The next version of Bitcoin Core, a popular digital wallet for the cryptocurrency, could be hacked and replaced with a malicious look-alike by state-sponsored actors, a safety warning says.
On 17 August, open-source project Bitcoin.org announced the threat on its website. The alert reads:
“Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.”
Downloading a malicious binary could open the door for an attacker to steal all of a user’s Bitcoins, the statement indicates. It could also enlist users into a botnet for the purposes of siphoning hundreds of thousands (if not millions) of dollars’ worth of Bitcoin out of the market.
This has of course drawn the curiosity of many folks on Reddit, as well as that of Eric Lombrozo, a contributor to Bitcoin Core.
Lombrozo told The Register there’s not much to worry about at this point:
“[T]he maintainer of the bitcoin.org site (which is unaffiliated with the Bitcoin Core project itself) posted an advisory of an apparent threat he’s been informed about – without consulting anyone else. …[T]here’s absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state sponsored attackers that we know of at this point. Perhaps certain sites where people download the binaries could end up getting compromised, but let’s not unnecessarily spread paranoia about the Bitcoin Core binaries themselves.”
To be on the safe side, users are urged to verify that the key with which Bitcoin Core version 0.13.0 is cryptographically signed has the fingerprint 01EA5486DE18A882D4C2684590C8019E36C2E964 before running any binaries. Better to be safe than sorry!
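One way to automate that check, shown as an added example that is not from Bitcoin.org or the Bitcoin Core project: it reads the machine-readable status text that `gpg --status-fd 1 --verify` prints for a signed checksum list, accepts it only when the full 40-digit fingerprint matches the one quoted above, and then compares a download's SHA-256 against that list. It assumes the release ships such a signed list; the file name and all sample inputs are constructed.

```python
import hashlib

# Fingerprint quoted in the article for the Bitcoin Core 0.13.0 signing key.
PINNED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"

def normalize(fpr):
    """Drop spaces/colons and upper-case, so differently formatted copies compare equal."""
    return "".join(c for c in fpr if c.isalnum()).upper()

def signed_by_pinned_key(gpg_status, pinned=PINNED_FPR):
    """True only if the gpg status text holds a VALIDSIG line from the pinned key."""
    want = normalize(pinned)
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # parts[2] is the signing key's fingerprint, parts[-1] its primary key's.
            # Compare all 40 hex digits: a matching 8-digit short ID proves nothing.
            if want in (normalize(parts[2]), normalize(parts[-1])):
                return True
    return False

def sha256_listed(checksums, filename, data):
    """True if SHA-256(data) equals the entry for filename in a '<hex>  <name>' list."""
    digest = hashlib.sha256(data).hexdigest()
    for line in checksums.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].lstrip("*") == filename:
            return fields[0].lower() == digest
    return False

# Constructed sample inputs (not real gpg output or release data).
GOOD_STATUS = ("[GNUPG:] VALIDSIG " + PINNED_FPR +
               " 2016-01-01 1451606400 0 4 0 1 8 01 " + PINNED_FPR)
# A different key that shares only the last 8 hex digits (the short key ID).
LOOKALIKE_STATUS = GOOD_STATUS.replace(PINNED_FPR[:32], "F" * 32)
SAMPLE_BINARY = b"constructed stand-in for a downloaded binary"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_BINARY).hexdigest() + "  example-binary.tar.gz\n"

if __name__ == "__main__":
    print("pinned key signed list:", signed_by_pinned_key(GOOD_STATUS))
    print("look-alike key accepted:", signed_by_pinned_key(LOOKALIKE_STATUS))
    print("binary matches list:",
          sha256_listed(SAMPLE_SUMS, "example-binary.tar.gz", SAMPLE_BINARY))
```

The expected fingerprint should come from a source other than the site serving the download, since a compromised site could alter both.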