A Bitcoin wallet. Over 100 BTC. No clear instructions for access.
This is a case description for a recovery that Unciphered performed for a customer. Certain details have been changed and names have been omitted at the request of the client.
Summary
A [CUSTOMER] had a significant amount of cryptocurrency but no clear way to access it.
Despite having devices, seed words, and documentation, [CUSTOMER] found himself locked out without a clear path forward due to how the wallet had been set up.
Background
[CUSTOMER]’s situation began when a close friend gave him Bitcoin and other crypto holdings. He had a box with various pieces of crypto hardware, some pieces of paper, and a set of metal plates with words stamped into them. This was everything required to access the crypto, but the setup of wallets and distribution of funds was unconventional and needed a walkthrough to fully understand.
Before being able to fully explain how everything was structured or accessed, the friend passed away.
What was left was not a single wallet with a clear path to access, but an unfulfilled wish to pass on these assets and a collection of materials that should lead to accessing the crypto: a stamped metal plate, seed words written on paper, multiple hardware wallets, and a box of various crypto-related items and documentation.
At first glance, it appeared that there was everything needed to access the funds.
Losing Access
That assumption did not hold.
The seed words did not match what would normally be expected to restore a wallet.
There were more words than should be required and no numbering scheme to the words.
No clear structure for what funds were related to what wallet.
No clear mapping of what funds even existed or how they were stored.
The hardware devices did not clarify anything.
If anything, they made it more confusing.
There were no PINs for any of the hardware wallets in the documentation.
Was anything necessary missing, or was everything already there?
[CUSTOMER] brought in a local trusted technician friend to try to make sense of the setup.
Even though they had experience with self-custody crypto wallets, they were not able to access the funds or make sense of the setup. Every “restored” wallet was at zero balance.
Despite having what appeared to be all the necessary components, the wallet remained inaccessible.
Without a clear way to interpret the seed words or understand how the wallets were structured, access to the funds was effectively lost.
His friend said there was significant BTC stashed away in this configuration, but no matter what he tried, [CUSTOMER] couldn’t make headway.
He needed help.
Recovery with Unciphered
After exhausting all available options, [CUSTOMER] made the decision to look for more specialized crypto recovery help.
He found Unciphered from an article in Wired and reached out to determine if recovery was possible and if we were capable of the job.
The case required a careful and methodical approach.
Every step needed to be evaluated without knowing how the wallet had originally been configured.
Rather than relying on standard tools, the process focused on identifying how the different pieces of information might fit together.
This involved testing possible configurations, analyzing patterns across the materials that had been left behind, and building custom tools for this unique recovery scenario.
After thorough testing and analysis, we uncovered what made this recovery so complex: the setup involved extensive use of hidden wallets.
Hidden wallets allow an astronomically large number of wallets to exist under a single seed phrase, each unlocked by a separate passphrase; it is just a matter of which are funded. Without the correct passphrase, the correct wallet does not appear and can’t be analyzed. Normally, one would document each passphrase as one would a password, in addition to the seed phrase (each passphrase represents a unique hidden wallet), and keep it separate from the rest of the documentation for added security. Because of this, the passphrases were missing from the documentation altogether.
The seed phrase documentation also contained extra words as red herrings.
This explained why previous recovery attempts had failed.
Access Restored
With our custom tools and rigorous testing, we were able to access many wallets with distributed funds that added up to and exceeded the expected value of the assets.
Access to a portion of the funds was successfully restored.
There was still more work to be done with the hidden wallets.
Unlike password cracking, hidden wallets pose a unique problem: every possible answer will generate a wallet, but determining whether that wallet is funded is a completely different problem altogether. With open-source password cracking tools like hashcat, the default use case is to run until you get a positive response; with hidden wallets, every guess generates a wallet and therefore a positive response, whether the wallet is funded or not. No open-source or publicly available tool is designed for hidden wallet recoveries, so we had to design our own in-house.
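The no-feedback property described above, as an added example (not Unciphered's tooling or code from this case). It assumes the hidden wallets follow the BIP39 passphrase scheme, which the article does not name, and uses the public BIP39 test mnemonic plus a constructed password verifier for contrast: a wrong password is rejected, while every passphrase guess derives a valid-looking wallet key.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the public BIP39 test-vector mnemonic, not a real wallet.
MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def _nfkd(text: str) -> bytes:
    """BIP39 normalizes both mnemonic and passphrase to NFKD before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: the passphrase is only part of the PBKDF2 salt; nothing checks it."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), _nfkd("mnemonic" + passphrase), 2048, 64
    )


def bip32_master(seed: bytes) -> tuple:
    """BIP32 master private key and chain code derived from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def password_matches(guess: str, salt: bytes, stored: bytes) -> bool:
    """Ordinary password check: a stored verifier rejects a wrong guess."""
    trial = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, 100_000)
    return hmac.compare_digest(trial, stored)


def feedback(guesses: list, right: str) -> dict:
    """Map each guess to (password check result, first bytes of its wallet key)."""
    salt = b"constructed-salt"  # constructed value for the contrast case
    stored = hashlib.pbkdf2_hmac("sha256", right.encode(), salt, 100_000)
    out = {}
    for guess in guesses:
        key, _chain = bip32_master(bip39_seed(MNEMONIC, guess))
        out[guess] = (password_matches(guess, salt, stored), key.hex()[:16])
    return out


if __name__ == "__main__":
    for guess, (ok, key) in feedback(["TREZOR", "trezor", ""], "TREZOR").items():
        print(f"{guess!r:10} password check: {ok!s:5}  wallet key: {key}...")
```

Only the password column distinguishes right from wrong; telling which derived wallet holds funds requires a separate lookup against the blockchain, which the derivation itself never provides.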
The development of this tool quickly led to the recovery of a significant amount of bitcoin and additional coins of other currencies for this client. Nearly a year later, continued investigation and development of that tool led to the recovery of nearly 10 bitcoin more.
Conclusion and Recommendations
When access instructions are unclear or incomplete, standard recovery options are limited.
This case highlights the risks that come with complex wallet configurations, especially in cases where there is limited ability to gain additional information regarding how the wallet(s) were originally set up.
Even when assets, devices, and documentation are physically present, access can still be out of reach if the structure behind them is not understood.
It also shows that in complex cases, recovery may still be possible with the right technical approach.
Situations that appear unrecoverable are not always final.
However, many steps could have been taken to prevent this situation.
Clear documentation of how wallets are structured, including passphrases and configurations, is critical.