Recovering lost bitcoins: what to actually do

"I lost my bitcoins" actually covers a dozen distinct scenarios whose recovery feasibility ranges from 100 % to 0 %. Identifying exactly which one applies is the first step : a missing word in a seed phrase×Seed phraseSequence of 12 or 24 words (usually in English) that encodes your master key. Universal wallet backup : with these words, you can restore your funds on any compatible software.See in the lexicon → has nothing to do with a wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → deleted from a hard drive, which has nothing to do with losing access to an exchange×ExchangeService that lets you buy, sell and swap cryptocurrencies against fiat money. Examples : Kraken, Coinbase, Bitstamp, Bitvavo. Most are custodial.See in the lexicon →.

Bitcoin has a particular asymmetry. When the seed is known but incomplete, cryptography leaves exploitable brute-force×Brute-forceTrying every possible combination of a password or passphrase. Ineffective against a long random password, viable against a short one.See in the lexicon → margins (BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → checksum, alternative derivation, forgotten passphrase×PassphraseExtra word or phrase you add to your seed phrase to create a hidden wallet. Optional security layer, independent of the seed.See in the lexicon →). When the seed is completely lost, on the other hand, cryptography holds and the bitcoins become inaccessible for the lifetime of the universe.

This article maps the loss scenarios, indicates the technical feasibility of recovery for each, presents the legitimate tools (BTCRecover, Wallets Recovery, Wallet Recovery Services) and the fake recovery scams to avoid, and gives a cost/benefit decision tree before engaging a provider.

Mapping the loss scenarios

Not all losses are equal. Before tackling a case, diagnosing it lets you estimate whether the effort is worth it, and which tool to bring out. The table summarises the ten most common scenarios encountered in 2026.

Four diagnostic principles to apply before any technical effort.

• Confirm it really is your wallet. Before recovering, verify×Don't trust, verifyBitcoiner mantra. Trust no one (bank, government, exchange, influencer), verify on your own through your own node.See in the lexicon → that the public addresses match. A seed determines a wallet, and you can test by generating the first addresses with an offline tool like Iancoleman BIP39 (local page, never online) and comparing to addresses you find in your history or old screenshots. Saves dozens of hours down a wrong lead.
• Assess the value at stake. 0.001 BTC, 0.1 BTC, 1 BTC: strategy changes. For 0.001 BTC (50 EUR in 2026), only minute-level recovery scenarios are worth the effort. For 1 BTC (~50,000 EUR), even a multi-week effort with a dedicated GPU stays profitable.
• Document before touching. Photograph the support (paper seed, wallet screenshot, stuck-transaction log) before any manipulation. A panicking user who resets the hardware wallet or wipes wallet.dat before attempting recovery turns a medium case into a hopeless one. The rule: freeze the scene, then think.
• Test on a subset. Before launching a 48 h brute-force×Brute-forceTrying every possible combination of a password or passphrase. Ineffective against a long random password, viable against a short one.See in the lexicon →, check the command runs on the first 100 combinations. Otherwise you come back 48 h later to find a typo invalidated everything.

Four fake scenarios circulate and lead to absurd decisions. "I forgot my Coinbase password": that is a Coinbase reset problem through KYC×KYC (Know Your Customer)Mandatory identification procedure that regulated platforms apply to their users : ID document, proof of address, and so on.See in the lexicon → customer service, not a wallet recovery. "I heard miners retrieve lost blocks": complete confusion; a mined block does not recover a wallet. "A service told me they can recover any lost seed for 30 %": every service demanding an upfront fee is a scam, no exceptions. "My old 2013 paper wallet is worthless now": false; dormant funds never expire on Bitcoin, and the blockchain×BlockchainA public, shared ledger that records every Bitcoin transaction in blocks linked together cryptographically. Each participant in the network keeps a copy.See in the lexicon → keeps the UTXO×UTXO (Unspent Transaction Output)« Chunk » of bitcoin received and not yet spent. A wallet does not have a single balance, it has a collection of UTXOs whose sum makes up the balance.See in the lexicon → indefinitely.

Recovering a partial BIP39 seed

BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → uses a 2048-word dictionary. For each unknown word, you have 2048 candidates. Total combinations to test is 2048^n where n is the number of unknown words. The counter rises fast but stays within reach for n=1, 2 and even 3 with consumer hardware.

Concrete brute-force×Brute-forceTrying every possible combination of a password or passphrase. Ineffective against a long random password, viable against a short one.See in the lexicon → feasibility numbers on a modern desktop CPU (Ryzen 9 or equivalent, ~10,000 attempts/second):

• 1 unknown word. 2,048 combinations. Seconds. Near-certain feasibility.
• 2 unknown words. ~4.2 million. 5 to 10 minutes on CPU, instant on GPU. High feasibility.
• 3 unknown words. ~8.6 billion. 10 days on CPU, 2 to 6 hours on high-end GPU (RTX 4090). Reasonable if the value at stake justifies it.
• 4 unknown words. ~17,600 billion. 50 years on CPU, ~2 months on GPU. Practically infeasible except dedicated topic, and even there marginal.
• 5+ unknown words. Impossible barring a cryptographic break.

The reference tool is btcrecover, an open-source Python project maintained by Christopher Forster (and its active fork×Fork (soft fork, hard fork)Change to the protocol rules. A soft fork stays compatible with old nodes (SegWit, Taproot); a hard fork creates a separate chain (Bitcoin Cash in 2017).See in the lexicon → 3rdIteration/btcrecover). Install via git clone, pip dependencies (libsecp256k1×libsecp256k1Reference cryptographic library for Bitcoin, written in C and maintained by the Bitcoin Core developers. Used by almost every serious wallet.See in the lexicon →, ecdsa×ECDSALegacy signature algorithm used by Bitcoin before Taproot. Signs a transaction with a private key to prove ownership.See in the lexicon →, coincurve). Typical use for 2 unknown words at positions 5 and 11 of a 12-word seed:

• Prepare a mnemonic.txt with the 12 words, putting `?` or a placeholder for unknowns: abandon ability able about ? actor actress actual ? add address admit.
• Run the command: python seedrecover.py --addrs bc1q... --addr-limit 20. The script tests every combination and verifies each by deriving the first addresses and comparing to the supplied address.
• Supplying a known public address dramatically speeds up verification: the script finds the seed as soon as a combination yields that address in the first 20 derivations.

Three common specific variants to know.

• Uncertain word order. If you have the 12 words but not the order, btcrecover token mode permutes positions. 12! = 479 million permutations, brute-forcable in a few GPU hours. Variant: do not forget that BIP39 embeds a checksum on the last 4 bits of the final word, so only 6.2 % of permutations are valid, further accelerating.
• Misread word but partial letters. If you read "abandxx" with two blurry letters, restricting the candidate list to BIP39 words starting with "aband" leaves 1 or 2 candidates. The BIP39 prefix is enough: every dictionary word is uniquely identifiable by its first 4 letters.
• Unknown BIP39 passphrase×PassphraseExtra word or phrase you add to your seed phrase to create a hidden wallet. Optional security layer, independent of the seed.See in the lexicon → with known structure. If the passphrase is for example "MyPhrase[year]!" and you do not remember the year, btcrecover token mode tests 100 years in seconds. The structure "M????1988!" with 4 unknown alpha-numeric characters = ~14 million tests, feasible in hours.

Recommended hardware for serious brute-force: a recent GPU (RTX 4080 or 4090) accelerates 50 to 100 times over CPU. One-off rental of a cloud GPU (vast.ai, runpod) at 0.5 to 1 USD/h stays profitable against a lost 5,000 EUR+ holding. Always disable internet during the operation: btcrecover runs 100 % offline, and plugging the network exposes the derived seed to any malware.

Forgotten wallet.dat password

Before BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → and hardware wallets, Bitcoin Core×Bitcoin CoreReference implementation of the Bitcoin software, written in C++ and maintained by an open-source community. This is the software that most nodes run.See in the lexicon → and its derivatives stored private keys in a wallet.dat file protected by a symmetric password. Many 2011-2017 users backed up a wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon →.dat on USB stick or external drive, then forgot the password. If you find that file in 2026 and the value has skyrocketed, recovery often is worth it.

Four prerequisites before launching brute-force×Brute-forceTrying every possible combination of a password or passphrase. Ineffective against a long random password, viable against a short one.See in the lexicon →.

• Retrieve the file intact. The wallet.dat must be at least a few dozen KB. A 0-byte or truncated file is unusable. If the USB stick is damaged, try ddrescue or TestDisk first. Make a working copy and leave the original untouched.
• Identify the version. Bitcoin Core 0.13, 0.16, 0.19, 0.21, 25.0 use slightly different formats. btcrecover detects most automatically, but some forks (Litecoin Core, Dogecoin Core, Bitcoin ABC) require a specific option. Document the original version through usage history.
• List the memories. What btcrecover can use: approximate password length, presence of uppercase, digits, special characters, blocks of words you used at the time, anniversary dates, family names, language. The more precise the memories, the smaller the search space.
• Have the hardware. wallet.dat decryption uses SHA-512 iterated 100,000+ times. On desktop CPU: 5 to 20 attempts/s. On GPU: 5,000 to 50,000 attempts/s. For an 8-character password unknown only among a-z and 0-9, that is 2,800 billion combinations, 2 to 3 years on CPU, 1 to 2 months on high-end GPU.

Practical approach with btcrecover and a wallet.dat whose password you know contains the words "bitcoin", "2014", "zurich" in a fuzzy order, plus a special character at the end:

• Prepare a tokenlist.txt:
  bitcoin
2014
zurich
!@#$%
• Run: python btcrecover.py --wallet wallet.dat --tokenlist tokenlist.txt --no-eta
• btcrecover tests every permutation and concatenation of tokens. For 4 tokens with optional spaces and variable case, ~10 million tests, a few minutes on GPU.

When memories are really fuzzy ("maybe something with one of my cats"), btcrecover also handles full dictionaries (English or German dictionary, 100,000 words) with mutation rules (capitalisation, leetspeak, numeric suffixes). Huge search space but tractable if you have a few GPU weeks to spend.

Three third-party services exist for cases where you cannot or do not want to brute-force yourself: Dave Bitcoin (walletrecoveryservices.com), Wallet Recovery Services Ltd, and a few specialised operators. All work on a percentage of recovery: typically 20 % of the recovered wallet, paid only on success, never upfront. Categorically refuse any service demanding an initial payment: it is invariably a scam. The proper service sends a cryptographic signature proving access to the wallet before any transfer, and the payment transaction goes from the recovered wallet to their address only.

Dust, undersized UTXOs, stuck transactions

Three common situations look like a loss while being trivial once you know the mechanics: stuck transaction, dust, and UTXO×UTXO (Unspent Transaction Output)« Chunk » of bitcoin received and not yet spent. A wallet does not have a single balance, it has a collection of UTXOs whose sum makes up the balance.See in the lexicon → too small to spend.

• Stuck transaction (too-low fees). You sent a transaction two weeks ago at 1 sat/vbyte when the network demanded 30. Miners ignore your transaction sitting in the mempool×MempoolWaiting area where Bitcoin transactions sit before being included in a block. The fuller the mempool, the higher the fees required.See in the lexicon →. Two solutions. Replace-by-fee (RBF×RBF (Replace-By-Fee)Mechanism that lets you replace an unconfirmed transaction with a new one carrying higher fees, in order to speed it up.See in the lexicon →): if your sending wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → enabled the RBF flag (default on Sparrow, Electrum, BlueWallet, Phoenix), reopen the wallet, select the stuck transaction, and choose "bump fee". The wallet rebroadcasts the same transaction with higher fees; miners prefer the best-paid version. Child-pays-for-parent (CPFP×CPFP (Child Pays For Parent)Alternative to RBF where a high-fee child transaction pulls its stuck parent out of the mempool.See in the lexicon →): if RBF was not enabled, receive a dust from the stuck transaction to another address of yours (self-transfer), then spend that dust with very high fees. Miners must confirm the parent transaction to include the child, so your fund moves.
• Dust of a few sats. A wallet contains 1,200 sats (~0.50 EUR) received as a tip or leftover. Current network fees require 800 sats per transaction, so sending those 1,200 sats costs 800 sats in fees, 67 % friction. Two solutions. Consolidation×Consolidation (UTXO batching)Merging several small UTXOs into one during a low-fee period, to avoid paying dearly when spending them later. A common wallet management practice.See in the lexicon →: open Sparrow, manually select the dust as an input in a transaction that includes other UTXOs from the same wallet, and merge into a new single output. Fees are then pooled over the total. Coinjoin×CoinJoinTransaction-mixing technique where several users combine their UTXOs into one large transaction, in order to break the input / output link.See in the lexicon →: Whirlpool (Samourai) or Wabisabi (Wasabi Wallet) mix your dust with other outputs, and you come out with a unified, more usable UTXO. Privacy bonus.
• UTXO below Bitcoin Core×Bitcoin CoreReference implementation of the Bitcoin software, written in C++ and maintained by an open-source community. This is the software that most nodes run.See in the lexicon → dust threshold. Bitcoin Core by default refuses to relay transactions with an output below 546 sats (varies by address type). If your wallet holds a 200-sat UTXO, you literally cannot spend it alone. Solution: receive a new transaction on it (even a few thousand sats) to combine, or wait for network fees to drop enough to make spending profitable. Some low-activity periods see fees fall to 1 sat/vbyte, bringing transaction cost to 100 sats and making the dust spendable.

The indispensable tool for these operations is Sparrow Wallet, which exposes UTXOs one by one in its "UTXOs" tab. You see each input with amount, age, address, and can select them manually as transaction inputs. Electrum desktop does the same in advanced mode. Mainstream mobile wallets (Phoenix, Muun) hide UTXOs and do not allow that fine-grained handling; for troubleshooting, going through Sparrow or Electrum is mandatory.

Practical case of a 0.01 BTC stuck transaction sent at 2 sat/vbyte when the network requires 25.

1. Open Sparrow, load the sending wallet, transactions tab.
2. Select the unconfirmed transaction, right-click, "Bump fee" (if RBF flag), enter 30 sat/vbyte. Sign.
3. Broadcast. The new transaction reuses the same inputs and outputs, replaces the old in the mempool, and confirms in the next block or the next 6. Extra fees: ~5,000 sats (~2 EUR).

If the transaction predates 2020 and the wallet had no RBF, the same operation goes through CPFP. More complex but possible with Sparrow or Electrum. Important note: an unconfirmed transaction is not lost. It stays in the mempool as long as peers keep it (typically 14 days), and even if it expires it can be rebroadcast by the sender. Funds are never inaccessible, just pending.

Old supports, paper wallets and forks

Three families of legacy supports raise specific challenges: pre-2017 paper wallets, brain wallets and WIF private keys, and bitcoins awaiting post-fork×Fork (soft fork, hard fork)Change to the protocol rules. A soft fork stays compatible with old nodes (SegWit, Taproot); a hard fork creates a separate chain (Bitcoin Cash in 2017).See in the lexicon → claims (Bitcoin Cash 2017, Bitcoin SV, Bitcoin Gold).

• Unreadable or partial paper wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon →. A paper wallet printed in 2014 typically contains a public key×Public keyNumber derived mathematically from the private key, used to build a Bitcoin address. Can be shared freely.See in the lexicon → (address, at the top) and a WIF private key×Private keySecret number that proves ownership of bitcoins at a given address. Whoever holds the private key holds the bitcoins. Never share it and never store it in plain text.See in the lexicon → (at the bottom, format 5KQwrPbwdL6PhX...). If the public key is readable but the private key damaged by humidity, tear or fading, several options. Manual reconstruction: one unreadable WIF character gives 58 candidates (base58), retriable in minutes. Three unreadable characters give 195,000 candidates, still feasible. Optical recognition: high-resolution scanner, Photoshop processing to recover contrast, visual validation. If nothing works, the key is lost. Never type a clear private key on an internet site, even allegedly offline: use offline Sparrow or Electrum to import the WIF.
• 2013 brain wallet. Mnemonic phrase passed through SHA-256×SHA-256Hash algorithm used by Bitcoin for proof of work and block hashing. Produces a 256-bit fingerprint (64 hexadecimal characters).See in the lexicon → to generate the private key. Deprecated method because weakly entropic phrases ("satoshi nakamoto×Satoshi NakamotoPseudonym of the creator (or collective) behind Bitcoin. Active on forums from 2008 to 2011, then vanished without revealing any identity. Holds roughly 1.1 million BTC that have never moved.See in the lexicon →", "to be or not to be") were massively brute-forced from 2015. If you remember the exact phrase, SHA-256 hash×HashFunction that turns data of any size into a fixed-size fingerprint. The same input always yields the same output, but you cannot go back from output to input.See in the lexicon → offline with a tool like Iancoleman and import in Sparrow as WIF. If you remember it approximately, btcrecover handles brain wallets with mutations. Real risk: if the phrase was weak, the wallet is probably empty long since. Check the address on mempool.space×mempool.spaceReference open-source Bitcoin explorer in 2026. Visualisation of blocks, fees and the mempool. Launched by Wiz and the mempool.space team.See in the lexicon → before investing in recovery.
• Bitcoin Cash and other fork claims. In August 2017, Bitcoin forked and gave birth to Bitcoin Cash (BCH). Everyone holding pre-fork BTC received the same quantity in BCH, but only if they controlled their seed (not if BTC sat on a centralised exchange×ExchangeService that lets you buy, sell and swap cryptocurrencies against fiat money. Examples : Kraken, Coinbase, Bitstamp, Bitvavo. Most are custodial.See in the lexicon → that did not distribute). If you find in 2026 a seed controlled in 2017, you can claim BCH (and BSV from 2018, and Bitcoin Gold from 2017) by importing the seed in Electron Cash, Electrum SV, and BTG Wallet respectively. Beware of replay attack: signing a BCH transaction can be replayed on Bitcoin (and vice versa) if the chains are not anti-replay. Solution: first do a "splitter" transaction that separates the two chains via a unique transaction on each chain, before any other move.

Three pitfalls specific to old supports.

• Fork-claim malware. In 2017-2019, allegedly "official" Bitcoin Cash and Bitcoin Gold sites proposed to "validate your seed for claim". Most were malware that drained the seed once typed. Always use verified open-source tools (Electron Cash downloaded from electroncash.org with PGP verification, never from Google or a forum).
• Old Bitcoin Core×Bitcoin CoreReference implementation of the Bitcoin software, written in C++ and maintained by an open-source community. This is the software that most nodes run.See in the lexicon → addresses. Before 2017, Bitcoin Core used legacy addresses starting with 1... (P2PKH). Modern wallets today use bc1q... (SegWit×SegWit (Segregated Witness)Upgrade activated in 2017 that separates signature data from the rest of the transaction. Lowered fees and paved the way for Lightning Network.See in the lexicon →) or bc1p... (Taproot×TaprootMajor Bitcoin upgrade activated in November 2021 (BIP 341). Brings more privacy, scripting flexibility and the efficiency of Schnorr signatures.See in the lexicon →). A BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon → seed imported in a modern wallet generates bc1q... by default, not 1.... If your paper wallet shows a 1... address, you must configure the recovery wallet in legacy mode (P2PKH) to find the right UTXO×UTXO (Unspent Transaction Output)« Chunk » of bitcoin received and not yet spent. A wallet does not have a single balance, it has a collection of UTXOs whose sum makes up the balance.See in the lexicon →.
• Very old wallets (Bitcoin Core 0.1-0.5). 2009-2011 Bitcoin Core versions used a wallet.dat format without encryption, with a pool of 100 pre-generated keys. If the user made more than 100 receive transactions, some addresses may be outside the initial pool and require a rescan with Bitcoin Core 0.21+ or an import in Electrum legacy. Serious technical effort, but documented on Stack Exchange Bitcoin.

A practical note on fork-derived altcoins. In 2026, BCH and BSV represent about 0.7 % and 0.2 % of Bitcoin's value respectively. On a wallet holding 0.5 BTC in 2017, the claim gives ~0.5 BCH (~150 EUR) and ~0.5 BSV (~25 EUR), so 175 EUR total. Compared to the 25,000 EUR of the original 0.5 BTC. The margin does not justify effort if operating fees (Ethereum gas to route through a DEX, withdrawal fees) exceed. But on larger packets (10+ pre-2017 BTC), the claim stays profitable.

Ethical limits and when to give up

Bitcoin recovery is technically fascinating, but hits two rarely-discussed limits: the ethical limit on others' wallets, and the practical limit of cost-benefit calculation.

On the ethical front, one rule applies: you only recover wallets you legitimately held. Not a deceased brother's seed without a testament in your favour, not a friend's seed who forgot to come back in time, not a wallet×WalletSoftware or device that manages your Bitcoin keys and lets you sign transactions. A wallet does not really « hold » your bitcoins, it holds the keys that prove you own them.See in the lexicon → found on a second-hand hard drive, not a seed overheard by chance. In all those cases, you are not the holder even if you have technical access. Three concrete consequences.

• Accidental access theft. Recovering a wallet found on a flea-market hard drive is legally embezzlement (CH: art. 137 CP, FR: art. 311-1 of the Penal Code, DE: Unterschlagung §246 StGB, IT: appropriazione indebita art. 646 c.p.). Bitcoins have a holder even if you do not know them. The moral rule: return if you find the owner, or do not touch.
• Post-mortem recovery outside succession. If your cousin dies without testament and you find their seed, you cannot spend it. The seed enters the estate and must be declared to the notary, who distributes according to legal succession rights. Moving the seed before that exposes you criminally, and on-chain forensics can prove the move.
• Phishing×PhishingAttack where someone impersonates a legitimate service via email, SMS or clone website, in order to extract your credentials or your seed phrase.See in the lexicon → disguised as recovery. You see online a help call "I lost my seed, here are 11 words, help me find the 12th". Never brute-force×Brute-forceTrying every possible combination of a password or passphrase. Ineffective against a long random password, viable against a short one.See in the lexicon → a seed someone else handed you: the majority of those messages are traps (the brute-force succeeds, you discover a filled wallet, you transfer to an address provided by the "owner", and the address belongs to the trapper who will exploit your signature). If the situation is sincere, the owner does the brute-force themselves or formally engages you by contract.

On the cost-benefit side, six criteria to weigh before launching a long operation.

1. Estimated wallet value. Check the current balance on mempool.space×mempool.spaceReference open-source Bitcoin explorer in 2026. Visualisation of blocks, fees and the mempool. Launched by Wiz and the mempool.space team.See in the lexicon → before any effort. A wallet showing 0 BTC is not recoverable, it is recovered (by someone else, or by yourself 10 years ago and forgotten). Also watch the current EUR/CHF value, not the value at creation.
2. Personal time cost. A recovery taking 40 h of personal effort costs 40 h of your time, valued at your hourly rate (if 100 EUR/h, that is 4,000 EUR opportunity cost). If the wallet contains less, the calculation collapses.
3. Hardware or cloud GPU cost. A 1 USD/h cloud GPU rental over 4 weeks = 670 USD. Add electricity for local setup. Should stay below 5 % of estimated recoverable value.
4. Success probability. 1 unknown word = ~100 %. 2 words = ~95 %. 3 words = ~70 % if you commit means. 4 words = ~20 %. Beyond = near nil. Multiply estimated value by probability to get expectation.
5. Emotional stress. Underestimated but real criterion. A 6-week brute-force without success weighs psychologically. If recovery would mortgage your sleep and mood, give up.
6. Learning acquired. Sometimes ignored bonus: recovering an old wallet teaches a lot about Bitcoin (BIP39×BIP39Standard defining the list of 2,048 words used for seed phrases. Lets every wallet brand generate seeds that are compatible with each other.See in the lexicon →, derivation, address formats, brute-force, technical tools). Even a failure has pedagogical value. If you enjoy the topic, time cost partly becomes a productive hobby.

Three practical thresholds where giving up is the right call. Wallet under 200 EUR with 3+ unknown words. Wallet of 2,000 EUR with 5+ unknown words. Any wallet where expectation (value × probability) falls below total cost (time × hourly rate + hardware). Better to accept the loss and invest freed-up time into a fresh clean accumulation cycle than to obsess over a hopeless case.