
$220M in Bitcoin May Be Encrypted Forever on IronKey

The post $220M in Bitcoin May Be Encrypted Forever on IronKey appeared first on CipherTrace.

Republished by Plato



Stefan Thomas is two failed password attempts away from losing the private keys to $220 million worth of bitcoin forever. This is because Thomas holds the private keys to his bitcoin wallet in an IronKey. “The World’s Most Secure Flash Drive” would rather die than give up its secrets, thanks to a series of built-in protections. IronKey was funded by the US Department of Homeland Security in 2018 and co-founded by Dave Jevans, CEO of CipherTrace. 

Jevans is helping with the investigation to recover Thomas’s private keys, an endeavor made challenging by the highly attack-resistant IronKey that Jevans and his team designed to protect crypto keys. 

On Tuesday, Jevans commented on Thomas’s situation in a Twitter conversation with Alex Stamos, former CISO at Facebook.  

The full thread was found here but is no longer available.

An archive has been transcribed below.

Alex Stamos @alexstamos

6:24 AM · Jan 12, 2021

Um, for $220M in locked-up Bitcoin, you don’t make 10 password guesses but take it to professionals to buy 20 IronKeys and spend six months finding a side-channel or uncapping.

I’ll make it happen for 10%. Call me.

“Stefan Thomas, a German-born programmer living in San Francisco, has two guesses left to figure out a password that is worth, as of this week, about $220 million.

The password will let him unlock a small hard drive, known as an IronKey, which contains the private keys to a digital wallet that holds 7,002 Bitcoin. While the price of Bitcoin dropped sharply on Monday, it is still up more than 50 percent from just a month ago, when it passed its previous all-time high of around $20,000.

The problem is that Mr. Thomas years ago lost the paper where he wrote down the password for his IronKey, which gives users 10 guesses before it seizes up and encrypts its contents forever. He has since tried eight of his most commonly used password formulations — to no avail.

“I would just lay in bed and think about it,” Mr. Thomas said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”

Alex Stamos @alexstamos

Replying to @alexstamos

We’re not talking about some NSA-built crypto processor installed on an SSBN, but an old $50 piece of consumer kit. There is no way it’s hardened against the last ten years of USENIX papers that have never been used in practice.

Dave Jevans @davejevans

Replying to  @alexstamos

I was co-founder and CEO of IronKey.  We had numerous conversations with the NSA during the development of the products.  If the person is using the first generation of IronKey before we sold the company to Imation, it will be very challenging.  /1

Jex @in3dye

What was NSA’s purpose in helping you?

Dave Jevans @davejevans

Replying to  @in3dye and  @alexstamos


Once they determined that there were no back doors, they wanted to make it as secure as possible for classified use.  For example, they didn’t just want AES key destruction, they advised on NAND flash wipe techniques that we implemented in hardware.

Dave Jevans @davejevans

Replying to  @alexstamos


The password counter and encrypted AES keys are stored on an Atmel AT98 processor.  Uncapping is challenging as there is a randomized protection layer over the chip meaning access to the internal circuitry is likely to kill the chip.  /2

Dave Jevans @davejevans

Replying to  @alexstamos

IronKey/Atmel security features include voltage, frequency and temperature detectors, illegal code execution prevention, tampering monitors and protection against side channel attacks and probing. The chips can detect tampering attempts and destroy sensitive data on such events /3

Dave Jevans @davejevans

Replying to  @alexstamos


We went to Fly Labs and uncapped and looked at our IronKey security chips with a FIB during development.  It will be extremely hard to attack.  If you can turn off the password counter, that is your best bet.  Maybe extract the encrypted AES key.  Both are highly unlikely.  /4

Alex Stamos @alexstamos

I’m sure you guys did a great job (I think iSEC did some validation for you at one point) but it’s not a reasonable threat model to expect consumer hardware to hold up after a decade and against millions of dollars in directed research.

Dave Jevans @davejevans

Replying to  @alexstamos


It would be cool to find if anyone has reliably been able to attack the AT98SC family of smart cards without it resetting.  By reliable I mean attacking one device, with a high success chance, rather than being successful 1% of the time.

Garrett Serack @fearthecowboy

Replying to @alexstamos

Wasn’t there a case similar to this a few months back where someone had bitcoin on some piece of crap crypto disk?

IIRC someone came out and found that the firmware that was on it could be downgraded to one that was vulnerable, and went thru and they got it unlocked.

Dave Jevans @davejevans

Replying to  @fearthecowboy and  @alexstamos


You cannot downgrade the firmware on the original IronKey devices.  It is checked in hardware and must be signed by physical keys on an HSM at IronKey (now Imation).  This is not a Trezor with software firmware checks.  It’s done in custom hardware. We spent over $10M in chip R&D

Brent Mueller @Patchemup1

Replying to @alexstamos and @hacks4pancakes

I’m betting that counter to 10 at the very least can be reset or severed from the kill switch. At least with the amount of resources that much money could buy.

Dave Jevans @davejevans


Yes.  But see my comments on the protective mesh, side channel attack prevention, etc on the key management chip that we used in building IronKey devices.  You have one chance to disable the physical mesh, and it is randomized per device.

iver_Tam @RiverTamYDN

I feel like he could afford to pay Kingston enough money to update the firmware of IronKey to a version that gives him unlimited decrypt attempts

Dave Jevans @davejevans


If it is an original version of IronKey, then there is no way to update the firmware on the smart card which holds the encrypted AES key and password counter.  Needs physical attack, which the chip has many protections against.

Josh @JDG_1980

Any chance the IronKey could be decapped and the password deciphered with an electron microscope?

Dave Jevans @davejevans


During development at IronKey we did decap the smart card and played with a FIB.  The card has many physical protections against reading memory, including UV detection, randomized hardware mesh, side channel attack detection, etc.  They reset easily.

Dan Kaminsky @dakami

If it’s helpful,  @justmoon, Alex’s offer is absolutely credible.

Dave Jevans @davejevans

Replying to  @dakami, @lacker  and 2 others


As co-founder and former CEO of IronKey I’ll give you what help I can.  You need to crack the Atmel AT98 (assuming this is the IronKey that we developed before Imation bought our company).
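
As an added illustration of the mechanism discussed in the thread above (not IronKey's firmware and not code from the article): a toy Python model of a chip that keeps a failure counter next to a wrapped data key and destroys that key on the tenth wrong guess. The class and function names, PBKDF2 as the password KDF, the in-memory counter, and the XOR pad standing in for AES key wrapping are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10  # the article's figure: ten guesses, then the contents are lost

class DeviceWiped(Exception):
    """The wrapped key has been destroyed; no password can recover it."""

def key_id(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

class SecureElement:
    """Toy model of a chip holding a failure counter and a wrapped data key."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._failures = 0  # a real chip would keep this in non-volatile memory
        data_key = secrets.token_bytes(32)  # stands in for the drive's AES key
        kek = self._kek(password)
        # Assumption: XOR with a keyed pad stands in for a real AES key wrap.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, self._pad(kek)))
        self._check = self._tag(kek)
        self.expected_key_id = key_id(data_key)  # kept only so the demo can verify recovery

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _pad(kek: bytes) -> bytes:
        return hmac.new(kek, b"wrap", hashlib.sha256).digest()

    @staticmethod
    def _tag(kek: bytes) -> bytes:
        return hmac.new(kek, b"verify", hashlib.sha256).digest()

    @property
    def attempts_left(self) -> int:
        return MAX_ATTEMPTS - self._failures

    def unlock(self, password: str) -> bytes:
        if self._wrapped is None:
            raise DeviceWiped("key material destroyed")
        self._failures += 1  # charge the attempt first: a power cut mid-check is not a free guess
        kek = self._kek(password)
        if hmac.compare_digest(self._tag(kek), self._check):
            self._failures = 0
            return bytes(a ^ b for a, b in zip(self._wrapped, self._pad(kek)))
        if self._failures >= MAX_ATTEMPTS:
            self._wrapped = self._check = None  # destroy the only copy of the wrapped key
            raise DeviceWiped("attempt limit reached")
        raise PermissionError(f"wrong password, {self.attempts_left} attempts left")

def try_guesses(dev: SecureElement, guesses) -> str:
    """Feed guesses in order; report 'unlocked', 'wiped' or 'locked'."""
    for guess in guesses:
        try:
            dev.unlock(guess)
            return "unlocked"
        except DeviceWiped:
            return "wiped"
        except PermissionError:
            continue
    return "locked"
```

Once the wrapped key is gone, even the correct password fails, which is why the thread treats the counter and the stored key as the only things worth protecting or attacking.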

Hardware Wallets, IronKeys, and Unbreakable Security

Hardware wallet companies need to elevate their security posture and seek the external certification of their encryption. Unlike hardware wallets, IronKeys continue to be tamper-proof more than a decade after their initial release. The National Institute of Standards and Technology (NIST) issues the Federal Information Protection 140 Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government.  

  • FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be “production-grade” and various egregious kinds of insecurity must be absent.
  • FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication. 
  • FIPS 140-2 Level 3 adds requirements for physical tamper-resistance. 

In 2011, IronKey was by far the “World’s Most Secure Flash Drive” because it was the only mobile encryption device certified to FIPS 140-2 Level 3 (tamper resistance). No hardware wallet vendor has yet certified its software at even FIPS 140-2 Level 1. While some Trezor wallets have chipsets from Super Micro, ST31 and STM32, which are separately EAL validated, the Trezor wallet itself is not certified.

Implications for Hardware Wallets 

Historically, hardware wallets have never been very secure. In 2018, Ledger hardware wallets were compromised by a 15-year-old researcher, Rashid Saleem, using very small amounts of code. Saleem installed a backdoor on a Ledger Nano S that caused the device to generate pre-determined recovery passwords. An attacker could enter those passwords into a new Ledger hardware wallet to recover the private keys of the backdoored device. Rashid was also able to exploit a Trezor wallet flaw a year prior. 

The Ledger data breach of 2020 exposed the email addresses and other PII of over 270,000 users, resulting in many of Ledger’s customers falling victim to phishing and ransomware attacks that included threats of violence. While the hack didn’t directly threaten any customer funds, Ledger’s reputation within the industry has been compromised, leading many to question the future of hardware wallet security. Perhaps these hardware companies would be wise to revisit IronKey’s contributions to crypto security. In the spirit of decentralization, the onus remains on the user to secure their private keys so that they do not end up in Thomas’s unfortunate situation with hundreds of millions of dollars inaccessible.



Ethereum Co-Founder Anthony Di Iorio Bets Big on the Future of Cardano and Polkadot



Anthony Di Iorio, a Canadian entrepreneur and the co-founder of leading smart contract platform Ethereum, said that he believes in the potential of Cardano (ADA) and Polkadot (DOT).

In an interview with crypto proponent Anthony Pompliano, Di Iorio, who is also the CEO and founder of Canadian blockchain startup Decentral and crypto wallet Jaxx, revealed that he has a diversified investment portfolio featuring several top projects, including Cardano and Polkadot.

A Big Fan of Cardano and Polkadot

He said:

“Now I’ve kind of fallen back to just simplicity. I’m in a number of different projects, but the majority of my stuff is in the top projects. I’m a big fan of Polkadot, I’m a big fan of Cardano.”

Di Iorio went on to narrate why he was so sure of the future of these two projects. He had joined the Ethereum development team earlier in 2012 when he met Vitalik Buterin at a Bitcoin conference.

He has formed strong relationships with other co-founders of Ethereum, including Vitalik Buterin, Cardano’s founder Charles Hoskinson, and Polkadot’s current CEO Gavin Wood.


Di Iorio admitted that while he worked with these men, he knew that they were goal-oriented and would help push these projects further.

He continued:

“Big fan of Charles, let’s say that. You know, taking some different approaches in the way that they’re doing things, much more on the academic side of what he’s done and bringing stuff forward. Real big fan of Gavin Wood… Knowing those guys from the days back at Ethereum – and knowing their drive and knowing their competitiveness and their smarts – I was able to see those projects for the last few years and know that they were gonna get to where they’ve gotten up to.”

Not Getting Lost in DeFi

Despite all the recent hype about DeFi, Di Iorio pointed out that he is keeping his investments simple and investing in larger projects.

“Most of my stuff is in the top few things, Ether, Bitcoin, Cardano, Polkadot. I like Cosmos as well. And there’s a few others, but I’m not getting lost in all the DeFi stuff. I just think there’s not enough time, not enough energy. It’s a full-time gig to be running a lot of that stuff and keeping on top of stuff, so I’ve simplified my life quite a bit over the past few years.”

Featured image courtesy of Business Insider



What you should know if your bank is exposed to Bitcoin





On one hand, El Salvador recently became the first nation to officially declare Bitcoin as its legal tender, and on the other, several nations have recently opined that their indigenous banks face a ‘threat’ from the world’s largest crypto-asset. Nevertheless, the rise in the adoption of cryptocurrencies has been accompanied by regulators taking the fast-growing market seriously. 

Banks will now face “the toughest” capital requirements for their holdings in Bitcoin and other crypto-assets under global regulators’ plans to brush off the insecurity offered by the “volatile” crypto-market. 

Using money laundering, reputational challenges, and massive price swings as the base of their proposal, the Basel Committee on Banking and Supervision is in the news after it explicitly stated that the banking industry faced “increased risks” and “financial stability concerns” from crypto-assets.

Accordingly, they have now placed Bitcoin in the “highest risk” category. The aforementioned committee comprises a host of nations and global institutions as its members.

The Basel Committee isn’t alone, however, with a Bank of International Settlements exec recently commenting that El Salvador’s Bitcoin policy is an “interesting experiment.”

What’s more, the panel proposed a 1250% risk weight be applied to a bank’s exposure to Bitcoin and certain other cryptocurrencies. Bloomberg’s estimates highlighted, 

“In practice that means a bank may need to hold a dollar in capital for each dollar worth of Bitcoin, based on an 8% minimum capital requirement.”

However, stablecoins and other tokens tied to real-world assets are set for lower capital requirements. The report further highlighted, 

“The capital will be sufficient to absorb a full write-off of the crypto asset exposures without exposing depositors and other senior creditors of the banks to a loss.”

The proposal did not specify any specific timeline, and hence, the implementation of these rules can take a couple of years. The proposal is, however, open to public comment before it comes into effect. It should also be noted that the committee said that the initial policies were “likely to change” several times as the market “evolves.”

Even though banks like HSBC have been cautious about stepping into crypto-trading, a few big names, like Standard Chartered Plc have announced their entry into the space.

As for Bitcoin, it fell by over 3.7% in the last 24 hours to trade at $35,418 at press time.

Source: Coinstats


Why Amp is the Best Altcoin You’ve Never Heard Of





Crypto Summer Pt. 2

Nordstrom, GameStop, and Ulta already support it


I work with a crypto wizard.

Yesterday the wizard gave me a piece of advice: “Hey man, your fly is down.” After that, he told me to look into Amp, otherwise known as Crypto-Square.

Amp is the brainchild of Flexa and ConsenSys and aims to make real-world crypto transactions instant and verifiable.

Through this ERC-20 token, retailers can accept Bitcoin, Litecoin or Ethereum without having to wait 10 minutes or more for the network. Today Nordstrom, Lowes, Baskin Robbins, GameStop, Ulta Beauty, Office Depot, AMC Theaters, and Petco are just some of the stores that support Amp.

That’s right, you can go to these retailers and use Flexa’s SPEDN app (pronounced spend) to easily buy things with Bitcoin or other cryptocurrencies.


And if that wasn’t enough, Coinbase just listed Amp yesterday. Coinbase-approved altcoins often skyrocket in price as 56 million users are nothing to scoff at.

Here’s everything else you should know about this project.

There’s only one thing that Flexa and ConsenSys created Amp to do: Act as collateral. Amp guarantees that real-world transactions go through instantaneously due to collateralization.

Flexa, the company that created Amp, is the puppet master attempting to make cryptocurrency the new global financial system. They initially launched a Flexa token years ago, but ditched it for Amp and a close partnership with ConsenSys.

“The new Amp token demonstrates Flexa’s unrelenting commitment to DeFi and to building new technologies that will democratize access to payments for people all over the world,” Tyler Spalding, CEO of Flexa wrote in a blogpost.

Flexa eventually wants to use Amp to guarantee home purchases, loan distributions, and fiat exchanges.

Can you guess it? Go ahead — on three…

ONE, staking!

Oh, sorry I got excited.

Staking on Amp is just like providing to a liquidity pool on Uniswap or any other DeFi protocol. I just imagine a giant Uncle Sam poster pointing at you saying “we need your tokens.”

This is another reason why Amp works. It follows the old Army adage “K.I.S.S.” or Keep it Simple Stupid. In the past few months, Amp is one of the only altcoins I feel like I can explain to my mother. That’s a good thing.

If you want to add to the Amp collateral pool you can stake on Gemini or on the SPEDN app to earn around 5.5% interest on your Amp tokens.

Three words should make you very bullish about an altcoin: ‘Real-World Use’

Many altcoins over-engineer their projects to death and bog their white papers down with technical mumbo jumbo to make you think their team is smarter than you. Amp is not one of these projects. It keeps it simple, stupid.

Moreover, Amp is the leading technology making it possible for retailers to exchange cryptocurrencies. It’s so ahead of the pack that dozens of businesses are already using it.

It’s a no-brainer 10x, in my opinion.

Amp is trading at $0.06 at the time of publishing with a market cap of $2.59B (for reference the market cap of Ethereum is $276 B)

