Bitcoin 'targeted by state sponsored attackers' says Bitcoin.org
Bitcoin Core devs don't know about threat, advise usual signatures and hash checks
Update Bitcoin.org is warning that the Bitcoin Core, the as-close-to-official-as-it-gets version of Blockchain consolidation software and Bitcoin wallets, may become the target for an attack.
“Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release [version 0.13.0] will likely be targeted by state sponsored attackers,” the organisation says in a post that does not elaborate which state may be be behind the threat or the nature of any attack.
“As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.”
The warning makes oblique references to China, saying “We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.”
The potential problems with Bitcoin Core mean “not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network.”
A suggested defence is to employ only the key used to sign Bitcoin Core hashes.
“We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries,” the advisory says.
Bitcoin.org is not an official organ of Bitcoin, instead offering a hub for development of the Bitcoin Core. We therefore presume that the site's publishers speak with some authority, but as it offers no way to contact its operators we've attempted to contact The Bitcoin Foundation to seek its take on this announcement. But the Foundation's contacts mechanism has a mis-firing CAPTCHA that has repelled all our attempts at sending a message.
The Register will keep trying to learn more about this warning! ®
Updated to add
A contributor to the Bitcoin Core, Eric Lombrozo, has been in touch to say "the maintainer of the bitcoin.org site (which is unaffiliated with the Bitcoin Core project itself) posted an advisory of an apparent threat he's been informed about – without consulting anyone else.
"Why this was done is uncertain, but verifying cryptographic signatures for builds is generally recommended practice in any case."
Lombrozo added that "there's absolutely nothing in the Bitcoin Core binaries, as built by the Bitcoin Core team, that has been targeted by state sponsored attackers that we know of at this point. Perhaps certain sites where people download the binaries could end up getting compromised, but let's not unnecessarily spread paranoia about the Bitcoin Core binaries themselves."