Pierluigi Paganini August 19, 2016

The organization that controls the development of the Bitcoin software warns users that nation-state actors may hit the upcoming Bitcoin Core release.

The organization that controls the development of the Bitcoin system, Bitcoin.org, has warned of possible cyber attacks coordinated by nation-state attackers.

Bitcoin Core is the open source client for Bitcoin, the version Bitcoin Core 0.12.1 was released in April and a new one will be soon available (version 0.13.0).

This week, Bitcoin.org published a security notice to inform users that it is possible that the Bitcoin Core 0.13.0 version will be targeted by state-sponsored hackers.

“Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state-sponsored attackers.” states the security notice.

“We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website,” 

The organization is warning is a specific way the Chinese Bitcoin community, inviting it to be vigilant and to adopt all the necessary measured to avoid security breaches.

When dealing with a persistent attacker such as a nation-state actor in is necessary a supplementary effort of the entire community due to the abilities of the adversaries.

“In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers,” Bitcoin.org warned.

The Bitcoin.org suggests checking the hashes of Bitcoin Core binaries that are cryptographically signed with a known tkey.

“We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.”

In a thread on the news.ycombinator.com, experts discussed about the fact that bbitcoin.org does not implement HTTP Public Key Pinning (HPKP), this means that any government that controls a CA can generate its own cert for bitcoin.org, hijack the site’s IP and replace this page with their own fingerprint.

China controls the root CA China Internet Network Information Center (CNNIC) whom new certificates were banned last year by Mozilla and Google after one of its  intermediate certificates was used to issue fake Google certificates.

Unfortunately, many threat actors are interested in launching cyber attacks against the Bitcoin users.

Recently several Bitcoin exchanges have been hacked, clamorous the security breach suffered by the Asian Bitfinex that led the theft of 120,000 Bitcoin.

The Bitcoin value significantly dropped after the discovery of the breach, it was observed a 20 percent decrease.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Bitcoin Core, state-sponsored hackers)