($200 reward) Phantom Wallet seed phrase recovery
#11
(02-01-2024, 07:46 PM)Qwarkz Wrote: ...
After some other research, i heard about the "Metamask vault decryptor", which is a tool that can decrypt those type of encrypted data by using the wallet password but unfortunately it works only with Metamask wallet.
...
I have written several extractor/decryptor tools for crypto wallets including Metamask, Atomic, and Phantom. Yesterday, I publicly released the Phantom Extractor / Decryptor code on github which supports the new wallet version like your example.
https://github.com/cyclone-github/phantom_pwn

Feel free to contact me if you need the seed phrase decrypted. It's a process, but doable. 

For clarity, the python3 scripts posted by bingussssssss seem to work fine with the previous version of Phantom wallets, but not the newer wallets which have 4x encrypted json strings.

Old Phantom Wallet:
Code:
encryptedMnemonic | {"expiry":{digits},"value":"{\"encrypted\":\"{base58_string}\",\"nonce\":\"{base58_string}\",\"kdf\":\"pbkdf2\",\"salt\":\"{base58_string}\",\"iterations\":10000,\"digest\":\"sha256\"}"}
New Phantom Wallet:
Code:
{"encryptedKey":{"digest":"sha256","encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
Reply
#12
(04-22-2024, 05:51 PM)cyclone Wrote:
(02-01-2024, 07:46 PM)Qwarkz Wrote: ...
After some other research, i heard about the "Metamask vault decryptor", which is a tool that can decrypt those type of encrypted data by using the wallet password but unfortunately it works only with Metamask wallet.
...
I have written several extractor/decryptor tools for crypto wallets including Metamask, Atomic, and Phantom. Yesterday, I publicly released the Phantom Extractor / Decryptor code on github which supports the new wallet version like your example.
https://github.com/cyclone-github/phantom_pwn

Feel free to contact me if you need the seed phrase decrypted. It's a process, but doable. 

For clarity, the python3 scripts posted by bingussssssss seem to work fine with the previous version of Phantom wallets, but not the newer wallets which have 4x encrypted json strings.

Old Phantom Wallet:
Code:
encryptedMnemonic | {"expiry":{digits},"value":"{\"encrypted\":\"{base58_string}\",\"nonce\":\"{base58_string}\",\"kdf\":\"pbkdf2\",\"salt\":\"{base58_string}\",\"iterations\":10000,\"digest\":\"sha256\"}"}
New Phantom Wallet:
Code:
{"encryptedKey":{"digest":"sha256","encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}



Thanks for bringing this up -- I'll see if I can get some scripts working for this type as well.

question -- do each of the 4 encrypted strings represent different asset types, whereas the previous version is just SOL?
Reply
#13
(04-30-2024, 12:38 PM)bingussssssss Wrote: question -- do each of the 4 encrypted strings represent different asset types, whereas the previous version is just SOL?
The 4x encrypted json strings in the new Phantom vaults are part of a multi-step process of decrypting and recovering the seed phrase. I posted a paper on GitHub that explains the process:
https://github.com/cyclone-github/phantom_pwn
~
Reply
#14
(04-30-2024, 05:16 PM)cyclone Wrote:
(04-30-2024, 12:38 PM)bingussssssss Wrote: question -- do each of the 4 encrypted strings represent different asset types, whereas the previous version is just SOL?
The 4x encrypted json strings in the new Phantom vaults are part of a multi-step process of decrypting and recovering the seed phrase. I posted a paper on GitHub that explains the process:
https://github.com/cyclone-github/phantom_pwn

wonderful, thank u
Reply
#15
(04-22-2024, 05:51 PM)cyclone Wrote:
(02-01-2024, 07:46 PM)Qwarkz Wrote: ...
After some other research, i heard about the "Metamask vault decryptor", which is a tool that can decrypt those type of encrypted data by using the wallet password but unfortunately it works only with Metamask wallet.
...
I have written several extractor/decryptor tools for crypto wallets including Metamask, Atomic, and Phantom. Yesterday, I publicly released the Phantom Extractor / Decryptor code on github which supports the new wallet version like your example.
https://github.com/cyclone-github/phantom_pwn

Feel free to contact me if you need the seed phrase decrypted. It's a process, but doable. 

For clarity, the python3 scripts posted by bingussssssss seem to work fine with the previous version of Phantom wallets, but not the newer wallets which have 4x encrypted json strings.

Old Phantom Wallet:
Code:
encryptedMnemonic | {"expiry":{digits},"value":"{\"encrypted\":\"{base58_string}\",\"nonce\":\"{base58_string}\",\"kdf\":\"pbkdf2\",\"salt\":\"{base58_string}\",\"iterations\":10000,\"digest\":\"sha256\"}"}
New Phantom Wallet:
Code:
{"encryptedKey":{"digest":"sha256","encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}
{"encrypted":"{base58_string}","iterations":10000,"kdf":"pbkdf2","nonce":"{base58_string}","salt":"{base58_string}"},"version":1}

Sent you a DM!
Reply
#16
(04-30-2024, 05:16 PM)cyclone Wrote:
(04-30-2024, 12:38 PM)bingussssssss Wrote: question -- do each of the 4 encrypted strings represent different asset types, whereas the previous version is just SOL?
The 4x encrypted json strings in the new Phantom vaults are part of a multi-step process of decrypting and recovering the seed phrase. I posted a paper on GitHub that explains the process:
https://github.com/cyclone-github/phantom_pwn

Hello mate, i know this is a few months old but i wanted to know whether it is possible to recover the 12 words if you have forgotten your password ? as most scripts i see use your initial password. I have forgotten my password but was able to retrieve the encrypted key since its the same device.
Reply
#17
(Yesterday, 03:23 PM)jakezain Wrote:
(04-30-2024, 05:16 PM)cyclone Wrote:
(04-30-2024, 12:38 PM)bingussssssss Wrote: question -- do each of the 4 encrypted strings represent different asset types, whereas the previous version is just SOL?
The 4x encrypted json strings in the new Phantom vaults are part of a multi-step process of decrypting and recovering the seed phrase. I posted a paper on GitHub that explains the process:
https://github.com/cyclone-github/phantom_pwn

Hello mate, i know this is a few months old but i wanted to know whether it is possible to recover the 12 words if you have forgotten your password ? as most scripts i see use your initial password. I have forgotten my password but was able to retrieve the encrypted key since its the same device.

The first step in recovering the seed phrase is recovering the password. Check out my phantom_pwn toolset and writeup on github as it will lead you in the right direction.
~
Reply