Open Source 2017-11-21 · 4 days ·Cryptocurrency Theft, Private Key Theft

Bitcoin Gold wallet generated weak keys

An attacker replaced Bitcoin Gold's official Windows Core wallet installer on the project's GitHub release page with builds that generated weak private keys for newly created wallets.

Story

Bitcoin Gold's compromise started as the sort of thing careful users are supposed to catch: a checksum mismatch. On November 25, 2017, a user opened a GitHub issue after the Windows installer downloaded from the official Bitcoin Gold release did not match the SHA-256 hash published on the project's download page.

The first warning was necessarily broad. Bitcoin Gold said an unknown party had gained access to the GitHub repository and replaced the compiled Windows wallet installer. The source code was unchanged, the Linux build was not changed, and the project told users to treat any Windows wallet downloaded between November 21, 2017, 09:39 UTC and November 25, 2017, 22:30 UTC as hostile. Two different suspicious installers had been served during that window, and neither matched the public checksum.

The later analysis made the attack more interesting, and more dangerous, than a generic infected installer. Bitcoin Gold reported that the planted wallet did not appear to contain a conventional virus or upload private keys. Instead, it sabotaged CKey::MakeNewKey, the function responsible for generating new private keys. A normal wallet draws 32 bytes of strong entropy. The malicious build replaced that with a value derived from a timestamp, one random byte, and constants, shrinking the key space from 2^256 possibilities to roughly 2^40 before accounting for the known download window.

That is still too much for a person, but it is not too much for an attacker watching the blockchain. New wallets created by the phony installer could look normal, receive BTG, and later be reconstructed by someone who knew the weakened key-generation scheme. Once Bitcoin Gold understood the trick, the team scanned for vulnerable addresses, swept just under 77.5 BTG into a safe address before the attacker did, and began returning funds to owners who could prove control.

The lesson is not that checksums are ceremonial. They were the first alarm. The failure was that the release channel itself, trusted by the official download page, could serve a wallet that quietly changed the math behind ownership.

Affected Artifacts

Bitcoin Gold Core

github · bitcoingold.org · repository · Binary Installer

Observed: 2017-11-21 to 2017-11-25
Compromised Versions: 0.15.0

0.15.0.1
Fixed: Not listed
Hashes: sha256:0ccbae26914fc36973c5b74f0c031ba324bcffc7bbb188e752498573345215d5

sha256:8e9d4cb73116beb173d6079792d474ba29488c6de30a05d2d77bff7850c80b0d
Evidence: distribution: github.com/BTCGPU/BTCGPU/releases/tag/0.15.0.1, distribution: bitcoingold.org/downloads, advisory: web.archive.org/web/20201109001210/https://www.bitcoingold.org/critical-warning-nov-26, analysis: bitcoingold.org/vulnerable-core-wallet-update , +6 more

Bitcoin Gold said the Linux release archive and source code were not changed.
Bitcoin Gold later reported about 30 vulnerable wallets and just under 77.5 BTG evacuated to a safe address before the attacker could steal the funds.

Incident Context

Motive: Cryptocurrency Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: No

External References

Bitcoin Gold critical warning, November 26, 2017web.archive.org
Bitcoin Gold critical warning mirrorbtgofficial.org
Vulnerable Core Wallet Updatebitcoingold.org
Checksum for Setup not matchinggithub.com
PSA - Bitcoin Gold official Windows wallet app might have been compromisedbleepingcomputer.com
Bitcoin Gold official wallet app compromisedwccftech.com
Bitcoin Gold dev team warns users about a security breachsecurityaffairs.com
MalwareTips thread on the Bitcoin Gold wallet warningmalwaretips.com
BitcoinTalk discussion of the vulnerable Bitcoin Gold walletbitcointalk.org

Source record: oss/attacks/bitcoin-gold/meta.yaml