I work in the crypto self-custody space. Every month someone messages me asking whether they should worry about a brute-force attack on their seed phrase. The math says no. The behavior says yes, but for very different reasons than they expect.
Those 12 or 24 words are not a "backup." They are your Bitcoin. Whoever holds that phrase owns every satoshi in that wallet. No password reset, no support ticket, no appeals process.
This is a security deep-dive. How BIP39 works, where it is vulnerable, the 12 vs 24 word question, and the single most underused security feature in Bitcoin, the BIP39 passphrase.
TL;DR
A BIP39 seed phrase is the master key to your Bitcoin: 12 or 24 ordinary English words encoding 128 to 256 bits of cryptographic entropy. The 2,048-word wordlist is fixed, word order matters, and PBKDF2 stretches your phrase into a 512-bit seed that derives every key in your wallet. 24 words give 256 bits of entropy. Brute-forcing them is computationally impossible. The risk lives elsewhere: photographing your phrase, storing it in the cloud, mistyping words, or exposing it to malware. Write on metal or paper. Never digital.
What Is BIP39?
Before BIP39, Bitcoin wallets generated raw hexadecimal private keys: 64-character strings of random letters and numbers, nearly impossible to transcribe accurately or memorize. BIP39 solved this by standardising wallet entropy into a human-readable mnemonic phrase.
How it works:
- Entropy is generated. A random value of 128 to 256 bits (in 32-bit increments).
- A checksum is appended. The first bits of a SHA-256 hash of the entropy are added to the end.
- The combined value is split into 11-bit segments. Each 11-bit segment maps to one word from the BIP39 wordlist.
- The result is your seed phrase. 12, 15, 18, 21, or 24 words, depending on the initial entropy.
The BIP39 wordlist contains exactly 2,048 words (2^11, by design). Every word is uniquely identifiable by its first four letters, which minimises input errors when typing. BIP-39 ships 10 official wordlists across English, Japanese, Korean, Spanish, Chinese (Simplified), Chinese (Traditional), French, Italian, Czech, and Portuguese (BIP-39 wordlist registry). The standard was defined in 2013 by Marek Palatinus, Pavol Rusnák, Aaron Voisine, and Sean Bowe (BIP-39 spec).
The final step. Your mnemonic phrase is run through the PBKDF2 key stretching function (with 2,048 rounds of HMAC-SHA512) to produce a 512-bit binary seed. That seed is then passed to the BIP32 HD (hierarchical deterministic) wallet derivation algorithm, which generates the entire tree of private and public keys your wallet uses.
One seed phrase, infinite keys. Every Bitcoin address your wallet has ever generated is recoverable from those words alone.
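The entropy, checksum and 11-bit split steps listed above can be traced with Node's built-in crypto module. This is an added example, not code from the article's author or the Bi-Catalyst repo; the function names are illustrative, and it stops at wordlist indices because the 2,048-word list is not embedded (in the English list, index 0 is "abandon" and index 3 is "about").

```javascript
const crypto = require('crypto')

// Render a byte buffer as a string of '0'/'1' characters.
function bytesToBits(buf) {
  return Array.from(buf, b => b.toString(2).padStart(8, '0')).join('')
}

// BIP39 checksum: the first ENT/32 bits of SHA-256(entropy).
function checksumBits(entropy) {
  const hash = crypto.createHash('sha256').update(entropy).digest()
  return bytesToBits(hash).slice(0, (entropy.length * 8) / 32)
}

// Entropy -> list of 11-bit wordlist indices (0..2047).
function entropyToIndices(entropy) {
  const ent = entropy.length * 8
  if (ent < 128 || ent > 256 || ent % 32 !== 0) {
    throw new Error('entropy must be 128 to 256 bits in 32-bit steps')
  }
  const bits = bytesToBits(entropy) + checksumBits(entropy)
  return bits.match(/.{11}/g).map(chunk => parseInt(chunk, 2))
}

// Recompute the checksum from a list of indices. false means the phrase
// length is invalid or the words do not match their checksum.
function checksumValid(indices) {
  if (![12, 15, 18, 21, 24].includes(indices.length)) return false
  if (indices.some(i => !Number.isInteger(i) || i < 0 || i > 2047)) return false
  const bits = indices.map(i => i.toString(2).padStart(11, '0')).join('')
  const entBits = (bits.length * 32) / 33
  const bytes = bits.slice(0, entBits).match(/.{8}/g).map(b => parseInt(b, 2))
  return bits.slice(entBits) === checksumBits(Buffer.from(bytes))
}

// Constructed input: all-zero entropy, a public test value, never a real wallet.
const twelve = entropyToIndices(Buffer.alloc(16))
const twentyFour = entropyToIndices(Buffer.alloc(32))
console.log(twelve.join(' '))
console.log(twentyFour.length, checksumValid(twentyFour))

// Change only the last index: the checksum bits no longer match.
const typo = [...twelve.slice(0, 11), 4]
console.log(checksumValid(twelve), checksumValid(typo))
```

A 12-word phrase carries only 4 checksum bits, so a randomly substituted word still passes this check about 1 time in 16; the checksum catches most transcription errors, not all of them.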
12 Words vs 24 Words
Here is what the entropy numbers actually mean:
| Phrase Length | Entropy | Possible Combinations |
|---|---|---|
| 12 words | 128 bits | ~3.4 × 10^38 (2^128) |
| 24 words | 256 bits | ~1.16 × 10^77 (2^256) |
128 bits is computationally infeasible to brute force. Every computer on earth working together could not exhaust the keyspace before the sun runs out of fuel. 256 bits is orders of magnitude larger, matching Bitcoin's own private key entropy. Most hardware wallets default to 24 words. For a full walkthrough of choosing and using one, see our self-custody guide.
Both are secure today. For long-term savings, 24 words gives you more margin. The security community generally recommends it.
How Your Wallet Derives Keys
The derivation path explains why a single seed phrase is so powerful and so dangerous to expose.
Your seed phrase, via PBKDF2, produces the master seed. The master seed, via BIP32, produces the master private key and master chain code.
From the master private key, your wallet derives child keys using a derivation path. The most common standard for Bitcoin is BIP44, which produces paths like:
m / 44' / 0' / 0' / 0 / 0
Where:
- m = master key
- 44' = BIP44 purpose
- 0' = Bitcoin (coin type 0)
- 0' = first account
- 0 = external chain (receiving addresses)
- 0 = first address index
Every Bitcoin address you have ever received funds on is deterministically derived from that master seed. Restore the seed phrase on any BIP39/BIP44-compatible wallet and everything comes back. Addresses, balances, transaction history.
Lose the seed phrase and there is nothing to restore. No central server, no recovery path.
How To Generate BIP39 Wallets In Node.js
The fastest way to understand BIP39 entropy is to generate it yourself. The Node.js setup below spins up wallets and checks whether the generated addresses have ever held funds. Working code from Bi-Catalyst/bruteforcebitcoin. Educational only. Generating random wallets and checking on-chain activity is a brute-force exercise that confirms the math. It is not a path to anyone else's coins.
Tech Stack
- axios for HTTP requests to blockchain APIs
- bip39 for mnemonic generation and seed derivation
- bitcoinjs-lib for address derivation and transaction tooling
package.json:
```json
{
  "name": "bruteforcebitcoin",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "run": "node generate_wallet.js"
  },
  "license": "MIT",
  "dependencies": {
    "axios": "^1.4.0",
    "bip39": "^3.1.0",
    "bitcoinjs-lib": "^5.2.0"
  }
}
```
Imports And Constants
```javascript
const axios = require('axios')
const bip39 = require('bip39')
const bitcoin = require('bitcoinjs-lib')
const fs = require('fs')

const parallelLimit = 10
const iterations = 100
const batchSize = 10
const delayBetweenBatches = 5000 // 5 seconds
const apiDelay = 3000 // 3 seconds
let useBlockchainInfoAPI = true
```
Generating A Wallet
```javascript
async function generateWallet() {
  // Generate a new 12-word mnemonic seed phrase
  const mnemonic = bip39.generateMnemonic(128)
  console.log('Mnemonic:', mnemonic)

  // Convert the mnemonic to a seed
  const seed = await bip39.mnemonicToSeed(mnemonic)

  // Derive the wallet from the seed using BIP32
  const network = bitcoin.networks.bitcoin
  const hdMaster = bitcoin.bip32.fromSeed(seed, network)
  // This node is the external chain of the first account (m/44'/0'/0'/0)
  const account = hdMaster.derivePath("m/44'/0'/0'/0")

  // Generate a new Bitcoin address (index 0, i.e. m/44'/0'/0'/0/0)
  const { address } = bitcoin.payments.p2pkh({
    pubkey: account.derive(0).publicKey,
    network
  })
  console.log('Bitcoin Address:', address)

  const hasTransactions = await checkAddressActivity(address)
  await new Promise(resolve => setTimeout(resolve, apiDelay))
  return { address, hasTransactions }
}
```
Checking Address Activity
The check alternates between two public block explorer APIs, Blockchain.com and BlockCypher, to manage rate limits:
```javascript
async function checkAddressActivity(address) {
  try {
    let response
    if (useBlockchainInfoAPI) {
      response = await axios.get(`https://blockchain.info/rawaddr/${address}`)
    } else {
      response = await axios.get(
        `https://api.blockcypher.com/v1/btc/main/addrs/${address}`
      )
    }
    useBlockchainInfoAPI = !useBlockchainInfoAPI

    let hasTransactions = false
    if (response.data.txs) {
      hasTransactions = response.data.txs.length > 0
    } else if (response.data.txrefs) {
      hasTransactions = response.data.txrefs.length > 0
    }

    if (hasTransactions) {
      console.log('This address has transactions associated with it.')
      return true
    } else {
      console.log('This address has no transactions associated with it.')
      return false
    }
  } catch (error) {
    console.error('Error fetching address data:', error.message)
    return false
  }
}
```
Persisting Hits
```javascript
function appendToFile(filename, data) {
  fs.appendFile(filename, data, err => {
    if (err) {
      console.error(`Error saving data to ${filename}:`, err.message)
    } else {
      console.log(`Data saved to ${filename}`)
    }
  })
}
```
Orchestrating The Run
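```javascript
// processBatch() is called below, but its definition is not reproduced in this article.
// The snippet as shown also never invokes main().
async function main() {
  const walletPromises = []
  for (let i = 0; i < iterations; i++) {
    walletPromises.push(generateWallet())
    // Flush a full batch before starting more lookups
    if (walletPromises.length === parallelLimit) {
      await processBatch(walletPromises)
      walletPromises.length = 0
    }
  }
  // Flush whatever is left over after the loop
  if (walletPromises.length > 0) {
    await processBatch(walletPromises)
  }
}
```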
Run it overnight. You will not hit a funded wallet. That is the point. The combinatorics make it a billion-billion-billion-year exercise on consumer hardware. The script proves the math by failing to defeat it.
Full repo at github.com/Bi-Catalyst/bruteforcebitcoin.
The 25th Word Most Holders Never Set
BIP39 includes an optional passphrase, the "25th word", that most Bitcoin holders have never used. That is a mistake.
When your mnemonic converts to a binary seed, the PBKDF2 function takes two inputs: your mnemonic phrase and an optional passphrase. By default that passphrase is an empty string. You can enter anything: a word, a phrase, symbols, numbers.
A different passphrase produces a completely different wallet. Same 24 words, different passphrase, completely different master seed, addresses, and balances. Two security implications follow.
Physical theft becomes survivable
Someone breaks in and finds your seed phrase on paper. Without the passphrase, they access only the empty-string wallet, a decoy with a small amount. Your real holdings, behind a passphrase only you know, are cryptographically invisible.
This is a legitimate plausible deniability setup. Keep a small amount in the base wallet. Keep the real stack behind the passphrase.
The attack surface gets smaller
Most attack vectors (physical theft, shoulder surfing, a leaked photo) require only your seed words. The passphrase adds a second factor that is never written on the same paper, never stored in the same location, never transmitted digitally.
Coldcard, Jade, Trezor, and Ledger all support it. It is in the advanced settings. Enable it.
One warning. The passphrase is not recoverable. Forget it, and that Bitcoin is gone. Write it down separately, store it securely, and test your recovery before depositing anything significant.
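The passphrase behaviour described in this section, and the warning above, can be checked directly with Node's built-in crypto module. This is an added example, not code from the article or the Bi-Catalyst repo; the function names and the candidate passphrases are constructed for illustration, and it stops at the BIP32 master node rather than deriving addresses.

```javascript
const crypto = require('crypto')

// BIP39: seed = PBKDF2-HMAC-SHA512(password = mnemonic,
// salt = "mnemonic" + passphrase, 2048 rounds, 64 bytes), inputs NFKD-normalised.
function mnemonicToSeed(mnemonic, passphrase = '') {
  const password = Buffer.from(mnemonic.normalize('NFKD'), 'utf8')
  const salt = Buffer.from('mnemonic' + passphrase.normalize('NFKD'), 'utf8')
  return crypto.pbkdf2Sync(password, salt, 2048, 64, 'sha512')
}

// BIP32: master node = HMAC-SHA512(key = "Bitcoin seed", data = seed).
// Left 32 bytes: master private key. Right 32 bytes: master chain code.
function seedToMaster(seed) {
  const I = crypto.createHmac('sha512', 'Bitcoin seed').update(seed).digest()
  return { privateKey: I.subarray(0, 32), chainCode: I.subarray(32) }
}

// Public BIP39 test mnemonic (all-zero entropy). Never fund a wallet from it.
const TEST_MNEMONIC = 'abandon '.repeat(11) + 'about'

// Derive one wallet root per candidate passphrase.
function walletsFor(mnemonic, passphrases) {
  return passphrases.map(passphrase => {
    const seed = mnemonicToSeed(mnemonic, passphrase)
    const master = seedToMaster(seed)
    return {
      passphrase,
      seedHex: seed.toString('hex'),
      masterKeyHex: master.privateKey.toString('hex')
    }
  })
}

// Constructed candidates: empty default, a passphrase, and two near-miss typos.
const candidates = ['', 'TREZOR', 'trezor', 'TREZOR ']
const wallets = walletsFor(TEST_MNEMONIC, candidates)
for (const w of wallets) {
  console.log(
    JSON.stringify(w.passphrase).padEnd(10),
    w.seedHex.slice(0, 16),
    w.masterKeyHex.slice(0, 16)
  )
}
```

Every candidate, including the case and trailing-space typos, yields a different and equally valid wallet root with no error raised, which is why a restore test is the only way to confirm the passphrase you wrote down is the one you set.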
The Attacks That Actually Drain Bitcoin Wallets
Real-world seed phrase failures almost never involve brute force. They cluster into three categories: digital, physical, and mathematical.
Digital attacks own the field. Phishing is the highest-frequency loss vector. Fake wallet apps, fake "wallet recovery" websites, fake support agents. No legitimate wallet, exchange, or support desk will ever ask for your seed phrase, not once, not ever. Cloud backup mistakes are next. You photograph your seed phrase and your phone auto-uploads to Google Photos or iCloud. Your seed is now on a server, and this has caused real losses. Malware (keyloggers, clipboard hijackers) on internet-connected machines can capture seed phrases during entry, which is exactly why a dedicated hardware device exists in the first place.
Physical attacks are slower but real. Someone finds your written seed phrase in a drawer, behind a frame, on a fridge magnet. Storage location plus the BIP39 passphrase are your defences here. Shoulder surfing is the mild version. Someone watches you generate or enter your seed phrase, so set up hardware wallets in private and check for cameras before you confirm anything sensitive.
Mathematical attacks (brute forcing the entropy itself) are the one the title of this post pretends to be about, and the one that has never drained a wallet. 2^128 or 2^256 combinations with current hardware constraints. If you generated your seed on a reputable hardware wallet with healthy RNG, brute force is not your concern. The math wall is intact. The behavior wall is where you get pushed off.
What NOT to Do With Your Seed Phrase
Documented loss vectors, not suggestions:
- No digital photos. Ever.
- No cloud storage. Dropbox, Google Drive, iCloud, OneDrive.
- No password managers unless you have specifically thought through the threat model.
Beyond the above, also skip email (not to yourself, not to anyone), messaging apps (WhatsApp, Signal, iMessage), screenshots, and any website that claims to be a "seed phrase validator" or "wallet recovery tool" because those are scams.
Physical form only. Locations you control. Eyes you trust.
How to Actually Store Your Seed Phrase
Generate on a dedicated device (Coldcard, Jade, Trezor) and not a browser extension, mobile app, or any desktop wallet with internet access. Hardware wallets isolate entropy generation. A connected computer has too many attack surfaces.
Metal backup, not paper
Paper burns, gets wet, deteriorates. Metal backup products (Cryptosteel Capsule, Blockplate, Bilodeau plates) stamp or engrave your seed words onto stainless steel or titanium. They survive house fires and floods. One copy in one location is a single point of failure. Keep two or three metal backups in separate physical locations. If you use a BIP39 passphrase, store it separately from the seed words.
Hardware wallet picks for 2026
Also covered in Wallets Staying Secure.
- Coldcard Q. Bitcoin-only, airgapped PSBT workflow, highest security.
- Jade Plus. Affordable, open source, strong security model.
- Trezor Model T / Safe 5. GPL-3.0 firmware (Trezor firmware repository), with the EAL6+ Secure Element silicon remaining closed (vendor confirms NDA-free). Trezor Safe 3 defaults to a 20-word SLIP-39 backup with 12 or 24 BIP-39 selectable (Trezor Safe 3 product page).
- Ledger Nano S Plus and BitBox02. Default to 24 BIP-39 words. Feature-rich; past supply chain concerns noted in the security community for the Ledger line.
Test before you deposit. Wipe the device. Restore from your seed phrase. Verify all addresses match. Confirm the passphrase works. Then deposit. Do this before any real Bitcoin enters the wallet.
Quantum Computing and BIP39
Shor's algorithm targets ECDSA (the elliptic curve signature scheme Bitcoin uses for transactions), not BIP39 entropy. A sufficiently powerful quantum computer could theoretically derive a private key from a public key exposed in an unspent transaction output. The seed itself is fine because PBKDF2-HMAC-SHA512 only loses a quadratic factor to Grover, which leaves 256-bit symmetric strength well above any plausible attack budget.
NIST finalised its post-quantum cryptography standards in 2024, Taproot introduced Schnorr signatures (BIP340), and current estimates put BIP39 seed phrases safe against quantum attacks for at least 10 to 20 years on current trajectories. Any migration will be a coordinated protocol-level change, not a surprise. Full breakdown in the quantum threat analysis.
BIP39 Survives. The Human Layer Often Does Not.
The cryptography is sound. 128 or 256 bits of entropy produces a keyspace no adversary can brute force. That problem is solved.
The vulnerabilities are human. Seed phrases get photographed, cloud-synced, typed into phishing sites, stored in a single location with no redundancy. The BIP39 passphrase, sitting unused in every major hardware wallet's advanced settings, defeats most of those scenarios with one extra step.
Three actions close the gap. Enable the BIP39 passphrase and store it separately from your seed words. Move to a metal backup (Cryptosteel, Blockplate, or similar) because paper is not a permanent solution. Test your recovery before it matters by wiping the device, restoring from seed and passphrase, and verifying it works.
BIP39 gives you the foundation. The security you build on top of it determines whether your Bitcoin is actually safe.
This article is publicly available BIP-39 cryptography documentation and 2026 hardware-wallet vendor information, not security advice. Hardware-wallet firmware and feature sets change. Test every recovery flow on a dedicated device before depositing significant Bitcoin, verify the open-source status of any wallet firmware against the vendor's current public repository, and treat any "BIP-39 brute force" service offer as a scam. Security guidance dates fast. When in doubt, talk to a Swiss-licensed security advisor or a FINMA-supervised custodian before depositing material capital into a setup you cannot independently verify.
Sources:
- BIP39 specification, Bitcoin GitHub
- BIP-39 wordlist registry
- Trezor firmware repository
- Trezor Safe 3 product page
- BIP39 technical overview, Plisio
- Seed phrase security guide, Bleap Finance
- Seed phrases explained, Knowing Bitcoin
- Top hardware wallets 2026, Bitcoin Magazine
- Hardware wallet buying guide 2026, Knowing Bitcoin
- NIST Post-Quantum Cryptography standards, finalized 2024