The Bitcoin ecosystem produced dozens of wallet applications during its first decade. Each stored private keys differently, used different encryption if any, and created different files. Recovery difficulty varies significantly — not because some wallets are inherently harder to break, but because different formats have different properties that affect what approaches work.
Bitcoin Core (wallet.dat)
File: wallet.dat
Encryption: AES-256 with PBKDF2-SHA512 key derivation (when enabled)
Recovery difficulty: Moderate to high for encrypted wallets; trivial for pre-2011 unencrypted wallets
Bitcoin Core is the original and most common wallet type found on old machines. The key derivation function is intentionally slow — designed to make brute-force attacks impractical. On an RTX 3080 GPU, you get roughly 11,000 password attempts per second. This makes recovery feasible when you have good information about the password, and very difficult for truly random passwords.
The format is well-understood and supported by all major recovery tools. Wallets created before September 2011 are unencrypted and trivial to access — the private keys are stored in plaintext.
Electrum
File: default_wallet (no extension, in a .electrum/wallets/ folder)
Encryption: AES-256 with PBKDF2-SHA512 (optional, same as Bitcoin Core)
Recovery difficulty: Similar to Bitcoin Core for encrypted wallets; seed phrase recovery possible
Electrum was introduced in 2011 as a lightweight alternative to Bitcoin Core. Its defining feature: wallets are generated from a seed phrase (called a "seed" in earlier versions, 12 words). If the seed phrase is available, the wallet can be fully restored on any Electrum installation regardless of the original file.
The file has no extension, which means forensic scans searching only for .wallet or .dat extensions will miss it. A complete investigation needs to scan the .electrum folder specifically and also search unallocated space for the file signature.
MultiBit Classic
Files: [name].wallet and [name].key
Encryption: AES-256-CBC with scrypt key derivation
Recovery difficulty: Easier than Bitcoin Core — scrypt with MultiBit's parameters is faster to crack
MultiBit was a popular lightweight wallet from 2011 to 2017, when it was discontinued. It created two files: a .wallet file containing the wallet structure and a .key file containing the encrypted private keys. The scrypt parameters used by MultiBit Classic result in faster cracking speeds than Bitcoin Core, making password recovery more feasible even for moderately complex passwords.
Both files are needed for recovery. Finding only one without the other limits options significantly.
MultiBit HD
Files: mbhd.wallet.aes (in a folder with a random-looking name)
Encryption: AES-256 with different parameters than MultiBit Classic
Recovery difficulty: Moderate; seed phrase recovery preferred
MultiBit HD (introduced around 2014) used a different architecture from Classic — HD wallets generate all addresses from a single seed phrase. The wallet file has an .aes extension. As with Electrum, if the seed phrase is available, full recovery is possible without touching the encrypted file.
Blockchain.com (formerly Blockchain.info)
File: wallet.aes.json (often downloaded to the user's Downloads folder)
Encryption: AES-256-CBC with PBKDF2
Recovery difficulty: Moderate; also recoverable via web interface with email access
Blockchain.com was a hugely popular web wallet from 2011 onward. Users could download encrypted backup files (wallet.aes.json) that contain the wallet data. If such a file is found on an old machine, recovery requires the password. However, if you have access to the email address used to register the account, the web interface may provide another path to account access through Blockchain.com's own recovery procedures.
Armory
Files: armory_[id].wallet
Encryption: AES-256 with custom key derivation
Recovery difficulty: High; limited tool support
Armory was an advanced wallet application aimed at security-conscious users, discontinued around 2018. It used a custom key derivation scheme and the file format has limited support in modern recovery tools. Recovery is possible but requires more specialized work than Bitcoin Core or Electrum.
Hardware wallets (Ledger, Trezor)
Storage: On-device secure chip
Recovery: Seed phrase only (PIN alone gives device access; seed phrase needed for full recovery without device)
Hardware wallets store private keys on a secure chip that never exposes them, even to the connected computer. There is no file to recover. Recovery requires either the device PIN (to access the device directly) or the 24-word seed phrase (to restore the wallet on any compatible device). Without one of these, hardware wallet assets are generally inaccessible — PIN attempts are limited and wiping is automatic after too many failures.
What all of this means practically
When you find an old wallet, identifying what software created it is the first step — because that determines what tools apply, what the cracking speed will be, and whether a seed phrase recovery path exists. A professional investigation will identify the wallet type, extract the necessary hash for cracking, verify the balance before investing in recovery, and apply the appropriate methods for that specific format.
Across all encrypted wallet types, the single biggest factor in recovery success is what you know about the password. Wallet type affects speed and method — but targeted information about how the password was created is what actually makes recovery possible or impossible in most cases.
Have a situation like this?
Book a free 15-minute consultation. We'll assess your situation honestly and explain exactly what investigation would involve — no obligation to proceed.
Book a Free Consultation