Bitcoin2john
git clone https://github.com/openwall/john.git
cd john/run/
ls bitcoin2john.py # present in bleeding-edge jumbo
Now that you have the hash in hash.txt, you run John:
john --format=bitcoin hash.txt
Or, if you want to use a custom wordlist:
john --format=bitcoin --wordlist=rockyou.txt hash.txt
The script parses the binary structure of the wallet file. It locates the Master Key (mkey) records which contain:
Bitcoin2john is a double-edged sword. Use it only on wallets you own or have explicit written permission to test. Unauthorized use of this tool against someone else’s wallet is illegal in most jurisdictions. Many stolen cryptocurrencies have been recovered by law enforcement using tools like this—but only with a warrant. Bitcoin2john
Open a terminal and execute:
python bitcoin2john.py /path/to/your/wallet.dat > wallet_hash.txt
Example output:
wallet.dat:$bitcoin$96$d3b17b5a...$1d6c4e51...
Note: If your
wallet.datis not encrypted (e.g., you never set a password), the script will exit with an error. Bitcoin2john only works on encrypted wallets. git clone https://github
Create a custom wordlist from:
Use tools like cewl to scrape your old social media for phrases.
By default, the script prefixes the hash with the filename (e.g., wallet.dat:). John the Ripper does not tolerate this prefix. You must remove it. Now that you have the hash in hash
Manual method: Open wallet_hash.txt in a text editor and delete everything before $bitcoin$.
Command-line method (Linux/macOS):
cat wallet_hash.txt | cut -d ':' -f 2 > clean_hash.txt
Now clean_hash.txt contains only the hash line.
Many legacy scripts online were written for Python 2. Modern systems use Python 3.
Error: print syntax error or bytes vs str exceptions.
Fix: Ensure you are using the updated bitcoin2john.py from the official John the Ripper Jumbo repository—not a random 2013 forum post.