Here’s How $2 Million Worth Of Theta Was Recovered From A Trezor Wallet

The crypto-verse is a tricky place but there are a few things that don’t change for anyone like lost crypto wallet keys that can never be recovered, or at least that’s what the notion was until now.

Recently, a computer engineer and hardware hacker revealed how he managed to crack a Trezor One hardware wallet containing more than $2 million worth of cryptocurrency in funds.

One of a Kind Hack

The New York-based entrepreneur and crypto enthusiast Dan Reich was finally relieved after a hardware hacker helped him recover over $2 million from his Trezor One hardware wallet. In 2018, Reich along with a friend decided to spend $50,000 worth of Bitcoin on Theta tokens, which were valued at just 21 cents back then.

Initially, the tokens were held on a China-based exchange but within weeks after a broad crackdown on cryptocurrency by the Chinese government, they had to transfer everything to a hardware wallet.

That’s when Reich and his friend chose a Trezor One hardware wallet to set up a PIN, but a couple of years down the lane the unthinkable happened — The two forgot their PIN.

After 12 unsuccessful attempts to recover the PIN, the two decided to quit before the wallet automatically wiped itself after 16 incorrect guesses. However, last year after the price of Theta token hit an all-time high above $15 and their initial investment briefly rose above $3 million, Reich decided to renew their attempts to get access to the wallet.

Without a wallet’s seed phrase or PIN, the only way to retrieve the tokens is through hacking, here’s where Joe Grand, a Portland-based hardware hacker, comes into the picture.

Breaching Trezor Security

In a YouTube video, Grand explained that Trezor One wallets temporarily moved the PIN and key to the RAM during a firmware update and once the update is complete, the information is moved back to flash.

Grand found that in the version of firmware installed on Reich’s wallet this information was not moved but copied to the RAM, this meant that if the hack fails and RAM is erased the information about the PIN could be stored in flash.

Thus, Grand uses a fault injection attack — a technique that alters the voltage going to the chip. Since Grand could surpass the security the microcontrollers had to prevent hackers from reading RAM and this helped him obtain the PIN needed to access the wallet and the funds.

The hacker further explained:

“We are basically causing misbehavior on the silicon chip inside the device in order to defeat security. And what ended up happening is that I was sitting here watching the computer screen and saw that I was able to defeat the security, the private information, the recovery seed, and the pin that I was going after popped up on the screen.”

While the hack must’ve left Reich and his friend ecstatic, not everyone was pleased with the vulnerability found in Trezor wallets, and the same led to some panic.

Hi, we just want to add that the vulnerability was already fixed, and all new devices are shipped with a fixed bootloader. Thanks to @saleemrash1d for his security audit. Learn more about our Security approach and responsible disclosure program here👇https://t.co/pyV1Ya6X8b

— Trezor (@Trezor) January 24, 2022

In response to this, Trezor Tweeted that this vulnerability that allows it to read from the wallet’s RAM is an older one that has already been fixed for newer devices.