Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Bitcoin Technical Support
Topic OP
Regaining access to wallets in veracrypt after MacBook catastrophe - REWARD
by
andrew2406
on 07/06/2025, 04:25:21 UTC
I’m reaching out for urgent assistance with a complex data recovery case involving a 2015 MacBook Pro with a soldered internal SSD (~1TB capacity). The device may have contained a hidden Veracrypt or TrueCrypt volume holding cryptocurrency wallet data. We’re seeking to recover this encrypted volume or any associated wallet files.

I am happy to offer a very generous reward to anyone who can figure out how to get this done



Background:


   •   The MacBook likely had a hidden Veracrypt volume stored on the internal SSD.
   •   This volume contained critical crypto wallet files, including:
   ◦   Cake Wallet (Monero) – likely stored with a .keys file or 25-word seed phrase.
   ◦   XMR (monero official wallet)
   ◦   exodus wallet
   •   The computer was later:
   ◦   Involved in a failed Linux dual-boot install (possibly overwriting sectors of the drive)
   ◦   Reformatted and reinitialized with macOS APFS volumes, which now show nearly the entire drive as “free space”
   •   
   •   The Veracrypt volume is no longer visible or mountable, and tools like TestDisk and PhotoRec have not located it.





What We’re Hoping To Recover:


   •   The hidden Veracrypt volume, if still intact deeper on the SSD (e.g., in unallocated or untouched sectors)
   •   Any fragments or full copies of:
   ◦   wallet.stronghold
   ◦   .keys, .json, or .txt files
   ◦   Plaintext or partial seed phrases
   •   
   •   A forensic clone or chip-off recovery if required to bypass TRIM or file system interference

Technical Notes:


   •   SSD is soldered (non-removable)
   •   Veracrypt header may have been overwritten
   •   TRIM status is unknown (but Linux install failed, so possibly never triggered)
   •   Visible volumes now show APFS structure with ~3TB free on each

Request:


Could your team perform:

   •   Full forensic-level SSD image extraction (chip-off if necessary)
   •   Sector-level entropy scanning for encrypted volumes
   •   Recovery attempts for Veracrypt hidden volumes (mounting with offsets)
   •   File carving or keyword searches for seed phrases or wallet files


I’m happy to provide the full MacBook for recovery, or any other details needed.

Please advise:

   •   Whether this is within your scope of services
   •   The process, expected timeline, and potential costs
some extra detail:on what we tried;

When we got the Mac back it had errors booting, believe it was the ? Icon showing. Every step here took a long time, system seemed to we very sluggish

We connected another Mac via usb and did a DFU revive (100% a revive, not a restore) which then made the Mac boot very quickly. I don't recall if that was the original install of macOS from before the laptop was taken or if it was a fresh install. 

From there we installed veracrypt to try and access that partition. We didn't have any success. 

Because the SSD is soldered on we then installed a Linux distribution, FreeBSD on an external hard drive and then tried to access drive again