Joe Grand hacked a $2 million crypto wallet. Now he’s turned it into a job
The engineer, a legend in the cyber community where he is known as ‘Kingpin,’ has found a new challenge in life: recouping money lost due to human oversight.
As Dan Reich’s friend told him: “I forgot the password”.
The password was for a wallet containing Theta, a cryptocurrency. In 2018 Reich, an electrical engineer and start-up founder in New York, had bought $50,000 worth of Theta along with this friend, and by the end of 2020, after never going above a few cents, it began to rise. In just three months the $50,000 was hovering around $2.5 million.
The friend who forgot the password is a professional poker player – it is literally his job to remember things: “He remembers the license plate numbers of our high school friends”, recounts Reich in an article on his website.
“He plays poker for a living – playing 8 tables at a time – and he remembers how dozens of different players play,”
Along with forgetting the password, Reich’s friend had another problem. The crypto wallet, which is a kind of USB stick, would self-erase after 16 failed attempts. They’d made a dozen.
As a good electronics engineer, Reich knew there had to be another solution: “The chats with our friends were getting ridiculous,” he recalls. Indeed, they decided that “if we couldn’t find a technical way to release the money, we’d find a chemical way: we’d go away for a weekend and feed him hallucinogens until he remembered the password.”
In the end, he found Joe Grand. Grand was the youngest member of the legendary L0pht group, who in 1998 appeared in the Senate with their long hair, suits and nerdy faces to answer a stellar question from a senator, “I have been informed that in just 30 minutes the seven of you could render the Internet useless to the entire country.” “Correct,” they replied. Grand now devotes himself to teaching classes and courses around the world. But, deep down, “I’m still the 16-year-old hacker who likes to annoy people”, he says in a video call conversation with EL PAÍS from his laboratory in Portland (Oregon, USA).
Dan Reich told Grand about his case in February 2021. It was pandemic time and Grand, who is a ‘hardware hacker’ – a particular category within the crypto world – took some time to try and draw out a solution.
To retrieve the information inside the wallet, the chip had to be targeted; the hack could not just be achieved with code.
In crypto, money is only accessible with your private key, which is what is kept in these wallets. Without that key, which in Reich’s case is additionally protected by a password of a few digits, nothing can be done.
Both agreed to record the entire procedure professionally on video. The recording was made in May 2021, while the video was uploaded to YouTube on January 24. Within three weeks, it had an extraordinary four million views and is now up to 4.6 million. The 32-minute video clearly explains the complexity of the technical process for accessing the wallet and the solutions Grand comes up with: “Hacking is not what you see in the movies,” Grand says in the video. “It’s a big roller coaster, solving puzzles, forcing computers and hardware to do things they weren’t expecting to do, you want them to fail their function in a way that you can control.”
Today, Reich and Grand are, along with others, partners in a new company that aims overall to help crypto owners who have lost access to their wallet. Grand does not elaborate on the phenomenal success of the video, of which The Verge published an article version: at any rate, he says, “the response to the video shows that people have problems using cryptocurrencies, it’s not a user-friendly thing,” he says. “We’re being swarmed with emails, there are hundreds and hundreds and hundreds of messages,” he adds. Some have come from Spain and Latin America.
Crypto wallets with lost money do not make up all the new company’s cases. There are people who have been scammed and are looking for help, others who have encrypted devices that they don’t know how to access. At any rate, “there are some strong, legitimate cases of problems that we can help with. It’s exciting to see this kind of response,” he says. Unlocking wallets is especially appealing because the company obtains a percentage of the money recovered.
Badges for #defcon27 are courtesy of legendary #defcon badge creator @joegrand aka #kingpin! #excited pic.twitter.com/SS46k1GN5s— DEF CON (@defcon) July 29, 2019
A widely cited report from Chainanalysis says that 20% of bitcoins – many billions of euros – in circulation have no owner.
James Howells threw away a hard drive containing his keys and kept another one just like it that did not. His case has been everywhere.
As the BBC ‘discovered’, “Howells says he wishes he hadn’t thrown away the hard drive”. (To be sure, it is probably not hard to get inside the head of someone who lives in a town in Wales and could have over €200 million and doesn’t).
The problem, according to Grand, is social, not technical. To search for the hard drive he needs permission to search through landfill. “He’s been trying to come to terms with this reality for almost 10 years,” Grand says of his talks with Howells. “I’m hopeful. I think with the right processes and the right people it can happen. It’s a good story - he threw away a hard drive. Nobody cares. The question is how to benefit the community,” he adds.
The company Grand has created is not the only one that has found an opportunity in recovering lost wallets with millions in crypto. There’s another problem in that sector: not everyone who thinks they have millions actually does. “I’ve talked to people in this business who say they live in a constant state of disappointment. They will tell you they have money and you find you have $2. A lot of people exaggerate,” Grand says.
Grand’s new business is not only technically challenging, it’s also vitally challenging. With the confinement due to the pandemic Grand asked himself bigger questions than when usually faced with computing challenges: “I got burned out. I lost energy for engineering and even hacking. I’d been traveling like crazy and designing products with really stressful 18-hour days,” he says. Those products were “passes” for accessing the famous Def Con hacker conferences. They are engineering masterpieces that come with internal challenges in electronics, hardware, code analysis or cryptography. The task gave them some prestige within the community, but the effort it requires wears thin.
“I ended up thinking about what my life is like and what people are going to remember me for. Everybody’s maybe done something memorable but nobody’s going to care; you [might] become a footnote to something. So I accepted my mortality, I think. I came to the decision to just do what I love,” he explains. Hacking crypto wallets came at just the right time.
With the calm of confinement, he was able to spend three months figuring out how to break into Dan Reich’s crypto wallet. It was made by Trezor, perhaps the most popular brand in the field.
The software was out of date, something Grand took advantage of to break in.
Equally, other challenges do not faze him. “Everything is hackable, everything,” he says. Although the old version of Trezor’s software facilitated the attack, Grand says he has resources to access new versions, but does not disclose them.
Trezor, of course, is not amused to be the subject of a video showing a wallet break-in and that has been seen by millions of people. The company rushed to confirm that the hack shown in the video had been patched and would no longer function.
Grand understands their position: “When something like this comes out, the brands don’t like it very much. And I feel bad and would love to help them,” he says. But Grand says he has bigger fish to fry: “My purpose is to make people think and see things they haven’t seen before. It’s like ‘kicking the hive’ to apply pressure and fix products or raise awareness. Being a hacker is about showing that side to life that’s maybe controversial and that people maybe don’t like.”
“People see it as magic, but it’s not,” he adds.
Grand created a card to cheat city parking meters and also garage door remote controls: each click changed the code it sent and eventually the door opened. Of the card, he says: “I promise I have never used it to do anything bad”,
“I’m an equal-opportunity hacker: I’m loyal to nobody and I question everything,” he adds. As such, Grand is a “technological minimalist”: technology is his life, but he uses it strictly only as necessary because he knows its risks. His cellphone is only enabled for calls and maps, with no social networks or email.
“I try to compartmentalize,” he says. “I know when I use a smartphone, I’m being tracked. So that’s a limitation, but I’m aware of what the technology is and what the companies that provide the phone to you are doing with your data,” he adds.
“I don’t have Amazon Echo or Alexa, because I know that even if they say it only listens when you say ‘hey, Alexa’ that’s not true, because it has to listen in order to hear you when you say ‘hey Alexa,’” he says. He adds, “I only use what I need to use, and only if it has a specific purpose. I won’t bring those things into the house unless they have a purpose.”
With his new project, Grand hopes to show the positive side of the hacker world, saying: “People like to see that there are hackers out there doing good things,” he says.