Case File #024: Recovering 4.2 BTC After a 3-Year Seed Gap
case_file // #024 // status: closed_recovered
Anonymized case file. Details altered enough to protect the client, preserved enough to be technically accurate. This is real work, real math, real recovery.
The intake
A client contacted us through the AI agent terminal. Their initial message was three lines:
lost 24-word phrase. remember 22 of them. no passphrase. wallet from 2022. btc. rough value ~$300k at today's price. can you help?
The agent asked the follow-ups that mattered:
- Which two words were missing? (Answer: positions 11 and 19.)
- What generated the phrase? (Answer: BlueWallet on iPhone.)
- Any known receiving addresses? (Answer: two, from old exchange withdrawals they'd kept in email.)
- Any passphrase (25th word)? (Answer: no.)
- Handwritten or metal backup? (Answer: written on the inside cover of a book they later gave to a friend who moved abroad. Book unrecoverable.)
Case qualified in five minutes. Handed to a senior operative.
The math
Two unknown BIP-39 words, positions known, target address known, derivation path known (BlueWallet uses BIP-84 native SegWit for Bitcoin).
Search space: 2048 × 2048 = 4,194,304 combinations. Checksum filter: ~1 in 16 pass, leaving ~262,144 candidates. Per candidate: HD derive, generate first receive address, compare.
On a single mid-range GPU, ~2 hours of walltime.
The workflow
Day 0 — Signed agreement. Client provided:
- The 22 known words in positions 1–10, 12–18, 20–24.
- Two target addresses.
- BlueWallet wallet type confirmed.
We provided:
- Fixed success fee (18% of recovered value).
- Zero-fee-on-failure guarantee.
- Chain-of-custody document.
Day 1 — Search began at 09:00. Custom BTCRecover fork running on 2× RTX 4090. Day 1, 11:47 — First match: valid checksum + address match on candidate #43,912. Verified against second target address. Confirmed.
Total elapsed: ~2 hours 47 minutes.
The handoff
We never touched the funds. Never derived a private key we retained. Here's the delivery:
- We wrote the two missing words to an encrypted PGP-signed message to the client.
- Client decrypted it on their own device.
- Client restored the full 24-word phrase into a fresh BlueWallet install.
- Balance appeared. Client immediately moved funds to a new hardware wallet (Coldcard Mk4).
- Client confirmed receipt. We invoiced the success fee.
We did not know the private key at any point after the search process completed. Our engineers do not retain candidate lists after case close.
The lessons
Lesson 1: Two missing words is a solved problem. People often assume "some words missing" means "wallet gone." It doesn't. Even three missing words with good position hints is usually workable.
Lesson 2: The derivation path matters. If we hadn't known BlueWallet uses BIP-84, we'd have had to test BIP-44 and BIP-49 as well, tripling compute time.
Lesson 3: Old email is a goldmine. The client thought they had no target addresses. Then they searched their Gmail for "Coinbase withdrawal" and found two old confirmation emails with the destination address. That single detail turned an impossible case into a two-hour job.
Lesson 4: Don't panic. But do move fast. Three years had passed. Nothing critical had degraded — checksums don't decay, addresses don't expire. Time is only against you when there's a physical or digital medium involved (a dying drive, a cleaned browser).
What this case didn't look like
- No one asked for the full seed phrase (we only received 22 words + positions).
- No upfront fee. No "unlock fee." No "gas payment."
- No promises. We quoted a probability band during triage.
- No dashboard, no crypto tokens, no fake blockchain "portal." Just a signed contract, a private terminal, and the actual recovery work.
If your case looks anything like this one — partial seed, target address available, standard wallet software — talk to us.
FAQ
Was this really 2 hours? Yes. Two missing words with position hints is genuinely fast. Most of the elapsed clock time in the case was contract signing, not compute.
What if the wallet was 5+ years old? Age doesn't matter. Bitcoin's address format hasn't changed in a way that breaks BIP-84 addresses. Ethereum keystores from 2016 are still crackable today.
What if the client had lost the target addresses? Then we'd have had to derive multiple candidates and check on-chain for any address with a non-zero balance across the derivation tree. Slower but still tractable for two-word cases.
Can I have my case published like this? Only with explicit consent, and always anonymized. Some clients like the visibility. Most prefer strict privacy.
Free assessment. Never asks for full seed. No recovery, no fee.