Technical guide · 12 min read

Solana Wallet Recovery

A technical walkthrough of Phantom and Solflare recovery when the password is forgotten or the browser extension was uninstalled. Solana uses Ed25519 signatures with a distinct derivation path — your Ethereum and Bitcoin procedures do not transfer directly. The seed phrase remains the universal backup.

Solana became a top-five cryptocurrency by market cap largely on the back of two very usable wallets: Phantom (originally browser-only, now also native iOS and Android) and Solflare (web, mobile, Ledger integration). Both ask you to remember a password and to write down a 12- or 24-word seed phrase. Most users remember neither, and arrive at this page when Phantom refuses their password guess for the fiftieth time. The recovery path depends entirely on which artifacts survive — the seed phrase, the browser vault, both, or neither.

Fastest path: If you have the 12-word seed phrase, uninstall Phantom or Solflare, reinstall fresh, choose "I already have a seed phrase" or "Import wallet", type the words, set a new password. Done in five minutes. The old password is irrelevant once the seed is in hand.

Solana's cryptography is not Ethereum's

Ethereum, Bitcoin, and most chains derive keys using secp256k1 elliptic curve cryptography along the BIP32 derivation standard. Solana uses Ed25519, a different curve with different performance and security characteristics. This matters for recovery because:

  • A BIP39 seed phrase generates different keypairs on Solana vs Ethereum vs Bitcoin. Same 12 words, three completely different address sets.
  • Solana uses the SLIP-0010 specification for hierarchical deterministic key derivation on Ed25519 curves. The standard derivation path is m/44'/501'/0'/0' where 501 is Solana's coin type per SLIP-0044.
  • Phantom additionally supports m/44'/501'/0' (no final 0 on some older wallets) and m/501'/0'/0/0 (historical). If you restore and see zero balance, try these alternate paths in Phantom's "Add another wallet" → "Derivation path".
  • Signature verification is ~5× faster than secp256k1, which is why Solana can claim high TPS — irrelevant to recovery, but useful context.

The upshot: you can safely re-import the same 12-word phrase into Phantom, MetaMask, and a Bitcoin wallet. None of them interfere with each other; each derives its chain-specific keys. This is also why users sometimes panic — they restore their MetaMask seed into Phantom and see zero balance, concluding their SOL is lost. In reality, they never sent SOL to the Phantom-derived address in the first place; they were holding SOL on a different wallet or a different derivation path.
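The derivation described above, as an added example that is not code from Phantom or Solflare: BIP39 words to seed, then SLIP-0010 Ed25519 derivation along all-hardened paths, using only the Python standard library. The function names are hypothetical, the phrase is the public BIP39 test phrase, and the historical non-hardened path m/501'/0'/0/0 is deliberately rejected because SLIP-0010 defines only hardened children for Ed25519.

```python
import hashlib
import hmac
import struct
import unicodedata

HARDENED = 0x80000000

def bip39_seed(mnemonic, passphrase=""):
    """BIP39 words -> 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(" ".join(mnemonic.split())),
                               norm("mnemonic" + passphrase), 2048, dklen=64)

def parse_path(path):
    """"m/44'/501'/0'/0'" -> [44, 501, 0, 0]; every segment must be hardened."""
    head, *segments = path.split("/")
    if head != "m":
        raise ValueError(f"not a derivation path: {path!r}")
    for seg in segments:
        if not (seg.endswith("'") and seg[:-1].isdigit()):
            # SLIP-0010 defines only hardened children for Ed25519
            raise ValueError(f"non-hardened or malformed segment {seg!r}")
    return [int(seg[:-1]) for seg in segments]

def slip10_ed25519(seed, path):
    """Return the 32-byte Ed25519 private seed at `path`."""
    node = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    for index in parse_path(path):
        key, chain_code = node[:32], node[32:]
        data = b"\x00" + key + struct.pack(">I", index | HARDENED)
        node = hmac.new(chain_code, data, hashlib.sha512).digest()
    return node[:32]

def keys_per_path(mnemonic, paths):
    """Map each path to the hex private seed it yields for one mnemonic."""
    seed = bip39_seed(mnemonic)
    return {p: slip10_ed25519(seed, p).hex() for p in paths}

# Constructed input: the public BIP39 test phrase, never a real wallet.
TEST_PHRASE = "abandon " * 11 + "about"
PATHS = ["m/44'/501'/0'/0'", "m/44'/501'/0'", "m/44'/501'/1'/0'"]

if __name__ == "__main__":
    for path, key in keys_per_path(TEST_PHRASE, PATHS).items():
        print(f"{path:18} {key[:16]}...")
```

Each path prints a different key for the same words, which is why a restore on the wrong path shows an empty account rather than an error.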

How Phantom encrypts your seed

Phantom's browser extension architecture is similar in spirit to MetaMask: seed phrase held in memory when unlocked, encrypted at rest when locked, password required to unlock. The exact cryptographic parameters have shifted across versions but the current recipe (as of late 2025 builds) is roughly:

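// Phantom vault encryption (simplified, based on reverse-engineered builds)
// Assumes tweetnacl is loaded as `nacl`; base64() and pbkdf2() are helpers for this sketch.
const base64 = (bytes) => btoa(String.fromCharCode(...bytes));

async function pbkdf2(password, salt, iterations, length, hash) {
  const material = await crypto.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
  const bits = await crypto.subtle.deriveBits(
    { name: 'PBKDF2', salt, iterations, hash }, material, length * 8);
  return new Uint8Array(bits);
}

async function encryptVault(password, mnemonic) {
  const salt  = crypto.getRandomValues(new Uint8Array(16));
  const nonce = crypto.getRandomValues(new Uint8Array(24)); // XSalsa20
  // PBKDF2-HMAC-SHA256, ~100,000 iterations (varies by version)
  const key = await pbkdf2(password, salt, 100000, 32, 'SHA-256');
  // XSalsa20-Poly1305 (NaCl secretbox)
  const ciphertext = nacl.secretbox(
    new TextEncoder().encode(mnemonic),
    nonce,
    key
  );
  return {
    encryptedContent: base64(ciphertext),
    nonce: base64(nonce),
    kdfSalt: base64(salt),
    kdfIterations: 100000
  };
}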

Three notes:

  • PBKDF2-HMAC-SHA256 with ~100,000 iterations is significantly slower than MetaMask's 10,000 but still GPU-friendly. A modern GPU reaches ~500k–1M guesses/sec, compared to Daedalus Argon2 at ~1k/sec.
  • XSalsa20-Poly1305 (NaCl secretbox) is a stream cipher with authenticated encryption — a wrong password fails cleanly with a MAC error, so there are no false positives.
  • Phantom iteration counts have varied between 10,000 (very old builds) and 100,000 (current). Recovery scripts try multiple iteration counts automatically.

Finding the Phantom vault on disk

Phantom extension ID on Chrome/Brave/Edge is bfnaelmomeimhlpmgjnjophhpkkoljpa. Storage paths:

OS                Path
Chrome (Win)      %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmome.../
Chrome (macOS)    ~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/bfnaelmome.../
Brave (Win)       %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\bfnaelmome.../
Edge              %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Extension Settings\bfnaelmome.../
Firefox           Profile\storage\default\moz-extension+++UUID\idb\*.sqlite

Inside the directory are LevelDB files: 000003.log, CURRENT, MANIFEST-000001, and numbered .ldb files. Close the browser completely before copying — LevelDB does not tolerate concurrent writes from a running process and a copier.

Extracting the vault interactively

  1. In Chrome/Brave/Edge, navigate to chrome://extensions/.
  2. Enable Developer mode (top-right toggle).
  3. Find Phantom, click "Inspect views: service worker". DevTools opens.
  4. In DevTools, go to Application tab → Extension Storage → Local.
  5. Search for keys like encryptedKeyPairs, activeAccount, or similar. The encrypted vault will be visible as a JSON value with base64-encoded encryptedContent, nonce, kdfSalt.
  6. Copy the entire JSON object. Save it as phantom-vault.json.
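A structural check for the copied JSON, as an added example that is not part of the original guide or of any wallet's code: it catches a clipped copy or a wrong storage key before any time is spent on password candidates. It assumes the field names and sizes shown in the encryption sketch above; `check_vault` and the sample values are hypothetical and constructed.

```python
import base64
import binascii

NONCE_LEN = 24   # XSalsa20 nonce size used by NaCl secretbox
MAC_LEN = 16     # Poly1305 tag carried inside the secretbox output
ITER_RANGE = (10_000, 100_000)  # span of iteration counts the guide reports

def check_vault(vault):
    """Return a list of structural problems; an empty list means it looks sane."""
    problems, raw = [], {}
    for field in ("encryptedContent", "nonce", "kdfSalt"):
        value = vault.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: missing or empty")
            continue
        try:
            raw[field] = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{field}: invalid base64, likely a truncated copy")
    if "nonce" in raw and len(raw["nonce"]) != NONCE_LEN:
        problems.append(f"nonce: {len(raw['nonce'])} bytes, expected {NONCE_LEN}")
    if "encryptedContent" in raw and len(raw["encryptedContent"]) <= MAC_LEN:
        problems.append("encryptedContent: too short to hold a MAC plus data")
    iters = vault.get("kdfIterations")
    if iters is not None and not (
            isinstance(iters, int) and ITER_RANGE[0] <= iters <= ITER_RANGE[1]):
        problems.append(f"kdfIterations: unexpected value {iters!r}")
    return problems

def b64(data):
    """Base64-encode bytes to str, as the vault fields are stored."""
    return base64.b64encode(data).decode()

# Constructed sample with the right shapes; the bytes are placeholders, not a vault.
SAMPLE = {"encryptedContent": b64(bytes(80)), "nonce": b64(bytes(24)),
          "kdfSalt": b64(bytes(16)), "kdfIterations": 100000}

if __name__ == "__main__":
    print(check_vault(SAMPLE) or "structure looks sane")
    clipped = dict(SAMPLE, nonce=SAMPLE["nonce"][:-3])  # simulate a cut-off paste
    print(check_vault(clipped))
```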

Solflare — two formats to know

Solflare supports several storage modes:

  • Web wallet (solflare.com): encrypted vault stored in localStorage of your browser for the origin solflare.com. Accessible via DevTools → Application → Local Storage.
  • Browser extension: stored in extension IndexedDB, similar architecture to Phantom.
  • Keystore JSON file: Solflare can export an encrypted JSON file that mirrors the Ethereum keystore v3 format (scrypt + AES-128-CTR). This is a standalone file you can store on any disk. It works with our Ethereum keystore recovery techniques with minor adaptation for Ed25519 key material.
  • Mobile app: iOS Keychain or Android Keystore, not user-accessible without jailbreak/root. Recovery flow on mobile is strictly through seed phrase.
  • Ledger integration: private keys live on the Ledger device. Solflare password / local encryption protects the Ledger account list but not the underlying keys. Loss of Solflare password + loss of Ledger = recover via seed. Loss of Solflare password alone = reinstall + reconnect Ledger.

Scenario 1: Seed phrase intact, password forgotten

Uninstall the wallet extension or delete the Solflare localStorage data. Reinstall fresh. On Phantom: welcome screen → "I already have a wallet" → "Use secret recovery phrase" → enter 12 words → create new password. On Solflare: click "Access your wallet" → "Recovery phrase" → same flow. Your SOL and SPL token balances, NFTs, and transaction history will all appear once the wallet syncs (typically 10–30 seconds for Solana).

If you had multiple accounts derived from the same seed (Phantom and Solflare both support this), click "Add / Connect Wallet" → the wallet will scan derivation paths m/44'/501'/0'/0', m/44'/501'/1'/0', m/44'/501'/2'/0' and surface any accounts with non-zero balance. If an account does not appear automatically, you can add it manually by specifying the index.

Scenario 2: Vault intact, seed lost, password has hints

Extract the vault (procedure above). Feed it to a Phantom vault decryptor — several open-source implementations exist on GitHub. Be cautious: as with MetaMask, fake "Phantom decryptor" tools are rampant phishing attempts. Only use code you can audit, ideally run fully offline.

# Python sketch using pynacl + hashlib
import base64, json, hashlib
from nacl.secret import SecretBox
from nacl.exceptions import CryptoError

with open("phantom-vault.json") as f:
    vault = json.load(f)
salt  = base64.b64decode(vault["kdfSalt"])
nonce = base64.b64decode(vault["nonce"])
ct    = base64.b64decode(vault["encryptedContent"])
iters = vault.get("kdfIterations", 100000)

with open("candidates.txt", encoding="utf-8") as candidates:
    for line in candidates:
        # Drop only the line ending: spaces may be part of the password
        pw = line.rstrip("\r\n").encode()
        key = hashlib.pbkdf2_hmac("sha256", pw, salt, iters, dklen=32)
        try:
            mnemonic = SecretBox(key).decrypt(ct, nonce)
        except CryptoError:
            continue  # MAC check failed: wrong password
        print("FOUND:", pw.decode(), "->", mnemonic.decode())
        break

PBKDF2-HMAC-SHA256 at 100k iterations is a GPU-friendly target. A single RTX 4090 reaches ~800k guesses/sec with a custom OpenCL kernel. A 6-card farm runs through a 1-billion-candidate dictionary + rule set in about 20 minutes. Dictionary + mask hybrids (known prefix + unknown digits) converge even faster when the password has recoverable structure.

Scenario 3: Vault lost AND seed lost

Funds are permanently inaccessible. No server holds a backup — Phantom and Solflare are non-custodial. Check every possible source: old browser profiles on other machines, Dropbox/iCloud backups that might have synced extension data, old phones, printed-out QR codes. A 12-word phrase written down months ago in an obscure notebook is worth more than any password recovery service. If nothing turns up, accept the loss and focus on prevention for the next wallet.

Scenario 4: Hardware wallet + Solflare

If Solana funds sit on a Ledger accessed through Solflare, the private keys never leave the Ledger. Forgetting the Solflare app password is a non-event — reinstall Solflare, reconnect the Ledger, your accounts reappear. Forgetting the Ledger PIN wipes the device after three wrong attempts; you then restore the Ledger from its own 24-word recovery phrase. See hardware wallet recovery for PIN-wipe mechanics.

Realistic throughput — Phantom PBKDF2 (100k iterations)

Hardware       H/s         1B candidates
RTX 4090       ~850,000    ~19.6 min
RTX 3090       ~520,000    ~32 min
CMP 90HX       ~380,000    ~44 min
RTX 3060 Ti    ~190,000    ~88 min

Note: Solflare keystore JSON using scrypt at N=131072 runs roughly 20–40× slower per guess. Check which format you have before estimating time.

Recovery matrix

Recoverable

  • 12-word seed phrase held → 5 min restore
  • Browser vault intact + password has structure
  • Solflare keystore JSON file + partial password memory
  • Hardware wallet (Ledger) + its recovery phrase
  • Seed phrase in iCloud Keychain or other backup

Not recoverable

  • Browser reset AND seed phrase lost
  • Random 20+ char password, no hints, seed lost
  • Mobile app uninstalled without seed backup
  • Forgot that seed was never written down

Scam landscape specific to Solana

Solana's meme-coin culture attracts heavy scam activity and wallet recovery scams are disproportionately common. Red flags specific to this ecosystem:

  • "Phantom support" on X/Twitter — Phantom has never DMed a user first. Any account reaching out to help is a scam.
  • "Seed phrase verification bot" — asking you to type your 12 words into a form to "verify" anything. 100% phishing.
  • "Airdrop claim" links that first ask to connect wallet, then sign a transaction draining all tokens.
  • Downloadable "Phantom recovery tool" .exe — always malware. The real Phantom is only at phantom.app.
  • Fake Phantom browser extension — verify the publisher is "Phantom" and the extension ID is exactly bfnaelmomeimhlpmgjnjophhpkkoljpa before installing.

Our scams guide covers the full pattern library.

Frequently asked questions

Can I recover my Phantom wallet if I forgot the password?

Yes, if you have the 12-word seed phrase — reinstall and restore. If both are lost but the browser vault survives, GPU brute force against PBKDF2 + XSalsa20 is possible with memory hints.

Where does Phantom store the encrypted vault?

In the browser extension's Local Extension Settings, under extension ID bfnaelmomeimhlpmgjnjophhpkkoljpa. LevelDB format. Close the browser before copying.

Does Solana use the same key derivation as Bitcoin or Ethereum?

No. Solana uses Ed25519 (not secp256k1) with SLIP-0010 derivation at path m/44'/501'/0'/0'. Same BIP39 seed generates different keys on each chain.

Is there a hashcat mode for Phantom or Solflare?

No first-class hashcat mode for Phantom. Custom scripts using libsodium handle the attack. Solflare's keystore JSON can sometimes map to hashcat 15700 (scrypt) depending on parameters.

Can a MetaMask seed phrase be imported into Phantom?

Yes, the same 12 words work. Phantom derives Ed25519 keys at m/44'/501'/0'/0' — different addresses from MetaMask's secp256k1 Ethereum derivation. Both wallets can coexist with the same seed.

Phantom & Solflare GPU recovery

Extract your vault JSON or Solflare keystore. Provide every password hint you can recall. Our GPU farm runs the full PBKDF2 + XSalsa20 / scrypt pipeline. Pay only on success.