1. Introduction
Cryptocurrencies are digital assets that operate on cryptographically secure distributed ledgers. The global cryptocurrency market cap exceeds USD 829.3 billion [1]. The cryptocurrency market has consistently grown since Bitcoin emerged [2]. On 14 November 2023, Bitcoin’s (BTC) market capitalization exceeded USD 71 billion [3]. Cryptocurrencies are no longer confined to the virtual realm and are actively utilized in actual asset transactions. Many investors collect cryptocurrencies, and countries like El Salvador now recognize them as legal tender [4].
Cryptocurrency operates based on public key algorithms [5], using private keys to prove ownership or conduct transactions. However, the length and randomness of private keys make them hard to remember, leading to the emergence of cryptocurrency wallets to facilitate the convenient use of digital assets. Cryptocurrency wallets protect and manage sensitive data, including mnemonic codes and the user’s private key, using a user-defined password. Utilizing a cryptocurrency wallet enables convenient management of digital assets and facilitates transactions.
As the value of digital assets has increased, the threats to digital assets have also grown [6,7]. According to Chainalysis, cryptocurrency thefts resulted in approximately USD 3.8 billion in losses in 2022, a significant increase in thefts and hacking incidents [8]. Atomic Wallet, with over five million users, fell victim to a hack in June 2023. Many users are suffering forced withdrawals of virtual assets from their accounts. Estimated losses exceed USD 35 million [9]. In July 2023, a cryptocurrency theft occurred in the ETH, TRX, and BTC hot wallets of the cryptocurrency payment platform Alphapo, resulting in losses of at least USD 31 million. This incident is suspected to have been caused by a private key leak [10].
The threat to cryptocurrency wallets is increasing. However, since cryptocurrency is not legally recognized in most countries, cryptocurrency management applications are not subject to the stringent regulations that apply to traditional financial applications. This makes cryptocurrency wallets more vulnerable compared to traditional financial applications [11]. Given that virtual assets are increasingly regarded as part of tangible assets, cryptocurrency theft threatens individuals’ financial stability and undermines trust in the digital economy.
Desktop cryptocurrency wallets are software applications downloaded and installed on a user’s computer. These wallets store sensitive information such as private keys, transaction history, and account information as local files on the device [12]. Since wallet-related local files can be accessed at any time within the device, there is a risk of theft if the device is compromised by malware. Attackers can access the desktop to obtain local databases, logs, and key-related files. Insecure data storage is one of the common threats to digital wallets [13]. Additionally, even if the data are encrypted, brute-force attacks can occur because attackers can still access wallet-related files [14].
Passwords can be vulnerable to guessing attacks for various reasons. Typically, when cryptographic keys and related materials are derived from or protected by passwords, they become susceptible to these attacks [15]. For example, encryption tools like BitLocker derive encryption keys from user passwords [16]. If data protected by these keys are stolen, the strength of the password becomes critical to security. The same applies to desktop cryptocurrency wallets. Although they use robust cryptographic algorithms, the private keys are protected by encryption keys derived from passwords. Thus, weaknesses can arise from password policies and the storage methods of sensitive data [11,13].
In this paper, we conducted a security analysis of desktop cryptocurrency wallets against password brute-force attacks based on local data. We scrutinized the private key management mechanism to construct a password verification oracle. Leveraging this, we conducted practical brute-force attacks on three wallets: Sparrow, Etherwall, and Bither. We then evaluated their security. Furthermore, since password brute-force attacks are fundamentally possible on desktop cryptocurrency wallets, we propose a generally applicable methodology for analyzing resistance to brute-force attacks based on our findings. This universal analysis methodology is expected to help improve the overall security of cryptocurrency wallets, a crucial area of concern in the digital age.
Our contributions are as follows:
We performed a security analysis of three cryptocurrency wallets—Sparrow, Etherwall, and Bither—for the first time.
We propose a general approach for the cryptocurrency wallet security analysis of brute-force attacks on passwords.
Through experiments, we showed that the implementation design flaws can compromise security and demonstrated the gap between theoretical and practical security.
In Section 2, we review the security analysis research on cryptocurrency wallets through relevant studies. In Section 3, we establish a methodology for analyzing the security against brute-force attacks on passwords. Section 4 analyzes the wallets’ implementation flaws from a security perspective. Section 5 conducts brute-force attack experiments from a practical perspective according to the methodology described in Section 3. We then conclude the paper in Section 6.
2. Related Work
Research on the security of local data in cryptocurrency wallets can be categorized into studies focusing on mobile and desktop environments, as well as memory and disk storage. On mobile wallets, Trevor Haigh et al. [17] analyzed seven Android cryptocurrency wallets and identified some vulnerabilities. Binance, Xapo, and Coinbase were excluded as they do not store wallet-related data on physical devices. However, four of the target wallets allowed the acquisition of sensitive data. Mycelium encrypts all wallet-related data, but decryption was possible. In BitcoinWallet, all related data, including private keys, were accessible in plaintext. Bitpay and Coinpayments stored wallet keys in plaintext. Notably, Coinpayments also stored user passwords in plaintext, demonstrating significant vulnerability.
Ashish Rajendra Sai et al. [11] evaluated the security of Android wallets based on the OWASP top 10 risk factors. They divided 48 apps into three groups according to the number of downloads and conducted an initial analysis using automated tools like DroidSafe. Subsequently, they manually analyzed the four most downloaded cryptocurrency applications and four traditional banking applications in detail. The analysis revealed that cryptocurrency applications had a higher frequency of security vulnerabilities compared to banking applications. The primary issues identified were inadequate encryption and insecure data-storage methods.
Md Shahab Uddin [18] developed a semi-automated security evaluation framework for analyzing Android cryptocurrency wallets and used it to analyze 311 cryptocurrency wallet apps. Additionally, he manually examined the top 18 apps from the Google Play Store. The results revealed that 111 cryptocurrency wallets stored key-related information in plaintext. Among the top 18 apps, three stored key-revealing information in plaintext, and four encrypted key-related information using easily decipherable keys. Furthermore, many apps were found to be vulnerable to dictionary attacks and exhibited both cryptographic and generic vulnerabilities.
On desktop wallets, Wiebe Koerhuis et al. [19] investigated the data left in volatile memory, network traffic, and hard disks by the privacy-focused cryptocurrencies Monero and Verge. Using Volatility to analyze memory, they obtained the wallet passphrase and mnemonic seed from Monero and the wallet passphrase from Verge. Additionally, analysis with Bulk Extractor revealed that, when using Monero, it was possible to extract wallet addresses, transaction IDs, and transaction amounts from the disk. When using Verge, they could extract wallet addresses and public keys from the disk.
Tejaswi Volety et al. [20] conducted mnemonic seed cracking on the Multibit HD and Electrum cryptocurrency wallets. They used memory scanning to extract valid mnemonic candidates and created a dictionary. Then, they performed offline brute-force attacks to recover 12-word mnemonic codes. The experiments successfully recovered mnemonic codes in some cases.
Purthani Praitheeshan et al. [21] analyzed the security of the keystore file, commonly used in Ethereum wallets, and demonstrated its vulnerabilities through experiments. If an attacker obtains the keystore file and password, he/she can fully access the associated Ethereum account. Thus, the keystore file becomes the primary target of all attacks on Ethereum. Ref. [21] used Hashcat to perform brute-force and dictionary attacks on the keystore file, achieving partial password recovery. Additionally, they found a high success rate when using brute-force attacks with masking techniques or passwords from a dictionary.
Stephan Zollner et al. [22] conducted live and postmortem forensic analyses on Bitcoin-supporting wallets, including Armory, Multibit HD, Electrum, mSIGNA, Bitpay, Copay, Bither, Bitcoin Core, and Bitcoin Knots. They successfully extracted wallet login information and mnemonic code words through real-time memory analysis. They also effectively located Bitcoin-related files on the system using file signatures and keyword searches.
The analysis results for mobile and desktop platforms, disk files, and memory are summarized in Table 1. “Data Source” refers to the location from which the data used in the analysis were obtained, i.e., the local disk or memory. “Data Acquisition Window” indicates the periods when wallet-related data can be obtained. “Always” means that data can be obtained regardless of whether the program is running. In contrast, “Temporary” means that data can only be acquired while the program is running or immediately after it has been executed. “Private Key Acquisition” denotes whether the private key or mnemonic code was obtained as a result of the analysis. “Attack Execution” refers to whether the study performed simple analysis or conducted attack experiments to obtain the private key.
As previously noted, many studies attempt to extract sensitive data, such as mnemonic codes, from memory in cryptocurrency wallets. However, due to the high volatility of memory data, the window for obtaining wallet-related information is very limited. Additionally, for a comprehensive security analysis, it is essential to consider both the feasibility of simple extraction and the resistance to attacks such as brute force. For mobile cryptocurrency wallets, prior rooting and physical access using tools like Android Debug Bridge (ADB) are essential for analysis. Therefore, security analysis research based on local files of desktop cryptocurrency wallets is needed, as data extraction is comparatively easier there. In this paper, we verified whether desktop cryptocurrency wallets securely store data and conducted a security analysis against brute-force attacks.
3. Methodology for Security Analysis against Brute-Force Attacks on Password
In this section, we establish a methodology for analyzing the security of desktop cryptocurrency wallets against attacks utilizing local data storage:
3.1. Analysis of Implementation Flaws in Wallets from a Security Perspective
Desktop cryptocurrency wallets have to encrypt keys and data on user devices to prevent information leakage and subsequent wallet hacking [23]. Therefore, it is necessary to inspect the implementation flaws in the wallets from a security perspective. Phase 1—(1), (2), and (3) in Figure 1 correspond to the following essential inspection points:
Are wallet-related data stored securely?
Is an appropriate password management policy used?
Are sufficiently secure encryption algorithms used to protect the data storage?
First, locate the wallet’s package path, and determine whether the data stored there are encrypted. The package path is where data related to application execution are stored and varies for each application. It is commonly located in the user’s “AppData” directory or in the “Program Files” directory. After finding the package path, identify the types and forms of wallet-related data present and whether these data are encrypted. Wallet-related data can exist in various forms, such as databases or log files.
Next, inspect the target wallet’s password policy. First, determine the minimum and maximum lengths of passwords that can be used. Then, analyze the size of the input space based on the password input method and encoding scheme. The encoding scheme commonly used for processing user input data is UTF-16. In this case, the input space for a single character in the password is 1,111,934 characters, approximately
, which excludes 2178 control characters [24]. Password input methods can be divided based on whether copy–paste is allowed. If copy–paste is not allowed, only 94 characters can be entered via the keyboard (excluding the space). In this case, the input space for a single character in the password is approximately
.
Finally, analyze whether the wallet uses sufficiently secure algorithms to protect data storage. We need to identify the wallet’s data encryption mechanism to perform this. Source code examination, storage data analysis, and reverse engineering can be performed.
3.2. Analysis of Wallet Resistance to Brute-Force Attacks
Desktop cryptocurrency wallets use a user-defined password for security. This section proposes a methodology to analyze resistance to brute-force attacks targeting passwords. The methodology is shown as Phase 2 in Figure 1.
First, a password verification oracle must be established to verify passwords. The password verification mechanism is derived from the data encryption mechanism analyzed in Section 3.1. In Phase 1—(1), we identify data within the wallet-related data that can be used as password validation values. If this value can be used to verify the password-based private key management mechanism derived in Phase 1—(3), the verification process is the password verification mechanism. Detailed examples of mechanism derivation can be found in Section 5. Additionally, variables and constants must be identified to implement an oracle that performs repetitive verification. For example, in the password verification process, the IV and salt are constants, the password is a variable, and the HMAC is influenced by the variable.
Next, calculate the computational effort required for brute-forcing passwords. This involves identifying the input space of the internal variables of the oracle, utilizing the password input space analyzed in Phase 1—(2). Once the internal variables and their respective input spaces are identified, the computational effort required for a password brute-force attack can be calculated.
The computational effort can be compared with the intended security level of the cryptographic algorithm used to protect the data storage. If the calculated security is lower than the intended security, it is necessary to analyze which elements of each mechanism or variable have weakened the security.
The computational effort required for password brute-forcing can be represented using the input space size
, password length
x, and time
taken for a cracking attempt. Since the computation for exhaustive search grows exponentially, computing cost
C can be expressed as a (
1)
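The following added example (not code from the paper or from any of the three wallets) works through Phase 1—(2) and Phase 2 together: it computes the two per-character input spaces from Section 3.1, implements an assumed password verification oracle with the constant/variable split described above (salt and IV constant, password variable, HMAC dependent on it), and applies the exhaustive-search cost model, input space size raised to the password length times the per-attempt time, to compare a policy’s effective security with the storage cipher’s intended level. The PBKDF2 iteration count, the HMAC layout, and the opaque stand-in for the encrypted private key are constructed assumptions; a real wallet’s mechanism must be derived as Section 5 does.

```python
import hashlib
import hmac
import math
import os

# Section 3.1: 0x110000 UTF-16 code points minus the 2178 control characters
# the paper excludes gives 1,111,934 candidates per character when pasting is
# allowed; only 94 printable ASCII characters (space excluded) when it is not.
UTF16_SPACE = 0x110000 - 2178
KEYBOARD_SPACE = 94

def bits_per_char(space_size):
    """Security contributed by one password character, in bits."""
    return math.log2(space_size)

# Section 3.2: an assumed verification oracle. Salt and IV are constants read
# from local wallet data, the password is the variable, and the stored HMAC
# depends on it. Constructed stand-in, not any wallet's real mechanism.
def derive_key(password, salt, iterations=2048):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_local_data(password):
    """Constructed wallet file: salt, IV, opaque 'ciphertext', and an HMAC tag."""
    salt, iv, ciphertext = os.urandom(16), os.urandom(16), os.urandom(32)
    tag = hmac.new(derive_key(password, salt), iv + ciphertext, "sha256").digest()
    return {"salt": salt, "iv": iv, "ciphertext": ciphertext, "hmac": tag}

def oracle(candidate, data):
    """One verification attempt: recompute the tag under the candidate password."""
    key = derive_key(candidate, data["salt"])
    tag = hmac.new(key, data["iv"] + data["ciphertext"], "sha256").digest()
    return hmac.compare_digest(tag, data["hmac"])

# Cost model: |S|^x attempts for passwords of length x over a space of size |S|,
# at t seconds per oracle call (measure t by timing oracle() on the target).
def brute_force_cost(space_size, length, seconds_per_attempt):
    attempts = space_size ** length
    return attempts, attempts * seconds_per_attempt

def evaluate_policy(space_size, min_length, intended_bits, seconds_per_attempt):
    """Compare the weakest allowed password with the storage cipher's intended
    security level (e.g. 256 for AES-256); the gap is what the policy gives away."""
    effective_bits = min_length * bits_per_char(space_size)
    attempts, seconds = brute_force_cost(space_size, min_length, seconds_per_attempt)
    return {
        "effective_bits": round(effective_bits, 2),
        "intended_bits": intended_bits,
        "weaker_than_intended": effective_bits < intended_bits,
        "attempts": attempts,
        "years": seconds / (365 * 24 * 3600),
    }
```

With copy–paste disallowed and an 8-character minimum, the weakest allowed password carries only about 52 bits regardless of the cipher protecting the private key, which is the gap between theoretical and practical security the methodology is meant to expose.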
6. Conclusions
As interest in cryptocurrencies grows and their value increases, the security of cryptocurrency wallets becomes even more critical. Password brute-force attacks can fundamentally occur on any cryptocurrency wallet that uses passwords. Therefore, wallet design must consider this threat and implement secure methods for storing sensitive data and managing passwords. In this paper, we examined the resistance of Sparrow, Etherwall, and Bither to password brute-force attacks based on local data and proposed practical guidelines for securely designing desktop cryptocurrency wallets. Our study is more practical than related research focused on memory analysis because it utilizes local data, making data acquisition easier.
Our investigation uncovered that all three wallets store in the clear the sensitive parameters and nonce values used for private key encryption and need stronger password management policies. As a result, it is possible to implement a password verification oracle, making the security of these cryptocurrency wallets reliant on user passwords. Therefore, all wallets should enforce the NIST-recommended minimum password length of eight characters and allow copying and pasting of passwords to increase the input space. Additionally, for Etherwall, it is recommended that keystore files containing all sensitive data be encrypted.
Our findings are particularly significant for open-source wallets with publicly available source code. Before deploying or selecting a desktop cryptocurrency wallet, the proposed analysis methodology in this paper can be used to evaluate the wallet’s security. We expect our work to improve the overall security of cryptocurrency wallets. Additionally, the research findings can be utilized in investigations from a digital forensics perspective.
The research findings only cover desktop cryptocurrency wallets. Future research should expand the scope to analyze more cryptocurrency wallets across various operating systems, including mobile platforms. Additionally, it is necessary to perform security analysis from the memory perspective during program execution. The research can also include artifact analysis of wallet usage from a digital forensics perspective.