Bitcoin Gold: Project Loses User Funds to Scam

A wallet vulnerability affected early adopters of Bitcoin Gold, stealing up to 300 BTC.

While the Bitcoin Gold price was recovering, another hassle beset the project. An early wallet version for eager adopters, MyBtgWallet, turned out to cause a leak of funds, reportedly stealing up to 300 BTC along with newly minted BTG rewards.

On November 21, the site for the wallet was gone, and deemed insecure. New wallets are adding Bitcoin Gold every day, but the initial offer of a third-party wallet seems to have caused problems. The wallet that lost funds comes in addition to a series of fake coin-splitting sites launched around the early days of the hard fork.

The loss of funds happened around November 13-14, just a day after the main net launched for Bitcoin Gold. Soon after that, the team withdrew its recommendations for the wallet, which was initially pronounced safe on the Slack channel. The BTG team then prompted users to report the losses and promised further investigation.

Users lost funds by providing their private keys which led to a full wallet. Reddit users have advised to only split coins from an empty wallet and never use it again.

The probable loss from sending private keys to MyBTGWallet is estimated around $550,000.

Users believe the BTG team did not intentionally include the compromised wallet, but was merely careless to list it on the official site, from where it has been removed. The code was the work of developer John Dass. Later, the JavaScript exploit was discovered and described by Reddit user Uejji:

"So, to summarize, every time someone entered their mnemonic seed into MyBTGWallet.com, their mnemonic was Base64 encoded, stored on the website cookie and then transmitted to Google, where the scammer was free to decode it and have full access to that person's private keys derived from that seed."

This was achieved with a few lines of code hidden in the web-based wallet page, handing over the private seed for the hacker to view later. Browser kidnappings of private seeds are a known threat to crypto users, so it is best to avoid revealing the seed of a wallet, or to do it just for an empty wallet.

The Bitcoin Gold community added an apology in a special message, but already too late, adding to the problems.

The theft of Bitcoin Gold and the corresponding amount of Bitcoin is just one in a series of breeches in the past weeks, where funds were lost or compromised, intentionally or not, underlining the high risk of handling cryptocurrencies.