Because this tool allows attackers to test passwords offline at high speeds, users must employ strong security practices:
By default, the script prefixes the hash with the filename (e.g., wallet.dat:). John the Ripper does not tolerate this prefix. You must remove it.
Manual method: Open wallet_hash.txt in a text editor and delete everything before $bitcoin$.
Command-line method (Linux/macOS):
cat wallet_hash.txt | cut -d ':' -f 2 > clean_hash.txt
Now clean_hash.txt contains only the hash line.
Bitcoin2john is the name commonly given to a set of Python scripts/tools maintained in the Hashcat/john-the-ripper password‑recovery ecosystems that convert Bitcoin (and other cryptocurrency) wallet files or key formats into hashed password representations suitable for offline cracking tools (notably John the Ripper). The converted output is usually given in a format like “bitcoin2john” so John or Hashcat can attempt to recover plaintext passphrases protecting wallet private keys.
Before using the tool, it helps to understand what it generates. When you run bitcoin2john.py against an encrypted wallet.dat, it outputs a string that looks something like this: Bitcoin2john
$bitcoin$96$88d96a65cbe1b33b2c65f32ad5f6346e7f6...$16$b2c8e9f1a3d5...
This is the "hash line." It contains several critical components:
John the Ripper sees this line and knows: "I need to take candidate passwords, run them through the same key derivation function (KDF) with that exact salt and iteration count, and compare the result to the encrypted master key."
If you remember the structure (e.g., "My dog's name + 2 numbers + a symbol"), you can tell Hashcat: Because this tool allows attackers to test passwords
hashcat -m 11300 -a 3 ?u?l?l?l?l?l?d?d?s
This tries: 1 capital, 6 lowercase, 2 digits, 1 symbol.
Older versions of Bitcoin Core (pre-0.4.0) used weak encryption (SHA-256). Modern versions use AES-256-CBC with a key derived via OpenSSL’s EVP_BytesToKey using SHA-512. This is strong encryption, but the weak link is always the user's memory.
You need Bitcoin2john because you cannot simply "reset" a Bitcoin wallet password. Without the password, the private keys remain encrypted forever. Bitcoin2john translates that encrypted blob into a format that allows you to launch a brute-force, dictionary, or rule-based attack to recover the human-memorable password. Now clean_hash