BR091 - AnchorWatch Trident Vault, Ledger Co-founder Kidnapped, Blue Wallet, M17, The Case for Multi-vendor Setups, Tails removes HWW Support + MORE ft. Craig & Rob
I’m joined by guests Craig Raw and Rob Hamilton to go through the list.
Housekeeping
00:01:11 Ross Ulbricht receives ‘a full and unconditional pardon’ from U.S President Donald Trump [Fundraiser]
00:03:44 New Marketing Manager position open at Coinkite
00:03:48 Exchanges BullBitcoin, River, Strike, Relai, CashApp, and Swan were added to BitcoinSecurity.guide
00:04:15 Check out Olas, an awesome new nostr app from Pablo
00:04:48 Call for guests: If you are a maker, working on bitcoin projects, we would love to have you on the show. Reach out at producer@coinkite.com
Urgent Vulnerability Disclosures
00:05:58 Ledger co-founder David Balland released after kidnapping [Bloomberg]
David Balland, co-founder of French crypto wallet startup Ledger SAS, was kidnapped from his home in central France on Tuesday, with the kidnappers demanding a substantial ransom in cryptocurrency.
Balland was freed on Wednesday night following a police operation and being rescued by the GIGN. He is currently receiving treatment from emergency services.
The kidnappers are said to have sent a finger as part of their request for money.
00:12:28 AxeOS CSRF Vulnerability: Using CSRF Attack to update the Payout Address on BitAxe Bitcoin Miners [Snotra’s disclosure]
AxeOS, the firmware for Bitaxe Bitcoin miners, lacks authentication and CSRF protections in its web interface, enabling unauthorized users on the same network to alter settings, including the stratum user, which determines the Bitcoin address for payouts.
A proof-of-concept demonstrates that visiting a malicious website can change a Bitaxe’s settings without user consent, redirecting mining rewards to an attacker’s Bitcoin address.
The web server’s permissive CORS headers further exacerbate the vulnerability, possibly allowing attackers to change hardware settings or upload malicious firmware.
Bitcoin
Software Releases & Project Updates
00:12:58 AnchorWatch launches U.S. service for bitcoin holders [Announcement]
AnchorWatch offers a bitcoin custody service with insurance from Lloyd’s of London, targeting U.S. customers holding between $250K and $100M in bitcoin.
Key features of AnchorWatch’s service:
Insured custody for bitcoin without requiring users to give up their keys
Lloyd’s of London Coverholder
Trident Vault provides protection through signing transactions while insured
Seamless transition to self-custody when policy ends
AnchorWatch aims to provide protection against various risks, including theft, loss of keys, and death.
Mint-005 is a 3 key joint custody vault that provides a way for a Principal to secure bitcoin with the help of an Agent.
It uses a negative control approach, where by default funds cannot be moved unless both the Principal and the Agent sign the transaction.
There are recovery mechanisms in place for situations where a party loses their keys or the agreement between the Principal and the Agent expires.
00:47:28 Bitcoin Core v28.1
This release includes new features, various bug fixes and performance improvements, as well as updated translations.
P2P
When the -port configuration option is used, the default onion listening port will now be derived to be that port + 1 instead of being set to a fixed value (8334 on mainnet). This re-allows setups with multiple local nodes using different -port and not using -bind, which would lead to a startup failure in v28.0 due to a port collision.
#30568 addrman: change internal id counting to int64_t
Key: #31166 key: clear out secret data in DecodeExtKey
Build:
#31013 depends: For mingw cross compile use -gcc-posix to prevent library conflict
#31502 depends: Fix CXXFLAGS on NetBSD
Test:
#31016 test: add missing sync to feature_fee_estimation.py
#31448 fuzz: add cstdlib to FuzzedDataProvider
#31419 test: fix MIN macro redefinition
#31563 rpc: Extend scope of validation mutex in generateblock
Doc: #31007 doc: add testnet4 section header for config file
CI: #30961 ci: add LLVM_SYMBOLIZER_PATH to Valgrind fuzz job
Misc:
#31267 refactor: Drop deprecated space in operator""_mst
#31431 util: use explicit cast in MultiIntBitSet::Fill()
00:48:10 Wasabi Wallet v2.4.0
Add support for sending to Silent Payment addresses; receiving is a work in progress
Instead of TestNet 3, Wasabi now uses TestNet 4
Release Notes are now also available in the client
A donation button has been added on the main screen
00:48:15 BDK v0.30.1 - DEPRECATED
The bdk library is now deprecated and replaced by bdk_wallet. All projects should migrate to bdk_wallet 1.0.0 or newer as soon as possible.
Update bdk 0.30.x README docs to deprecate the bdk library
00:48:27 Nunchuk Android v1.9.59
Taproot multisig wallets
Revamp add key flow
Honey Badger Premier
00:48:37 Specter Desktop v2.1.1
Add wallet export to Jade via QR
Expose internal node to localhost only
HWI upgrade to 2.4.x
Make Specter work with Bitcoin Core 28.0
Remove BLE code for Jade
00:49:02 Bitcoin Keeper
00:49:18 Blue Wallet v7.0.7
Import xpub as zpub/ypub if it was ever used
New wallet export screen
Display Lightning details in Invoice View
Add HKD fiat
Add loading indicator to Edit Vault row
Set preferred server from menu
Keyboard accessory on vault modal
Android menu icons
And many fixes
00:50:32 BTC Pay Server v2.0.6
This release contains a security fix for merchants using refunds/pull payments On-Chain with automated payout processors
New features
SEO: Add ability to customize HTML meta tags and HTML lang attribute for crowdfund and PoS
Add the ability for merchants to manually transition a payout from the InProgress state to AwaitingPayment
00:55:39 Liana v9.0 - It’s over 90.00k !
Breaking changes
Running Liana v9 on an existing installation will migrate its database. Once migrated the database won’t be compatible with previous versions of Liana.
The new Minimum Supported Rust Version of the GUI software is now 1.80
Liana daemon / library
The daemon feature was removed; we expect users to use their own process manager, like systemd
Three new columns are added to the table transaction: the number of inputs, the number of outputs and if the transaction is a coinbase transaction
A new column is_from_self is added to the coins table, and a new field is_from_self is added to the coin entry of the list_coins command
Liana GUI
A new button on the transactions panel allows users to export their transactions to an external file in CSV format
Bitcoind and electrum information in the settings panel can now be copied to clipboard
Coins that are change from transactions that the user controls are now part of the balance
Unconfirmed coins can now be selected by the automatic selection if the coin is from a transaction whose inputs are controlled by the wallet
00:55:58 Blockstream
Green QT v2.0.17
Add graphical assets for Jade Plus
Support video promo on Linux
Show total spent amount in transaction details
00:57:58 BoltzExchange
boltz-web-app v1.6.1
Safety check before calculating fees
Show when no lockup can be found for refund
Show routing fees
Pro build configuration
00:58:00 Live Wallet v1.0.0
Transaction privacy analyzing
Transaction output labeling (KYC, do not spend)
00:58:11 Kyoto
00:58:19 ESP-Miner
00:58:21 Bitcoin Safe v1.0.1
Add dark mode support
Add delete coin category (via right-click context menu) in addition to the “drag to delete button” method
Fixes missing USB (HWI) support in Windows and Mac builds
00:58:40 BTC Map
Project spotlight
00:58:44 Bitaxe Touch: A new touch screen single ASIC chip Bitcoin solo miner [Announcement]
The Bitaxe Touch, developed by Open Source Miners United, is a touch screen Bitcoin miner featuring an 800×480 pixel LCD that displays real-time Bitcoin price, Mempool data, power usage, hashrate, and temperature.
It is powered by the Bitaxe 601 Gamma, and utilizes the BM1370 ASIC chip from the Bitmain S21 Pro, with a hash rate of up to 1.6 TH/s.
00:58:51 Coinswap: Functioning, minimal-viable binaries and libraries to perform a trustless, p2p Maxwell-Belcher Coinswap Protocol [Github]
The project offers a minimal viable implementation of a trustless, peer-to-peer Maxwell-Belcher Coinswap protocol using HTLCs on Bitcoin.
It includes automated integration testing on Bitcoin Regtest and operates over Tor by default. The system supports multiple users (makers, taker, and directory server).
Coinswap releases its v0.1.0 (https://github.com/citadel-tech/coinswap/releases/tag/v0.1.0) - First Public Beta Release
Complete Protocol Specification:
The full Coinswap protocol has been formalized and documented in detail
Explore the Coinswap Protocol Specification to understand how it ensures decentralized, private, and censorship-resistant swaps
Functional Test Coverage:
A robust set of functional tests has been introduced to simulate swap scenarios and ensure protocol correctness
Dive into the tests and explore various swap situations: Functional Tests
Modular Protocol Design: All protocol components have been modularized for flexibility, extensibility, and easier integration into other Bitcoin applications
Command-Line Applications: Coinswap introduces three key command-line apps:
makerd: Run as a swap service provider and earn fees
maker-cli: Manage your maker server via a command-line interface
taker: Act as a client and perform swaps with multiple makers
00:59:20 Scure: Audited & minimal library for creating, signing & decoding Bitcoin transactions [Github]
The library allows users to create, sign, and decode Bitcoin transactions, including support for classic and SegWit addresses.
Scure provides functionality for Schnorr & Taproot BIP340/BIP341, and BIP174 PSBT, with minimal dependencies.
00:59:28 Bitcoin Is Data: A comprehensive Bitcoin metrics and visualizations platform launches two new sections related to UTXOs, Quantity of UTXOs and Balances of UTXOs, segmented by Bitcoin transaction types.
Bitcoin Fee Indicator: A system tray application that fetches and displays current Bitcoin transaction fee rates [Github]
It shows various fee rates, including fastest, half-hour, hourly, economy, and minimum, updating every 5 minutes.
Kernel-Node: An experimental bitcoin node written in Rust using the libbitcoinkernel library [Github]
Its primary function is to validate blocks but not to serve them to the network. The implementation highlights the limited initial API of the kernel library.
00:59:43 Qoinstr: A GUI tool for rust-joinstr [Github]
Qoinstr is a work-in-progress graphical user interface designed to interact with the rust-joinstr library
First Rshiny: An interactive visualization tool used to explore Bitcoin’s dollar-cost averaging performance
00:59:53 TollGate: A tool enabling WiFi routers to accept Bitcoin payments for internet access
TollGate allows users with a router and internet connection to operate as internet service providers by accepting Bitcoin payments for access.
Explore Mempool.space through two new lenses:
Mempoo.space, a Bitcoin Poo Explorer showing ordinals as poo emojis
Memepool.space, a Bitcoin Meme Explorer, showing memes in blocks
BitcoinFax: Send faxes worldwide with bitcoin payments over the Lightning Network
Vulnerability Disclosures
01:01:27 Unique 0-click deanonymization attack targeting Cloudflare-backed apps, Signal and Discord users vulnerable [Disclosure]
A researcher discovers a 0-click attack leveraging Cloudflare caching to locate users within a 250-mile radius. This method uses the cf-ray HTTP header to identify the closest datacenter based on cached resource requests.
A tool called Cloudflare Teleport briefly exploited this before being patched.
01:02:00 UEFI secure boot vulnerability allows malicious bootkit deployment [The Hacker News]
ESET researchers discover CVE-2024-7344, a vulnerability enabling attackers to bypass UEFI Secure Boot, leading to potential deployment of malicious bootkits.
The flaw exists in a UEFI application signed by Microsoft’s third-party UEFI certificate, affecting multiple real-time system recovery software suites.
Exploitation allows execution of untrusted code during system boot, granting persistent access even on systems with Secure Boot enabled.
01:02:23 Google Ad directs users to malicious homebrew clone [Twitter post]
A sponsored Google ad linked users to a fake Homebrew site with a cURL command distributing malware. The malicious site’s URL differed by just one letter from the official Homebrew site.
01:03:01 Critical rsync vulnerability on Linux and Unix systems, affecting versions 3.2.7 to 3.4.0, necessitates urgent updates [Cyberciti]
A heap-based buffer overflow vulnerability, identified as CVE-2024-12084, is found in the rsync daemon due to improper handling of attacker-controlled checksum lengths. This flaw allows an attacker to write out of bounds in the sum2 buffer.
01:03:31 January 2025 Patch Tuesday: 10 critical vulnerabilities and eight zero-days among 159 CVEs [Crowdstrike Blog post]
Three zero-day vulnerabilities in Windows Hyper-V NT Kernel Integration VSP are actively exploited, allowing attackers to gain SYSTEM privileges
Other zero-day vulnerabilities affect Microsoft Access, Windows App Package Installer, and Windows Themes, potentially leading to remote code execution or elevation of privileges.
01:03:48 Unsecured tunneling protocols expose 4.2 million hosts, including VPNs and routers [The Hacker News]
Researchers identify security flaws in tunneling protocols, affecting 4.2 million hosts, including VPN servers and routers.
Affected protocols lack authentication and encryption, allowing attackers to inject malicious traffic and perform denial-of-service attacks.
01:03:58 Apple’s CUPS printing system vulnerable to spoofing attacks [CyberInsider]
Security researcher Simone Margaritelli discloses a critical vulnerability in Apple’s Common UNIX Printing System (CUPS), highlighting its failure to verify TLS certificates. This flaw permits attackers on the same network to impersonate IPP-over-HTTPS (IPPS) printers, enabling them to intercept, modify, or redirect print jobs, potentially exposing sensitive data and compromising systems.
The vulnerability arises from CUPS’s integration with Apple’s Bonjour discovery service, which automatically trusts network printers without proper authentication.
01:04:11 Security researcher Thomas Roth demonstrates code execution on Apple’s ACE3 USB-C controller, enabling firmware extraction [Forbes]
Apple acknowledges the attack’s complexity and does not perceive it as an immediate threat, opting not to address it currently.
01:05:32 Five-dollar wrench attacks:
A Canadian volunteer moderator on a cryptocurrency forum becomes the target of individuals who believe he possesses significant wealth in bitcoin [La Presse]
Suspects, including two minors, allegedly plan to kidnap and torture him to extract his passwords, assuming he holds millions in cryptocurrency
A 56-year-old man found tied up in car trunk after kidnapping in eastern France [France Bleu]
The victim, kidnapped on December 31, 2024, was found tied up in the trunk of a car intercepted by police, 600 kilometers from his home.
The kidnappers, armed and masked, reportedly demanded a ransom from the victim’s son, a cryptocurrency influencer based in Dubai, after holding the family hostage.
Pakistani trader kidnapped, forced to transfer $340,000 in cryptocurrency, seven arrested [Decrypt]
Seven individuals, including a Counter-Terrorism Department officer, were arrested for kidnapping crypto trader Mohammed Arsalan in December 2024. Arsalan was abducted and forced to transfer $340,000 from his Binance account. The criminals later released him after the ransom was paid.
Turkish man tied up and robbed of nearly $300,000 in cryptocurrency by three individuals in Pattaya, Thailand [Bangkok Post]
The assailants bound Erkol’s hands and ankles, leaving him to seek help from a condominium security guard
Korean bitcoin trader rescued after abduction in Batangas, Philippines [Philstar]
Taehwa Kim, a 40-year-old Korean bitcoin trader, is rescued in Batangas, after being kidnapped in Makati City.
Kim meets a prospective buyer for his car at his condominium. During a test drive, three men force him into another vehicle, blindfold and tie his hands, and detain him for three days.
Feds arrest a gang of 4 men accused of plotting to kidnap Miami jeweler for cryptocurrency [Local10]
The group used a Telegram group chat to plan the kidnapping of a Miami jeweler and theft of $2 million in cryptocurrency. Unbeknownst to them, an informant in their group chat alerted the FBI, leading to their arrest.
The suspects, armed with firearms, allegedly planned to kidnap the jeweler using a wired SUV provided by an undercover agent. The group intended to exchange watches for cryptocurrency as a ruse, then hold the victim for ransom.
Privacy & Other Related Bitcoin Projects
Software Releases & Project Updates
01:07:17 Tails v6.11
Critical security fixes
Prevent an attacker from installing malicious software permanently
Prevent an attacker from monitoring online activity
Prevent an attacker from changing the Persistent Storage settings
New feature: Detection of partitioning errors
Sometimes, the partitions on a Tails USB stick get corrupted. This creates errors with the Persistent Storage or during upgrades.
Tails now warns about such partitioning errors earlier.
Changes and updates
Remove support for hardware wallets in Electrum. Trezor wallets stopped working in Debian 12 (Bookworm), and so in Tails 6.0 or later.
Add a link to the Tor Connection assistant from the menu of the Tor status icon on the desktop.
01:09:52 Module_17, M17 modem board for 9600-baud capable radios [Github]
Reticulum MeshChat v1.19.0
Add setting to enable and disable transport mode
Add ability to cancel sending messages
Add button to open an LXMF address when no conversations are open
Add button to open a nomadnet url without having to click a random node first
Telemetry requests from Sideband no longer show up as empty messages
SideBand v1.3.0
Increased performance by updating included RNS and LXMF to latest versions
Add ability to cancel outgoing messages
Add ability to render messages formatted with markdown
Add ability to compose messages with markdown
Add ability to query peer telemetry from the map by right-clicking on the peer
Add auto-switching of message mode on attachment
Add indication if receiver rejects message
Add support for SX1280 bandwidth options to RNode configuration
Add ability to launch RNode flasher directly from utilities
NomadNet v0.5.7
Add sync transfer rate to PN list display
Update urwid API calls to handle deprecations
Mullvad VPN v2024.4
Introduces split tunneling for macOS, allowing users to exclude specific apps from the VPN
Limitations include the inability to exclude Safari and other WebKit-based apps, performance overhead due to additional tunneling, and availability restricted to macOS 13 and above
Project spotlight
Peergos: A p2p, secure file storage, social network and application protocol [Github]
Peergos is an open-source platform that can be self-hosted and enables secure, peer-to-peer file storage and sharing without central nodes.
PrivacySpreadsheet: A privacy evaluation of messaging apps [Github]
cjdns: An encrypted IPv6 network using public-key cryptography for address allocation and a distributed hash table for routing [Github]
cjdns leverages a distributed hash table for routing, which enables scalable, near-zero-configuration networking.
Botan: An open-source cryptography library for C++ with extensive features including TLS, X.509, modern and post-quantum cryptography, plus TPM and RNG support [Github]
It provides APIs in C++, C, and Python, alongside other language bindings, and includes a command-line interface.
Sticktock: Share TikToks Safely. No Ads, No Spyware, No Phone App. [Github]
StickTock is an open-source tool allowing users to watch TikTok videos privately, without ads or tracking. [Onion]
Lightning + L2+
Project spotlight
Valet: A Bitcoin + Lightning wallet for Android [Github]
Valet is a non-custodial Lightning wallet designed to offer stable purchasing power for users through hosted channels.
Developed as a fork of the Simple Bitcoin Wallet, features include coin control, batching, and hardware wallet integration.
Eggstr: A platform that enables users to deploy and manage Bitcoin and Lightning applications with their own domain
It offers a variety of self-hosted apps, including LNBits, Alby Hub, Strfry (a Nostr relay), Nostr Address, and Blossom Server.
Rizful: A service offering instant disposable Lightning nodes
Rizful offers cloud-hosted, disposable Lightning nodes designed for fast, high-uptime performance, with instant inbound capacity.
Zeus2Koinly: A script to convert Zeus Wallet’s export format into Koinly’s import format [Github]
pWallet: A lightweight UI for Phoenix Server that can be set up and run entirely using Docker [Github]
LNBeats: A value-for-value music streaming app, using the Lightning Network
Software Releases & Project Updates
Rust Lightning v0.1 - “Human Readable Version Numbers”
API Updates
The lightning-liquidity crate has been moved into the rust-lightning git tree, enabling support for both sides of the LSPS channel open negotiation protocols
This release includes support for BIP 353 Human Readable Names resolution
On-chain state resolution now more aggressively batches claims into single transactions, reducing on-chain fee costs when resolving multiple HTLCs for a single channel force-closure
And many more
Performance Improvements
LDK now verifies channel_update gossip messages without holding a lock, allowing additional parallelism during gossip sync
LDK now checks if it already has certain gossip messages before verifying the message signatures, reducing CPU usage during gossip sync after the first startup
Node Compatibility: LDK now handles fields in the experimental range of BOLT 12 messages
Security: v0.1 fixes a funds-theft vulnerability when paying BOLT 12 offers as well as a funds-lockup denial-of-service issue for anchor channels.
Alby
Hub v1.13.0 - Eva Galperin
In this release we add some cool new apps to the app store, an auto-unlock feature for self-hosted hubs, extra information about pending closed channels, and some security improvements for isolated apps and budgeting.
Auto unlock for self-hosted hubs
ZapPlanner custom app
Add simple boost widget app
Add Clams to Hub’s Store
Include funding transaction in pending closing channel message
Add balance details for pending channel closures
JS SDK v3.9.0
Add nip 44 and versioning support
Mostro v0.13.0
This version dramatically improves user privacy by implementing key management: clients rotate keys for every trade, adding another privacy layer on top of the previous gift wrap implementation.
BitBanana v0.8.9
Add Payment Path view (LND)
Implement “Enable Offer” command for Core Lightning >=24.11
Allow offers without description (Core Lightning)
Add description and payer note for paid bolt12 offers in transaction history
Increase VPN start timeout to improve UX on slow internet connection
Nutshell v0.16.4
This release brings two new protocol spec updates to nutshell, NUT-19 and NUT-20. It also includes a new HTTP compression middleware.
Add MPP methods key to info endpoint
Add HTTP compression middleware
NUT-19: Cached Requests and Responses
NUT-20 (signatures on quotes) for mint and wallet side
Add period at the end of the phrase
Add NUT-19 example for caching responses
Nostr
Project spotlight
Nstart: A straight-forward nostr onboarding wizard [Github]
Nstart is a user-friendly onboarding tool for Nostr, offering key features like local backups and customizable contact suggestions.
It incorporates a multi-signer bunker to protect Nsec keys, allowing for easy recovery and access even in case of failure or theft.
Kanbanstr: A new nostr client for task management [Github]
Users can log in via nsec, npub, or NIP-07, create boards with customizable columns, and organize tasks using cards.
Current features include markdown support in cards, automatic mapping of cards to columns by status, and assigning tasks with “zap” tags to facilitate payment. Pending updates include programmatic functionalities and enabling direct zaps for task payments.
Noshtastic: A geo-specific virtual Nostr relay for Meshtastic [Github]
Noshtastic operates as a decentralized Nostr relay independent of the internet, using Meshtastic devices for communication.
It employs negentropy-based synchronization and region-specific geohash tagging to distribute messages locally without internet connectivity.
Alexandria: A Nostr knowledge base and long-form article reader [Github]
Alexandria is designed to display modular, long-form articles in a clean, distraction-free interface for focused reading.
It supports Nostr events, allowing users to interact with organized content in a structured format.
Nosotros: A nostr web client optimized for both mobile and desktop usability [Github]
Built using TypeScript, it includes testing support and a progressive web app design for smooth functionality.
Bostr: A nostr relay bouncer [Code repository]
Bostr is a minimalist HTTP server built with Go, designed to serve static files efficiently. It also acts as a nostr relay aggregator proxy, consolidating data from multiple relays.
Bostr2 is the next-generation bostr project
Tides: A Nostr messenger browser extension for Chrome & Brave [Github]
Tides is a browser extension that provides secure, private messaging using the Nostr protocol. It supports real-time encryption, contact management, and media sharing.
Users can log in via NIP-07 extension, Chrome storage, or manual key input
CLN NWC: Nostr Wallet Connect plugin for CLN [Github]
Users can configure or manually start the plugin, create connections with budgets, list active connections, and revoke them as needed.
Payment requests are routed via Nostr relays.
Emojito: A platform based on the nostr application framework ngine to create personalized emoji sets
Nostr interactions: users can use personalized reactions, provided their client supports NIP-30
Nostr Llama 3.1 8B: A model built on Nostr notes from around 7,000 users
Fine-tuned using multiple datasets, including Evol-Instruct-Code and CodeFeedback-Filtered-Instruction.
With 8.03B parameters, this model is based on Meta’s Llama 3.1
Granary: A social web translator that fetches and converts data between platforms, formats, and protocols, including Nostr [Github]
It supports social networks, HTML, and JSON with microformats2, ActivityStreams 1 and 2 (including ActivityPub), Atom, RSS, and JSON Feed. It works as a Python library and REST API, supporting read and write operations for data interoperability.
Software Releases & Project Updates
Olas
Notedeck Latest codebase changes
Add t tags for hashtags
Use HashSet, lowercase, and add emoji tests
Add test and format
Adjust context menu/grip circle sizes
Extract timing from AppSizeHandler to TimedSerializer
Introduce ZoomHandler
Amethyst
Add iMeta tags to GIF urls to optimize GIF previews
Maintain note reaction visibility when scrolling
v0.94.1 - GIFs and Custom Emoji inputs
Add a : command to link custom emojis on new posts and chats. Similar to the @ for user search, just start typing to find your custom emojis.
Create your GIF and reaction libraries on emojito.meme
v0.94.0 - Encrypted Media on DMs
Adds support for encrypted media uploads on NIP-17 DMs
Integrates with Pokey’s Broadcast receiver
Shows NIP-22 replies in the replies tab of the user profile
New upload screen for chats
Add support for multiple media uploads at the same time.
Add support to display PictureEvents with multiple images at the same time
Add QR code private key export dialog
Add new picture and video events to the user profile gallery
Add basic support for RelationshipStatus to Quartz
And much more
YakiHonne
Web v4.2.3
Add support for uploading multiple images or videos in notes, comments, and messages
Refine the search mechanism for better accuracy and performance
Add language support for Spanish, Portuguese, Thai, Japanese, and Italian
Enable support for processing invoice payments in notes
Mobile v1.6.1
Add language support for Spanish, Portuguese, Thai, Japanese, and Italian
Add ability to multi-select and upload media
Introduce enhanced video player
Add media through your camera into notes
Enable support for processing invoice payments in notes
Flotilla
Add NIP 56 reports for messages and threads
Add ToS and privacy policy
Add avatar fallback icons
Add mark as read to chats
Add send button to chat compose
Accommodate onion URLs
Improve loading and notifications
Improve performance, as well as scrolling and loading
Improve NIP 29 compatibility
Refine notifications
Add join space CTA
Njump.me Latest codebase changes
Add support for kind:20 photos
0xChat App
Add reactions and mention notification button to chats
Long press the “Like” button on moments to select an emoji
Add support for NIP46 login
Adapt UI for tablet devices
Introduce connection ping status
Implement search functionality for Moments
Set default relays for first login
Add default reaction emojis
Citrine v0.7.0
Update quartz dependency
Check if events are deleted
Recover service after crash
Add back button in the events screen
nos.social v1.1
Nos now publishes the hashtags it finds in your note when you post
Update the default relays that are added when you create an account
Add feed picker view (UI only)
Add feed source customizer drop-down view
Make feed source selector work
Add empty state for lists/relays drop-down
Add support for decrypting private tags in kind 30000 lists
Add pop-up tip for feed customization
Add remembering which feed source is selected
Nostur v1.17.0
Sync already seen/read across multiple devices
New 😂-feed
Support new Olas/picture format (viewing)
Support Frost/multi-sig login
Support for .heic image format in posts
Show extra autopilot relays used on Post Preview (default off)
Login with nip05 (read-only)
Undelete button for deleted posts
Nostrmo v2.9.5
Add PC tray support
Add PC notice support
Add support for some Linux packages
Relay detail page can jump to jumble.social
User can config their Client tag
Add note tail support
Zapstore
Voyage v0.17.2
Force nip22 usage when reply has 6 or less characters
Use v2 replies by default for new installs
Don’t set grandparent p-tags
Strfry v1.0.4
New config: maxReqFilterSize. This allows REQs with many more filters
Default maxReqFilterSize was increased to 200
Reduce log spam by not dumping full invalid events
In sync and stream commands, provide the connected URL to write policy plugins
Nostrss v1.1.0
Dependencies updates: Note that this new version uses a version of tokio-cron-scheduler which changes the scheduler pattern to be used.
Optional cache: The feed cache is now optional. A default size can still be set with env values, however if no env value is provided and no cache size is defined for a feed, no limit will be set.
Amber
Algo Relay v0.1.3
Uselessly preallocate some slices
Dev refresh feeds
Saving the Social Graph
Purge Data Functionality
Wot Relay v0.1.16
Ignore follow list for people who follow spammers
Feeder v2.8.0
Add native Nostr NIP-23 feed support
Boosts
01:12:29 Thanks to everyone who streamed sats, and shoutout to our top boosters:
[🏆 TOP BOOSTER] @Anonymous (3,333 sats) “I don’t know who this Rob guy is but congrats to him on the launch of his new fishing company!”
@manbyt (2,100 sats) “Itm!”
@agichoote (1,000 sats) “I see the new ep out and I don’t even need to see what else is out there”
@btconboard (300 sats) “The people using miniscript are people too despite their extra extra autism, NVK”
Tech Tip of the Day
ITOA: A web-based tool that converts images into ASCII art, with support for both monochrome and color output [Github]
Bitcoin Optech Newsletter
Highlights from recent Bitcoin Optech Newsletters
Continued discussion about rewarding pool miners with tradeable ecash shares
Offchain DLCs: developer conduition posted to the DLC-dev mailing list about a contract protocol that allows an offchain spend of the funding transaction signed by both parties to create multiple DLCs
336 - Investigating mining pool behavior before fixing a Bitcoin Core bug: Abubakar Sadiq Ismail posted to Delving Bitcoin about a bug discovered in 2021 by Antoine Riard that results in nodes reserving 2,000 vbytes in block templates for coinbase transactions rather than the intended 1,000 vbytes
Contract-level relative timelocks: Gregory Sanders posted to Delving Bitcoin about finding a solution for a complication he discovered about a year ago (see Newsletter #284) when creating a proof-of-concept implementation of LN-Symmetry
Multiparty LN-Symmetry variant with penalties for limiting published updates: Daniel Roberts posted to Delving Bitcoin about preventing a malicious channel counterparty from being able to delay channel settlement by deliberately broadcasting old states at a higher feerate than an honest counterparty is paying for confirmation of the final state
News:
Deanonymization attacks against centralized coinjoin: Yuval Kogman posted to the Bitcoin-Dev mailing list details about several privacy-reducing vulnerabilities in the centralized coinjoin protocols used by current versions of the Wasabi and Ginger wallets, plus past versions of the Samourai, Sparrow, and Trezor Suite software wallets
Updated ChillDKG draft: Tim Ruffing and Jonas Nick posted to the Bitcoin-Dev mailing list a link to the current draft BIP for ChillDKG, which describes a distributed key generation protocol compatible with FROST scriptless threshold signatures for Bitcoin
Changing consensus:
CTV enhancement opcodes
Adjusting difficulty beyond 256 bits
Transitory soft forks for cleanup soft forks
Quantum computer upgrade path
Consensus cleanup timewarp grace period
News & Noteworthy
Bitcoin
Clavis: A new hardware wallet by Xellox Wallet
Clavis is designed for online and offline bitcoin storage. It features a capacitive fingerprint sensor, passcode protection, and is IP68 rated.
Judge dismisses man’s bid to recover 8,000 bitcoin from landfill [Ars Technica]
James Howells’ 11-year effort to retrieve a hard drive containing private keys valued at approximately $765 million ends as High Court Judge Keyser KC rules against him.
The judge cites environmental concerns and legal ownership, stating that excavating the landfill could release harmful substances.
Lightning
Zeus increases its LSP maximum channel lease duration from 6 to 12 months [Announcement]
Business & Finance
Block Inc fined $80 million for inadequate anti-money laundering controls in Cash App [Reuters]
BitMEX is fined an additional $100 million for Bank Secrecy Act violations between 2015 and 2020 [DOJ Press release]
Prosecutors sought a $417 million fine, arguing BitMEX hadn’t fully accepted responsibility, noting the company earned approximately $1.3 billion while ignoring U.S. regulations over five years.
Coinbase launches Onchain Reputation API and Bitcoin-backed loans
Coinbase introduces a public beta of the Onchain Reputation API, offering a reputation score for wallet addresses, ENS, and Basename IDs, ranging from -100 to +1000.
The company also announced Bitcoin-backed loans using its Base protocol, clarifying that the loans aren’t backed by Bitcoin nor based on its blockchain.
Unchained now supports passkeys for enhanced account security [Blog post]
River introduces ForceField, an extra layer of protection to secure Bitcoin against theft and scams [Announcement]
It features a 5-day delay on withdrawals, offering users time to respond to unauthorized access attempts.
Tether has filed a lawsuit against Swan Bitcoin in the High Court of England and Wales, alleging major violations of their commercial agreements related to their 2022 Bitcoin mining joint venture, 2040 Energy [Blockspace]
In September 2024, Swan sued former employees, accusing them of stealing proprietary information to establish Proton Management, which now oversees Bitcoin mining assets with Tether.
Bitcoin miner MARA deploys 16% of its BTC holdings (7,377 BTC, worth about $730 million) in short-term loans to third parties, aiming to generate a “modest single-digit yield” from these loans [The Miner Mag]
MARA surpassed its December hash rate target of 50 EH/s and increased its total BTC holdings to 44,893 BTC, including the loans.
Canaan launches Avalon Mini 3 (37.5 TH/s) and Nano 3S (6 TH/s) Bitcoin miners, respectively $899 and $249 [Blog post]
The Avalon Mini 3 doubles as a home heater, offering a sustainable, multi-purpose solution for home mining.
Tradfi
BlackRock introduces the iShares Bitcoin ETF in Canada, trading under the ticker IBIT [Business Wire]
Education
Applications for the Sovereign Engineering Cohort 4 (SEC-04) are now open [Registration]
SEC-04, titled ‘Building it Right’, will take place from March 3 to April 11, 2025.
The Bitcoin Students Network launches its Layer Zero program to empower students worldwide in building Bitcoin’s social layer and community [Forbes]
The program offers hands-on experience by connecting students with Bitcoin entrepreneurs.
Funding
OpenSats grants additional funding to three dedicated Bitcoin Core contributors: @L0rinc, @kevkevinpal, and @danielabrozzoni
BDK announces the pseudonymous John Galt as its newest grantee:
John will lead the efforts in partnerships, membership program and onboarding new members.
Vinteum awards its fourth grant to plebhash for contributions to Stratum V2 and decentralized Bitcoin mining
Finney Freedom Prize honors (blocks 210,000-420,000) Bitcoin pioneers Pieter Wuille and Gregory Maxwell for their contributions to Bitcoin usability, scalability, and privacy. [Announcement]
The BTC Pay Server Foundation receives a $25,000 grant in bitcoin from Unbank, a cash focused Bitcoin exchange [Bitcoin Magazine]
Alpen Labs announces raising $8.5M in a strategic round to support the development of Strata, a Bitcoin ZK rollup aimed at improving the Bitcoin ecosystem with self-custody, privacy, and interoperability.
Fold Inc. secures $30 million convertible note financing with ATW Partners backed by its bitcoin assets [FFNews]
JAN3 raises $5 million in a seed funding round for AQUA Wallet development [Blog post]
Mining
Fifteen transactions involving OFAC-sanctioned addresses were missing from blocks, prompting investigation into mining pool behavior [b10c Blog post]
F2Pool may be filtering sanctioned transactions, though other factors like transaction propagation or job publication may be responsible for some exclusions.
Hashrate Index publishes a list ranking the top bitcoin mining countries of 2025 [Blog post]
Privacy
Telegram provided U.S. authorities with data on 2,253 users in 2024, a significant increase in requests fulfilled [404 Media]
Between January and September, Telegram fulfilled 14 requests involving 108 users; the number surged in the final quarter.
Following Telegram CEO Pavel Durov’s arrest, the company updated its privacy policy to share user data with law enforcement when legally required.
GeoSpy, developed by Graylark Technologies, can pinpoint photo locations based on visual clues like soil, vegetation, and spatial relationships. [404 Media]
Initially available to the public, GeoSpy has now restricted access, offering its tool to law enforcement and government agencies.
Experts warn that the widespread use of GeoSpy could pose privacy risks, as it enables mass geolocation without traditional metadata.
The UN General Assembly adopts the United Nations Convention against Cybercrime, aimed at strengthening global cooperation to combat cybercrime and protect societies [UN News]
Critics, including human rights activists and tech companies, raised concerns over potential misuse by authoritarian governments
Apple agrees to a $95 million settlement following allegations that Siri recorded users without consent [CyberInsider]
Despite denying wrongdoing, Apple commits to deleting certain pre-October 2019 audio recordings and clarifying data collection practices
Cybercrime
Gang exploited Bitcoin glitch for £20m fraud, authorities recover full compensation [UK News]
An international crime gang exploited a flaw in an Australian cryptocurrency exchange in 2017, stealing over £20m.
The victim was compensated in full due to the rise in Bitcoin’s value, with excess funds distributed to authorities.
Protocol
Bitcoin Core #28121: Include verbose “reject-details” field in testmempoolaccept response [Merged]
BDK #1592: Introduce Architectural Decision Records (ADRs) to document major changes by detailing the problem, decision drivers, considered alternatives, advantages and disadvantages, and the final decision. [Merged]
BDK #1670: Introduce O(n) canonicalization algorithm: This PR introduces an O(n) algorithm to determine the canonical set of transactions in TxGraph [Merged]
LDK #3435: Authenticate blinded payment paths: introduces an authentication field to the blinded path payment context message, allowing the payer to include a Hash-based Message Authentication Code (HMAC) and a nonce [Merged]
LDK #3340: Batch on-chain claims more aggressively per channel: introduces batching of on-chain claim transactions with pinnable outputs, reducing block space usage and fees in force-closure scenarios [Merged]
Eclair #2936: Delay considering a channel closed when seeing an on-chain spend: introduces a 12 block delay [Merged]
Rust Bitcoin #3792: Add BIP324 V2 p2p network message support [Merged]
NIP #1695: NIP-60: clarify privkey is optional [Open]
NIP #1706: Introduce support for signing and encryption/decryption on hardware based Nostr Signing Devices over BLE [Open]
NIP #1696: nostr over reticulum: allows nostr clients/relays to communicate over Reticulum networks [Draft]
NIP #1674: Adds Open Graph “iMeta” tags: for clients to preview URLs without having to ping them [Open]
NIP #1681: NIP-88: DLC oracle announcement/attestation event kinds [Open]
Government & Political
At the World Economic Forum (WEF) Annual Meeting 2025, Spanish Prime Minister Pedro Sánchez calls for “an end to anonymity on social media” and for forcing “all these platforms to link every user account to an European Digital Identity Wallet.” [Reclaim The Net]
U.S. court overturns sanctions on Tornado Cash mixer [The Block]
A U.S. District Court in the Western District of Texas orders the Office of Foreign Assets Control (OFAC) to remove Tornado Cash-related addresses from its Specially Designated Nationals and Blocked Persons (SDN) list.
The court rules that Tornado Cash’s immutable smart contracts are not “property” under the International Emergency Economic Powers Act (IEEPA), as they cannot be owned or controlled.
Despite the sanctions reversal, the U.S. Department of Justice states that this decision does not affect ongoing criminal proceedings against Tornado Cash developers, including Roman Storm.
Operators of Blender and Sinbad custodial bitcoin mixers arrested and charged with money laundering, facing over 25 years in prison if convicted [DOJ Press release]
The U.S. Department of Justice indicts three Russian nationals for operating unlicensed crypto mixers Blender.io and Sinbad.io
Blender.io operated from approximately 2018 to 2022, advertising a “No Logs Policy” and requiring no user registration.
Donald and Melania Trump launch the $TRUMP and $MELANIA meme coins ahead of inauguration [Coin Telegraph]
Both tokens are built on the Solana blockchain. For $TRUMP coin, an initial supply of 200 million coins is set, with plans to expand to 1 billion over three years.
The token’s website states that $TRUMP is “not intended to be, or the subject of” an investment opportunity or any type of security, and is “not political and has nothing to do with” Trump’s campaign, office, or government agency.
Trump-backed World Liberty Financial token extends sale [Coin Telegraph]
World Liberty Financial extended its token sale after raising $300 million, selling 20% of 100 billion WLFI tokens at 1.5 cents each. The extension added 5 billion tokens at 5 cents, aimed at raising an additional $250 million.
A tweet from WLFI announced significant strategic purchases “to commemorate the inauguration of Donald J. Trump as the 47th President of the United States,” including $47 million in ETH and wBTC, alongside smaller investments in cryptocurrencies.
The U.S. Department of Justice received court approval to liquidate 69,370 bitcoin following a four-year legal battle [Decrypt]
U.S. government recommends returning the 94,000 stolen bitcoin from 2016 Bitfinex hack to exchange as in-kind restitution [The Block]
This recommendation aligns with prior court filings where both defendants and Bitfinex’s parent company, iFinex, acknowledged the exchange as the sole victim of the 2016 hack.
U.S. Internal Revenue Service (IRS) postpones bitcoin cost-basis reporting rules to 2026 [The Block]
The IRS delays new bitcoin tax reporting rules until January 1, 2026, granting brokers additional time to adapt to cost-basis regulations for centralized platforms.
Coin Center Fellow Michael Lewellen is suing the DOJ for criminalizing the creation of non-custodial software, like his Pharos protocol [Coin Center Blog post]
The DOJ argues that developers who enable money movement, like those behind Tornado Cash, must register as money transmitters, a position Lewellen contests as unconstitutional and anti-innovation.
Texas court orders Coinbase user to surrender access to his $124 million bitcoin holdings [Bloomberg]
Frank Ahlgren was sentenced to two years for underreporting profits from $3.7 million in bitcoin sales.
Ahlgren must surrender access to his bitcoin holdings including private keys and passphrases, to settle a $1 million restitution, and disclose the location of 1,287 bitcoins moved via a mixing service in 2020.
A U.S. federal appeals court overturned the FCC’s net neutrality rules, limiting its authority to regulate wireless and broadband services, citing the Loper Bright case. [Reuters]
The ruling prevents ISPs from throttling or blocking content, but allows state-level neutrality rules to remain in effect.
Burma’s military junta is tightening control over online spaces through a new cybersecurity law targeting digital platform providers [AP News]
The law mandates providers to store user data for three years and share it with the state on request, penalizing non-compliance.
VPN use is criminalized, with violators facing up to six months in prison and fines.
Iran’s central bank abruptly blocks payment gateways to cryptocurrency exchanges amid currency crisis [Twitter post]
This action follows previous measures, including freezing bank accounts of cryptocurrency exchanges and suspending payment processing services in November, due to concerns over speculation in the Tether market and money laundering risks.
Thai police seize 996 bitcoin mining devices [Bangkok Post]
Authorities raided JIT Co in Chon Buri, seizing 996 bitcoin miners that were being run on modified power meters to steal electricity.
Kazakhstan shut down 36 unauthorized crypto exchanges in 2024, seizing assets worth $112 million [Coin Telegraph]
Authorities are working on a digital currency, the digital tenge, and are collaborating with Visa and Mastercard to integrate it into global payment systems.
Events
Bitcoin Educators Unconference: Mi Primer Bitcoin’s fourth conference for educators, meetup organizers and community leaders
April 10, 2025 in Nashville, U.S
Bitcoin Is For Everyone: An immersive full-day Bitcoin Experience in Portland, OR
August 1st, 2025 in Portland, U.S
Reads
Here’s a list of our top recently published reads:
Privacy matters because it empowers us all, by Carissa Véliz [Essay]
A Spark of Defiance: A guide to Solo mining with a Bitaxe to a RasPi full node & a self-hosted Public Pool stratum server, by econoalchemist [The 256 Foundation]
How to run an economic node, by Scoresby [Guide]
Quantum Leap? Disentangling fact from fiction in bitcoin and quantum computing, by John [Ten31 Blog post]
Nostr is the world’s biggest bitcoin circular economy, by Frank Corva [Bitcoin Magazine]
A Day in the Life of a Prolific Voice Phishing Crew, by Krebs On Security [Blog post]
Buckets of blind signatures, by Cashu [Blog post]
Episode submission ideas
We’re looking for ideas for interesting panel conversations. To send Bitcoin-related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
Nostr & LN ⚡nvk@nvk.org (not an email!)