Skip to content

Releases: cyclone-github/phantom_pwn

v1.0.0

22 Oct 15:18
@cyclone-github cyclone-github
v1.0.0
d8f9e7d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.0.0 Latest
Latest

Full Changelog: v0.1.5...v1.0.0

Readme Card

License

Phantom Vault Extractor & Decryptor

POC tools to recover, extract and decrypt Phantom vaults

This toolset is proudly the first publicly released Phantom Vault Extractor and Decryptor

  • Contact me at https://forum.hashpwn.net/user/cyclone if you need help recovering your Phantom wallet password or seed phrase
  • Note: phantom_extractor supports hashcat modes 30010, 26650, and 26651 for convenience, but these are third-party modules that are not affiliated with or included in the official hashcat beta or release builds at https://github.com/hashcat/hashcat

Writeup of my process of decrypting Phantom Wallets and recovering the seed phrase

Phantom vault location for Chrome extensions:

  • Linux: /home/$USER/.config/google-chrome/Default/Local\ Extension\ Settings/bfnaelmomeimhlpmgjnjophhpkkoljpa/
  • Mac: Library>Application Support>Google>Chrome>Default>Local Extension Settings>bfnaelmomeimhlpmgjnjophhpkkoljpa
  • Windows: C:\Users\$USER\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\

Extractor usage example on test vault: (plaintext is password)

  • Old pbkdf2 KDF
./phantom_extractor.bin bfnaelmomeimhlpmgjnjophhpkkoljpa/
 ----------------------------------------------------- 
|        Cyclone's Phantom Vault Hash Extractor       |
|        Use Phantom Vault Decryptor to decrypt       |
|    https://github.com/cyclone-github/phantom_pwn    |
 ----------------------------------------------------- 
{"encryptedKey":{"digest":"sha256","encrypted":"5pLvA3bCjNGYBbSjjFY3mdPknwFfp3cz9dCBv6izyyrqEhYCBkKwo3zZUzBP44KtY3","iterations":10000,"kdf":"pbkdf2","nonce":"NZT6kw5Cd5VeZu5yJGJcFcP24tnmg4xsR","salt":"A43vTZnm9c5CiQ6FLTdV9v"},"version":1}
 ----------------------------------------------------- 
|          hashcat -m 30010 hash (pbkdf2 kdf)         |
 ----------------------------------------------------- 
$phantom$SU9HoVMjb1ieOEv18nz3FQ==$7H29InVRWVbHS4WcBJdTay0ONb4mLX9Q$g0vJAbflhH4jJJDvuv7Ar5THgzBmJ8tt6oajsQZd/dSXNNjcY5/0eGeF5c1NW1WU
 ----------------------------------------------------- 
|          hashcat -m 26651 hash (pbkdf2 kdf)         |
 ----------------------------------------------------- 
PHANTOM:10000:SU9HoVMjb1ieOEv18nz3FQ==:7H29InVRWVbHS4WcBJdTay0ONb4mLX9Q:g0vJAbflhH4jJJDvuv7Ar5THgzBmJ8tt6oajsQZd/dSXNNjcY5/0eGeF5c1NW1WU
  • New scrypt KDF
./phantom_extractor.bin bfnaelmomeimhlpmgjnjophhpkkoljpa/
 ----------------------------------------------------- 
|        Cyclone's Phantom Vault Hash Extractor       |
|        Use Phantom Vault Decryptor to decrypt       |
|    https://github.com/cyclone-github/phantom_pwn    |
 ----------------------------------------------------- 
{"encryptedKey":{"digest":"sha256","encrypted":"37fJoKsB9vwnKEzPgc2AHtYVsPTTzrXdTGacbgWxLxbiS7Ri3P3iNnf8csaKwJ4wpk","iterations":10000,"kdf":"scrypt","nonce":"49aomus4HiKLyg7F66pSinR4tpuUuJDHX","salt":"M1PMFn4p4gdCxZDzf8qX71"},"version":1}
 ----------------------------------------------------- 
|          hashcat -m 26650 hash (scrypt kdf)         |
 ----------------------------------------------------- 
PHANTOM:4096:8:1:ogSL4J4xP/wNbAjiA8Q4hA==:Iofs3VYyyaYFzHVkcMsnpkrjGQ2+Kni2:OacHaTJAM8dD7XJIj5bGMU3cM8QW3u92n+ngYjXsgRSR20FDnkMLQHTgPxJDefOx

Decryptor usage example:

 ----------------------------------------------- 
|       Cyclone's Phantom Vault Decryptor       |
| https://github.com/cyclone-github/phantom_pwn |
 ----------------------------------------------- 

Vault file:     hash.txt
Valid Vaults:   1
CPU Threads:    16
Wordlist:       wordlist.txt
2025/10/22 14:11:35 Working...
{"encryptedKey":{"digest":"sha256","encrypted":"5pLvA3bCjNGYBbSjjFY3mdPknwFfp3cz9dCBv6izyyrqEhYCBkKwo3zZUzBP44KtY3","iterations":10000,"kdf":"pbkdf2","nonce":"NZT6kw5Cd5VeZu5yJGJcFcP24tnmg4xsR","salt":"A43vTZnm9c5CiQ6FLTdV9v"},"version":1}:password
2025/10/22 14:11:39 Decrypted: 1/1 6181.36 h/s 00h:00m:03s

2025/10/22 14:11:39 Finished

Decryptor supported options:

-w {wordlist} (omit -w to read from stdin)
-h {phantom_wallet_hash}
-o {output} (omit -o to write to stdout)
-t {cpu threads}
-s {print status every nth sec}

-version (version info)
-help (usage instructions)

./phantom_decryptor.bin -h {phantom_wallet_hash} -w {wordlist} -o {output} -t {cpu threads} -s {print status every nth sec}

./phantom_decryptor.bin -h phantom.txt -w wordlist.txt -o cracked.txt -t 16 -s 10

cat wordlist | ./phantom_decryptor.bin -h phantom.txt

./phantom_decryptor.bin -h phantom.txt -w wordlist.txt -o output.txt

Decryptor credits:

Checksum

9e5987958c4c3adbbb854af5040bf4eb2b8cb943  phantom_decryptor_amd64.bin
c832c4450b7eb57a40b546b23d4d08042620db8b  phantom_decryptor_amd64.exe
5554e6f172ecacb8be5708d501026bc7e4ecdb72  phantom_extractor_amd64.bin
32d57c314cc2667886547442ad14534fea96706b  phantom_extractor_amd64.exe

Jotti Antivirus Scan Results:

https://virusscan.jotti.org/en-US/filescanjob/udynhd26hz,uq7n6pw3pg,kmicmd0vhn,gwkkpmvs4g

Assets 6
Loading

v0.1.5

30 Nov 20:49
@cyclone-github cyclone-github
v0.1.5
6d715f0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.1.5

Phantom Vault Decryptor

POC tool to decrypt Phantom vaults

This toolset is proudly the first publicly released Phantom Vault Decryptor

Writeup of my process of decrypting Phantom Wallets and recovering the seed phrase

Decryptor usage example:

 ----------------------------------------------- 
|       Cyclone's Phantom Vault Decryptor       |
| https://github.com/cyclone-github/phantom_pwn |
 ----------------------------------------------- 

Vault file:     hash.txt
Valid Vaults:   1
CPU Threads:    16
Wordlist:       wordlist.txt
2024/11/30 14:11:35 Working...
{"encryptedKey":{"digest":"sha256","encrypted":"5pLvA3bCjNGYBbSjjFY3mdPknwFfp3cz9dCBv6izyyrqEhYCBkKwo3zZUzBP44KtY3","iterations":10000,"kdf":"pbkdf2","nonce":"NZT6kw5Cd5VeZu5yJGJcFcP24tnmg4xsR","salt":"A43vTZnm9c5CiQ6FLTdV9v"},"version":1}:password
2024/11/30 14:11:39 Decrypted: 1/1 6181.36 h/s 00h:00m:03s

2024/11/30 14:11:39 Finished

Decryptor supported options:

-w {wordlist} (omit -w to read from stdin)
-h {phantom_wallet_hash}
-o {output} (omit -o to write to stdout)
-t {cpu threads}
-s {print status every nth sec}

-version (version info)
-help (usage instructions)

./phantom_decryptor.bin -h {phantom_wallet_hash} -w {wordlist} -o {output} -t {cpu threads} -s {print status every nth sec}

./phantom_decryptor.bin -h phantom.txt -w wordlist.txt -o cracked.txt -t 16 -s 10

cat wordlist | ./phantom_decryptor.bin -h phantom.txt

./phantom_decryptor.bin -h phantom.txt -w wordlist.txt -o output.txt

Changelog:

v0.1.5-2024-11-30-1415;
	fix https://github.com/cyclone-github/phantom_pwn/issues/6
	swapped crackedCount and lineProcessed channels for atomic int32 for better performance
	multiple performance optimizations in process.go
	print vault:password when vault is cracked

Checksum:

2b15f7705092dad90bb4ea454f91744de3dbaec59f8b259278913c1a56c75019  phantom_decryptor_amd64.bin
b8816b94f18061f81018d5b346eec8ddc7609778b7e5ba3f5939d357db2b9edd  phantom_decryptor_amd64-darwin
6d849d5a36c7aef1ab68579f61035b2c714e1db4c09fa0bd6845705224c5a34e  phantom_decryptor_amd64.exe

Jotti Antivirus Scan Results:

https://virusscan.jotti.org/en-US/filescanjob/dcfuoi2ecx,zcx5eurogb,ybul8xq8zo

Loading