Security model

What participants can see — and what they can't.

Two cryptographic constructions cover the threat model: extract-safe verifiers on the compute tier, and NVIDIA Confidential Computing attestation on the confidential tier. The threat model is rational economic adversaries trying to steal a wallet. Both constructions are designed to remove the option entirely.

Threat model

The defense target is a financially-motivated participant attempting to monetize a recovered wallet rather than report it. Concretely:

Theft of recovered private keys before settlement.
Theft of recovered passwords for credential reuse against other services.
Exfiltration of customer identity for downstream fraud.
Silent withholding of a hit while pretending to keep working.

Out of scope: nation-state hardware attacks, NVIDIA / Intel / AMD root-of-trust compromise, novel published side channels we have not had time to patch around. We track those, but they are not what the participant agreement defends against.

Compute tier

The extract trick

The compute tier ships a ~40-byte verifier to each worker, never the wallet itself. Every supported wallet format has a structural property that lets us strip the encrypted payload down to a tiny non-sensitive header decryption plus the KDF parameters needed to verify a password attempt. Specifically:

Bitcoin Core, Litecoin Core, Dogecoin Core — extract the encrypted master key only. The encrypted private keys live in wallet.dat, encrypted under the master key. Worker can derive the master key with the password, but can’t apply it to anything.
Blockchain.com, MetaMask, MultiBit HD, Electrum 2.x, Dogechain.info — extract the IV plus the first 16-byte ciphertext block. Decryption yields a known plaintext header ("guid", xprv, \x0a?org.bitcoin.) which verifies the password but contains zero key material. The seed lives in subsequent blocks that are simply absent from the payload.
Electrum 1.x — extract half the encrypted seed plus the IV. The full seed cannot be reconstructed from one half.
Bither, mSIGNA — extract the last half of the encrypted private key plus 16 bytes of encrypted padding. Padding has predictable structure, verifies the password; half a private key is unrecoverable.
Armory, Coinomi — same family: a minimal verifier plus the memory-hard KDF parameters, no recoverable key bits.

visible to worker

What the worker handles

Just enough material to test passwords. Nothing else.

IV (16 B)
first ciphertext block (16 B)
KDF params (iter, salt, n/r/p)
candidate chunk indices

total payload

≈ 40 bytes

hidden from worker

What stays on Brute Brothers

Everything required to actually move the funds.

encrypted master key / seed
encrypted private keys
wallet addresses
customer identity / PII

consequence

Worker who finds the password cannot unlock the wallet — the encrypted key material was never sent to them.

The pipeline end-to-end

Compute tier flow

Extract-based recovery, end to end

The customer's wallet stays on Brute Brothers' isolated machine. We send the fleet a ~40-byte verifier — enough to test passwords, not enough to reconstruct keys.

1 · extract

Open-source extract scripts strip the wallet down to a verifier — header bytes or padding only. No seed material.

2 · partition

Distribrute slices the candidate keyspace into chunks and dispatches them to suitable workers by workload kind.

3 · settle

A worker that produces a match returns only the candidate. Brute Brothers settles with the customer and the participant earns a share.

Confidential tier

NVIDIA Confidential Computing + remote attestation

BIP39 partial seed recovery has no extract analogue. The PBKDF2 output of a candidate mnemonic is the BIP39 seed, and the seed alone is sufficient to derive every private key in the wallet. There is no construction that lets a worker test candidates without computing the seed itself. So for this class of recovery — and for password recoveries above a value threshold — we route work to NVIDIA Confidential Computing GPUs (H100, H200, B200) and rely on hardware-rooted attestation.

The attestation handshake proves four things before any work payload is sent:

The GPU is a genuine NVIDIA Confidential Computing SKU (signed by NVIDIA’s PKI).
CC mode is enabled in firmware.
The firmware version is on our policy allow-list.
The public key used to encrypt the work channel was generated inside the attested enclave.

If any check fails, work is refused. The handshake includes a fresh server nonce to prevent quote replay.

Inside the enclave, candidates, derived seeds, and any recovered key material live in encrypted VRAM. The host operating system — including a malicious host with root — cannot read them. Egress travels back over the same encrypted channel.

Confidential tier flow

NVIDIA Confidential Computing + remote attestation

Before any work dispatch, the GPU proves to us that it is genuine, that Confidential Computing is enabled, and that our signed code is loaded. The host operating system is never trusted with cleartext.

① attestation

Server sends a nonce. GPU produces a quote signed by the hardware-rooted attestation key. NVIDIA PKI verifies the chain.

② sealed channel

The quote carries a public key generated inside the enclave. Encrypted work payloads can only be decrypted there.

③ encrypted compute

Candidates, derived seeds, and any recovered keys live exclusively in encrypted VRAM. Host root sees only ciphertext.

What we don't claim

Honest limits.

We don’t claim:

Defense against side-channel attacks. Published cache, timing, and power side channels exist against CC and SEV-SNP. They typically require local access and known vulnerabilities; we track research and update attestation policy as new findings warrant. They are real, they are not in the participant-agreement threat model.
Defense against vendor compromise. If NVIDIA’s attestation root is compromised or compelled by legal process, forged quotes would verify. This is the irreducible trust assumption at the bottom of any TEE system.
Defense against bugs in our enclave code. Attestation proves the right binary is loaded; it doesn’t prove the binary is bug-free. Small TCB, public reproducible builds, third-party review.
Anonymity for participants. The compute tier is not cryptographically theft-proof on its own. Real-name KYC and a binding participant agreement complete the defense. Anonymous participation is not offered.

Customer privacy

What participants learn about customers.

The short answer is nothing.

Case IDs displayed to participants are reshuffled per participant; an ID assigned to one participant for a chunk is not the same ID used internally or for another participant.
Wallet addresses, customer names, contact information, jurisdiction — none of these are part of the work payload at any tier.
Wallet value range is published only at aggregated, anonymized granularity.
Match results are reported to Brute Brothers, not published to the fleet. Settlement happens off the fleet’s view.

The participant agreement prohibits attempts to deanonymize cases or correlate them across participants.

Disclosure

Reporting a security issue.

If you find a vulnerability in the agent, the extract format, the attestation flow, or anywhere else in the protocol, email security@distribrute.io. We publish a coordinated disclosure timeline. Bug bounty schedule will be published prior to mainnet onboarding.