How the Bitcoin Gold Wallets Were Exposed: The Fallout
The most important thing- if a seed or key was ever exposed to MyBTGWallet, is it necessary to move the funds as fast as possible, the wallet has been compromised and should not be used again.
The latest losses from MyBTGWallet date from November 18, at least when they were reported. No one knows how many addresses were exposed, but the losses are estimated to around 300 BTC, 300 BTG and also some Ethereum and Litecoin.
Cryptovest talked to the Bitcoin Gold developer team, which is made up of international developers on a voluntary basis. Some of them joined at the last moment to create the code, which was incomplete.
But the dev team denies to be involved with the user John Dass, who showed up out of nowhere and offered first a service for checking BTG balances, and then a web-based wallet.
The Slack channel of Bitcoin Gold was chaotic in the first days, and so the offer and link to MyBTGWallet was thrown around. Shortly, it stood on the official Bitcoin Gold website before it was removed with a warning. Here is a snapshot from the wallets offered as late as November 12, via the Wayback Machine:
According to a representative of the Bitcoin Gold developer team, the most probable scenario was that the new user created a wallet, saw how easy it would be to steal the private keys and later injected the code to do it. The Bitcoin Gold network launched officially on November 12, and in the next couple of days users desperately asked for a lighter wallet and some chose the web-based service.
Fortunately, previous coin-splitting scams were obvious and caught early, but MyBTGWallet angered a lot of early Bitcoin Gold adopters, who are now seeking ways to discover the identity of the wallet's creator and take legal action to seize the stolen cryptocurrencies.
Earlier, the Exodus wallet added a warning on being careful with the private keys:
The user John Dass first showed up on a BountySource thread back in October, first raising concerns from devs that his presence was dubious. But later, as the project rolled on, John Dass somehow slipped into the Slack community and spread his wallet.
After the exploit was discovered, devs and the BTG community scoured whatever information they could find on the servers of John Dass and additional traces of identity. He had shared his data with Namecheap, and the BTG team used that information to contact the FBI and mount a request to expose the person. So far, the result of this action is unknown.
But the story does not end here- in the newly created group of affected users, a fake representative called LauraBTG has shown up, but was discovered to be unrelated to Bitcoin Gold. Users were urged not to share information with her or further expose private keys to wallets.
The community has confirmed that in fact there is nothing in the power of LauraBTG to change the situation.
The fallout has also affected the voluntary developers of Bitcoin Gold, who reported they received hostility, despite not endorsing the wallet and urging to run the core version of BTG.
What is even more worrisome is that after Bitcoin Gold, other similar hard forks may arrive and scammers may lurk to exploit the rush to get "free coins". It is best to wait and see which wallet services have proven safe.
At the moment, there is a known risk of another compromised wallet, Electron Gold, but this one is a known threat and has not been promoted by the community.
We will keep tracking the story as it unravels, and see if law enforcement is ready to assist the crypto community in recovering valuable assets.