Mnemonics are another form of plaintext private keys. They were first proposed by the BIP39 proposal to help users remember complex private keys. The mnemonics created in imToken consist of 12 words, all of which are taken from a fixed word library. It is known that the BIP39 standard mnemonic library has a total of 2048 words, which can generate 2^128 types of mnemonic combinations. Mnemonics are very secure due to their large number of combinations, strong cryptography-based design, and effective verification mechanisms.
However, some users think that mnemonics are only 12 words, and mistakenly believe that they should be able to collide with some powerful machines, thereby gaining control of wallet tokens. Users' lack of knowledge of mnemonics has given some lawless elements an opportunity to profit from it, falsely claiming that they have developed a tool that can "collide" mnemonics, and selling this so-called cracking software through various channels.
Ethan is a cryptocurrency investor who saw a tweet ad on Twitter claiming that there is a newly developed software that can quickly "collide" mnemonics to obtain tokens in cracked wallet addresses. The software was expensive, but the various "successful cases" shown in the tweet made Ethan feel tempted.
(Fraudulent tweets that collide with mnemonics)
After Ethan contacted the seller, the seller provided him with a free trial version of the "Mnemonic Collision Tool", but it would cost a high fee to use it in full. In order to gain Ethan's trust, the seller also provided some fake videos demonstrating how to successfully "crack" the mnemonics of certain wallet addresses through the tool. Ethan used the trial version of the "Mnemonic Collision Tool" and followed the steps in the video to "crack" the mnemonics of some wallet addresses. After importing it, he found that there were a small number of tokens in it. The seller explained that the computing power of the trial version could only "collide" the mnemonics of the wallet addresses of a small number of assets, and Ethan then paid thousands of dollars to buy the software.
However, after the payment, the software Ethan received was completely unusable, and even triggered the virus protection alarm on his computer during installation. Ethan, who realized that he might have been deceived, contacted the seller again, but found that the other party had blocked him. Not only did he lose the funds used to purchase the software, but his computer was also implanted with malware, further threatening the security of his digital tokens.
Scam Knowledge
From a mathematical point of view, the probability of mnemonics being collided is extremely low. The 2048 words in the BIP39 standard mnemonic library can generate 2^128 types of mnemonic combinations. NVIDIA RTX 4090 is the most powerful graphics card in the consumer market. If you use an RTX4090 graphics card to traverse all the mnemonic combinations, it will take about 1.38×10^24 years – clearly impossible within a human lifetime.
However, if 8\9\10 words in a 12-word mnemonic phrase are leaked, it takes a certain amount of time to calculate the remaining words using the computing power of the graphics card, so there is also a risk of leaking only part of the mnemonics.
In addition, the security of mnemonics or private keys is also related to randomness. If the algorithm used to generate mnemonics or private keys is not random enough, it will increase the probability of hackers using brute force. In order to ensure sufficient randomness, imToken uses the random number generator provided by the system on Android and iOS. For example, the source of iOS entropy (which can be understood as random numbers) is the statistics of events that occurred in the system over a period of time. Since the kernel state of the system is different in real time, the randomness and security of the private key are fully guaranteed.
PSA:
- Keep your mnemonics or private keys in offline storage media, such as hardware wallets or paper backups, to reduce the risk of cyber attacks.
- Use legitimate wallets and mnemonic generators, and avoid using apps or websites from unknown sources.
- Mnemonic generation is extremely random, and the probability of successful collision is almost zero.
imToken Is Always Protecting Your Token Security
In June, imToken marked a total of 2891 risky tokens, banned 606 risky DApp websites and marked 1414 risky addresses.
In addition, if you find any suspiciously risky tokens or DApps, please contact us: support@token.im to help more users avoid token losses.
Closing Thoughts
Scams are constantly evolving, it is indeed challenging for average users to fully prevent them. imToken is committed to rapidly detecting issues and finding solutions, providing timely messages to the community, and educating users about various types of scams to protect them from losses.
We encourage you to read and share imToken Wallet Security Monthly Report and join hands with imToken to safeguard your token security.