Avatar
Luke Dashjr 3mo ago 💬 12

PSA: There is a supply chain attack on Bitcoin wallets going on.

HARDWARE WALLETS AND SIGNAL MAY BE AFFECTED. READ FURTHER.

I have not studied the full scope of this attack yet, but from what I hear, it can impact websites/webapps (including "local" webapps like Signal Desktop) and cause them to display a thief's address instead of the intended one.

This means hardware wallets will correctly display the actual send-to address, but you the human may compare the address to one that has already been replaced!

Regardless of what wallet you use, verify the address you are sending to without trusting a computer. Call your recipient and verify verbally.

Reply to this note

Please Login to reply.

Discussion

Avatar
bitcoinpoorguy 比特幣傢伙 🇭🇰 3mo ago

Always double check with the address on the airgapped cold wallet

Avatar
bplusp 3mo ago

The next few months will be difficult. Appreciate the work you do.

16
oooooo 3mo ago

what is harder? pagers in Lebanon or every kyc'd bitcoiner's "wallet"? asking for a friend

Avatar
Jan1st 3mo ago

Any reported cases?

Avatar
Thomas 3mo ago

Thanks for summarizing. So if you do not send any BTC you are not in danger? Any news on patches yet?

Avatar
Fotoart 3mo ago 💬 1

So easy to just check the last few digits.

Avatar
Fotoart 3mo ago

I should clarify, with this attack, now it's worth checking the whole thing. Probably will do that forever now 💪

Avatar
ManyKeys 3mo ago

This concerns web3 and metamask predominantly?

Avatar
SwBratcher 3mo ago

Even hardware wallets with companion apps that used npm.

Avatar
mobiusmoe 3mo ago

Is there any way to make a utility to make it easier to verbally verify swnd-to addresses? Might not matter in the world of deep fakes ...

Avatar
mobiusmoe 3mo ago

Sending to exchanges will be problematic

Avatar
5d5a9d4f... 3mo ago

Haven’t heard of Signal Desktop Wallet? Was that a typo?

Avatar
Tristan Hillerich 3mo ago

This is why you use nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqywhwumn8ghj7mn0wd68yttsw43zuam9d3kx7unyv4ezumn9wsqzp4x68cuj3umqm0xrzuwycqxs7x588zae3xkksx3fm3k4lwqrdjrvpzq3p6

Protects against this exact form of attack

nostr:nevent1qvzqqqqqqypzplw4arm2urdcz7lqkuw6ypyccxqxj6xc5eze2kwzf8ej97nnge98qqs8hn7vjws75vs8tl2jh37whs9em0anksnnc24efvkks4xk56xy43qvgryve