- Joe Grand is a hacker who helps recover lost cryptocurrency.
- He says you can keep your crypto safe by distributing your funds across wallets.
- This is his story, as told to the writer Thomas Maxwell.
This as-told-to essay is based on a conversation with Joe Grand, 46, a hacker who helps people recover their lost bitcoin. Most recently, Grand recovered $2 million from a Trezor One hardware wallet. Grand shared his journey to becoming a white-hat hacker and his tips for keeping your cryptocurrency safe.
I started tinkering with electronics when I was around 7 years old. By age 17, I joined a hacker collective called The L0pht, which some say is one of the first “white hat” hacking groups.
We were the good guys, spreading the good side of what hackers can do. I had gotten arrested when I was 16 over a computer-related incident; I can’t say much more than that. But The L0pht really helped show me a better side to hacking. We tinkered with our own computers and other equipment to create gadgets, like a universal garage-door opener, which could cycle through combinations to open any door. We would sell these kits to individuals, but the ultimate goal was informing the public about vulnerabilities and improving hardware security for everyone.
I love talking to and teaching people about hardware hacking, and how to make their devices more secure, and, possibly more importantly, how attackers would go and attack their devices.
The most common way your cryptocurrency wallets can be vulnerable to hacking
In the case of cryptocurrency, hardware wallets can be particularly vulnerable if you haven’t updated them for years.
You throw it in your drawer, maybe for years — you're not constantly trading. Vulnerabilities that might be patched by the manufacturer might not have been patched by the user.
If I find new vulnerabilities in a hardware wallet, I usually report them. The only people that hoard vulnerabilities are governments and criminal organizations hoping to make money. Making money is great, but my sole purpose is to help people recover their locked cryptocurrency — not only helping people recover their funds, but helping people eventually have more secure products. I'm cutting my own foot off by reporting vulnerabilities, but it's going to make hacking harder, and that means people will be more secure and more comfortable using technology like cryptocurrency.
One of the most popular cryptocurrency wallets, for example, is especially vulnerable to an attack called voltage glitching. Think about it like this: If you flip a light on and off really fast, you eventually get a power surge or a brownout. We're doing this to the Trezor microcontroller to cause it to glitch.
If you get it just right, it can affect the decision-making process of the chip. Say there's a piece of the code in the chip that says, "Is my security enabled? Yes or no?" You want to trip that section of the code to say no.
This can help a lot of people get their cryptocurrency back.
It takes a long time for manufacturers of devices like Trezor to update their hardware to patch issues, and some vulnerabilities are so deeply embedded in the chipsets that not even Trezor itself can fix them.
The same exploits I use to help recover people's money can be used by malicious hackers
The attacks I was using were based on old versions of firmware for the Trezor device. Those have been patched in later versions, which is great.
But what I've found from years with hardware projects is that just because there's a more secure version that's out there doesn't mean that people have upgraded. That's why ransomware is so huge.
With security, it's never perfect. But there are simple ways to protect yourself.
Here's what I recommend to keep your cryptocurrency safe
Some people think that storing your cryptocurrency in a centralized exchange like Coinbase is a good idea. If you lose your code, they can help you recover it. But there's also a major downside: If it's not your wallet, it's not your crypto.
I recommend using a hardware wallet and a secure passphrase. Then keep that passphrase somewhere safe where you have access to it but others can't find it.
The biggest recommendation I have is not to put your eggs in one basket. If a hacker is going to have to go through the process of hacking a secure wallet to only get $100, it's probably not worth the time. So distribute your funds in different types of wallets, just to make things harder for an attacker to get all of your funds.
Next, practice basic hygiene. Update your wallet regularly, and make sure you're patched against known vulnerabilities.
If all of this doesn't work and you ever lose access to your wallet, find a trusted neighborhood hacker that can help.