Bitcoin2john May 2026
The typical command-line workflow for a recovery attempt looks like this:
1. Extract the hash:
python bitcoin2john.py wallet.dat > wallet.hash
**2. Run
This guide covers: what it is, how it works, installation, usage, hash formats, integration with John the Ripper, and real-world recovery scenarios.
wallet.dat:$bitcoin$96$3284754b4a686247614a3e0b5b59563a395d4107553e35406533363f405b033f32595f513c4f1c3922374b734e142b0c2b1b6d001e20102410436b1f554a0e3a025d4f1a4e2d5c133b27597d1640197c$f8f2e1a0a0e1f2f8
Components:
$bitcoin$96$ → algorithm identifier, then salt/iterations/encrypted master key. Bitcoin2john
By default, the script prefixes the hash with the filename (e.g., wallet.dat:). John the Ripper does not tolerate this prefix. You must remove it.
Manual method: Open wallet_hash.txt in a text editor and delete everything before $bitcoin$.
Command-line method (Linux/macOS):
cat wallet_hash.txt | cut -d ':' -f 2 > clean_hash.txt
Now clean_hash.txt contains only the hash line. The typical command-line workflow for a recovery attempt
While John the Ripper is the namesake, many professionals prefer Hashcat for Bitcoin wallets because Hashcat supports GPU acceleration (graphics cards are thousands of times faster than CPUs for hashing).
Using Bitcoin2john with Hashcat:
The hash format produced by Bitcoin2john is compatible with Hashcat mode 11300 (Bitcoin wallet).
Performance insight: A modern RTX 4090 GPU can test roughly 20,000–30,000 Bitcoin wallet hashes per second. This sounds fast, but due to the iteration count (key stretching), it is significantly slower than cracking an MD5 hash (billions per second). This is why a good passphrase is crucial.
Navigate to your terminal or command prompt. Run the script against your wallet file: wallet
python bitcoin2john.py /path/to/your/wallet.dat > hash.txt
What happens here?
The script scans the .dat file for encrypted keys. If your wallet has multiple addresses (or a "masters" key), it will output multiple hashes. The output looks like this:
$bitcoin$64$b456a0c3f4d...$32768$2b3a5f...$1$2
john --format=bitcoin wallet_hash.txt --wordlist=rockyou.txt
Or for faster cracking using Hashcat (convert format first):
hashcat -m 11300 -a 0 bitcoin_hash.txt rockyou.txt
bitcoin2john supports:
It detects:
You remember the password was Bitcoin2020 but maybe a different year. Use mask attack in hashcat:
hashcat -m 11300 -a 3 bitcoin_hash.txt Bitcoin?d?d?d?d