Bitcoin2john
By default, the script prefixes the hash with the filename (e.g., wallet.dat:). John the Ripper does not tolerate this prefix. You must remove it.
Manual method: Open wallet_hash.txt in a text editor and delete everything before $bitcoin$.
Command-line method (Linux/macOS):
cat wallet_hash.txt | cut -d ':' -f 2 > clean_hash.txt
Now clean_hash.txt contains only the hash line.
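The cut command above splits on the first colon, so a wallet path that itself contains a colon leaves part of the path in clean_hash.txt instead of the hash. The following is an added example, not part of the original page or of the Bitcoin2john script: it keeps everything from $bitcoin$ onward and rejects lines that do not look like a hash. The function names, the sample hash values, and the hex-and-$ character check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: strip any "filename:" prefix from hash-extraction output.

# Constructed sample hash: made-up field values, not from any wallet.
SAMPLE_HASH='$bitcoin$8$0a1b2c3d$4$a1b2$1000$2$00$2$00'

# Constructed extraction output: a path containing a colon, a line that
# already has no prefix, and a line that carries no hash at all.
sample_extract_output() {
    printf '%s\n' "backup:2019/wallet.dat:$SAMPLE_HASH" \
                  "$SAMPLE_HASH" \
                  "note: this line carries no hash"
}

# Read extraction output on stdin, print bare $bitcoin$ lines on stdout.
# Exit status is non-zero when no usable hash line was found.
clean_bitcoin_hash() (
    tag='$bitcoin$'
    cr=$(printf '\r')
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}              # tolerate CRLF line endings
        case $line in
            *"$tag"*) ;;                # candidate hash line
            *) continue ;;              # notes, blank lines: drop
        esac
        # Keep the tag and everything after it, whatever preceded it.
        line=$tag${line##*"$tag"}
        # Assumption: after the tag, only hex digits and "$" separators.
        if printf '%s\n' "$line" | grep -Eq '^\$bitcoin\$[0-9a-fA-F$]+$'; then
            printf '%s\n' "$line"
            found=1
        else
            printf 'skipping malformed hash line\n' >&2
        fi
    done
    [ "$found" -eq 1 ]
)

# Demo on the constructed sample; with real data:
#   clean_bitcoin_hash < wallet_hash.txt > clean_hash.txt
sample_extract_output | clean_bitcoin_hash
```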
Bitcoin Core wallets (wallet.dat) are encrypted using a master key derived from a user passphrase. To recover a lost passphrase, one cannot simply "decrypt" the file directly without the key. Instead, the file contains a "checksum" or verification block derived from the master key.
Bitcoin2John extracts this verification block, the salt, and the iteration count, formatting them into a hash string that password cracking software can understand.
Simply running Bitcoin2john and feeding the hash to John with a standard wordlist rarely works. Most lost Bitcoin passwords are not "password123"; they are personal.