Three ways to hack Bitcoin

A properly set up and used Bitcoin address is virtually impossible to hack. The vastness of possible private keys ensures that it is practically impossible to bruteforce one (or several) Bitcoin addresses. Humans are not machines, however, and humans do make mistakes.

Here, we will list a couple of disasters that have led to compromised private keys and resulted in Bitcoin theft. Consider this a list of how to not produce and use private keys. And maybe as a source of inspiration for finding other exploitable weaknesses when it comes to human handling of private keys.

A good private key should be perfectly random, and until we devise a machine that can output true randomness (if such a thing even exists), we are bound to rely on so-called pseudorandom functions to create private keys. Bitcoin wallet software uses pseudorandomness to create new keys, and until this day, it has worked out very well, which strongly suggests that these methods are good enough. In fact, there is not a single known collision in the history of Bitcoin, i.e. an accidental keypair generation that has led to person A being able to control peron B’s coins. In other words, when your wallet software or your script outputs a new keypair, looking up that the resulting public addresses have been used before is unnecessary and is typically never done.

There are thousands of articles describing the art of creating cryptographically safe private keys. You don’t have to read any of them. With a single line of code in Bash (“sudo apt-get install openssl” first, if necessary)

openssl rand -hex 32

you will produce a 64 character hexadecimal string (256 bits or 32 bytes, if you will) such as


which can be used as an unbreakable private key. Our example is synonymous with these two private keys


that, in turn, control these four public addresses


The point here is that there isn’t, and will likely never be, enough computational power in the universe to bruteforce these, so unless we hadn’t just written out the private keys, you could never have hacked these public addresses.

Now on to the title list, in order of appearance:

1. Google and the cloud

Until 2014 or so, it was fairly easy to find a decent amount of unencrypted Bitcoin Core wallet files that had unspent Bitcoin in them using a simple Google search phrase, such as “ wallet.dat”. At the time, all Dropbox accounts came with a public folder, so that everything you put there was exposed to the web, and much of it was picked up and indexed by Google. People were sloppy (or just plain stupid?), and more than one person decided this folder was the perfect place to store a backup of their Bitcoin wallet in. Let us be redundantly clear: saving your wallet file in a public folder, unencrypted too, accessible in any browser, is a really bad idea.

It doesn’t matter that Bitcoin Core has always produced cryptographically safe keypairs, when users make them public online. For the record, another popular search phrase was “inurl:’index of’ wallet.dat”, which would take you to webpages under construction and lists of all files in certain folders. Typically, you never want to make your folder structures open on the web, and this was probably the result of misconfigured web servers.

Nevertheless, why some people decided to upload their wallet files to their webpages in the first place is still an unsolved mystery; we can just conclude that it happened a number of times.

By now in 2020, it seems that Google has finally decided to strike down on these ridiculously simple hacks, and to the best of our knowledge, such search phrases will no longer help you find wallet files. If you know of other search phrases, perhaps using other search engines than Google, that still work, please let us know! We would not be surprised if there still were wallet files to be found on the web that you could right-click and “save as.”

2. Bitcoin ATMs and social media

Bitcoin ATMs are fantastic and will hopefully make the average person more curious and less skeptical about Bitcoin. Since Bitcoin is a digital currency, what you get when you buy Bitcoin in an ATM is not a stack of bills, but rather a simple receipt containing – you guessed it – a private key, practically enough in the form of a QR-code.

Remember when teenagers could get VISA cards and when #MyFirstCreditCard was a thing on Instagram? Same thing here again. Some people are so proud that they just bought their first pieces of a Bitcoin and can’t wait to tell the world. This would be all good if it wasn’t for the fact that enthusiastic newcomers snap photos of their receipts, in which you can clearly see the QR code, and post them on Facebook and Twitter.

Here is one such example, image courtesy Twitter:

Bitcoin ATM receipt

Bitcoin ATM receipt

Let’s hope that is was the rightful owner who spent the coins from


Unfortunately, this is far from the only example we are aware of. Take home message: Do not take photographs of your private keys, and if you do, don’t post them on social media unless you are asking to be robbed in a matter of minutes.

3. Brainwallets

Alright, the story goes something like this. Until 2015, there was a webpage called, that took any password, calculated its SHA256 hash, and used that as the private key (and it was kind enough to print the corresponding public address). What’s so wrong with that? Using this method you can create keypair that you can easily regenerate – “store them in your brain.” Well, many things are wrong. Humans suck at choosing good and memorable passwords or passphrases. The human brain is terrible with what we call entropy. Tech researcher Ryan Castellucci and co-worker has a splendid talk about it, which we warmly recommend you to watch.

Even though one site ceased operations, the web is littered with similar services still (which we will not link to). Do not use brainwallets! Computers are good at entropy, humans suck, OK? Do not try and store private keys in your brain. We would even say that using a private key that is the hash of something known is a terrible idea.

We have played around with Ryan’s tool Brainflayer and come to the conclusion that people are still using such services or solutions to create keypairs.

One, out of more than 20,000, that we found ourselves is (we don’t think that it has been published elsewhere)

SHA256(“the crow flies at midnight”)

In summary, stay away from brainwallet. Let computers do the computing. Use safe private key generation, as in the beginning of this artkce and you are as safe as can be.

Other methods

Your turn! What else do we have? Of course, there are more attack vectors than these. A relatively recent scientific publication gives us additional leads. But there must be even more. Show us what you got!

One more thing!

Consider the donation address at the bottom of the page. We re-invest all contributions into new projects for Help us create new content and remain ad-free forever. Thank you.

4 Replies to “Three ways to hack Bitcoin”

  1. Weak generated private keys can also be bruteforced using brainflayer/bitcrack. Some of the guys also using pollard rho to find private keys using public key (see bitcoin talk), of course you would need to know the correct range the keys reside for this to be effective.. also need the compute power to pull off such tasks.


  2. By the way, if you want to use Python instead to produce a cryptographically safe private key (HEX), it can be done with two lines of code

    >>> import binascii, os
    >>> binascii.hexlify(os.urandom(32)).decode()


  3. February 14, 2021 at 5:38 PM

    Please contact me, I need to do some work with btc.


  4. Dear Sir or Madam
    Hello, I hope you are well and healthy wherever you are in the world.
    I hope you are successful in your work and life.
    I am in Iran, if you have a good financial situation, please help me financially.
    Finally, I am honest, I am married and have two children and I live in a rented house.
    I am not in a good financial position, I am living in hardship due to severe US sanctions and unemployment caused by the Corona virus.
    Please note, we know and everyone knows this world is a mortal world.
    We know and everyone knows that what will remain stable in the sight of God Almighty is goodness and humanity and helping the weak and poor people.
    We know, and everyone knows, that these are governments that oppose each other and cause livelihoods and economic problems for the general public.
    I wish that one day governments would make peace with each other and nations would have a good life together in peace of mind and away from the problems of livelihood and income.
    Please note, my letter is to those who are rich and live in prosperity and peace.
    My letter is addressed to those who have great financial ability.
    So that they can help me financially and I can buy a house.
    I will not hesitate to do you any service I can.
    I desperately ask you not to hesitate to help me financially if you are rich.
    I thank you in advance for your humanity and respect.
    I will be indebted to your service and love for a lifetime.

    Bitcoin wallet address for donation:


    Yours Faithfully, H.M
    My Gmail Address:


Leave a Reply

Your email address will not be published.