by Landon Mutch
At the time of publication, the following warning appears on the bitcoingold.org welcome page:
According to the associated Critical Warning description, Bitcoin Gold’s (BTG) official GitHub repository served unsigned wallet software for almost five days:
“Anyone who downloaded the Windows Wallet file between November 21, 2017, 09:39 UTC, and November 25, 2017, 22:30 UTC, should not use the file in any way…all users should presume these files were created with malicious intent – to steal cryptocurrencies and/or user information.”
The BTG team highly recommends affected machines be “thoroughly checked for malware and viruses (or wiped clean), and any cryptocurrencies with wallets accessible on that machine should be moved to new wallet addresses immediately.”
This is not the first time the BTG team has promoted wallets containing malware. Just a day after the BTG mainnet went live, the compromised wallet MyBTGWallet allowed an attacker to steal over $3 million in BTC from users. Sadly, rather than accepting responsibility for promoting the compromised wallet, the BTG team disclaimed it with this statement (emphasis added): “Neither [official social promotion] nor listing on the bitcoingold.org site should be taken as endorsements of third parties.” In other words, ‘Don’t trust us.’ As with the first breach, the BTG team has refused to acknowledge any culpability for this one, and has instead implied that users were at fault for not verifying the checksum of the unsigned file.
In their short critical warning, they made no fewer than four references to the responsibility of users to checksum the files they downloaded. Yet incredibly, only a week prior to the attack, the bitcoingold.org download page did not list checksums for the files at all. The earliest archived snapshot that shows checksums on that page is from November 22, after the unsigned files had already gone live.
When I asked the archive.org admin team for details regarding the behavior of their crawlers, they replied, “Our regular web crawling is pretty random: crawlers cannot detect changes made to web pages. It’s up to someone accessing the archives to see the differences. We also provide many ways for people to archive sites that are meaningful to them.”
Thus, while it’s possible that the checksums were added to the page during the intervening days before the attack, it would appear far more likely that the checksums were added only after the BTG team became aware of the attack. This is an even more alarming prospect, as it would indicate the developers left the links up even after discovering their illegitimacy.
In either case, it is deplorable of the BTG team to attempt to shift responsibility for their gross negligence onto their users, especially given that a week before the attack the download page offered no file checksums at all. Nonetheless, they have certainly tried to point the finger at their users with statements such as, “nobody should assume that all users take this important step [checksumming files].”
It’s also interesting to point out that, given archive.org’s ‘random’ crawling behavior, it seems likely that someone intentionally requested that archive.org archive bitcoingold.org on November 13, just a week before the attack, and then again on November 22, while the unsigned files were live. In all probability, these archive requests were sent by the attacker.
This may suggest that the attacker’s motivation was to discredit the BTG team, if not to actually steal users’ BTG and information. At the time of publication, no published analysis has determined whether or not the unsigned files contain malware.
The BTG team claims that the Linux file was unaffected; however, because bitcoingold.org published no checksum for it before the compromise, there is nothing independent to compare the file against, and the claim cannot be verified. I guess users will just have to trust the BTG developers on this one.
At the time of publication, this latest security breach does not appear to have affected BTG’s market capitalization or price.
Even if no malware is found in the files, this episode should certainly serve to discredit the BTG developers further, as there is absolutely no excuse for any developer to allow an “unknown party to gain access to their GitHub repository!” And of course, as the BTG developers have amply highlighted, no matter how official the source, whenever possible always checksum your downloads. Bear in mind, though, what a checksum can and cannot prove: a digest fetched from the same website or repository as the binary can be swapped by the same attacker, so a checksum only protects you when it (or a signature over it) comes from a channel the attacker does not control, such as a release signature verified against a key obtained elsewhere.
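As an added example that is not part of the original article or of BTG’s own tooling, the Python below does what the BTG warning asks of users: it parses a `sha256sum`-style checksum list, hashes the downloaded file, and treats both a mismatch and a missing entry as a failure (a missing entry being exactly the state of the download page before November 22). The file names and the “wallet” contents are constructed for the demonstration; they are not the real release artifacts or digests.

```python
"""Verify a downloaded release file against a published SHA-256 checksum list.

Example code added by the editor; not the article's or the BTG project's code.
File names and contents in demo() are constructed for illustration only.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 digest of a file, streaming so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ("<hex>  <filename>") into {filename: hex}.

    Malformed lines raise instead of being skipped, so a truncated or tampered
    checksum list fails loudly rather than quietly verifying nothing.
    """
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <file>'")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a SHA-256 digest")
        sums[name] = digest.lower()
    return sums


def verify_download(path, sums_text, name=None):
    """Return True only if the file's digest matches its entry in the checksum list.

    No entry for the file is a failure, not a pass: an unlisted file is unverifiable.
    """
    name = name or os.path.basename(path)
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    actual = sha256_file(path)
    # Constant-time comparison; not security-critical for a local file, but idiomatic.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a genuine build, a swapped build, and a file with no checksum."""
    genuine = b"legitimate wallet build\n"
    swapped = genuine + b"\x90" * 16  # stands in for an attacker-modified binary
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for fname, data in (("wallet-win.exe", genuine),
                            ("wallet-win-swapped.exe", swapped),
                            ("wallet-linux.tar.gz", genuine)):
            p = os.path.join(d, fname)
            with open(p, "wb") as f:
                f.write(data)
            paths[fname] = p
        # The published list (constructed) covers only the Windows build.
        sums_text = f"{hashlib.sha256(genuine).hexdigest()}  wallet-win.exe\n"
        return {
            "genuine": verify_download(paths["wallet-win.exe"], sums_text),
            # The swapped binary is served under the legitimate release name.
            "swapped": verify_download(paths["wallet-win-swapped.exe"], sums_text,
                                       name="wallet-win.exe"),
            "unlisted": verify_download(paths["wallet-linux.tar.gz"], sums_text),
        }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'swapped': False, 'unlisted': False}
```

The check is only as trustworthy as the source of `sums_text`: if the checksum list is downloaded from the same compromised repository as the binary, an attacker who replaced the file can replace the digest too. In practice the list should be signed and the signature verified against a key obtained out of band before this script is run.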