not one of the correct answers.

For the record, this time around we searched for all our generated SHA-256 hashes on hashes.org, and got 0 of 10 hits. We didn’t check with other sources, so some of them may very well have been published elsewhere.

We think that this challenge is significantly harder than the first, but by no means unbeatable. All passwords used are words or phrases that aren’t super-uncommon in plain text on the web. With password-lists and maybe with the addition of tools like hashcat, it should be possible to crack all 10.

The public addresses we allow and encourage you to empty are thus:

35BL7Bm2dSVXnJ8ddrr3jBDGwTX5ZW1Q4K
39CYmS8mfgMK4LC4dxAzBrSRPWwQak8tku
34xSSBz68NzgeLK9utkV5krs2qT3xe8gXj
36cSwyoKhfpiWUxAycNRG8iQAQe7hdbM5L
3QouzFjY9ti93D5TgvbTK5d6pzSisEoWDV
bc1qzf2x5v0stgheduw2shvdyy98lww6qkdwej3ca4
bc1qn6jx292y29y7ufsley9rlryhu4sgjkuc56h7yw
bc1qng06jn49mxcwj4q5cqc69t0d2wka24ahzs7glq
bc1qkw5m9gst3mrq58qv2z2lm9809luvqrd280cv73
bc1q856phefcga58hcmd0et2mx78v6q54egj2ulhfl

We wish you the best of luck, and we will of course update this post with all details, just as in the previous example, when all addresses have been compromised.

In the unlikely event that not all addresses are cracked within 7 days, we reserve the right to transfer back the coins to our own public address. And in this case too, we will of course update this post with the solutions.

We believe in you. Show us you can do it!

Comments or questions?

One more thing!

Consider the donation address at the bottom of the page. We re-invest all contributions into new projects for btcleak.com. Help us create new content and remain ad-free forever. Thank you.

7 Replies to “Steal our Bitcoin – Again”

  1. Here is another layer to the experiment. To check whether bots or humans even read these pages. As only two of the SHA256(passphrase)-generated were swept immediately, we’ll leave you will the complete list. With these, you can empty the remaining 8. Now or never – you have 24 hours 🙂

    1) btcleaks.com
    2) Raw like sushi.
    3) alpha tango bravo delta
    4) GREED IS GOOD
    5) [_d^^b_]
    6) YoMama!
    7) I had a dream.
    8) —GUESSWHAT—
    9) 420-StonersUnite
    10) TheEarthIsFlat

    Reply

  2. Looks like number 8 is bugged 🙂

    Reply

  3. Btw this is my first ever bitcoin! thankyou heaps for this i am surprised i got it before anyone else!

    Reply

    1. Congrats! Yay.

      Hm, yeah, number 8 is off. Crap. Now we need to crack our own riddle in order to reclaim the coins 🙂

      Pretty sure the word is right, but maybe the hyphens are not “-” but “—”, minus sign vs em-dash, something like that. Or the equal (“=”) sign. Try and play around a little with those, and see if you can solve it.

      Also, would you mind telling the crowd about your methods, what tools did you use? Thanks!

      Reply

  4. The method itself was pretty simple, as you guys had already disclosed the answers more or less it was just a matter of generating the Private Keys.
    I used:
    https://segwitaddress.org/bech32/
    and
    https://segwitaddress.org/
    to generate the private keys using the brainwallet section then electrum with the:
    p2wpkh:
    p2wpkh-p2sh:
    To sweep the keys into my wallets.

    Once again thankyou for the puzzle, i will tinker with #8 for a little or maybe someone is lucky enough to beat me to it 🙂

    Reply

    1. Great, many thanks!

      We have figured no. 8 out; the problem is a WordPress “feature”, it translates certain _seqences_ of characters into one.

      (The reason your comment was delayed was that it contained hyperlinks; we have fixed that now, 2 links are OK.)

      Reply

      1. Great thanks! got it will sweep when im home if im not too late!

        Reply

Leave a Reply

Your email address will not be published.