Bitcoin Review Podcast BR093 - ECDSA Key Extraction, ESP32 Security Concerns, COLDCARD, Cove Wallet, Krux, Nunchuk, Invalid Mining Jobs, Javascript Injection Attack, CTV Back on the table? + MORE ft. Rob & Vivek
I'm joined by guests Rob Hamilton & Vivek to go through the list.
Housekeeping
- Unleashed.chat rebrands to dataMachine and enables Nostr Wallet Connect.
Urgent Vulnerability Disclosures
- ECDSA private key extraction upon signing a malformed input in Elliptic library [Vulnerability disclosure]
- The elliptic library versions up to 6.6.0 have a critical vulnerability allowing private key extraction when signing malformed inputs, such as strings or numbers.
- This issue arises because the library, by design, accepts hex strings as input types, leading to potential nonce reuse during the signing process.
- ESP32 Security Concerns
- CVE-2025-27840: Undocumented commands in ESP32 Bluetooth chip raise security concerns [Tarlogic Security's disclosure]
- Tarlogic Security researchers discover undocumented HCI commands in ESP32 microcontrollers, which are present in over one billion IoT devices worldwide. These proprietary commands allow memory access and modifications to the chip's functionality.
- Post-exploitation: The hidden commands require physical HCI access and high privileges on the controller, making remote exploitation via Bluetooth impossible.
- Tarlogic introduces BluetoothUSB, a free tool designed to democratize Bluetooth security testing across operating systems, helping manufacturers and security experts conduct comprehensive device audits without expensive hardware requirements.
- Undocumented commands found in Bluetooth chip used by a billion devices [Bleeping Computer]
- [NVK Tweet] [esp32.fail]
- ESP32 is an amazing platform, but not good for securing things, especially not securing #Bitcoin.
- Here are a few known Secure Boot Bypass Methods, including both hardware (fault injection, EMFI) and software-based attacks with emojis!
- Unpatched Bypasses (Active Threats)
- CVE-2023-35818: EMFI attack bypasses Secure Boot V3 on ESP32 rev 3.0/3.1, allowing unsigned code execution & plaintext flash readout.
Not patchable in software, requires future silicon fix.
USENIX WOOT '24 Paper
Espressif Security Advisory AR2023-005
- AR2023-007: Power analysis + voltage glitch on ESP32-C3 & ESP32-C6 extracts Flash Encryption Key & bypasses Secure Boot.
No fix yet, Espressif confirmed future silicon will mitigate.
Espressif Security Advisory
- Patched Bypasses (Fixed in Newer Hardware)
- CVE-2020-13629: EMFI attack on ESP32 (rev 0/1) bypasses Secure Boot & Flash Encryption. Attackers inject faults to force execution of unsigned code.
Patched in ESP32 V3+ (ECO3).
Raelize Research Blog
- CVE-2019-15894: Voltage glitch skips Secure Boot digest check, allowing execution of unsigned firmware if Flash Encryption is off.
Patched in ESP32 V3 (ECO3).
Espressif Security Advisory
- CVE-2019-17391: Fault injection allows reading Secure Boot & Flash Encryption keys from eFuses, permanently compromising security.
Patched in ESP32 V3.
Espressif Security Advisory
- Coinos revokes NWC connection secrets due to security leak concerns [Announcement]
- Users experiencing issues with Coinos zaps via NWC are advised to generate a new connection at Coinos settings and update their Nostr app.
Vivek's Corner
- Invalid mining jobs by AntPool & friends during forks [b10c]
- AntPool and associated pools (CloverPool, Ultimus, Rawpool, Poolin) published invalid mining jobs with excessive coinbase output values, indicating a bug in their coinbase creation code.
- Invalid jobs were observed during block races, particularly on March 1, 2025, and in December 2024, suggesting a pattern of errors linked to these pools.
- Historical data shows that invalid jobs often reused coinbase output values from previous blocks, hinting at a caching issue in the coinbase building process.
- The behavior does not appear to be a selfish mining attempt but rather a result of technical glitches in job templates or coinbase code.
- The consistent invalid job publication reinforces the idea that these pools are interconnected and potentially operated by the same entity, warranting the label "AntPool & friends."
- [Boerst Tweet]
- Mempool Partitioning and Identifying Mining Nodes [crypt-iq]
- The study aimed to identify influential mining nodes on the Bitcoin network to assess potential attack vectors, such as mempool partitioning and pinning attacks.
- A list of approximately 5,700 listening p2p nodes was created, filtering out those that did not accept incoming connections or participate in transaction relay.
- Using the Candidate Selection algorithm from the CoinScope paper, the researcher conducted 100 trials, finding that major miners like Foundry and AntPool accounted for a significant portion of mined conflicts.
- The top 200 influential nodes represented about 40% of the network's hashrate, while a refined list of influential nodes from individual mining pools improved the representation to 50%.
- The high rate of unintentional mempool partitioning (91%) indicates that attackers could exploit this for effective partitioning attacks, suggesting further analysis and refinement of the influential node list is warranted.
- BIP-119 (OP_CHECKTEMPLATEVERIFY) (no activation) #31989
Bitcoin
Software Releases & Project Updates
- COLDCARD
- New COLDCARD Release: v5.4.1 (Mk4) and v1.3.1 (Q)
- New (Message) Signing Features:
- Sign message from secure note text, or password note
- Sign message with key resulting from positive ownership check. Press (0) and enter or scan message text to be signed
- Sign message with key selected from Address Explorer Custom Path menu. Press (2) and enter or scan message text to be signed
- JSON message signing. Use JSON object to pass data to sign
- Delta Mode Enhancements:
- Hide Secure Notes & Passwords in Deltamode. Wipe seed if notes menu accessed
- Hide Seed Vault in Deltamode. Wipe seed if Seed Vault menu accessed
- Catch more DeltaMode cases in XOR submenus
- Address Display Changes:
- New address display format improves address verification on screen by splitting addresses into groups of 4 and showing with a space between them
- Related: Added option to show/export full multisig addresses without censorship
- Other Changes:
- Both Mk4 and Q
- Enhancement: Add ability to switch between BIP-32 xpub, and obsolete SLIP-132 format in Export XPUB
- Enhancement: Use the fact that master seed cannot be used as ephemeral seed, to show message about successful master seed verification
- Enhancement: Allow devs to override backup password
- Enhancement: If derivation path is omitted during message signing, derivation path default is no longer root (m), instead it is based on requested address format (m/44h/0h/0h/0/0 for p2pkh, and m/84h/0h/0h/0/0 for p2wpkh)
- Mk4 Specific Changes
- Enhancement: Export single sig descriptor with simple QR.
- Q Specific Changes
- New Feature: Verify Signed RFC messages via BBQr
- New Feature: Sign message from QR scan (format has to be JSON)
- Enhancement: Sign/Verify Address in Sparrow via QR
- Enhancement: Sign scanned Simple Text by pressing (0). Next screen query information about which key to use
- Enhancement: Add option to "Sort By Title" in Secure Notes and Passwords
- New COLDCARD EDGE Release: v6.3.5X (Mk4) and v6.3.5QX (Q) - Catch-Up Release
- Update the startup warning which now reads: "This firmware version is qualified for use with wallets (such as AnchorWatch) that keep redundant key schemas for recovery independent of COLDCARD. We support the very latest Bitcoin innovations in the Edge Version."
- Catch up with latest releases
- Qualified for use with miniscript wallets, such as AnchorWatch
- Shared Changes - Both Mk4 and Q
- Allow origin-less extended keys in multisig & miniscript descriptors
- Static internal keys disallowed - all keys need to be ranged extended keys
- Sparrow Wallet v2.1.3
- OneKey Pro and Classic 1S hardware wallet support
- Update BIP329 wallet labels export to include additional fields
- Make BIP329 wallet labels import and export scannable
- Add Copy Payment Code item to the transaction diagram outputs context menu for BIP47 outputs
- Add Show Transaction as QR button to signed transaction tabs when offline
- Upgrade libusb to v1.0.27 on all platforms
- Add specific handling for invalid Windows device drivers on Trezor devices
- Handle scanning and pasting server URLs in the Electrum (x.x.x.x:n:t/s) format
- Additionally check for Trezor model against internal name and improve exception handling on no match
- Lark v1.1.0
- Add support for OneKey Pro and Classic 1S
- Validate and sanitize multisig wallet names on Jade, BitBox02 and Ledger
- Remove unnecessary public key field from BitBox02 pairing config
- Add the Jade Plus to udev rules
- Upgrade libusb to 1.0.27
- Throw an error if trying to sign a Taproot input on legacy Ledger firmware
- Additionally check for Trezor model against internal name and improve exception handling on no match
- Support Coldcard P2TR address display and show correct address for script type on message sign
- Add specific handling for invalid Windows device drivers on Trezor devices
- Krux v25.03.0
- Taproot and WSH Miniscript support
- Add an indented visualization of Miniscripts for improved readability
- Implement Miniscripts policy and cosigner verification
- Support custom derivations
- Detect unspendable internal keys in Taproot
- Include various UI and settings adjustments
- Easter Eggs Reveal
- Hints have been introduced to help users discover hidden features, such as:
- Swiping sideways to change the keypad keyset
- Switching between camera modes
- Adjusting QR code brightness
- Rearranged Keypad Keysets
- Keypad keysets were organized to group similar keys and help with visibility
- More Camera Modes
- A zoomed camera mode is now available for all cameras
- An anti-glare mode has been added for the GC0328 camera
- More Intuitive Tamper Check
- The Tamper Check Flash Hash is now displayed immediately after generating the Tamper Check code
- Display Customization Options
- Screen orientation can now be flipped on Yahboom and WonderMV devices
- SD Card PSBT Signing Preserves All Fields
- When signing PSBTs via SD card, all fields, including signatures from other keys, are preserved
- This ensures a seamless signing process across multiple devices and locations, allowing a single PSBT file to be incrementally signed by different signers
- Other Bug Fixes and Optimizations
- New encrypted mnemonics now display a key strength score during confirmation
- Address scanning for Blue Wallet has been updated to match its revised export format
- A faster algorithm for double mnemonic calculation has been introduced
- PSBT change detection has been made more restrictive
- Cove Wallet
- v0.2.1
- Add more plausible deniability to decoy PIN mode
- Pretend to change PIN and trick PINs in the settings screen
- Make it easier to click the "Change PIN" button in the settings screen
- iOS Beta is now available on TestFlight [Announcement]
- It supports importing hardware wallets via NFC, file, and QR code.
- Key features include creating and backing up hot wallets, sending Bitcoin via PSBTs, managing multiple wallets, and connecting to personal nodes. Users can also set Trick Pins for added security and lock wallets with Face ID or a PIN.
- Upcoming updates will introduce CoinControl, TapSigner and SatsCard support, and UTXO locking/unlocking. An Android version is planned for release in a few months.
- Nunchuk Desktop v1.9.43 / Android v1.9.64
- New and improved encrypted group wallet:
- End-to-end encrypted group wallet and communication
- Single-file recovery using wallet descriptors
- Compatibility with hardware signing devices
- Supports both standard multisig and Taproot multisig
- Automatic message deletion for enhanced privacy
- BTCPayServer v2.0.7
- Display fiat amount previews in Transaction Details page
- Greenfield: Adding endpoint to set server email settings
- Bitcoin Keeper v2.0.2
- Redesign manage subscription screen
- Support External Key for Miniscript vaults
- Support Specter DIY for Miniscript vaults
- Improve ColdCard NFC integration
- Improve import old wallets speed
- BlueWallet v7.1.0
- Add support for importing minikeys (Casascius Coin, Satori Coin etc.)
- Bitcoin Safe
- Bitkey App v2025.1.1
- Inheritance is here. You can now add a beneficiary of your Bitkey wallet in the app.
- It allows users to designate beneficiaries for their Bitcoin without sharing PINs or seed phrases
- libwally-core v1.4.0
- tx: Add caching to signature hash generation/PSBT signing making signing faster
- tx: Add support for generating Elements taproot signature hashes and signing Elements taproot inputs
- descriptor: Add support for "tr()/rawtr()" keyspend-only taproot descriptors
- descriptor: Add support for parsing Elements-core compatible descriptors, including taproot
- psbt: Add accessors for keypath/taproot related fields
- pset: Add support for ELIP-101 genesis hash
- psbt: Add support for serializing/parsing/combining signature-only PSBTs
- script: Add support for generating Elements p2tr scripts
- BIP85: Add support for deriving RSA keys via BIP85
- base64/psbt: Add support for parsing from known length (non-NUL terminated) strings
- build: Add Debian Bookworm docker build image
- Bisq2 v2.1.6
- Security update: To enhance security for buyers, sellers must have sufficient reputation to secure a trade for the specified amount. See new formula.
- New features:
- The new Profile Card comes with many features. Find the user profile details, trade terms, reputation, offers created and the public messages posted by clicking on the profile icon or profile name anywhere in the app.
- To improve on privacy, sensitive trade data will be automatically deleted after a certain period of time
- Improvements: The create offer wizard has been consolidated into three steps to improve quickness and ease of use
- RoboSats v0.7.4-alpha
- You can now see LNp2pBot orders on RoboSats mobile app
- Order creation view now displays all available payment methods
- Changed URLs to https://robosats.org and new onion (#Robosats' previous clearnet and onion domains are no longer accessible as the original maintainer, @Reckless_Satoshi, has been unreachable for months [Note])
- Libraries updates
- Boltz Exchange
- boltz-client v2.4.0
- With this release, boltz-client will start to use the highly anticipated Discount CT on the Liquid Network and introduces a new pro configuration option for using Boltz Pro fee rates
- boltz-web-app v1.6.2
- Transaction broadcasts via block explorer
- Add tropykus and speed as integrations
- boltz-backend v3.9.1
- Add custom fees and limits based on referrals
- Fixes for RSK swap
- Fixes for handling CLN xpay payment failures
- Lightning network information API
- Zaprite v2025-02-17
- Copy Contact ID: Add an option to copy the Contact ID from the View Contact page
- Improve the UI for Bank/Wire Transfer payment information on our Checkouts
- Update the Delete Transaction modal to show more helpful messaging.
- Adjust login/sign-up page to fallback and use a Recaptcha Puzzle when necessary
- Blockstream Explorer API Update
- New features include a 99.9% SLA, transparent pricing, and an open beta with a free tier for developers.
- Built on open-source Esplora, the API simplifies blockchain data access, supporting wallets, exchanges, and other applications.
- Mempal v1.5.2
- Add welcome screen with quick tips
- Add hashrate, difficulty, and adjustments to dashboard
- Modify widget auto-refresh intervals
- Iris Wallet desktop v0.1.2 - First experimental release
- Attached you can find 2 versions running on different bitcoin networks, testnet and a shared public regtest.
- For the latter you can use our telegram bot to get some funds and play around.
- Utreexo
- ESP Miner v2.6.0b8
- Show firmware updates on the display
- Trim spaces from SSID
- Add sorting switch to swarm page for hostname and ip
- Show share reject reasons
- Remove unit test workaround for qemu
- Frequency transition
- UTXOracle is now available again [Announcement]
- UTXOracle is a tool that estimates Bitcoin's daily price by analyzing on-chain transactions, avoiding reliance on exchange rates
- The tool uses a method involving clusters of on-chain payments at round USD amounts to calculate the price, offering an alternative to exchange-based averages
- Metamask announces "full bitcoin support" for Bitcoin within its wallet coming in Q3 2025 [Roadmap]
Project spotlight
- Reorg Calculator: A calculator to estimate the probability of an attacker reorganizing z blocks, considering their hash power and the time ratio (κ)
- Bitcoin Core Config Generator: A TUI for generating Bitcoin Core configuration [Github]
- Provides an interactive terminal interface to generate bitcoin.conf files for Bitcoin Core.
- Features include form-based configuration, real-time validation, and conditional field display.
- Bitcoin Core Snapshots: Fast-track your node setup with pre-synced blockchain data [Github]
- The website offers verified Bitcoin blockchain snapshots at specific points, reducing initial sync time for new nodes
- Snapshots are available for mainnet (pruned at block height 885,445), testnet4 (full at block height 71,808), and signet (full at block height 237,052)
- Boot Protocol: A decentralized protocol for bitcoin hashing nodes to share block rewards and reduce variance [Github]
- The protocol aims to solve Bitcoin mining centralization by enabling miners to share block rewards without traditional pools. It reduces variance up to 16x compared to solo mining while maintaining decentralization.
- The system operates through a "Winners List" of 15 addresses that have provided the highest difficulty hashes. Block rewards are split between these addresses and the block finder's address.
- multisig-backup: Encrypt and inscribe your k-of-n multisig descriptor - recover with any k seeds [Github]
- Sensitive data, such as master fingerprints and xpubs, is encrypted to prevent unauthorized decryption, requiring multiple seeds to recover the descriptor.
- It utilizes Shamir's Secret Sharing and ChaCha20 for encryption, and integrates with hardware wallets for the recovery process.
- regtest-in-a-pod
- Companion to the Using Podman Containers for Regtest Bitcoin Development blog article.
- Allows you to create a robust regtest environment which you can turn on and off at will using Podman. The final environment includes a lot of useful tools, namely:
- A bitcoin core node and daemon (serving compact block filters)
- bitcoin-cli enabled
- An Electrum server
- An Esplora server
- A block explorer
- Useful just commands for working with the daemon from your command line
- Wallet backup: A document standardizing Bitcoin wallet backup formats [Github]
- The document proposes a JSON-based format to export wallet data, including accounts, descriptors, keys, labels, transactions, and PSBTs.
- Explora: A visual tool to follow a chain of transactions [Github]
- The tool utilizes APIs from mempool.space and ankr.com to retrieve transaction data
- Users can input a transaction ID, view transaction details, and navigate through related inputs and outputs
- Panopticon: A tool to monitor Bitcoin addresses privately [Github]
- Users receive alerts from their own Electrum server, while notifications are sent locally, not through Google or Apple's notification systems.
- brute-samourai: A resumable samourai.txt backup file cracker, written in Go [Github]
- A tool that enables brute-force attacks on Samourai Wallet backup files, based on Calin Culianu's brute38
- Users can specify character sets, passphrase lengths, patterns, or input files.
- Genesis Key: A 256-bit private key designed for durable offline Bitcoin storage
- The key ensures privacy by avoiding electronics and microchips, with entropy generated offline.
- 21e15: A Micro-Seed kit to stamp seed phrases on a single stainless steel washer
- The kit allows users to store up to 240 characters (120 per side) on a quarter-sized washer.
- Cypherbox: A modular Bitcoin-Lightning application for self-custody [Github]
- Cypherbox is a fork of BlueWallet v6.5.1, made to onboard newer users to advanced self-custody, supports integration with hardware wallets, and utilizes the Coinos.io API.
- BitSpenda: Send bitcoin and receive mobile money instantly. No account. No KYC.
- BitSpenda allows users to send Bitcoin, converting it into mobile money for recipients in Ghana, with plans for expansion.
- Coinflip: A PoC exploring multiparty contracts on Ark
- Real-time coordination is achieved through Nostr, while Ark handles validation and settlement.
- Bitcoin Forking Guide: A guide aimed at achieving consensus before code changes
- The guide outlines a six-phase process: Research and Development, Power User Exploration, Industry Evaluation, Investor Review, Finalization, and Activation.
Vulnerability Disclosures
- JavaScript injection attack: Safe{Wallet} confirms targeted TraderTraitor attack on Bybit resulting in $1.4 billion stolen [Bybit's Audit report] [Safe{Wallet} Investigation update]
- Forensic analysis confirms that the threat group TraderTraitor successfully compromised a Safe{Wallet} developer's machine and extracted AWS session tokens from that machine in order to bypass multi-factor authentication.
- It then enabled the attackers to target Bybit by spoofing their UI interface during transaction signing.
- "As @adam3us suggests, #Web3 and #DeFi visibility is a general intrinsic problem of ALL Hardware Wallets, not of a specific vendor. A low power, air-gapped, small screen device will never be a good place to verify a complex Web3 or DeFi transaction." [Tal Be'ery]
- Malicious PyPI package "set-utils" steals Ethereum private keys by hooking wallet functions [The Hacker News]
- The "set-utils" package, mimicking popular Python utilities, targeted software wallet developers.
- It intercepted Ethereum private keys during wallet creation and exfiltrated them through regular on-chain transactions.
- Brain Wallet vulnerability?: A user withdraws 0.024 and 0.06 bitcoin from an exchange to a low-entropy or compromised address [Twitter post]
- Bots sniped both transactions from the mempool and stole the funds within milliseconds, with the ensuing Replace-By-Fee bidding war burning the entire amount in fees.
- OpenSSH vulnerabilities expose clients and servers to attacks [Qualys Security Advisory]
- The Qualys Threat Research Unit has identified two OpenSSH vulnerabilities:
- CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client: allows machine-in-the-middle attacks when the VerifyHostKeyDNS option is enabled, even without user interaction.
- CVE-2025-26466: DoS attack against OpenSSH's client and server: permits pre-authentication denial-of-service attacks, consuming system resources and potentially disrupting SSH services.
- USB side-channel attacks: A new privacy threat through hub congestion [CyberInsider]
- Security researchers discover a novel USB side-channel attack that exploits hub congestion to monitor user activities without physical access or malware installation. The attack analyzes traffic patterns in shared USB bus architecture.
- The keystroke recovery attack uses a rogue USB mouse to detect typing patterns, achieving 36.3% accuracy for password prediction within top 10 guesses. Website fingerprinting attacks reach 83.4% accuracy in identifying visited sites.
- Cellebrite: Critical Android security flaws exploited to target student activist in Serbia [TechCrunch]
- Amnesty International discovers three zero-day vulnerabilities in Android's Linux USB kernel, potentially affecting over a billion devices. Google has since fixed these flaws, which were used by Cellebrite's forensic tools to unlock phones.
- The vulnerabilities were uncovered during an investigation of a Serbian student activist's phone, who was targeted by the Serbian Security Information Agency. The authorities used Cellebrite software to unlock the Samsung A32 phone without consent.
- Messengers vulnerabilities:
- Meshtastic firmware vulnerability allows user impersonation [Disclosure]
- A flaw was discovered in Meshtastic firmware versions up to 2.5.18, enabling attackers to send messages that appear as if sent by any user.
- The vulnerability involved crafting MQTT messages misinterpreted as direct text messages. However, it did not bypass PKI but caused packets to be displayed as received via PKI when actually sent using the channel key.
- EvilLoader: Android Telegram vulnerability enables malicious APK distribution through fake video files [Mobile Hacker]
- It works by manipulating HTML files with MP4 extensions, causing Telegram to misidentify them as legitimate videos. When users attempt to play these files, they are prompted to install external applications that could contain malware.
- Russian hackers exploit Signal's device-linking feature for espionage [Google Threat Intelligence Group]
- Attackers send phishing messages with spoofed QR codes, tricking victims into linking their Signal accounts to devices controlled by the hackers, enabling real-time message interception without full device compromise.
- Google's Threat Intelligence Group warns that these techniques may be used against other encrypted messaging services like WhatsApp and Telegram.
- GitVenom: A cryptocurrency theft campaign using fake GitHub projects [Secure List]
- Threat actors have created hundreds of fake GitHub repositories, posing as legitimate projects like Instagram automation tools and Bitcoin wallet managers.
- These repositories contain malicious code that deploys stealers and backdoors to compromise users' systems.
- A clipboard hijacker within the malicious code replaces copied cryptocurrency wallet addresses with attacker-controlled ones.
- Stablecoin payment firm Infini loses $50M in exploit, developer deception suspected [Coin Telegraph]
- The firm lost $50 million in USDC due to an exploit by a rogue developer who retained administrative privileges after project completion.
- Five dollar wrench attacks:
- eNCA Report: Cryptocurrency is becoming a more common method for ransom demands in modern kidnappings
- Crime expert Yusuf Abramjee reports a rise in kidnapping cases with many involving express kidnappings or ransom demands.
- Kidnapping operations have become more sophisticated, with specialized teams handling different stages such as tracking, abduction, and ransom negotiations.
- Streamer Amouranth reports being attacked in a home invasion by armed intruders demanding cryptocurrency [Daily Star]
- She says they pulled her from bed, pistol-whipped her, and forced her to log into her phone at gunpoint.
- Amouranth previously revealed her $20 million bitcoin holdings to her audience.
- In Vietnam, a Chinese man was successfully rescued from kidnappers by Ho Chi Minh City police [Tuoi Tre News]
- The criminal group, consisting of three Chinese nationals and three Vietnamese accomplices, attempted to extort 600,000 USDT from their victim, who was held in a remote area.
- Six men are accused of kidnapping and holding hostage a family and a nanny for five days, in October 2024, demanding $15 million in cryptocurrency. [Chicago Tribune]
- The FBI arrested one suspect in January, while others are believed to have fled to China. Around $9 million of the ransom remains unaccounted for.
- South Korean police arrest four individuals linked to the murder of a Chinese man in Jeju Island [Decrypt]
- The victim had traveled to Jeju Island to conduct a private cryptocurrency transaction of about $52,500.
Audience Questions
- Thanks to everyone who sent in questions. Remember to send yours to questions@bitcoin.review.
- Audience question for guests to comment on a flaw in Bitcoin Core regarding mining pools and their vulnerability against block withholding attacks, referring to this post -@anon
Privacy & Other Related Bitcoin Projects
Software Releases & Project Updates
- SimpleX
- v6.3.0
- Better groups:
- Mention members and get notified when mentioned
- Send private reports to moderators
- Delete, block and change role for multiple members at once (Android and desktop only)
- Faster sending messages and faster deletion
- Better chat navigation
- Organize chats into lists to keep track of what's important:
- Jump to found and forwarded messages
- Better privacy and security
- Private media file names:
- Message expiration in chats
- Privacy policy Update
- Add content license in groups, and stated that NO LICENSE is granted to the server operators or ourselves
- Add the conditions of access to preconfigured servers via modified 3rd party applications (The previous policy version prohibited it, unintentionally)
- Clarify definitions:
- "Aggregate statistics" explicitly excludes any stats that can be related to particular users
- The content that can be removed changed from "identified illegal content" to "illegal content identified in publicly accessible resources"
- Sideband v1.4.0
- Add ability to export telemetry to MQTT brokers
- Add MQTT renderers for all telemetry types
- Add LXMF Propagation Node statistics sensor type to Telemeter
- Add RNS Transport statistics sensor type to Telemeter
- Add Connection Map sensor type to Telemeter
- Add periodic cleaning of old telemetry data from the database
- NomadNet v0.6.1
- Add tabs to the announce stream
- Improve LXMF propagation node list UI
- Add acceptance rate stat to propagation node list entries
- Rdsys v1.0 - First Rdsys table version
- The Tor Project replaces BridgeDB with Rdsys for distributing bridges
- moat: the type of the captcha bridge response is "moat-bridges"
- bridgedb-metrics: use country if available
- Mullvad partners with Obscura VPN and launches a "two-party VPN service that uses our WireGuard VPN servers as its exit hop". [Announcement]
- Obscura's custom protocol, based on QUIC, mimics HTTP/3 to bypass firewalls and censorship.
- Mynymbox launches email hosting service [Announcement]
- Mynymbox introduces a privacy-oriented email hosting service supporting POP3, IMAP, SMTP, and webmail. Users can bring their own domain and are not restricted to a specific email client.
- Kagi now offers Privacy Pass, a cryptographic protocol that ensures user authentication without tracking personal data or searches [Announcement]
- The protocol adds an extra privacy layer by unlinking user searches from their identity.
Project spotlight
- Rayhunter: Rust tool to detect cell site simulators on an Orbic mobile hotspot [Github]
- Rayhunter is an open-source tool that runs on affordable Orbic RC400L mobile hotspots to detect cell-site simulators used for mobile surveillance.
- The tool monitors control traffic between mobile networks and hotspots, alerting users to suspicious activities through a simple color-coded interface and storing detailed logs for expert analysis.
- RAVA: an Open Hardware True Random Number Generator based on Avalanche Noise [Github]
- RAVA is an open-source True Random Number Generator offering high-quality entropy with independent random bit generation.
- It features dual entropy cores, differential design, and full transparency with accessible hardware and software for customizability and integration.
- PrivX: A secure, private pastebin alternative without JavaScript [Github]
- It features AES-256 encryption, assigning unique keys to each paste, and employs a zero-knowledge architecture, preventing administrators from accessing stored data.
- PrivX is a fork of IncognitoBin, and is also available on Tor Onion.
- CypherHub: A verifiably secure dead drop for sharing Bitcoin addresses and other secrets [Description]
- A tool for sharing Bitcoin addresses and confidential information without logging into accounts
- Data encryption happens client-side in the browser, ensuring the server never receives unencrypted information. The recipient decrypts it using a shared password.
Nostr
Project spotlight
- 24242.io
- nostr.media
- Frostr: Simple t-of-n remote signing and key rotation protocol for nostr, using the powers of FROST [Github]
- FROSTR enables users to split their secret key into decentralized, distributable shares, enhancing security.
- Users can sign messages using t-of-n signing devices; if one share is compromised, the secret key remains safe.
- Shares can be discarded and replaced without changing the secret key or identity.
- nostr-double-ratchet: Implementing double ratchet encryption in nostr [Github]
- The implementation includes features such as invite links for secure session key exchange, with installation available via npm or yarn. (The project is currently a work in progress)
- DVMCP: Bridging MCP servers to Nostr's data vending machine ecosystem [Github]
- DVMCP enables the integration of Model Context Protocol (MCP) servers with Nostr's decentralized Data Vending Machine (DVM) ecosystem.
- The project includes packages for bridge implementation, discovery service for MCP tools, and shared utilities across components.
- Samiz: BLE mesh for nostr notes when the internet is down [Github]
- Samiz is a Bluetooth mesh system for sharing Nostr notes without internet, relying on local synchronization between devices.
- The system works by creating a session where devices near each other can automatically share and store notes, even in remote areas or during internet outages.
- Welshman: A nostr toolkit focused on creating a highly configurable client system, extracted from the Coracle nostr client [Github]
- "A series of independent libraries for managing every aspect of your Nostr application."
- Norma: A Nostr Relay Management Panel [Github]
- Norma (Nostr Relay Manager), is a nostr client based on NIP-86 (Relay Management API)
- Wallet Relay: High performance relay for enabling NWC & Cashu Wallets [Github]
- "Wallet Relay is a specialized relay for wallet service providers to process NWC and Cashu Wallet events."
- Nostr0: A web application that allows you to search and visualize Nostr events using npubs [Github]
- nAuth Protocol: decentralized two-party Authentication and secure document transmission [Github]
- The nAuth protocol enables two parties to authenticate each other and securely share documents without third-party involvement
- Designed for scenarios like patient-physician interactions, nAuth allows either party to initiate authentication, accommodating devices with limitations such as the absence of a camera.
- Hostr: Rental accommodation using purely peer-to-peer technologies such as Nostr [Github]
- The project implements several NIPs: NIP-01 for event creation and subscription, NIP-05 for mapping Nostr keys to DNS-based identifiers, and NIP-33 for creating and updating listings and bookings.
Software Releases & Project Updates
- Primal
- v2.1.9
- Multi-account feature
- Deep-linking
- Articles pagination
- Share photo/video via Primal app
- Bigger previews for Github links
- Legends contributions
- nevent with relay hints when copy note id
- nevent and nprofile when creating primal share links
- nevent and nprofile in the note editor for mentioned notes and users
- Ellipsis links in note content
- v2.1.6
- Improved feeds
- Deep linking threads, articles, profiles
- Coracle
- v0.6.8
- Correctly fetch and render NIP 22 comments
- v0.6.7
- Add note info to DMs
- Make lnurl parsing more robust
- v0.6.6
- Show complete website/lnurl
- Scan images for sensitive content
- Make muting on feeds more strict
- Apply muted words to nip05
- v0.6.1
- Use wasted space on mobile notes
- Show PoW difficulty in settings
- v0.6.0
- Add support for tor/local relays
- Use nstart for onboarding process
- Show more details on reaction notifications
- Improve mutes, add setting to completely hide muted people
- Add kind 20 rendering support
- Add pinned note support
- Remove broadcasting of note parents
- Add note scheduling via DVM
- Flotilla
- Iris Update
- Deploy double ratchet messaging (See Iris software release)
- Yakihonne
- Web v4.4.0
- Zap polls can now be added directly from the list or created instantly within notes and comments
- Muting users is now more reliable
- Users can download and export their NWC secret for wallets
- Wallets and account credentials are automatically saved upon signup and logout
- Faster login and signup when interacting with Yakihonne while logged out
- Mobile v1.6.6
- Ability to export your NWC wallets and your keys
- Blink wallet is now available as one of the external wallets that can be used
- Private messages drafts are now available
- Notes stats optimised
- Wallet management overall performance has been improved
- nos.social
- v1.2.1
- Add Lists view and two ways to navigate to it
- Add view for editing a list's title and description
- Add List detail view
- Add view for managing users in a list
- Add ability to delete lists
- Add analytics for feed source selection and lists
- Internal Changes:
- Add function for creating a new list and a test verifying list editing
- Localized strings on the feed filter drop-down view
- Audit codebase for strict access control and mutability annotations
- Keychat App
- v1.27.2 - Amber Login
- Support for logging in or importing accounts using amber app
- Support for amber's signMessage, signEvent, nip04, and nip44
- Refactored routing for the room settings page
- Browser support for sharing URLs to rooms
- v1.26.8
- Add a scan button to the Cashu page
- Remove pubkeys from listening when disabling the chat identity
- Amber
- Algo Relay
- v0.2.0
- User Dashboard:
- Allows any npub to login to the relay
- Ability to view the data used by the algorithm to generate a feed
- Ability to customize the weights to curate your own feed
- v0.1.5
- Switch import back to 30 days
- Default to kind 1 if empty filter
- Sequential Migrations
- Page Handlers: introduces a new pattern to define static pages and api endpoints with a mux router
- 0xChat App v1.4.7-beta
- Major Updates:
- Private chat implementation changed to NIP-104 Nostr MLS (NIP-104 MLS is still in beta and should be used for testing purposes only.)
- Other Updates:
- NIP-17 and NIP-29 messages now support q tags
- You can swipe left to reply on your own messages
- Chat messages now support code block display
- Copy images from the clipboard
- Nostur v1.18.1
- Floating mini video player
- Videos:
- Save to library
- Copy video URL
- Add bookmark
- Improve video stream / chat view
- Top zaps on live chat
- Posting to Picture-first
- Profile view:
- Show interactions with you (conversations, reactions, zaps, reposts)
- Show actual reactions instead of only Likes
- Improve search + Bookmark search
- Detect nsfw / content-warning in posts
- "Show more" to show reactions outside Web of Trust
- "Show more" to show zaps outside Web of Trust
- Support .avif image format, .mp3, and .m4v video format
- Improve zap verification for changed wallets
- Improve outbox support
- Show label on restricted posts
- Low data mode: load media in app on tap instead of external browser
- Nowser v1.0.0
- Linux webview support
- NIP46 encrypt and decrypt method change to NIP44
- i18n support
- Android signer try to get code by currentUser
- URL input support direct search something
- Web URL input add suggestion
- BitBanana
- v0.9.1
- Pick first hop on lightning payments (LND)
- Rebalance channels (LND, use first and last hop in a self-payment)
- Inspect LND and Core Lightning logs
- Add search and verbosity filter to log view
- v0.9.0
- Add Coin Control support
- "Send all" option
- Support for custom BlockExplorers on Regtest nodes
- Fixes for nodes with more than 500 outgoing lightning payments
- Performance improvements for nodes with lots of payments
- Kyoto v0.9.0
- Introduce log level and optimize release builds to remove heap allocations for debug messages
- Configure a custom DNS resolver
- Mostro v0.13.2
- Feat: Put the user's reputation updated in the events
- Feat: Do not allow a taker to take multiple orders at once
- Shows relay list on relay list event job
- Fix on some full privacy cases
- Correct full privacy mode check when orders arrive
- Grain v0.3.0
- Nostr Login & Profile Page:
- Introduce Nostr login to the front end, allowing users to authenticate using their Nostr key.
- Future updates will add more front-end functionality, including event management, delete requests, relay configuration for operators, and a dashboard with relay statistics.
- User Sync (Experimental):
- New user sync functionality allows the relay to sync events for its users from their outboxes.
- Add configurable sync options: define which event kinds to sync, define a limit of how many events to retrieve, and exclude non-whitelisted users from sync.
- Nostrmo v2.9.6
- This release mainly changes the remote signer (NIP-46) encryption method from NIP-04 to NIP-44.
- OpenLibrarian v0.1.7
- Add Book reviews
- NIP-07 Login
- Extensive client-side rebuild
- Add retries of get_default_pages on progress objects
- GitPlaza: Nostr git stuff client for Desktop [Codeberg]
- GitPlaza is a Desktop Nostr client specialized in handling git stuff
- V0.1.0 - First release
- Login via nsec
- Show activity feed of people you follow
- Create issues
- Comment on issues
Lightning + L2+
Project spotlight
- Chantools: Tools for managing LND and Lightning Network channels [Github]
- Chantools is a collection of tools for managing LND and Lightning Network channels, especially in case of failures.
- It provides recovery options for scenarios like node crashes, missing backups, or issues with unconfirmed channels.
- Hashpool: An accountless mining pool that represents mining shares as ecash tokens [Github]
- The system utilizes "eHash" tokens, which are ecash tokens backed by proof of work rather than bitcoin. These tokens mature over time and can be traded as mining futures, allowing miners to hedge risks and buyers to purchase bitcoin at discounted rates.
- While Hashpool operates on a custodial basis through ecash mints, it offers perfect privacy through blind signatures. The platform enables small-scale miners to participate without KYC requirements and maintains no minimum withdrawal thresholds.
- ZapGram: Bitcoin Lightning Wallet on Telegram [Github]
- ZapGram integrates a Bitcoin Lightning wallet directly into Telegram, permitting transactions within the messaging platform.
- Quest for Sats: Geocaching with Bitcoin
- Quest for Sats combines geocaching with Bitcoin, allowing users to find hidden containers in their area and withdraw their earnings using a Lightning wallet.
Software Releases & Project Updates
- CLN v25.02
- Highlights for users:
- Channel backup turns our peers into watchtowers by now allowing your node to generate penalty transactions
- Blacklisted runes can now be restored via relist
- xpay has many, many bugfixes, and is now almost seamlessly compatible when xpay-handle-pay is used
- lightning-cli has neater help output, and doesn't crash occasionally on xpay notifications
- setconfig does more safety checks and uses a separate "config.setconfig" file for runtime changes
- Highlights for the network:
- Splicing: stricter checking for better interoperability with Eclair.
- Highlights for developers:
- clnrest is now a rust plugin
- listpeerchannels now contains fields their_max_htlc_value_in_flight and our_max_htlc_value_in_flight to better calculate channel limits
- New notifications plugin_stopped and plugin_started
- fetchinvoice now has BIP353 DNS payment instruction support
- Lightning Terminal v0.14.1
- This version of Lightning Terminal (LiT) ships the first update to the non-experimental version of Taproot Asset Channels
- Breaking changes
- Taproot Asset Channels: Taproot Asset channels are NOT backward compatible with any previous version of Lightning Terminal
- Oracle RPC: The RPC protobuf definitions for the Price Oracle have changed. Asset exchange rates are now expressed as FixedPoint to achieve better precision
- Configuration changes: The configuration value and command line flag now needs a value and is no longer a boolean. The value now controls whether the node's universe database can be accessed over RPC and either read or written to or both.
- litcli changes: The Taproot Asset Channel related sub commands of litcli ln no longer require a custom macaroon to be specified, they now work with the default lit.macaroon
- Phoenix Wallet v2.5.0
- (android) Improved scanner performances: The scanner should be able to read QR codes faster, and do so on a wider range of devices
- Access to Tor now requires a third-party Tor Proxy VPN app (e.g. Orbot): With the Tor connection managed as a persistent VPN by a dedicated app, the connection is more stable, and background payments work much better.
- (ios) Display the final wallet balance in the home screen: Pending on-chain funds are now displayed in an updated window in the Home screen; it also shows the funds available in the final wallet.
- (android) Removed legacy app: The old legacy app has now been removed. Along with other optimisations, this means the APK is now much smaller (16.5 MB instead of 72.5 MB).
- Note that there has been a major database rework in this version, which is not visible to the user but impacted many files in the project.
- Phoenixd v0.5.0
- Major rework of the internal payments db
- No more linux native build issues due to old toolchain, should build with no dependency on most recent distributions
- Rolling log file
- Fixed a memory leak in the TCP reconnection logic
- New --seed-path configuration option
- Ability to lookup outgoing payment by payment hash
- Zeus v0.10.0-rc5
- Renewable channels
- NWC client support
- Ability to create multiple Embedded LND "node in the phone" wallets
- Ability to delete Embedded LND wallets
- Embedded LND: v0.18.5-beta
- New share button (share ZEUS QR images)
- Activity: highlight filter icon when filters active
- Tools: Export Activity CSVs, Developer tools
- Activity: filter by max amount, memo, and note
- CLNRest: add payment timeout setting
- Receive: add advanced settings toggle
- ZEUS Pay: ability to delete addresses
- Fedimint v0.6.0 - On-Chain for Everyone
- The on-chain wallet is no longer considered "expert-only"
- Other highlights since v0.5
- Federation will now reject attempt to reuse ecash blind nonces, preventing possibility of loss of funds even in the event of client-side bugs and data corruption
- Fedimint will now query (configurable) external sources for feerate information to improve real time fee estimation
- On-chain feerate multiplier has been lowered, as it no longer needs to be as conservative
- LN payment events are now tracked, allowing tracking profit and fees statistics
- It's now possible to customize LNv2 gateway fees
- Client recovery has been optimized and should be faster and use less data
- Core lightning gateway is no longer supported
- Work has been started on Iroh networking integration
- Fedimintd should use less memory now
- Alby
- Hub
- v1.15.0 - Ian Goldberg
- One-click connections for self-hosted hubs
- Add pagination to tx list
- Add peer and return_to query parameters to peer connection page
- Show app creation time in connection summary
- Show wallet pubkey on connection summary
- Add app cleanup page
- Add swap alert
- Show total and reserved balance in spending balance tooltip
- v1.14.2 - Mike Godwin
- In this release we also add some cool new widgets to the home screen and many new apps to the app store. Alby Hub now has a healthcheck indicator, better fiat support, NIP-44 encryption, and a way for self-hosters to support Alby! We've also added basic swap functionality to the node page so you can more easily manage your liquidity without having to open new channels.
- The Cashu backend was also updated - you can now recover stuck funds, and new users will have a recovery phrase with which they can recover their funds in other wallets.
- New features:
- Add boltz.exchange swap out option
- Add boltz swap in dialog
- Use nip44 and versioning
- PostgreSQL support
- Enable multi-path payments in LND
- Node page revamp for web and mobile
- Display specific notes about counterparty above open channel buttons on increase incoming/outgoing flows
- Show failure reason on transaction modal in transaction list
- Add nostrcheck-server to Appstore
- Add new apps to Hub's Store (nostter, btcpay, coracle, lnbits)
- Add new apps to appstore
- Phoenixd subwallets
- Add same counterparty alerts while opening channels
- Currency switcher
- Go v1.10.0
- Support for PicknPay QRs
- BTC Map to find places to spend sats
- Improve Skeleton animations across the app
- bitcoin-connect v3.7.0
- Add alby hub
- Add coinos connector
- Add connection success screen
- Add slide up animation on modal open in mobile
- Add disconnect button while connecting a wallet
- Add NWA & Alby Go
- js-sdk
- v4.1.0
- Simplify NWA flow
- Add sign message method to Alby OAuth Client
- v4.0.0
- In this release the NWC deeplink flow is improved to better support different kinds of http-accessible wallets
- We also remove a dependency on an ESM event emitter package which was causing build errors in some projects
- New features
- New NWC deeplink flow to support other relays and wallet pubkeys
- Add custom-timeout-values-for-requester-method
- Custom EventEmitter classes
- Add optional metadata field to get_info response
- Ark Labs HQ wallet-sdk v0.0.7
- export ArkAddress and VtxoTapscript
- Make the lib compatible with webpack
- Settle implementation
- Ark v0.5.0 - Branch-only Signing Sessions and Connector Trees
- New Features
- Branch-only VTXO Tree Signing: Optimizes VTXO tree signing; drastically cuts down on the number of signatures you have to produce, making rounds quicker and less resource-intensive.
- Connector trees: Another notable addition is the move from a linear connector chain to a tree structure.
- Optimizations
- Network compatibility and transaction costs
- Round processing and client interaction
- Scalability improvements
- Client SDK API update
- Taproot Assets v0.5.1
- Database Migrations: tapd v0.5.1 contains non-revertible database migrations.
- Breaking changes
- Downstream Projects: litd v0.14.x-alpha enhancements require both channel peers to upgrade to a litd version >= v0.14.0-alpha to continue Lightning Channel functionality
- tapd v0.5.x changes
- Oracle RPC: The RPC protobuf definitions for the Price Oracle have changed
- Configuration changes: The configuration value and command line flag now needs a value and is no longer a boolean
- lightning-kmp v1.9.0
- Rename OfferIssuerId
- Simplify outgoing payment state machine
- Remove support for push_amount
- Use shared input's txOut in shouldSignFirst
- Make the project multi-modules
- Correctly set next_commitment_number during splice reconnect
- Add require_confirmed_input to RBF messages
- Add a succeededAt timestamp to payments
- validating-lightning-signer v0.13.0 - Celestial Citadel
- Added:
- configure SimplePolicy values using vlsd2.toml
- fuzz: basic fuzzing of the vls-core crate
- developer flag for dev messages and fields
- core: oid derivation for ldk channel id
- protocol: implement sign_holder_htlc_tx for LDK / phase-2 code path
- Changed:
- core: Add new and oid methods to ChannelId and remove the oid/channel_id utility methods
- LSS: split lightning-storage-server into library and lssd
- SideSwap v1.7.0
- New swaps API
- Fee discount
- Cross-wallet swaps
- Peg-in/peg-out wallet balance
- CDK v0.7.1
- Mint builder add ability to set custom derivation paths
- eNuts is no longer maintained [Note]
Boosts
- Thanks to everyone who streamed sats, and shoutout to our top boosters:
- [TOP BOOSTER] @sean (3,000 sats) "Open sourced decentralized CIA? Sounds like y'all need to tap into the intellectual Silk Road"
- @pink monkey (2,000 sats)
- @Anonymous (2,000 sats)
- @martinbarilik (750 sats) "Short AI intro right …"
- @Momo Tahmasbi (100 sats) "Arkansas Traveler was a great song recommendation!"
- @jespada (100 sats) "Zzzzap"
Tech Tips of the Day
- Encoding data within emoji using unicode variation selectors [Paul Butler's Blog post]
- A demonstration on how to encode arbitrary data within a single emoji by utilizing Unicode variation selectors, which modify character presentation without visible changes.
- By appending sequences of these selectors to a base character, data can be concealed within any Unicode character.
- Bypassing hotspot restrictions for data [Article by Juraj Bednar]
- Mobile carriers often detect tethering by monitoring Time to Live (TTL) values in data packets. Standard mobile devices send packets with TTL of 64, while tethered devices show TTL of 63.
- The solution involves setting device TTL to 65, making tethered traffic appear as direct phone traffic with TTL 64.
- WA-Tunnel: Tunneling Internet traffic over Whatsapp [Github]
- WA-Tunnel allows TCP data tunneling via WhatsApp, useful for bypassing network restrictions such as limited carrier data.
- The system works by sending network packages as WhatsApp messages, splitting large data into files or text to avoid message limits.
Bitcoin Optech Newsletter
- Highlights from recent Bitcoin Optech Newsletters
- 344
- Disclosure of fixed LND vulnerability allowing theft: Matt Morehouse posted to Delving Bitcoin to announce the responsible disclosure of a vulnerability that affected LND versions before 0.18.
- Discussion about Bitcoin Core's priorities: several blog posts by Antoine Poinsot about the future of the Bitcoin Core project were linked in a thread on Delving Bitcoin
- 343
- Ignoring unsolicited transactions: Antoine Riard posted to Bitcoin-Dev two draft BIPs that would allow a node to signal that it will no longer accept tx messages that it had not requested using an inv message, called unsolicited transactions.
- 342
- Allowing mobile wallets to settle channels without extra UTXOs: Bastien Teinturier posted to Delving Bitcoin about an opt-in variation of v3 commitments for LN channels that would allow mobile wallets to settle channels using the funds within the channel for all cases where theft is possible.
- Continued discussion about an LN quality of service flag: Joost Jager posted to Delving Bitcoin to continue discussion about adding a quality of service flag to the LN protocol to allow nodes to signal that one of their channels was highly available.
- 341
- Continued discussion about probabilistic payments: following Oleksandr Kurbatovâs post to Delving Bitcoin last week about emulating an OP_RAND opcode
- Continued discussion about ephemeral anchor scripts for LN: Matt Morehouse replied to the thread about what ephemeral anchor script LN should use for future channels
- Stats on orphan evictions: developer 0xB10C posted to Delving Bitcoin with statistics about the number of transactions evicted from the orphan pools for his nodes
- Updated proposal for updated BIP process: Mark "Murch" Erhardt posted to the Bitcoin-Dev mailing list to announce that his draft BIP for a revised BIP process has been assigned the identifier BIP3 and is ready for additional review
News & Noteworthy
Bitcoin
- The Satoshi Nakamoto Institute introduces The Reorg, a new podcast hosted by @Bitstein, exploring "the SNI archives to reexamine our ideas after years of accumulated proof-of-work."
Business & Finance
- Proton Wallet officially launches and is now accessible on iOS, Android, and web platforms, for all users [Announcement]
- Custodial Lightning wallet service LifPay temporarily suspends operations to align with regulatory requirements [Announcement]
- Users are advised to withdraw their bitcoin within 60 days by submitting a withdrawal request.
- Orange Pill App introduces Lightning-enabled bitcoin wallet [Announcement]
- The wallet aims to enhance community engagement through features like mass zapping, and plans to introduce geo-zapping, enabling users to send Bitcoin to others based on geographic locations.
- Brazilian financial solutions company Transfero partners with Lightspark to add speed and cost efficiency to Bitcoin transactions using the Lightning Network [Press release]
- Tropic Square introduces pre-production samples of TROPIC01, an open architecture RISC-V secure element [CNX Software's Article]
- TROPIC01 ensures tamper-proof hardware Root of Trust, enabling secure cryptographic key management and data storage in devices like hardware wallets and IoT products. [Product brief]
- Fold introduces its Bitcoin Rewards Credit Card, offering cashback in bitcoin [Press release]
- Canaan announces the Avalon Q, a home mining device with a hash rate of 90 TH/s. [Announcement]
Funding
- OpenSats receives $250,000 donation from HRF's Bitcoin Development Fund, directed at its Operations Budget [Announcement]
- Vinteum announces its fifth grant to Pins for their work on LND [Blog post]
- The donation has been divided for three non-profit organizations Brink, OpenSats, and the Human Rights Foundation
- Blockstream opens its grant application portal for Bitcoin L2 projects, taking place on-site at the Lugano Research Hub [Portal]
- Brink receives a $50,000 contribution to their open source Bitcoin development efforts from VanEck, and another $50,000 contribution from River
- Bitwise donates $150,000 to support Bitcoin open-source developers [Announcement]
- The University of Austin invests $5 million of its endowment in Bitcoin, partnering with Unchained for the initiative. [Announcement]
Mining
- Bitaxe miner with 3.3Th of hashrate successfully mines a Bitcoin block, defying odds of 1 in 250,000,000 [Block 887212]
- The device found a block with 719T difficulty, exceeding current difficulty levels, and has reportedly been operating for less than a month, generating approximately 350M shares.
- Braiins reveals plans to open-source its BCB 100 control board [Announcement]
- The release includes software (OpenWrt-based distribution, Linux support, and firmware source code) and hardware specifications (schematics, BOM, and CAD data), excluding the mining software.
- All materials will be available under GPLv3 on the Braiins GitHub repository by the end of March.
Privacy
- Bisq trade trends: An analysis of trading trends on the Bisq protocol in 2024
- The number of trades on Bisq decreased in 2024, but USD volume per trade increased, indicating higher value per transaction.
- Payment methods like Strike, Zelle, and Cash By Mail showed different trends in the volume and average value of trades in 2024.
- Bisq's surveillance discount was typically smaller than expected, with Cash By Mail offering the best rate and Strike the worst in 2024.
- UK Government orders Apple to create backdoor for encrypted iCloud accounts [TechCrunch]
- The UK Home Secretary's office has issued a secret order under the Investigatory Powers Act of 2016, requiring Apple to provide access to user data protected by its Advanced Data Protection for iCloud.
- In response, Apple has withdrawn support for Advanced Data Protection in the UK, and goes to court to fight the UK's demand.
- Mozilla revises Firefox terms after user backlash over data usage [TechCrunch]
- Mozilla has revised its Firefox Terms of Use, removing the explicit promise to "never sell personal data", citing evolving legal definitions of data sales.
- In response to feedback, Mozilla updates the terms to clarify that they do not claim ownership of user data and that data usage is limited to operating Firefox as described in the Privacy Notice.
- Kraken's 2024 Transparency Report: Kraken received 6,826 data requests from law enforcement and government agencies across 71 countries, marking a 38.6% increase from 2023
- U.S. agencies accounted for 28.6% of these requests, with the FBI submitting 614. Kraken provided data for 57% of all requests, covering 10,369 accounts, primarily linked to clients in the U.S. (34.5%), the U.K. (8.8%), and Germany (8.5%).
- X blocks Signal.me links, prompts error messages indicating potential harm or spam [Disruptionist]
- The company cites security issues with the domain that threaten user safety.
Protocol
- Bitcoin Core #25832: tracing: network connection tracepoints [Merged]
- "This adds five new tracepoints with documentation and tests for network connections"
- Bitcoin Core #27432: contrib: add tool to convert compact-serialized UTXO set to SQLite database [Merged]
- BIP #1712: BIP3: Updated BIP Process [Merged]
- Rust Bitcoin #4114: Policy: Relax MIN_STANDARD_TX_NONWITNESS_SIZE to 65 [Merged]
- Rust Payjoin #434: Multiparty Senders: NS1R [Merged]
- LND #9491: Allow coop closing a channel with HTLCs on it via lncli [Merged]
- LDK #3440: Support receiving async payments [Merged]
- LDK #3575: PeerStorage: Add feature and store peer storage in ChannelManager [Merged]
- Eclair #2989: Add router support for batched splices [Merged]
- Eclair #2979: Check peer features before attempting wake-up [Merged]
- BOLT #1228: Zero-fee commitments using v3 transactions [Draft]
- NIP #1807: Add On-Chain Send/Receive to NWC #1807 [Open]
- NIP #1777: NWC Deep Links: a standard for using deeplinks to communicate between a wallet and a nostr client [Open]
Government & Political
- President Trump confirms the creation of a U.S. Strategic Crypto Reserve, including BTC, ETH, XRP, SOL, and ADA [Truth social post]
- U.S. President brokers a prisoner swap, releasing BTC-e founder Alexander Vinnik [The Block]
- Vinnik, co-founder of BTC-e, pleaded guilty to money laundering charges in the U.S. and France.
- The U.S. SEC's Division of Corporation Finance states that meme coins are akin to collectibles, not securities [Statement]
- Consequently, transactions involving meme coins do not require registration with the SEC, leaving purchasers and holders unprotected by federal securities laws.
- Bitcoin asset seizure and civil contempt order [Court order]
- A U.S. federal judge holds Mr. Reynoso in civil contempt for violating a seizure warrant requiring him to transfer 119.65 BTC to a government-controlled wallet within 24 hours. Within hours of the warrant being served, Reynoso moved the bitcoin through multiple wallets, invalidating any claims of inability to access the funds. [Transaction]
- The FBI discovered Ledger software on Reynoso's laptop, and authorities confirmed his Bitcoin address through both the software interface and a text file in his Apple account.
- U.S. Marshals Service struggles with managing seized cryptocurrencies [CoinDesk]
- Previous reports and audits have criticized the agency’s inability to track forked assets and its reliance on insecure methods like unencrypted email for sharing bitcoin deposit addresses.
- Nigeria’s release of Binance Executive Tigran Gambaryan linked to U.S. surveillance assistance deal [The Rage]
- In October 2024, Nigeria released Binance executive Tigran Gambaryan, who had been detained since February 2024 on money laundering charges.
- The same day, the U.S. and Nigeria announced a “Bilateral Liaison Group on Illicit Finance and Cryptocurrencies”, providing Nigeria with US “resources and expertise” in investigating cybercrimes.
- Argentina’s President Javier Milei faces legal and political backlash over failed LIBRA memecoin launch [Reuters]
- Milei denies any involvement, claiming he had no prior knowledge of the token’s issues and is now calling for an internal investigation.
- CBP intensifies ASIC miner seizures, expands scope to MicroBT and Canaan units [Blockspace]
- U.S. Customs and Border Protection (CBP) is seizing Bitcoin mining ASICs at ports of entry, including Bitmain, MicroBT, and Canaan units, at the request of the Federal Communications Commission.
Central Banking
- The IMF requests El Salvador’s public sector to halt Bitcoin purchases as part of a $1.4 billion loan agreement [Atlas21] [Press release]
- The IMF’s conditions include banning public sector Bitcoin accumulation and mining, restricting issuance of Bitcoin-linked tokenized debt, and revoking Bitcoin’s legal tender status.
- The European Central Bank announced an expansion of the Eurosystem initiative for settling transactions using distributed ledger technology in central bank money [Press release]
- The initiative will explore how DLT can settle transactions within the Eurosystem.
- Heraclius: A Byzantine fault tolerant database system with potential for modern payments systems [Research paper]
- Heraclius is a project by the U.S. Federal Reserve which attempts to replicate Bitcoin’s decentralized security while keeping control in central hands.
- The Fed paper acknowledges Bitcoin as “the longest running electronic payment system that tolerates byzantine faults today”
Events
- Barcelona Cyphers Conference: Unleashing Decentralized Freedom
- June 6-7, 2025 in Barcelona, Spain
Reads
- Here’s a list of our top recently published reads:
- How Big Brother can attack Bitcoin without spending a dime, by Harsha Goli [Opinion]
- Prosecuting Privacy: Examining Samourai Wallet, Money Transmitters, and the Criminalization of Innovation, by Spencer Peek [Research paper]
- Atlas Mined, by Jon [Article]
- The Logic of Spending Bitcoin, by Parker Lewis [Read]
- What’s Driving Bitcoin Adoption in 2025?, by Sam Baker [River’s Research report]
- Every App Needs Bitcoin, by Miljan [Note]
- Why Keys Matter, by Holdbod [Note]
- Bybit’s $1.4b breach started with stock invest malware [Crypto.news]
Episode submission ideas
- We’re looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
- Podcast Twitter
- Podcast Nostr
- NVK Twitter
- Telegram
- Nostr & LN ⚡nvk@nvk.org (not an email!)
Did I get anything wrong above? Help me correct it producer@coinkite.com