The next version of Bitcoin Core, one of the most popular bitcoin wallets in existence, might be replaced with a malicious version courtesy of government-backed hackers, a warning on Bitcoin.org, the site that hosts downloads for Core, states.
The message, posted on Wednesday, warns that the site could be compromised by "state sponsored attackers" so that anybody downloading an upcoming version of the Bitcoin Core wallet, which people use to store their bitcoin, will actually be given a hacked version of the software. In particular, the alert encourages Chinese bitcoin users and services to be vigilant "due to the origin of the attackers."
"In such a situation, not being careful before you download [the software] could cause you to lose all your coins," the alert on Bitcoin.org states. "This malicious software might also cause your computer to participate in attacks against the Bitcoin network."
If a government, or anybody else, were to compromise Bitcoin.org and disseminate a malicious copy of Bitcoin Core to enough people, it could be a crippling attack on bitcoin unlike any we've seen before, siphoning millions and millions of dollars out of the market. If the warning on Bitcoin.org is based on fact, it could be very serious.
Bitcoin.org is maintained as an open-source project, meaning that a slew of contributors can upload a page to the site, and it has a peer review system for posts. The contributor who uploaded the alert, "Cobra-Bitcoin," is understood to be in control of Bitcoin.org, Core developer Peter Todd told me in an encrypted message, and so they were able to bypass the peer review process for posts to the site.
Core developer Eric Lombrozo told The Register that "there's absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state sponsored attackers that we know of at this point." However, it's worth noting that in order to serve someone a fake version of Bitcoin Core, an attacker only needs to compromise the Bitcoin.org site, or fake a cryptographic certificate that would allow them to intercept someone's encrypted HTTPS connection to Bitcoin.org and replace the real download with a hacked one without anybody noticing. This is known as a man-in-the-middle attack.
To mitigate the effects of a possible hack, the post on Bitcoin.org encourages users to verify that the Bitcoin Core version they download hasn't been tampered with by checking its cryptographic signature against the signing key of the legitimate Core developers, which marks official builds as genuinely coming from that team.
"So long as you check signatures properly, even a state sponsored attacker would have a hard time compromising a […] build of the Bitcoin Core software," Todd wrote me in a message.
Verifying software is a fairly standard security practice, and so suggesting that users take this precaution doesn't indicate any sort of malice on the part of Cobra-Bitcoin, unless their intent is simply to sow chaos and paranoia about the next Bitcoin Core release.
"I don't know much about the particular threat Cobra is concerned about, but people should always work assuming similar threats exist," Bitcoin Core developer Luke Dashjr wrote me in an email. "Bitcoin calls for a heightened level of security among typical computer users that unfortunately most people do not have."
Since the circumstances surrounding the alert and its veracity are entirely unknown at this point, the only thing most bitcoiners can do is wait, and verify their download of Core when it's released.
Things could be about to get very interesting in bitcoinland.