1 hour ago
(This post was last modified: 1 hour ago by datarecovery.com.)
It's clear you've put serious time into this. On the GPU side: for Bitcoin Core (wallet.dat), as you know, hashcat mode 11300 is what you want, and it's memory-bound enough that raw core count isn't the whole story. An RTX 4090 is probably the current sweet spot for cost-per-hash on this hash type, but if you're already running a 5090 on Vast.ai and still not getting a hit, the password likely has some complexity you haven't fully modeled yet — so throwing more hardware at it may not be the answer.
The angle I'd encourage you to think about, especially given your 2013 timeframe, is the original drive. Bitcoin Core wallets start out unencrypted — encryption is something the user adds manually — and that earlier unencrypted wallet.dat often stays on disk long after it's been deleted or overwritten. wallet.dat is just a Berkeley DB file, and BDB writes data in fixed-size pages (typically 4KB). When records are deleted or the file is fragmented, those pages frequently survive intact in slack space or unallocated regions.
It's possible to carve for BDB page headers in raw disk data and reconstruct enough of a pre-encryption wallet to extract keys directly — no cracking required. That's definitely worth pursuing if you still have the original drive or a disk image. I can't share it here, but I could post a Python script on GitHub that scrapes BDB fragments and stores them in plain text to a file.
Separately, even if we don't find an earlier wallet copy, a raw forensic pass through the drive can surface a lot of useful context — old documents, browser artifacts, saved credentials, notes from that era. I've found that building a targeted wordlist and rule set from someone's own recovered data is often more productive than running generic wordlists, because it reflects how you actually constructed passwords back then. Even partial clues can make a mask attack dramatically more efficient.
After all you've put into it, it makes sense to consider a more methodical forensic approach. If the original disk is not available, I'd put together a list of all passwords and look for patterns to narrow the key space. All of this you may have thought of, but worth mentioning.
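
The page-header carving described in the post, as an added example (it is not the poster's script and not part of the original post): it scans a raw image on sector boundaries for Berkeley DB btree metadata pages and leaf pages. It assumes the standard little-endian BDB on-disk layout (btree magic 0x053162 at byte 12, page type at byte 25); the function names and the sample image are constructed for illustration.

```python
import struct

BTREE_MAGIC = 0x00053162                 # DB_BTREEMAGIC in Berkeley DB's db.h
META_HDR = struct.Struct("<8sIIII")      # lsn, pgno, magic, version, pagesize
PAGE_HDR = struct.Struct("<8sIIIHHBB")   # lsn, pgno, prev, next, entries, hf_offset, level, type
P_BTREEMETA, P_LBTREE, LEAF_LEVEL = 9, 5, 1

def valid_pagesize(n):
    # BDB page sizes are powers of two between 512 bytes and 64 KiB
    return 512 <= n <= 65536 and (n & (n - 1)) == 0

def find_meta_pages(image, sector=512):
    """Return (offset, version, pagesize) for each plausible btree metadata page."""
    hits = []
    for off in range(0, len(image) - PAGE_HDR.size + 1, sector):
        _lsn, pgno, magic, version, pagesize = META_HDR.unpack_from(image, off)
        # Magic alone gives false positives; also require page 0, the meta page
        # type byte and a sane page size.
        if (magic == BTREE_MAGIC and pgno == 0
                and image[off + 25] == P_BTREEMETA and valid_pagesize(pagesize)):
            hits.append((off, version, pagesize))
    return hits

def find_leaf_pages(image, pagesize, sector=512):
    """Return offsets of sector-aligned blocks whose header looks like a btree leaf."""
    hits = []
    for off in range(0, len(image) - pagesize + 1, sector):
        *_, entries, hf_offset, level, ptype = PAGE_HDR.unpack_from(image, off)
        # Index array grows up from byte 26, item data grows down to hf_offset.
        index_end = PAGE_HDR.size + 2 * entries
        if (ptype == P_LBTREE and level == LEAF_LEVEL and entries > 0
                and index_end <= hf_offset <= pagesize):
            hits.append(off)
    return hits

def build_sample_image():
    """Constructed image: 3 filler sectors, one meta page, one leaf page, 1 filler sector."""
    meta = (META_HDR.pack(b"\0" * 8, 0, BTREE_MAGIC, 9, 4096)
            + bytes([0, P_BTREEMETA])).ljust(4096, b"\0")
    leaf = PAGE_HDR.pack(b"\0" * 8, 1, 0, 0, 2, 4000, LEAF_LEVEL, P_LBTREE).ljust(4096, b"\0")
    return b"\xff" * 1536 + meta + leaf + b"\xff" * 512

if __name__ == "__main__":
    img = build_sample_image()
    for off, ver, psz in find_meta_pages(img):
        print(f"meta page at {off:#x}: btree version {ver}, page size {psz}")
        print("leaf candidates:", [hex(o) for o in find_leaf_pages(img, psz)])
```

On a real image, read in chunks rather than loading the whole disk into memory, and treat leaf hits as candidates to be checked against the page size reported by a nearby metadata page.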
