How to check whether a wallet.dat is real or fake?

Published November 16, 2022 by Maksim Boiarov


Bitcoin-QT wallet.dat files sometimes even come with password clues or hints for cracking. With some luck, skill, and sufficient computing power, you may be able to recover a lost password, or take a chance on guessing the password to some wallet, and get access to its bitcoins and altcoins. However, most of these files are fake or forged.

How do you verify the authenticity of a file?

The file itself is a Berkeley DB database that includes an address book, private keys, settings and transactions.

1. To get started, use a hex editor to search for the word “xingfeng” (these are the most popular fakes, made in China). If you find that website address in the file, there is no need to go on. Sorry, it’s fake.


2. Next, put the file into the ‘wallets’ folder and synchronize it with Bitcoin-QT. If the balances are shown as watch-only entries, then the addresses are view-only and the file contains no private keys at all.


Sometimes a forger uses a hex editor to replace only the wallet address. Old transactions and the balance then appear after synchronization, so the wallet looks real.

3. However, if you send coins (even dust) to that address, the transaction will not occur, because the real address is different.

4. Also, the number of transactions in the list must match the number shown in blockchain explorers. All the incoming and outgoing addresses can be found by searching for "name" in the hex editor. If there is a discrepancy in the number of transactions, then the wallet is 100% fake too.


5. In old wallets, creating a new address generates several addresses at once, all of which are stored in the file, so the file size changes.

6. After the adoption of BIP32 (HD Wallet), a new bitcoin address is created for each payment, the keys are stored in xpriv, and the file size does not change regardless of the number of addresses. This is another way to spot a fake. In addition, you can check that the address types (segwit or p2pkh) are consistent with the wallet version.


7. If the wallet.dat file is opened in the Bitcoin-QT application as the default wallet, enter the following CLI command: "dumpprivkey 1LfV1tSt3KNyHpFJnAzrqsLFdeD2EvU1MK", which returns one of:

  • code 10 (or 13), which means you must enter a passphrase (password):
    Error: Please enter the wallet passphrase with walletpassphrase first. (code -13)
  • The private key, if the password is entered or not set
  • error "Private key for address 1LfV1tSt3KNyHpFJnAzrqsLFdeD2EvU1MK is unknown (code -4)", which means the file is fake.
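The hex-editor searches from steps 1 and 4 and the console result from step 7 can be scripted. This is an added example, not code from the original article; the function names, the assumed record layout (a length-prefixed "name" key followed by a length-prefixed address) and the sample bytes are constructed for illustration.

```python
import re

FAKE_MARKER = b"xingfeng"   # step 1: string the article reports in the common fakes
NAME_KEY = b"\x04name"      # assumed layout: length-prefixed "name" key, then address
ADDRESS = rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{11,71}"
WIF_KEY = r"[5KL][1-9A-HJ-NP-Za-km-z]{50,51}"   # shape of an exported private key

def static_scan(data: bytes) -> dict:
    """Steps 1 and 4 on the raw bytes: marker search plus address-book entries."""
    found = set()
    for m in re.finditer(re.escape(NAME_KEY) + rb"([\x1a-\x3e])", data):
        length = m.group(1)[0]                      # one-byte length of the address
        candidate = data[m.end():m.end() + length]
        if re.fullmatch(ADDRESS, candidate):        # skip stray "name" byte sequences
            found.add(candidate.decode("ascii"))
    return {"marker": FAKE_MARKER in data.lower(), "name_addresses": sorted(found)}

def classify_dumpprivkey(output: str) -> str:
    """Step 7: map the console reply to the three outcomes the article lists."""
    m = re.search(r"code:?\s*(-?\d+)", output)
    if m:
        return {-13: "locked", -4: "fake"}.get(int(m.group(1)), "inconclusive")
    return "key-present" if re.fullmatch(WIF_KEY, output.strip()) else "inconclusive"

def triage(data: bytes, dumpprivkey_output: str) -> dict:
    """Collect the reasons to treat the file as fake, plus addresses to cross-check."""
    scan, reasons = static_scan(data), []
    if scan["marker"]:
        reasons.append("marker string present")
    if classify_dumpprivkey(dumpprivkey_output) == "fake":
        reasons.append("no private key for the advertised address")
    return {"fake": bool(reasons), "reasons": reasons, "name_addresses": scan["name_addresses"]}

# Constructed sample bytes: one address-book record followed by the marker string.
ADDR = b"1LfV1tSt3KNyHpFJnAzrqsLFdeD2EvU1MK"        # address used in step 7
SAMPLE = b"\x00" * 8 + NAME_KEY + bytes([len(ADDR)]) + ADDR + b"\x05label" + b"xingfeng.invalid"

if __name__ == "__main__":
    print(triage(SAMPLE, "Private key for address ... is unknown (code -4)"))
```

A "locked" result only says the wallet is encrypted; the addresses returned in `name_addresses` still have to be compared with a blockchain explorer as step 4 describes.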

List of fake wallet.dat files:

| Wallet name | Address | Password |
|---|---|---|
| 11.26827053.dat | 1NibfhHfgA857dtG6pB25Y5hDcxpDo2J47 | 12aVP18cd5XsbcGQy8u6eywQ6UuA6Q319s |
| 70.01000000.dat | 17w8w8ZHdqkSYFkhAMfHJaEqCHgHm9egKv | 12aVP18cd5XsbcGQy8u6eywQ6UuA6Q319s |
| 25.00011094.dat | 12BycRrxPivnhnwfD5qfKaE7ccAc1qhrCb | 12aVP18cd5XsbcGQy8u6eywQ6UuA6Q319s |
| 5.03448336.dat | 1JWXHwtBuVGDDjrVDQNFaBHhw7AhuuPeV9 | 12aVP18cd5XsbcGQy8u6eywQ6UuA6Q319s |
| 28.12063817.dat | 1ELCrM2FMXePtsGLRbcqAdhj61EUGmUtK9 | [email protected] |
| 14.09013974.dat | 1GDcVTrZNhVFt7pEnwvHfepoth6mqHVVvq | 🔒 |
| 11.26828169.dat | 1NibfhHfgA857dtG6pB25Y5hDcxpDo2J47 | 🔒 |
| 51.99952188.dat | 12DE6ff6gxLA1JfV7eaGG4ehUUUpZMo8Bo | 🔒 |

Well, those are unsophisticated ways to spot and avoid fake wallet.dat files. In general, beware of scammers. The rules are as plain as day: purchase only from sellers with a positive history, require time for verification, or buy using escrow. Scammers typically do not let you take your time to check a file; they may haggle or sell several files for the price of one, but, as practice shows, once they get the money they disappear. So be careful and good luck!