Bitcoin users warned of attack by ‘state sponsored’ hackers

According to a security advisory posted on Bitcoin.org, the upcoming Bitcoin Core software release is being targeted by government hackers. Bitcoin.org is a popular Bitcoin information site that offers downloads of Bitcoin Core, software used to store Bitcoins and make payments. The site is not directly affiliated with the creators of the program.
In the advisory, the maintainer of Bitcoin.org explained the site has “reason to suspect” that the pre-compiled downloads for the new version of Bitcoin Core will be altered by government hackers. Bitcoin Core is offered in two forms, the pure source code for users to compile themselves or prebuilt downloads that can be installed without any contact with the code.
If a hacker modified the download, they could inject malicious code into the package. The user would end up running a compromised version of Bitcoin Core that could give the attackers the ability to steal Bitcoins, make unauthorised transactions and take control of the Bitcoin network.
Bitcoin.org advised all its users to verify the integrity of their downloads once the transfer is complete. This can be done by comparing the cryptographic signature of the file with that originally created by the Bitcoin Core team. If the resulting hash differs from the original, the file has been tampered with during the download. The site warned it cannot protect itself from the attackers so it will be up to users to check their downloads are safe.
“Not being careful before you download binaries could cause you to lose all your coins,” the site warned. “This malicious software might also cause your computer to participate in attacks against the Bitcoin network.”
Chinese users will apparently be most at risk of attack. The origin of the alleged state sponsored hackers has led Bitcoin.org to believe that Chinese Bitcoin pools and exchanges are the target of the download interceptions, although anyone using the website could be impacted. The site warned the entire community to remain alert in the near future.
“As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre,” Bitcoin.org’s advisory reads. “We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.”
However, not everyone is convinced that there’s a real threat. Many community members are sceptical. There doesn’t seem to be any motivation for the attack and it’s unclear what the aim of the hackers is. Despite mentioning an origin country, the post does not reveal its identity or explain how Bitcoin.org became aware of the plans for the attack.
The mystery deepens as the maintainer of the Bitcoin.org website apparently posted the alert alone. Eric Lombrozo, a contributor to Bitcoin Core, told the Register that his team is unaware of any upcoming attack. He said the maintainer of Bitcoin.org hasn’t notified anyone else of the impending threat and advised the community to stay calm.
“There’s absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state sponsored attackers that we know of at this point,” Lombrozo said. “Perhaps certain sites where people download the binaries could end up getting compromised, but let’s not unnecessarily spread paranoia about the Bitcoin Core binaries themselves.”
With two differing opinions from two authoritative sources, it will be interesting to see how the claimed attack manifests itself. The Bitcoin community is no stranger to large-scale hacks, malware campaigns and thefts though. Earlier this month, $65 billion was stolen from one of the largest Bitcoin exchanges around, significantly reducing the currency’s market value and again revealing its underlying volatility.
While the attack could come to nothing, Bitcoin users would do best to stay vigilant. Lombrozo joined Bitcoin.org in advising that all downloads be verified against a cryptographic signature, noting this should be viewed as best practice for any new build.
