lost-my-walletrecovery.lab
Recover →
Technical guide · 12 min read

Bitcoin Core wallet.dat Password Recovery

A technical deep dive into how wallet.dat encryption actually works, how the hash is extracted, and what realistically can — and cannot — be recovered with modern GPU hardware.

If you are reading this, you probably have an old wallet.dat from a 2012–2017 Bitcoin Core installation and a password you half-remember. This guide explains exactly what is inside that file, why GPU recovery is feasible for weak-to-medium passwords, and where the cryptographic wall is that no amount of money can break through.

Honesty first. Bitcoin Core's encryption is strong. If your passphrase was truly random, long, and not based on anything you remember, it cannot be recovered — not by us, not by anyone. This guide focuses on the realistic case: you remember fragments.

How wallet.dat encryption works

wallet.dat is a Berkeley DB 4.x file. Inside it are key-value pairs: master keys, encrypted private keys, addresses, metadata, transactions. When you set a passphrase with encryptwallet, Bitcoin Core does not encrypt each private key with your password. Instead, it uses a two-layer scheme designed to let you change the passphrase without touching thousands of keys:

  1. A random 256-bit master key is generated. This is the key that actually encrypts every private key in the wallet (AES-256-CBC).
  2. The master key itself is encrypted using a key derived from your passphrase. The KDF is SHA-512 iterated a variable number of rounds (benchmarked on the encrypting machine so it takes around 100 ms — typically 25,000 to 200,000 iterations).
  3. A 8-byte random salt is stored alongside the encrypted master key in the DB.

So to crack wallet.dat you must: (1) hash the candidate passphrase N rounds with SHA-512, (2) AES-256-CBC decrypt the encrypted master key, (3) verify the result is valid (the last 16 bytes follow PKCS#7 padding rules, and the decrypted key length is 32).

The actual bytes — what a Berkeley DB record looks like

You do not need the raw file on disk to crack it; you need the encrypted master key record and the salt. The relevant keys in the B-tree are mkey (master key) and ckey (encrypted private keys). Only the mkey record is needed for password recovery — it holds:

struct CMasterKey {
    std::vector<unsigned char> vchCryptedKey;   // 48 bytes: AES-256-CBC(master_key || pad)
    std::vector<unsigned char> vchSalt;         //  8 bytes: random salt
    unsigned int nDerivationMethod;             //  0 = SHA-512 iterations
    unsigned int nDeriveIterations;             //  e.g. 103,842
    std::vector<unsigned char> vchOtherDerivationParameters;
};

Extracting the hash: pywallet and bitcoin2john.py

Two tools extract the mkey record into a hash format that hashcat or John the Ripper can attack.

bitcoin2john.py (recommended)

Ships with the John the Ripper run/ directory. Usage:

$ python3 bitcoin2john.py wallet.dat > wallet.hash
$ cat wallet.hash
$bitcoin$64$... ckey bytes ...$16$... salt ...$103842$2$00$2$00

The format is: $bitcoin$[ckey_len]$[ckey_hex]$[salt_len]$[salt_hex]$[iterations]$2$00$2$00. This is exactly what hashcat mode 11300 consumes.

pywallet.py (when Berkeley DB is corrupted)

If bitcoin2john.py fails with a Berkeley DB error — common on wallets from different BDB versions or partially-copied files — use pywallet.py --dumpwallet to recover the mkey manually, or repair the BDB file with db_recover first.

Running the attack with hashcat

# Dictionary + rules (best first attempt)
hashcat -m 11300 -a 0 wallet.hash rockyou.txt -r OneRuleToRuleThemAll.rule

# Mask attack — you remember it starts with "Summer" and has 2 digits + 1 symbol at end
hashcat -m 11300 -a 3 wallet.hash "Summer?d?d?s"

# Hybrid — dictionary word followed by year
hashcat -m 11300 -a 6 wallet.hash personal-words.txt ?d?d?d?d

# Resume a stopped session
hashcat -m 11300 --restore

GPU recovery speeds — realistic numbers

GPUwallet.dat H/s (mode 11300)Days to exhaust 8-char lowercase+digit
RTX 4090~105,000310 days
RTX 3090~70,000465 days
CMP 90HX~55,000590 days
RTX 3060 Ti~28,0001,160 days

The table looks grim because brute-forcing an unknown 8-character password against mode 11300 is genuinely hard. What actually works is mask and rule-based attacks that narrow the keyspace from 10^12 down to 10^8 or less using what you remember.

What you can realistically recover

Feasible

  • • You remember most of the password, 1–3 characters unknown
  • • You used a variation of an old password (leet + digits + symbol)
  • • It is a word or phrase with some typos
  • • Length is under 10 characters
  • • You have a short candidate list (≤ 10,000 words)

Effectively impossible

  • • Truly random 12+ character passphrase
  • • Passphrase generated by a password manager
  • • Diceware phrase with 6+ words
  • • Keyboard pattern you cannot describe at all
  • • Anything above 15 characters with no memory anchor

Strategy that actually finds passwords

We crack dozens of wallet.dat files per month. Here is what works in order of hit rate:

  1. Candidate dictionary from the user's life. Names, pets, dates, addresses, favorite words — all lowercased, uppercased, leet-substituted, concatenated. A 5,000-line custom dictionary beats rockyou (14M lines) because it is tuned to one person.
  2. Rule stacking. OneRuleToRuleThemAll.rule, dive.rule, best64.rule expand each candidate into 50–50,000 variants — appending digits, symbols, toggling case.
  3. Masks with known structure. If you remember "it started with a capital letter and ended with !1" → ?u?l?l?l?l?l?l!1.
  4. PRINCE attack. Combines your candidate dictionary words into multi-word passphrases. Excellent for "I used two English words separated by something" cases.
  5. Markov / statistical attacks. Generate passwords that follow the statistical distribution of real-world passwords rather than uniform brute force.

Submit for recovery

Our service uses a 10-GPU farm (CMP 90HX + RTX) to run this exact pipeline, with a hand-curated list of the 76,000 highest-hit-rate rules and wordlists. You only pay if we find the password. Submit your wallet.dat here, or run a free format check first on the Wallet Analyzer to confirm the file is intact.

Frequently asked questions

Can a strong Bitcoin Core wallet.dat password be recovered?

If the passphrase is truly random and 12+ characters with mixed case, digits, and symbols, it is computationally unrecoverable even on a GPU farm. Real recoveries succeed when the user remembers fragments that allow mask or rule-based attacks to prune the keyspace.

What hashcat mode is used for wallet.dat?

Hashcat mode 11300 targets Bitcoin/Litecoin wallet.dat. It simulates the SHA-512 iterated key derivation, then attempts AES-256-CBC decryption on the encrypted master key and verifies PKCS#7 padding on the result.

How fast can a GPU crack wallet.dat?

RTX 4090: ~105 k H/s. RTX 3090: ~70 k H/s. CMP 90HX: ~55 k H/s. Fast compared to scrypt but slow compared to MD5 — brute force of any password above 9 uniform characters is not feasible without hints.

Is it safe to send my wallet.dat to a recovery service?

Only if the service never asks for your seed phrase or private keys. The encrypted file alone is enough. Avoid any service that asks you to export anything from the decrypted wallet up front — that is a scam pattern.

What is bitcoin2john.py?

A helper script shipped with John the Ripper that extracts the encrypted master key, salt, and iteration count from wallet.dat and formats them as $bitcoin$... — consumable by both John and hashcat mode 11300.

Ready to try recovery?

Upload your wallet.dat, add every password fragment you remember, and pay only if we find it.

Submit wallet.dat Free format check