User story: The brainwallet family

TL;DR: A customer created a Bitcoin brainwallet in 2012 using their family's names in Hebrew as the passphrase, then iterated the private key five times through SHA-256. After 1.5 billion failed attempts using every combination we could think of, recovery came down to one missing ingredient: the family pet's name appended to the end. The exact combination of spaced names plus the pet name had never been generated in any previous wordlist.

What is a brainwallet?

Before we get into the story, a quick explanation for those unfamiliar with brainwallets. A brainwallet is a Bitcoin wallet where the private key is derived by hashing a passphrase with SHA-256. You pick a phrase, hash it, and the resulting 256-bit number becomes your private key. No wallet file, no seed phrase, no backup — just a passphrase you remember.

Brainwallets were popular in Bitcoin's early days (2011–2013) through sites like bitaddress.org. The idea was appealing: your Bitcoin is secured by something only you know. The problem is that humans are terrible at choosing random passphrases. If someone can guess your phrase, they can steal your coins. Thousands of brainwallets have been swept by automated scanners that test common phrases against the blockchain.

The flip side of this problem is what brings customers to us: if you forget your own passphrase, you are locked out just as thoroughly as any attacker. And unlike an encrypted wallet file, there is nothing to crack — you need the exact passphrase, character for character.

The case

A customer contacted us about a brainwallet they had created in 2012 using bitaddress.org. They remembered the general idea behind their passphrase — it was built from their family members' names in their native language — but could not remember the exact format.

They also told us something that made the case more complex: after generating the initial private key from the passphrase, they had iterated it. Meaning they took the resulting private key (in WIF format), fed it back into SHA-256 as a new passphrase, and repeated this process multiple times. They believed they had done this around five times, but were not certain.

This is a technique some early Bitcoin users employed as an extra layer of security. It means that even if someone guesses your base passphrase, they also need to know how many times you iterated and in what format (compressed or uncompressed WIF) at each step.

The first 1.5 billion attempts

We built a custom brainwallet solver in Rust that could handle the iteration logic: take a passphrase, hash it to a private key, convert to WIF, feed the WIF back in as a passphrase, repeat, and check the resulting Bitcoin address at each iteration against the target.

For the wordlist, we started with the family names the customer provided and generated every combination we could think of:

• Names in the original language, concatenated and spaced
• English transliterations with different spellings
• Subsets of names (three names, four names, all five)
• Names with common suffixes (numbers, punctuation, years)
• Keyboard layout mishaps (typing in the wrong input language)
• Hashcat rule mutations (best66 + dive rules, producing millions of unique base candidates)

Each candidate was tested across iterations 0 through 5, with both compressed and uncompressed WIF formats, and with various "what went wrong" modes we built into the solver: whitespace errors from copy-pasting, the possibility that the customer used the raw hex private key (instead of the WIF-encoded version) when feeding it back into SHA-256 at each iteration step, and even the chance they had accidentally used the Bitcoin address instead of the private key for a step.

After all of this — over 1.5 billion total permutations — nothing matched.

The missing piece

We went back to the customer for a follow-up interview. This time, we asked broader questions: not just about the family members, but about anything else that was important to the family at the time. Pets, places, dates, inside jokes.

That is when they mentioned the family pet. A name we had seen in our early wordlists, but only in isolation — never combined with the full spaced family name pattern.

The problem was subtle. Our wordlists had two things that were individually correct but never combined:

1. The family names with spaces between them — but without the pet name
2. The pet name as a suffix — but only after concatenated (unspaced) names

The actual passphrase was the family names in their native language, separated by spaces, with the pet's name appended at the end. This exact combination had fallen through the cracks of our wordlist generation.

The recovery

We generated a new expanded wordlist specifically targeting this gap: every variation of the family name pattern with the pet name, surname, year suffixes, and extended iteration counts. This produced about 23,000 new candidates.

We provisioned a fleet of three EC2 instances to run the attack in parallel. Within minutes, the solver found the match: the original passphrase was the five family names in Hebrew with spaces, followed by the pet's name. Iterated five times through uncompressed WIF.

The total compute cost for the final distributed attack was under a dollar. The real cost was the investigative work to identify the one missing piece.

Lessons from brainwallet recovery

This case illustrates several things we see repeatedly in brainwallet recovery:

The passphrase is always more personal than you think. Customers often remember the "idea" behind their passphrase but forget small details — a suffix, a separator, a trailing space. These details are invisible to memory but critical to SHA-256.

Follow-up interviews are essential. Our first wordlist was comprehensive by any standard. But the winning combination only emerged after asking the right questions in a second conversation. Many of our most successful recoveries come from the second or third round of interviews.

Iteration adds complexity exponentially. Each iteration step multiplies the search space by the number of format variations (compressed vs uncompressed WIF). Five iterations with two format options means 32 possible paths per candidate. Combined with a large wordlist, this creates a genuinely difficult search problem.

Custom tooling matters. Standard password cracking tools like hashcat cannot handle brainwallet iteration logic. We build custom solvers in Rust for cases like this, purpose-built for the specific wallet type and iteration scheme. For this case, we also needed to handle non-Latin character encodings correctly — getting a single byte wrong in the passphrase means a completely different private key.

Need help with a brainwallet?

If you created a brainwallet using bitaddress.org or a similar tool, and you remember the general idea behind your passphrase but cannot access your funds, contact us for a free assessment. We have built specialized tools for brainwallet recovery and handle the full range of iteration schemes, character encodings, and key formats.

Our fee is 15% of recovered funds, only if recovery is successful. If we cannot recover your wallet, you pay nothing.

For more about how our recovery process works, see our step-by-step recovery process page.