I built a GPU-accelerated Bitcoin wallet recovery tool that recovered wallet with 4 missing words

I built a GPU-accelerated Bitcoin wallet recovery tool that recovered wallet with 4 missing words in just 2 hours. Here’s why, how it works, and why you can trust it.

I’ll start with what set everything in motion, because I think it helps understand the choices I made — both technical and ethical.

Someone close to me lost access to a Bitcoin wallet in 2018 — not a small amount. The seed phrase had been carefully saved on paper, or so they believed. When the time came to access it, eight of the twelve words were legible. The remaining four were completely unreadable because the page had been damaged by moisture.

I started looking for existing tools. What I found was either Python scripts abandoned for years that no longer compiled, or commercial services asking you to send them your seed phrase which is absurd from a security standpoint or forums simply saying “it’s gone, sorry.”

In this article about the ten recovery modes the software contains, I’ll focus on Mode 1, which is seed phrase brute force. It’s the most common and easiest to understand. For the other modes, don’t hesitate to consult the software documentation.

I named the software: wrecover.

Understanding the mathematical problem first

Before going into the details of the software, I want to make sure you understand the problem you’re facing, because the mathematics entirely determine whether your situation is recoverable and with what hardware.

BIP39 is the standard that defines how your seed phrase works. Each word comes from a fixed list of 2,048 words. The phrase is converted into a seed via PBKDF2-HMAC-SHA512 with exactly 2,048 iterations — a deliberately slow operation designed to make brute-force difficult. Then BIP32 and BIP44 take over for hierarchical key derivation. I won’t dwell too long on these steps for more detailed information you can read the excellent articles that explain this process in depth.

When words are missing, you are searching through all valid combinations of those 2,048 words at the unknown positions:

• 1 missing word: 2048 candidates

• 2 missing words: 2048² (~4.2 million) candidates

• 3 missing words: 2048³ (~8.6 billion) candidates

• 4 missing words: 2048⁴ (~17.6 trillion) candidates

• 5 missing words: 2048⁵ (~36 quadrillion) candidates

These are raw figures before the BIP39 checksum filter I describe below. But even with that filter, the jump from 3 to 4 missing words is where CPU alone becomes insufficient. That’s precisely what pushed me to do the GPU work.

What I built and why it takes this form

wrecover is a command-line tool available on Linux and Windows, and a graphical interface available exclusively for the Pro version on Windows — written in C++20, with a full CUDA backend and a portable OpenCL backend. It runs entirely locally. Nothing leaves your machine. No telemetry, no license server, no network component of any kind. Your seed phrase never leaves your hardware.

This is a decision I made from day one and that has never changed. A wallet recovery tool that makes network calls is a wallet theft tool.

Full documentation is available at wrecover.github.io — each mode has its own page with complete parameters, realistic performance estimates for different configurations, and example commands.

Ten modes because recovery is not a single problem

One of the first things I realized while building wrecover is that losing access to a wallet is not a single problem. It’s a family of distinct problems each requiring a different approach. I implemented ten.

Mode 0 — Model File is for cases where you have partial knowledge that’s difficult to express simply. You know some words but not their exact positions. You have several candidates for certain slots. You encode your constraints in a text file and wrecover systematically tests every valid combination that satisfies them. It’s the intelligent version of brute force — you apply what you know before computing anything.

Mode 1 — Mnemonic Brute Force is what most people need. You mark unknown words with x and wrecover tests all 2,048 BIP39 words at each position. The free version includes GPU acceleration for up to three missing words. Four or more require the Pro version.

Mode 2 — Full Passphrase Brute Force is for cases where you know your seed phrase perfectly but have completely forgotten the passphrase. You define a minimum and maximum length and wrecover tests every combination of printable ASCII characters in that range. The search space is 95 to the power of the passphrase length — this mode is only tractable with GPU beyond 5 to 6 characters.

Mode 3 — Passphrase Mask is the most elegant mode in my view. If you remember your passphrase was something like “Bitcoin” followed by three digits, you write -mask “Bitcoin?d?d?d” and wrecover tests only the 1,000 combinations matching that pattern. Available wildcards: ?l for lowercase, ?u for uppercase, ?d for digits, ?s for special characters, ?a for all, ?b for hexadecimal. When you have any structural memory of your passphrase, this mode reduces the search space by several orders of magnitude.

Mode 4 — Substitution handles the leet-speak problem. You put base words in a dictionary file and wrecover automatically generates all possible substitution variants — p@ssword, passw0rd, P@55w0rd, and every other combination of common substitutions.

Modes 5 to 9 are combination modes. Mode 5: model file for seed recovery combined with a passphrase list. Mode 6: missing words combined with a passphrase list. Mode 7: testing a file of complete seed phrase candidates. Mode 8: testing a passphrase list against a known complete seed phrase. Mode 9 — the most exhaustive — full Cartesian product of a seed phrase file and a passphrase file. Modes 7, 8 and 9 are CPU-only. Modes 0 to 6 support GPU.

The BIP39 checksum filter — the optimization built into the standard

A technical detail that many recovery tools miss entirely, and that has a real impact on performance.

BIP39 integrates a checksum into the seed phrase. The last word encodes the final entropy bits plus a checksum of the entire phrase — 4 bits for a 12-word phrase, 8 bits for 24 words. wrecover validates this checksum before performing any address derivation.

In practice, for a 12-word phrase with one unknown last word, about 7 out of 8 candidates are eliminated immediately — you test ~256 real candidates instead of 2,048. On a large brute-force run, filtering invalid candidates before the expensive PBKDF2 computation significantly reduces the actual workload. Tools that skip this step do unnecessary work on every run.

The GPU numbers — this is where everything changes

The core operation of wrecover is PBKDF2-HMAC-SHA512 with 2,048 iterations. This dominates the runtime. And it is embarrassingly parallel: each candidate is completely independent of the others. No shared state, no communication between threads. This is exactly the type of workload GPUs were designed for.

Here are the real measured figures for different configurations in Mode 1:

The measured speedup ranges from 650× to 6,000× depending on the hardware and mode. This is a direct consequence of mapping a parallel workload onto hardware designed for it — not an optimistic rounding, but real measurements.

To put it concretely: three missing words in a 24-word phrase takes 9 hours on 8 CPU threads. On an RTX PRO 6000, it takes 1 minute. Four missing words in a 24-word phrase takes 2 years on CPU. On an RTX PRO 6000, it’s 18 hours recoverable overnight.

I ran tests on 8× RTX PRO 6000 Blackwell and achieved speeds of 2.02 Gseeds/s. With this configuration I can scan the entire 4-missing-word range in just 2 hours 30 minutes.

Imagine renting 200× RTX PRO 6000 Blackwell on vast.ai — you could scan the entire 5-missing-word range in less than 8 days: (2,048⁵ / (200 × 264,000,000)) / 3600 = 190 hours (< 8 days).

GPU compatibility by architecture (free version provided for testing)

Linux (sm_60 to sm_120):

• Pascal: GTX 1060/1070/1080/1080 Ti, Tesla P100

• Volta: Titan V, Tesla V100

• Turing and above: all RTX 20, 30, 40, 50 series, professional and datacenter cards

Windows (sm_75 to sm_120):

• Turing: GTX 1650, RTX 2060/2070/2080/2080 Ti, Titan RTX

• Ampere: RTX 3060 to 3090, A100, A30

• Ada Lovelace: RTX 4060 to 4090, L40S, RTX 6000 Ada

• Hopper: H100, H200

• Blackwell: RTX 5070 to 5090, B100, B200, RTX PRO 6000

The OpenCL backend covers AMD cards and other OpenCL-compatible devices, using the same algorithm as the CUDA backend.

The -grid and -gblock parameters (default: -grid 256 -gblock 256) allow tuning the GPU configuration for different architectures. For my tests I used -grid 2048 -gblock 256 and obtained excellent results.

Five or more missing words — distributed recovery

This is probably the most important feature for difficult cases.

Five missing words in a 24-word phrase means 2,04⁸⁵ (~36 quadrillion) candidates. Even across 200× RTX PRO 6000, that’s nearly 8 days to scan the full range. But the Pro version includes -startp and -endp parameters that allow splitting the search space across multiple independent machines on completely different systems.

The principle: you create a work file describing the job, then launch multiple instances with different assigned ranges.

Machine 1 — first third

wrecover -m 1 -ms "abandon x able x x absent x abstract x accuse accident account" \
-addr "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" -wlang en \
-ws -wf job_part1.wrec -wp "password" \
-startp 0 -endp 5000000000000 -gpu -grid 2048 -gblock 256

Machine 2 — second third

wrecover -m 1 -ms "abandon x able x x absent x abstract x accuse accident account" \
-addr "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" -wlang en \
-ws -wf job_part2.wrec -wp "password" \
-startp 5000000000000 -endp 10000000000000 -gpu -grid 2048 -gblock 256

Machine 3 — last third

wrecover -m 1 -ms "abandon x able x x absent x abstract x accuse accident account" \
-addr "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" -wlang en \
-ws -wf job_part3.wrec -wp "password" -startp 10000000000000 -gpu -grid 2048 -gblock 256

Each machine works its segment independently. In this example, three machines with decent GPUs divide the total time by three. Rent multiple GPU instances on vast.ai for 24 hours and what was a multi-day job becomes an afternoon’s work.

Why the Pro version delivers source code and not a binary

I want to be direct on this point because it’s a conscious decision that goes against what most tools in this space do.

The Pro version of wrecover does not send you a compiled executable. It sends you the complete source code.

The reason is simple: a wallet recovery tool is, by construction, exactly the type of software a malicious actor would want to distribute. You’re running something on a machine that potentially contains other sensitive files. You’re often in a stressed state, not in the best conditions to calmly evaluate the security of a downloaded executable.

The only honest way to solve this trust problem is to give you the code. You read it. You have someone else audit it if you want. You verify that every line does what it’s supposed to do. And when you’re satisfied, you compile it yourself on your own machine.

The code is well-commented, well-documented, and without any form of obfuscation. No encrypted segments, no embedded binary blobs, no runtime decompression, and no external libraries other than the standard C++, OpenCL, and CUDA libraries are used. What you read is exactly what runs.

On Linux, a preconfigured Makefile handles the entire compilation. One make command and it’s compiled from your local source.

On Windows, a preconfigured Microsoft Visual Studio project file is included. You open it, review the code, and compile. The Pro Windows version produces both a CLI executable and a GUI application — same code, same algorithms, two interfaces according to your preference.

Personal compilation support is included with the Pro license. If you get stuck on the CUDA configuration or the Visual Studio project, I’ll help you through it.

Testing without installing anything locally — Colab, vast.ai, and the rest

Some of you will still hesitate to run the free binary directly on your main machine. That’s a reasonable position, and there are clean alternatives.

Google Colab gives you free GPU access in a notebook environment isolated from your machine. Upload the Linux binary, generate a test wallet whose parameters you fully control, simulate the loss of a few words, and verify that wrecover finds them. You prove the tool works without your real seed phrase ever being involved.

vast.ai is a marketplace for rented GPU compute. You spin up an Ubuntu instance with an NVIDIA card for a few cents to a few euros per hour, upload the Linux binary, run your job, terminate the instance. Your sensitive data only touches an ephemeral session you control. This is actually the approach I recommend even without specific security concerns — renting GPU compute for a one-time recovery is often more economical than buying hardware.

RunPod, Lambda Labs, Paperspace — all valid alternatives in the same category.

For Pro users who want maximum confidence: read the source, compile it in a cloud environment, run it there. You go from “trust an executable” to “compile and run code you personally audited in an isolated environment.” That’s a fundamentally different security position. And above all, avoid trusting tools or so-called cracked versions — go to the official GitHub page and download the free version yourself, or order the Pro version from the official website.

The work file system — because long jobs need reliability

I added this system after seeing too many recovery attempts fail not because of the search space, but because of a simple interruption. You start a 3-day job, the computer restarts, you lose everything and start over. Twice. You give up.

Every recovery job in wrecover creates a .wrec file with -ws -wf your_job.wrec. This file captures the complete state: configuration, parameters, progress counter. An interruption? You resume with -wi -wf your_job.wrec and the counter picks up exactly where it stopped.

Work files are encrypted with a password you choose via -wp — because a work file by definition contains sensitive information about your seed phrase and target address.

They’re also portable. A job started on your desktop can be transferred to a rented GPU instance on vast.ai and resumed there at full speed. The binary format is compatible across all CPU and GPU systems.

The -save-only flag creates the work file without starting recovery — useful for preparing multiple distributed segments and launching them simultaneously on different machines.

What is realistically recoverable — I prefer to be honest

With the right hardware and distributed recovery, here’s what’s feasible:

1 to 3 missing words: recoverable quickly on any NVIDIA card from the last five years. Minutes to hours depending on the card. Even feasible on a good CPU.

4 missing words: tractable with GPU. From 6 days on an RTX PRO 6000 for a 12-word phrase, to 18 hours for a 24-word phrase. Run it on a machine with multiple GPUs or distribute across machines and the times divide linearly.

5 missing words: feasible but computationally expensive. On one RTX PRO 6000, about 33 years for a 12-word phrase, ~4 years for a 24-word phrase. With multiple GPUs in parallel it’s much faster, as shown in the previous example.

6 or more missing words with no constraints: the search space becomes astronomical. I won’t promise you that wrecover solves that in a reasonable timeframe on standard hardware. This is where the model file (Mode 0) becomes crucial — if you have the slightest partial constraint on what the missing words might be, you can reduce the search space by several orders of magnitude before a single hash is computed.

The tool is most powerful when you combine its computational speed with everything you know. Even a vague memory can make the difference between a search of a few days and one of several weeks.

Watch the demo before going further

I published a demonstration video on YouTube showing the software in real operation — the launch, configuring a session, the live speed counter, the output format. No written description replaces seeing the terminal running and millions of seeds scrolling in real time.

The channel is dedicated to wrecover: mode-by-mode tutorials, GPU setup guides, comparative benchmarks between different hardware configurations. If you’re trying to evaluate whether the tool fits your situation, start by watching the demo.

Where to start

If you have a concrete recovery problem, here’s the approach I recommend.

Go to wrecover.github.io and consult the “Which mode to use?” decision table — it maps your exact situation (what you know about the seed phrase, what you know about the passphrase) to the appropriate mode.

Download the free version and test it on a wallet you control. Generate a new wallet, note everything, simulate the loss of one word, verify that Mode 1 finds it. Five minutes of testing that proves the tool works on your hardware before any commitment.

Honestly assess your search space using the performance tables. How many words are missing? Do you have any uncertainty about the passphrase? Is your situation feasible on CPU or does it require GPU?

If you need GPU — rent via Colab or vast.ai to test, or go Pro, compile the source yourself after auditing, and run locally or on rented hardware with full knowledge of what you’re executing.

To conclude

I built wrecover because I couldn’t find what I needed. I designed it to run entirely locally because it’s the only ethical way to distribute this type of tool. And I chose to deliver the source rather than a binary because it’s the only honest way to solve the trust problem.

There are limits to what’s recoverable — I’d rather tell you that clearly than sell you a dream. But for cases where recovery is mathematically feasible, the difference between a well-designed GPU-accelerated tool and an approximate CPU attempt is often the difference between finding the answer and never finding it.

wrecover is available at wrecover.github.io — free version available for download, full documentation online. The Pro version includes complete source code with no obfuscation, a preconfigured Makefile for Linux, a preconfigured Visual Studio project for Windows, CLI and GUI versions, multi-GPU support with linear scaling, and personal compilation support. Intended exclusively for recovering wallets you own or are legally authorized to access.

I built a GPU-accelerated Bitcoin wallet recovery tool that recovered wallet with 4 missing words was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.