ReadMy.md

Bitcoin Core Wallet Password Recovery Finding

@itsadityaJune 18, 2026

Bitcoin Core Wallet Password Recovery Finding

Status

  • Status: Solved
  • Recovered password: pera5durasnopera5lus
  • Recovery date: 2026-06-18
  • Note: The plaintext password should be kept in a secure credential store, not in this report.

Summary

In 2013, the victim created a Bitcoin Core wallet and encrypted it without giving the password much thought.

Over the course of that year, the victim deposited small amounts of Bitcoin into the wallet. When the victim later wanted to cash out, he did not remember encrypting the wallet in the first place.

The recovery work focused on the victim’s personal password habits from that period, especially simple Spanish words, digits, and reused word patterns.

Victim Profile

  • Name: Guillermo Ariel Ramirez
  • Country: Argentina
  • Real birthday: 21-Nov-1969
  • Legal birthday on official ID: 21-Dec-1969
  • Telegram: @Arielram
  • Emails:
  • Likely city: Mendoza, Argentina
  • Possible city: Santa Rosa, La Pampa, Argentina
  • Football teams: River Plate, Godoy Cruz, Gutierrez Sport Club
  • Profession: IT
  • Bitcoin discovery source: Google+ in 2013
  • Family/pets at wallet creation: No wife, no kids, no pets

Wallet Details

Wallet Address

The Bitcoin address associated with the victim’s funds:

https://www.blockchain.com/es/explorer/addresses/btc/189JveWz2WP79oYU9Gq4NUfiurbiuNPUhn

Hashcat Hash

$bitcoin$96$1bbd24dc0f23175483d619a24e15f4a06e7e1d3d8b13d9a979b7f4223792836f50520c27c698fa9468ff95f481b888f0$16$65e1017f33467568$63533$2$00$2$00

Password Habits

The following password habits came from a 2013 survey filled out by the victim.

  • Uses uppercase: Yes
  • Uses numbers: Yes
  • Known digits: 5, 6, 7, 8
  • Known number sequence: 231661
  • Uses special characters: No, or the victim did not remember
  • Uses spaces: No
  • Password length: 7 to 15 characters
  • Common words used:
    • pera
    • durazno
    • luz
    • lus
    • asadera
    • asaderas
    • colimba

Known Transformations

  • Capitalizes words, for example casa to Casa
  • Swaps z for s, and s for z, for example durazno to durasno
  • Converts words to all lowercase
  • Does not appear to use other special character substitutions

Bitcoin Core Password Constraints

At the time the wallet was encrypted, Bitcoin Core suggested:

Use a password of ten or more random characters, or eight or more words.

This was only a suggestion. The actual requirement was that the password be more than one character.

Critical Intel From 2026-06-15

Bitcointalk Account

The victim’s Bitcointalk account was created around 2014, roughly one year after the wallet was created.

A data leak showed that the victim’s Bitcointalk password followed this pattern:

[survey word] + [single digit] + [survey word]

Observed traits:

  • Both words came from the victim’s survey word list.
  • The digit came from the victim’s known digit set: 5, 6, 7, 8.
  • The password was lowercase.
  • The password did not contain special characters.
  • The password length fit the victim’s stated 7 to 15 character range.

Survey Screenshot

The survey screenshot also showed Yybju576 in the victim’s “words commonly used” column.

This entry appeared in row 3, dated 11/28/2013, which was the same general period as the wallet creation. It appears to be an actual reused password from that era rather than a dictionary word.

Context

The victim was learning how to set up the wallet by following a tutorial, likely on Google+. He appears to have set the password reflexively rather than deliberately, which explains why he later forgot that the wallet had been encrypted.

The Bitcointalk password strongly suggested that the victim’s go-to pattern at the time was:

[Spanish word] + [digit] + [Spanish word]

The wallet password was set in 2013, before the Bitcointalk account was created in 2014.

Candidate Patterns Considered

  1. Direct reuse of the Bitcointalk-style pattern.
  2. The same pattern with different words from the victim’s survey vocabulary.
  3. The same pattern with 231661 instead of a single digit.
  4. The same pattern with the word order reversed.
  5. Yybju576 as a standalone reused password from that era.

Confirmed Findings

  • The victim did not use names in passwords.
  • The password was not simpler than expected.
  • Earlier intelligence that the password was simpler was incorrect.
  • The solved password matched the victim’s historical password habits from the 2013 to 2014 period.

0 comments

Sign in to comment

Loading comments…