• Alister Milne planned to give away Bitcoin to anyone who could guess the mnemonic phrase of the Bitcoin address that contained 1 BTC
  • John Cantrell successfully brute-forced the Bitcoin address because Cantrell already provided the eight words in the mnemonic
  • Without prior knowledge of any word in the mnemonic, Cantrell said it would take trillions of years for a brute force attack to be successful

After successfully hacking a Bitcoin address, Lightning project developer John Cantrell assured everyone that Bitcoin addresses are safe.

On May 29, 2020, Bitcoin investor Alistair Milne tweeted his plan to give 1 BTC to anyone who could guess the private key of the Bitcoin address he gave. Milne would reveal one word in the 12-word mnemonic private seed in a span of days. Anyone who would like to brute force the Bitcoin address could try guessing all the mnemonic phrases before everyone else, using the words already tweeted as a guide.

The time required to do the work gets reduced every time Milne posted one seed word every couple of days. When eight words have already been revealed, Cantrell found out he needed to check 1.1 trillion possible mnemonics, dramatically less, considering that without knowing any of the words in the mnemonic, it would take billions of years for a brute force attack to be successful.

Cantrell initially wrote a program that could check around 1,250 mnemonics per second. However, this would mean his Macbook would take 25 years to check all possible phrases. He proceeded with a program written in OpenCL and working with GPU and eventually, a pool of GPU to perform the work faster.

“At the peak, I was testing about 40 billion mnemonics per hour,” Cantrell wrote on Medium. About 91% through the entire testing of all possibilities, he found the solution. He plugged in his hardware wallet to find the Bitcoin there.

Bitcoin mining operations can be massive, and consume large amounts of electricity
Bitcoin mining operations can be massive, and consume large amounts of electricity AFP / Lars Hagberg

While this is something to celebrate for Cantrell, he found out because of his experiment, many people concluded Bitcoin is not secure and can be brute-forced. He responded on Twitter to explain why Bitcoin is still safe.

Cantrell noted the only reason he was able to brute force it in a little over one day is that he already had knowledge of the first eight words, given by Milne. “It would take the same system that brute-forced the last 4 words of his mnemonic 837 quintillion millennium to brute force all possible 12-word mnemonics,” he continued.

Using more GPU for more computing power must not be considered as well because the hacker must also think about the cost doing so. Assuming the market cap of Bitcoin is $100 billion, it will stake trillions of years to brute force all 12 words.