BR093 - ECDSA Key Extraction, ESP32 Security Concerns, COLDCARD, Cove Wallet, Krux, Nunchuk, Invalid Mining Jobs, Javascript Injection Attack, CTV Back on the table? + MORE ft. Rob & Vivek
I’m joined by guests Rob Hamilton & Vivek to go through the list.
Housekeeping
00:01:18 Unleashed.chat rebrands to dataMachine and enables Nostr Wallet Connect.
Urgent Vulnerability Disclosures
00:01:52 ECDSA private key extraction upon signing a malformed input in Elliptic library [Vulnerability disclosure]
The elliptic library versions up to 6.6.0 have a critical vulnerability allowing private key extraction when signing malformed inputs, such as strings or numbers.
This issue arises because the library, by design, accepts hex strings as input types, leading to potential nonce reuse during the signing process.
00:09:12 ESP32 Security Concerns
CVE-2025-27840: Undocumented commands in ESP32 Bluetooth chip raise security concerns [Tarlogic Security’s disclosure]
Tarlogic Security researchers discover undocumented HCI commands in ESP32 microcontrollers, which are present in over one billion IoT devices worldwide. These proprietary commands allow memory access and modifications to the chip’s functionality.
Post-exploitation: The hidden commands require physical HCI access and high privileges on the controller, making remote exploitation via Bluetooth impossible.
Tarlogic introduces BluetoothUSB, a free tool designed to democratize Bluetooth security testing across operating systems, helping manufacturers and security experts conduct comprehensive device audits without expensive hardware requirements.
Undocumented commands found in Bluetooth chip used by a billion devices [Bleeping Computer]
[NVK Tweet] [esp32.fail]
ESP32 is an amazing platform, but not good for securing things, especially not securing #Bitcoin.
Here are a few known Secure Boot Bypass Methods, including both hardware (fault injection, EMFI) and software-based attacks with emojis!
Unpatched Bypasses (Active Threats)
CVE-2023-35818 – EMFI attack bypasses Secure Boot V3 on ESP32 rev 3.0/3.1, allowing unsigned code execution & plaintext flash readout.
🔹 Not patchable in software, requires future silicon fix.
📄 USENIX WOOT ’24 Paper
📄 Espressif Security Advisory AR2023-005
AR2023-007 – Power analysis + voltage glitch on ESP32-C3 & ESP32-C6 extracts Flash Encryption Key & bypasses Secure Boot.
🔹 No fix yet, Espressif confirmed future silicon will mitigate.
📄 Espressif Security Advisory
Patched Bypasses (Fixed in Newer Hardware)
CVE-2020-13629 – EMFI attack on ESP32 (rev 0/1) bypasses Secure Boot & Flash Encryption. Attackers inject faults to force execution of unsigned code.
🔹 Patched in ESP32 V3+ (ECO3).
📄 Raelize Research Blog
CVE-2019-15894 – Voltage glitch skips Secure Boot digest check, allowing execution of unsigned firmware if Flash Encryption is off.
🔹 Patched in ESP32 V3 (ECO3).
📄 Espressif Security Advisory
CVE-2019-17391 – Fault injection allows reading Secure Boot & Flash Encryption keys from eFuses, permanently compromising security.
🔹 Patched in ESP32 V3.
📄 Espressif Security Advisory
00:21:32 Coinos revokes NWC connection secrets due to security leak concerns [Announcement]
Users experiencing issues with Coinos zaps via NWC are advised to generate a new connection at Coinos settings and update their Nostr app.
Vivek’s Corner
00:22:51 Invalid mining jobs by AntPool & friends during forks [b10c]
AntPool and associated pools (CloverPool, Ultimus, Rawpool, Poolin) published invalid mining jobs with excessive coinbase output values, indicating a bug in their coinbase creation code.
Invalid jobs were observed during block races, particularly on March 1, 2025, and in December 2024, suggesting a pattern of errors linked to these pools.
Historical data shows that invalid jobs often reused coinbase output values from previous blocks, hinting at a caching issue in the coinbase building process.
The behavior does not appear to be a selfish mining attempt but rather a result of technical glitches in job templates or coinbase code.
The consistent invalid job publication reinforces the idea that these pools are interconnected and potentially operated by the same entity, warranting the label “AntPool & friends.”
Mempool Partitioning and Identifying Mining Nodes [crypt-iq]
The study aimed to identify influential mining nodes on the Bitcoin network to assess potential attack vectors, such as mempool partitioning and pinning attacks.
A list of approximately 5,700 listening p2p nodes was created, filtering out those that did not accept incoming connections or participate in transaction relay.
Using the Candidate Selection algorithm from the CoinScope paper, the researcher conducted 100 trials, finding that major miners like Foundry and AntPool accounted for a significant portion of mined conflicts.
The top 200 influential nodes represented about 40% of the network’s hashrate, while a refined list of influential nodes from individual mining pools improved the representation to 50%.
The high rate of unintentional mempool partitioning (91%) indicates that attackers could exploit this for effective partitioning attacks, suggesting further analysis and refinement of the influential node list is warranted.
BIP-119 (OP_CHECKTEMPLATEVERIFY) (no activation) #31989
Bitcoin
Software Releases & Project Updates
00:37:44 COLDCARD
New COLDCARD Release: v5.4.1 (Mk4) and v1.3.1 (Q)
New (Message) Signing Features:
Sign message from secure note text, or password note
Sign message with key resulting from positive ownership check. Press (0) and enter or scan message text to be signed
Sign message with key selected from Address Explorer Custom Path menu. Press (2) and enter or scan message text to be signed
JSON message signing. Use JSON object to pass data to sign
Delta Mode Enhancements:
Hide Secure Notes & Passwords in Deltamode. Wipe seed if notes menu accessed
Hide Seed Vault in Deltamode. Wipe seed if Seed Vault menu accessed
Catch more DeltaMode cases in XOR submenus
Address Display Changes:
New address display format improves address verification on screen by splitting addresses into groups of 4 and showing with a space between them
Related: Added option to show/export full multisig addresses without censorship
Other Changes:
Both Mk4 and Q
Enhancement: Add ability to switch between BIP-32 xpub, and obsolete SLIP-132 format in Export XPUB
Enhancement: Use the fact that master seed cannot be used as ephemeral seed, to show message about successful master seed verification
Enhancement: Allow devs to override backup password
Enhancement: If derivation path is omitted during message signing, derivation path default is no longer root (m), instead it is based on requested address format (m/44h/0h/0h/0/0 for p2pkh, and m/84h/0h/0h/0/0 for p2wpkh)
Mk4 Specific Changes
Enhancement: Export single sig descriptor with simple QR.
Q Specific Changes
New Feature: Verify Signed RFC messages via BBQr
New Feature: Sign message from QR scan (format has to be JSON)
Enhancement: Sign/Verify Address in Sparrow via QR
Enhancement: Sign scanned Simple Text by pressing (0). Next screen query information about which key to use
Enhancement: Add option to “Sort By Title” in Secure Notes and Passwords
New COLDCARD EDGE Release: v6.3.5X (Mk4) and v6.3.5QX (Q) - Catch-Up Release
Update the startup warning which now reads: “This firmware version is qualified for use with wallets (such as AnchorWatch) that keep redundant key schemas for recovery independent of COLDCARD. We support the very latest Bitcoin innovations in the Edge Version.”
Catch up with latest releases
Qualified for use with miniscript wallets, such as AnchorWatch
Shared Changes - Both Mk4 and Q
Allow origin-less extended keys in multisig & miniscript descriptors
Static internal keys disallowed - all keys need to be ranged extended keys
00:52:47 Sparrow Wallet v2.1.3
OneKey Pro and Classic 1S hardware wallet support
Update BIP329 wallet labels export to include additional fields
Make BIP329 wallet labels import and export scannable
Add Copy Payment Code item to the transaction diagram outputs context menu for BIP47 outputs
Add Show Transaction as QR button to signed transaction tabs when offline
Upgrade libusb to v1.0.27 on all platforms
Add specific handling for invalid Windows device drivers on Trezor devices
Handle scanning and pasting server URLs in the Electrum (x.x.x.x:n:t/s) format
Additionally check for Trezor model against internal name and improve exception handling on no match
00:54:33 Lark v1.1.0
Add support for OneKey Pro and Classic 1S
Validate and sanitize multisig wallet names on Jade, BitBox02 and Ledger
Remove unnecessary public key field from BitBox02 pairing config
Add the Jade Plus to udev rules
Upgrade libusb to 1.0.27
Throw an error if trying to sign a Taproot input on legacy Ledger firmware
Additionally check for Trezor model against internal name and improve exception handling on no match
Support Coldcard P2TR address display and show correct address for script type on message sign
Add specific handling for invalid Windows device drivers on Trezor devices
00:55:03 Krux v25.03.0
Taproot and WSH Miniscript support
Add an indented visualization of Miniscripts for improved readability
Implement Miniscripts policy and cosigner verification
Support custom derivations
Detect unspendable internal keys in Taproot
Include various UI and settings adjustments
Easter Eggs Reveal
Hints have been introduced to help users discover hidden features, such as:
Swiping sideways to change the keypad keyset
Switching between camera modes
Adjusting QR code brightness
Rearranged Keypad Keysets
Keypad keysets were organized to group similar keys and help with visibility
More Camera Modes
A zoomed camera mode is now available for all cameras
An anti-glare mode has been added for the GC0328 camera
More Intuitive Tamper Check
The Tamper Check Flash Hash is now displayed immediately after generating the Tamper Check code
Display Customization Options
Screen orientation can now be flipped on Yahboom and WonderMV devices
SD Card PSBT Signing Preserves All Fields
When signing PSBTs via SD card, all fields—including signatures from other keys—are preserved
This ensures a seamless signing process across multiple devices and locations, allowing a single PSBT file to be incrementally signed by different signers
Other Bug Fixes and Optimizations
New encrypted mnemonics now display a key strength score during confirmation
Address scanning for Blue Wallet has been updated to match its revised export format
A faster algorithm for double mnemonic calculation has been introduced
PSBT change detection has been made more restrictive
00:56:37 Cove Wallet
Add more plausible deniability to decoy PIN mode
Pretend to change PIN and trick PINs in the settings screen
Make it easier to click the “Change PIN” button in the settings screen
iOS Beta is now available on TestFlight [Announcement]
It supports importing hardware wallets via NFC, file, and QR code.
Key features include creating and backing up hot wallets, sending Bitcoin via PSBTs, managing multiple wallets, and connecting to personal nodes. Users can also set Trick Pins for added security and lock wallets with Face ID or a PIN.
Upcoming updates will introduce CoinControl, TapSigner and SatsCard support, and UTXO locking/unlocking. An Android version is planned for release in a few months.
00:59:09 Nunchuk Desktop v1.9.43 / Android v1.9.64
New and improved encrypted group wallet:
End-to-end encrypted group wallet and communication
Single-file recovery using wallet descriptors
Compatibility with hardware signing devices
Supports both standard multisig and Taproot multisig
Automatic message deletion for enhanced privacy
01:00:32 BTCPayServer v2.0.7
Display fiat amount previews in Transaction Details page
Greenfield: Adding endpoint to set server email settings
01:00:44 Bitcoin Keeper v2.0.2
Redesign manage subscription screen
Support External Key for Miniscript vaults
Support Specter DIY for Miniscript vaults
Improve ColdCard NFC integration
Improve import old wallets speed
01:01:25 BlueWallet v7.1.0
Add support for importing minikeys (Casascius Coin, Satori Coin etc.)
01:02:08 Bitcoin Safe
01:03:15 Bitkey App v2025.1.1
Inheritance is here. You can now add a beneficiary of your Bitkey wallet in the app.
It allows users to designate beneficiaries for their Bitcoin without sharing PINs or seed phrases
01:04:05 libwally-core v1.4.0
tx: Add caching to signature hash generation/PSBT signing making signing faster
tx: Add support for generating Elements taproot signature hashes and signing Elements taproot inputs
descriptor: Add support for “tr()/rawtr()” keyspend-only taproot descriptors
descriptor: Add support for parsing Elements-core compatible descriptors, including taproot
psbt: Add accessors for keypath/taproot related fields
pset: Add support for ELIP-101 genesis hash
psbt: Add support for serializing/parsing/combining signature-only PSBTs
script: Add support for generating Elements p2tr scripts
BIP85: Add support for deriving RSA keys via BIP85
base64/psbt: Add support for parsing from known length (non-NUL terminated) strings
build: Add Debian Bookworm docker build image
01:06:00 Bisq2 v2.1.6
Security update: To enhance security for buyers, sellers must have sufficient reputation to secure a trade for the specified amount. See new formula.
New features:
The new Profile Card comes with many features. Find the user profile details, trade terms, reputation, offers created and the public messages posted by clicking on the profile icon or profile name anywhere in the app.
To improve on privacy, sensitive trade data will be automatically deleted after a certain period of time
Improvements: The create offer wizard has been consolidated into three steps to improve quickness and ease of use
01:06:04 RoboSats v0.7.4-alpha
You can now see LNp2pBot orders on RoboSats mobile app
Order creation view now displays all available payment methods
Changed URLs to https://robosats.org and new onion (#Robosats’ previous clearnet and onion domains are no longer accessible as the original maintainer, @Reckless_Satoshi, has been unreachable for months [Note])
Libraries updates
01:06:08 Boltz Exchange
boltz-client v2.4.0
With this release, boltz-client will start to use the highly anticipated Discount CT on the Liquid Network and introduces a new pro configuration option for using Boltz Pro fee rates
boltz-web-app v1.6.2
Transaction broadcasts via block explorer
Add tropykus and speed as integrations
boltz-backend v3.9.1
Add custom fees and limits based on referrals
Fixes for RSK swap
Fixes for handling CLN xpay payment failures
Lightning network information API
01:06:10 Zaprite v2025-02-17
Copy Contact ID: Add an option to copy the Contact ID from the View Contact page
Improve the UI for Bank/Wire Transfer payment information on our Checkouts
Update the Delete Transaction modal to show more helpful messaging.
Adjust login/sign-up page to fallback and use a Recaptcha Puzzle when necessary
01:06:13 Blockstream Explorer API Update
New features include a 99.9% SLA, transparent pricing, and an open beta with a free tier for developers.
Built on open-source Esplora, the API simplifies blockchain data access, supporting wallets, exchanges, and other applications.
01:07:22 Mempal v1.5.2
Add welcome screen with quick tips
Add hashrate, difficulty, and adjustments to dashboard
Modify widget auto-refresh intervals
01:07:29 Iris Wallet desktop v0.1.2 - First experimental release
Attached you can find 2 versions running on different bitcoin networks, testnet and a shared public regtest.
For the latter you can use our telegram bot to get some funds and play around.
01:07:31 Utreexo
01:07:34 ESP Miner v2.6.0b8
Show firmware updates on the display
Trim spaces from SSID
Add sorting switch to swarm page for hostname and ip
Show share reject reasons
Remove unit test workaround for qemu
Frequency transition
UTXOracle is now available again [Announcement]
UTXOracle is a tool that estimates Bitcoin’s daily price by analyzing on-chain transactions, avoiding reliance on exchange rates
The tool uses a method involving clusters of on-chain payments at round USD amounts to calculate the price, offering an alternative to exchange-based averages
Metamask announces “full bitcoin support” within its wallet, coming in Q3 2025 [Roadmap]
Project spotlight
01:07:38 Reorg Calculator: A calculator to estimate the probability of an attacker reorganizing z blocks, considering their hash power and the time ratio (κ)
01:07:51 Bitcoin Core Config Generator: A TUI for generating Bitcoin Core configuration [Github]
Provides an interactive terminal interface to generate bitcoin.conf files for Bitcoin Core.
Features include form-based configuration, real-time validation, and conditional field display.
01:09:05 Bitcoin Core Snapshots: Fast-track your node setup with pre-synced blockchain data [Github]
The website offers verified Bitcoin blockchain snapshots at specific points, reducing initial sync time for new nodes
Snapshots are available for mainnet (pruned at block height 885,445), testnet4 (full at block height 71,808), and signet (full at block height 237,052)
01:09:11 Boot Protocol: A decentralized protocol for bitcoin hashing nodes to share block rewards and reduce variance [Github]
The protocol aims to solve Bitcoin mining centralization by enabling miners to share block rewards without traditional pools. It reduces variance up to 16x compared to solo mining while maintaining decentralization.
The system operates through a “Winners List” of 15 addresses that have provided the highest difficulty hashes. Block rewards are split between these addresses and the block finder’s address.
01:09:18 multisig-backup: Encrypt and inscribe your k-of-n multisig descriptor — recover with any k seeds [Github]
Sensitive data, such as master fingerprints and xpubs, is encrypted to prevent unauthorized decryption, requiring multiple seeds to recover the descriptor.
It utilizes Shamir’s Secret Sharing and ChaCha20 for encryption, and integrates with hardware wallets for the recovery process.
01:10:04 regtest-in-a-pod
Companion to the Using Podman Containers for Regtest Bitcoin Development blog article.
Allows you to create a robust regtest environment which you can turn on and off at will using Podman. The final environment includes a lot of useful tools, namely:
A bitcoin core node and daemon (serving compact block filters)
bitcoin-cli enabled
An Electrum server
An Esplora server
A block explorer
Useful just commands for working with the daemon from your command line
01:09:58 Wallet backup: A document standardizing Bitcoin wallet backup formats [Github]
The document proposes a JSON-based format to export wallet data, including accounts, descriptors, keys, labels, transactions, and PSBTs.
Explora: A visual tool to follow a chain of transactions [Github]
The tool utilizes APIs from mempool.space and ankr.com to retrieve transaction data
Users can input a transaction ID, view transaction details, and navigate through related inputs and outputs
Panopticon: A tool to monitor Bitcoin addresses privately [Github]
Users receive alerts from their own Electrum server, while notifications are sent locally, not through Google or Apple’s notification systems.
brute-samourai: A resumable samourai.txt backup file cracker, written in Go [Github]
A tool that enables brute-force attacks on Samourai Wallet backup files, based on Calin Culianu’s brute38
Users can specify character sets, passphrase lengths, patterns, or input files.
Genesis Key: A 256-bit private key designed for durable offline Bitcoin storage
The key ensures privacy by avoiding electronics and microchips, with entropy generated offline.
21e15: A Micro-Seed kit to stamp seed phrases on a single stainless steel washer
The kit allows users to store up to 240 characters (120 per side) on a quarter-sized washer.
Cypherbox: A modular Bitcoin-Lightning application for self-custody [Github]
Cypherbox is a fork of BlueWallet v6.5.1, made to onboard newer users to advanced self-custody, supports integration with hardware wallets, and utilizes the Coinos.io API.
BitSpenda: Send bitcoin and receive mobile money instantly. No account. No KYC.
BitSpenda allows users to send Bitcoin, converting it into mobile money for recipients in Ghana, with plans for expansion.
Coinflip: A PoC exploring multiparty contracts on Ark
Real-time coordination is achieved through Nostr, while Ark handles validation and settlement.
Bitcoin Forking Guide: A guide aimed at achieving consensus before code changes
The guide outlines a six-phase process: Research and Development, Power User Exploration, Industry Evaluation, Investor Review, Finalization, and Activation.
Vulnerability Disclosures
01:11:56 JavaScript injection attack: Safe{Wallet} confirms targeted TraderTraitor attack on Bybit resulting in $1.4 billion stolen [Bybit’s Audit report] [Safe{Wallet} Investigation update]
Forensic analysis confirms that the threat group TraderTraitor successfully compromised a Safe{Wallet} developer’s machine and extracted AWS session tokens from that machine in order to bypass multi-factor authentication.
This then enabled the attackers to target Bybit by spoofing their UI during transaction signing.
“As @adam3us suggests, #Web3 and #DeFi visibility is a general intrinsic problem of ALL Hardware Wallets, not of a specific vendor. A low power, air-gapped, small screen device will never be a good place to verify a complex Web3 or DeFi transaction.” [Tal Be’ery]
01:15:05 Malicious PyPI package ‘set-utils’ steals Ethereum private keys by hooking wallet functions [The Hacker News]
The ‘set-utils’ package, mimicking popular Python utilities, targeted software wallet developers.
It intercepted Ethereum private keys during wallet creation and exfiltrated them through regular on-chain transactions.
Brain Wallet vulnerability?: A user withdraws 0.024 and 0.06 bitcoin from an exchange to a low-entropy or compromised address [Twitter post]
Bots sniped both transactions from the mempool and stole the funds within milliseconds, followed by a Replace-By-Fee bidding war that burned the entire amount in fees.
01:16:57 OpenSSH vulnerabilities expose clients and servers to attacks [Qualys Security Advisory]
The Qualys Threat Research Unit has identified two OpenSSH vulnerabilities:
CVE-2025-26465: MitM attack against OpenSSH’s VerifyHostKeyDNS-enabled client: allows machine-in-the-middle attacks when the VerifyHostKeyDNS option is enabled, even without user interaction.
CVE-2025-26466: DoS attack against OpenSSH’s client and server: permits pre-authentication denial-of-service attacks, consuming system resources and potentially disrupting SSH services.
01:17:05 USB side-channel attacks: A new privacy threat through hub congestion [CyberInsider]
Security researchers discover a novel USB side-channel attack that exploits hub congestion to monitor user activities without physical access or malware installation. The attack analyzes traffic patterns in shared USB bus architecture.
The keystroke recovery attack uses a rogue USB mouse to detect typing patterns, achieving 36.3% accuracy for password prediction within top 10 guesses. Website fingerprinting attacks reach 83.4% accuracy in identifying visited sites.
01:17:37 Cellebrite: Critical Android security flaws exploited to target student activist in Serbia [TechCrunch]
Amnesty International discovers three zero-day vulnerabilities in Android’s Linux USB kernel, potentially affecting over a billion devices. Google has since fixed these flaws, which were used by Cellebrite’s forensic tools to unlock phones.
The vulnerabilities were uncovered during an investigation of a Serbian student activist’s phone, who was targeted by the Serbian Security Information Agency. The authorities used Cellebrite software to unlock the Samsung A32 phone without consent.
01:17:49 Messengers vulnerabilities:
Meshtastic firmware vulnerability allows user impersonation [Disclosure]
A flaw was discovered in Meshtastic firmware versions up to 2.5.18, enabling attackers to send messages that appear as if sent by any user.
The vulnerability involved crafting MQTT messages misinterpreted as direct text messages. However, it did not bypass PKI but caused packets to be displayed as received via PKI when actually sent using the channel key.
EvilLoader: Android Telegram vulnerability enables malicious APK distribution through fake video files [Mobile Hacker]
It works by manipulating HTML files with MP4 extensions, causing Telegram to misidentify them as legitimate videos. When users attempt to play these files, they are prompted to install external applications that could contain malware.
Russian hackers exploit Signal’s device-linking feature for espionage [Google Threat Intelligence Group]
Attackers send phishing messages with spoofed QR codes, tricking victims into linking their Signal accounts to devices controlled by the hackers, enabling real-time message interception without full device compromise.
Google’s Threat Intelligence Group warns that these techniques may be used against other encrypted messaging services like WhatsApp and Telegram.
01:17:56 GitVenom: A cryptocurrency theft campaign using fake GitHub projects [Secure List]
Threat actors have created hundreds of fake GitHub repositories, posing as legitimate projects like Instagram automation tools and Bitcoin wallet managers.
These repositories contain malicious code that deploys stealers and backdoors to compromise users’ systems.
A clipboard hijacker within the malicious code replaces copied cryptocurrency wallet addresses with attacker-controlled ones.
01:18:10 Stablecoin payment firm Infini loses $50M in exploit, developer deception suspected [Coin Telegraph]
The firm lost $50 million in USDC due to an exploit by a rogue developer who retained administrative privileges after project completion.
01:18:18 Five dollar wrench attacks:
eNCA Report: Cryptocurrency is becoming a more common method for ransom demands in modern kidnappings
Crime expert Yusuf Abramjee reports a rise in kidnapping cases with many involving express kidnappings or ransom demands.
Kidnapping operations have become more sophisticated, with specialized teams handling different stages such as tracking, abduction, and ransom negotiations.
Streamer Amouranth reports being attacked in a home invasion by armed intruders demanding cryptocurrency [Daily Star]
She says they pulled her from bed, pistol-whipped her, and forced her to log into her phone at gunpoint.
Amouranth previously revealed her $20 million bitcoin holdings to her audience.
In Vietnam, a Chinese man was successfully rescued from kidnappers by Ho Chi Minh City police [Tuoi Tre News]
The criminal group, consisting of three Chinese nationals and three Vietnamese accomplices, attempted to extort 600,000 USDT from their victim, who was held in a remote area.
Six men are accused of kidnapping and holding hostage a family and a nanny for five days, in October 2024, demanding $15 million in cryptocurrency. [Chicago Tribune]
The FBI arrested one suspect in January, while others are believed to have fled to China. Around $9 million of the ransom remains unaccounted for.
South Korean police arrest four individuals linked to the murder of a Chinese man in Jeju Island [Decrypt]
The victim had traveled to Jeju Island to conduct a private cryptocurrency transaction of about $52,500.
Audience Questions
Thanks to everyone who sent in questions. Remember to send yours to questions@bitcoin.review.
01:20:00 Audience question for guests to comment on a flaw in Bitcoin Core regarding mining pools and their vulnerability against block withholding attacks, referring to this post -@anon
Privacy & Other Related Bitcoin Projects
Software Releases & Project Updates
SimpleX
Better groups:
Mention members and get notified when mentioned
Send private reports to moderators
Delete, block and change role for multiple members at once (Android and desktop only)
Faster sending messages and faster deletion
Better chat navigation
Organize chats into lists to keep track of what’s important
Jump to found and forwarded messages
Better privacy and security
Private media file names
Message expiration in chats
Add content license in groups, and state that NO LICENSE is granted to the server operators or ourselves
Add the conditions of access to preconfigured servers via modified 3rd party applications (The previous policy version prohibited it, unintentionally)
Clarify definitions:
“Aggregate statistics” explicitly excludes any stats that can be related to particular users
The content that can be removed changed from “identified illegal content” to “illegal content identified in publicly accessible resources”
Sideband v1.4.0
Add ability to export telemetry to MQTT brokers
Add MQTT renderers for all telemetry types
Add LXMF Propagation Node statistics sensor type to Telemeter
Add RNS Transport statistics sensor type to Telemeter
Add Connection Map sensor type to Telemeter
Add periodic cleaning of old telemetry data from the database
NomadNet v0.6.1
Add tabs to the announce stream
Improve LXMF propagation node list UI
Add acceptance rate stat to propagation node list entries
Rdsys v1.0 - First Rdsys table version
The Tor Project replaces BridgeDB with Rdsys for distributing bridges
moat: the type of the captcha bridge response is ‘moat-bridges’
bridgedb-metrics: use country if available
Mullvad partners with Obscura VPN and launches a “two-party VPN service that uses our WireGuard VPN servers as its exit hop”. [Announcement]
Obscura’s custom protocol, based on QUIC, mimics HTTP/3 to bypass firewalls and censorship.
Mynymbox launches email hosting service [Announcement]
Mynymbox introduces a privacy-oriented email hosting service supporting POP3, IMAP, SMTP, and webmail. Users can bring their own domain and are not restricted to a specific email client.
Kagi now offers Privacy Pass, a cryptographic protocol that ensures user authentication without tracking personal data or searches [Announcement]
The protocol adds an extra privacy layer by unlinking user searches from their identity.
Project spotlight
Rayhunter: Rust tool to detect cell site simulators on an Orbic mobile hotspot [Github]
Rayhunter is an open-source tool that runs on affordable Orbic RC400L mobile hotspots to detect cell-site simulators used for mobile surveillance.
The tool monitors control traffic between mobile networks and hotspots, alerting users to suspicious activities through a simple color-coded interface and storing detailed logs for expert analysis.
RAVA: an Open Hardware True Random Number Generator based on Avalanche Noise [Github]
RAVA is an open-source True Random Number Generator offering high-quality entropy with independent random bit generation.
It features dual entropy cores, differential design, and full transparency with accessible hardware and software for customizability and integration.
PrivX: A secure, private pastebin alternative without JavaScript [Github]
It features AES-256 encryption, assigning unique keys to each paste, and employs a zero-knowledge architecture, preventing administrators from accessing stored data.
PrivX is a fork of IncognitoBin, and is also available on Tor Onion.
CypherHub: A verifiably secure dead drop for sharing Bitcoin addresses and other secrets [Description]
A tool for sharing Bitcoin addresses and confidential information without logging into accounts
Data encryption happens client-side in the browser, ensuring the server never receives unencrypted information. The recipient decrypts it using a shared password.
Nostr
Project spotlight
01:22:32 24242.io
01:22:49 nostr.media
01:22:58 Frostr: Simple t-of-n remote signing and key rotation protocol for nostr, using the powers of FROST [Github]
FROSTR enables users to split their secret key into decentralized, distributable shares, enhancing security.
Users can sign messages using t-of-n signing devices; if one share is compromised, the secret key remains safe.
Shares can be discarded and replaced without changing the secret key or identity.
01:23:33 nostr-double-ratchet: Implementing double ratchet encryption in nostr [Github]
The implementation includes features such as invite links for secure session key exchange, with installation available via npm or yarn. (The project is currently a work in progress)
01:23:44 DVMCP: Bridging MCP servers to Nostr’s data vending machine ecosystem [Github]
DVMCP enables the integration of Model Context Protocol (MCP) servers with Nostr’s decentralized Data Vending Machine (DVM) ecosystem.
The project includes packages for bridge implementation, discovery service for MCP tools, and shared utilities across components.
01:23:53 Samiz: BLE mesh for nostr notes when the internet is down [Github]
Samiz is a Bluetooth mesh system for sharing Nostr notes without internet, relying on local synchronization between devices.
The system works by creating a session where devices near each other can automatically share and store notes, even in remote areas or during internet outages.
01:24:00 Welshman: A nostr toolkit focused on creating a highly configurable client system, extracted from the Coracle nostr client [Github]
“A series of independent libraries for managing every aspect of your Nostr application.”
01:24:09 Norma: A Nostr Relay Management Panel [Github]
Norma (Nostr Relay Manager) is a nostr client based on NIP-86 (Relay Management API)
01:24:20 Wallet Relay: High performance relay for enabling NWC & Cashu Wallets [Github]
“Wallet Relay is a specialized relay for wallet service providers to process NWC and Cashu Wallet events.”
01:24:27 Nostr0: A web application that allows you to search and visualize Nostr events using npubs [Github]
01:24:35 nAuth Protocol: decentralized two-party Authentication and secure document transmission [Github]
The nAuth protocol enables two parties to authenticate each other and securely share documents without third-party involvement
Designed for scenarios like patient-physician interactions, nAuth allows either party to initiate authentication, accommodating devices with limitations such as the absence of a camera.
01:24:43 Hostr: Rental accommodation using purely peer-to-peer technologies such as Nostr [Github]
The project implements several NIPs: NIP-01 for event creation and subscription, NIP-05 for mapping Nostr keys to DNS-based identifiers, and NIP-33 for creating and updating listings and bookings.
Software Releases & Project Updates
Primal
Multi-account feature
Deep-linking
Articles pagination
Share photo/video via Primal app
Bigger previews for Github links
Legends contributions
nevent with relay hints when copy note id
nevent and nprofile when creating primal share links
nevent and nprofile in the note editor for mentioned notes and users
Ellipsis links in note content
Improved feeds
Deep linking threads, articles, profiles
Coracle
Correctly fetch and render NIP 22 comments
Add note info to DMs
Make lnurl parsing more robust
Show complete website/lnurl
Scan images for sensitive content
Make muting on feeds more strict
Apply muted words to nip05
Use wasted space on mobile notes
Show PoW difficulty in settings
Add support for tor/local relays
Use nstart for onboarding process
Show more details on reaction notifications
Improve mutes, add setting to completely hide muted people
Add kind 20 rendering support
Add pinned note support
Remove broadcasting of note parents
Add note scheduling via DVM
Flotilla
Iris Update
Deploy double ratchet messaging (See Iris software release)
Yakihonne
Web v4.4.0
Zap polls can now be added directly from the list or created instantly within notes and comments
Muting users is now more reliable
Users can download and export their NWC secret for wallets
Wallets and account credentials are automatically saved upon signup and logout
Faster login and signup when interacting with Yakihonne while logged out
Mobile v1.6.6
Ability to export your NWC wallets and your keys
Blink wallet is now available as one of the external wallets that can be used
Private messages drafts are now available
Notes stats optimised
Wallet management overall performance has been improved
nos.social
Add Lists view and two ways to navigate to it
Add view for editing a list’s title and description
Add List detail view
Add view for managing users in a list
Add ability to delete lists
Add analytics for feed source selection and lists
Internal Changes:
Add function for creating a new list and a test verifying list editing
Localized strings on the feed filter drop-down view
Audit codebase for strict access control and mutability annotations
Keychat App
v1.27.2 - Amber Login
Support for logging in or importing accounts using amber app
Support for amber’s signMessage, signEvent, nip04, and nip44
Refactored routing for the room settings page
Browser support for sharing URLs to rooms
Add a scan button to the Cashu page
Remove pubkeys from listening when disabling the chat identity
Amber
Algo Relay
User Dashboard:
Allows any npub to login to the relay
Ability to view the data used by the algorithm to generate a feed
Ability to customize the weights to curate your own feed
Switch import back to 30 days
Default to kind 1 if empty filter
Sequential Migrations
Page Handlers: introduces a new pattern to define static pages and api endpoints with a mux router
0xChat App v1.4.7-beta
Major Updates:
Private chat implementation changed to NIP-104 Nostr MLS (NIP-104 MLS is still in beta and should be used for testing purposes only.)
Other Updates:
NIP-17 and NIP-29 messages now support q tags
You can swipe left to reply on your own messages
Chat messages now support code block display
Copy images from the clipboard
Nostur v1.18.1
Floating mini video player
Videos:
Save to library
Copy video URL
Add bookmark
Improve video stream / chat view
Top zaps on live chat
Posting to Picture-first
Profile view:
Show interactions with you (conversations, reactions, zaps, reposts)
Show actual reactions instead of only Likes
Improve search + Bookmark search
Detect nsfw / content-warning in posts
‘Show more’ to show reactions outside Web of Trust
‘Show more’ to show zaps outside Web of Trust
Support .avif image format, .mp3, and .m4v video format
Improve zap verification for changed wallets
Improve outbox support
Show label on restricted posts
Low data mode: load media in app on tap instead of external browser
Nowser v1.0.0
Linux webview support
NIP46 encrypt and decrypt method change to NIP44
i18n support
Android signer try to get code by currentUser
URL input support direct search something
Web URL input add suggestion
BitBanana
Pick first hop on lightning payments (LND)
Rebalance channels (LND, use first and last hop in a self-payment)
Inspect LND and Core Lightning logs
Add search and verbosity filter to log view
Add Coin Control support
“Send all” option
Support for custom BlockExplorers on Regtest nodes
Fixes for nodes with more than 500 outgoing lightning payments
Performance improvements for nodes with lots of payments
Kyoto v0.9.0
Introduce log level and optimize release builds to remove heap allocations for debug messages
Configure a custom DNS resolver
Mostro v0.13.2
Feat: Put the user’s reputation updated in the events
Feat: Do not allow a taker to take multiple orders at once
Shows relay list on relay list event job
Fix on some full privacy cases
Correct full privacy mode check when orders arrive
Grain v0.3.0
Nostr Login & Profile Page:
Introduce Nostr login to the front end, allowing users to authenticate using their Nostr key.
Future updates will add more front-end functionality, including event management, delete requests, relay configuration for operators, and a dashboard with relay statistics.
User Sync (Experimental):
New user sync functionality allows the relay to sync events for its users from their outboxes.
Add configurable sync options: define which event kinds to sync, define a limit of how many events to retrieve, and exclude non-whitelisted users from sync.
Nostrmo v2.9.6
This release mainly changes the remote signer (NIP-46) encryption method from NIP-04 to NIP-44.
OpenLibrarian v0.1.7
Add Book reviews
NIP-07 Login
Extensive client-side rebuild
Add retries of get_default_pages on progress objects
GitPlaza: Nostr git stuff client for Desktop [Codeberg]
GitPlaza is a Desktop Nostr client specialized in handling git stuff
V0.1.0 - First release
Login via nsec
Show activity feed of people you follow
Create issues
Comment on issues
Lightning + L2+
Project spotlight
Chantools: Tools for managing LND and Lightning Network channels [Github]
Chantools is a collection of tools for managing LND and Lightning Network channels, especially in case of failures.
It provides recovery options for scenarios like node crashes, missing backups, or issues with unconfirmed channels.
Hashpool: An accountless mining pool that represents mining shares as ecash tokens [Github]
The system utilizes “eHash” tokens, which are ecash tokens backed by proof of work rather than bitcoin. These tokens mature over time and can be traded as mining futures, allowing miners to hedge risks and buyers to purchase bitcoin at discounted rates.
While Hashpool operates on a custodial basis through ecash mints, it offers perfect privacy through blind signatures. The platform enables small-scale miners to participate without KYC requirements and maintains no minimum withdrawal thresholds.
ZapGram: Bitcoin Lightning Wallet on Telegram [Github]
ZapGram integrates a Bitcoin Lightning wallet directly into Telegram, permitting transactions within the messaging platform.
Quest for Sats: Geocaching with Bitcoin
Quest for Sats combines geocaching with Bitcoin, allowing users to find hidden containers in their area and withdraw their earnings using a Lightning wallet.
Software Releases & Project Updates
CLN v25.02
Highlights for users:
Channel backup turns our peers into watchtowers by now allowing your node to generate penalty transactions
Blacklisted runes can now be restored via relist
xpay has many, many bugfixes, and is now almost seamlessly compatible when xpay-handle-pay is used
lightning-cli has neater help output, and doesn’t crash occasionally on xpay notifications
setconfig does more safety checks and uses a separate “config.setconfig” file for runtime changes
Highlights for the network:
Splicing: stricter checking for better interoperability with Eclair.
Highlights for developers:
clnrest is now a rust plugin
listpeerchannels now contains fields their_max_htlc_value_in_flight and our_max_htlc_value_in_flight to better calculate channel limits
New notifications plugin_stopped and plugin_started
fetchinvoice now has BIP353 DNS payment instruction support
Lightning Terminal v0.14.1
This version of Lightning Terminal (LiT) ships the first update to the non-experimental version of Taproot Asset Channels
Breaking changes
Taproot Asset Channels: Taproot Asset channels are NOT backward compatible with any previous version of Lightning Terminal
Oracle RPC: The RPC protobuf definitions for the Price Oracle have changed. Asset exchange rates are now expressed as FixedPoint to achieve better precision
Configuration changes: The configuration value and command line flag now needs a value and is no longer a boolean. The value now controls whether the node’s universe database can be accessed over RPC and either read or written to or both.
litcli changes: The Taproot Asset Channel related sub commands of litcli ln no longer require a custom macaroon to be specified, they now work with the default lit.macaroon
Phoenix Wallet v2.5.0
(android) Improved scanner performances: The scanner should be able to read QR codes faster, and do so on a wider range of devices
Access to Tor now requires a third-party Tor Proxy VPN app (e.g. Orbot): With the Tor connection managed as a persistent VPN by a dedicated app, the connection is more stable, and background payments work much better.
(ios) Display the final wallet balance in the home screen: Pending on-chain funds are now displayed in an updated window in the Home screen; it also shows the funds available in the final wallet.
(android) Removed legacy app: The old legacy app has now been removed. Along with other optimisations, this means the APK is now much smaller (16.5 MB instead of 72.5 MB).
Note that there has been a major database rework in this version, which is not visible to the user but impacted many files in the project.
Phoenixd v0.5.0
Major rework of the internal payments db
No more linux native build issues due to old toolchain, should build with no dependency on most recent distributions
Rolling log file
Fixed a memory leak in the TCP reconnection logic
New --seed-path configuration option
Ability to lookup outgoing payment by payment hash
Zeus v0.10.0-rc5
Renewable channels
NWC client support
Ability to create multiple Embedded LND ‘node in the phone’ wallets
Ability to delete Embedded LND wallets
Embedded LND: v0.18.5-beta
New share button (share ZEUS QR images)
Activity: highlight filter icon when filters active
Tools: Export Activity CSVs, Developer tools
Activity: filter by max amount, memo, and note
CLNRest: add payment timeout setting
Receive: add advanced settings toggle
ZEUS Pay: ability to delete addresses
Fedimint v0.6.0 - On-Chain for Everyone
The on-chain wallet is no longer considered “expert-only”
Other highlights since v0.5
Federation will now reject attempts to reuse ecash blind nonces, preventing possibility of loss of funds even in the event of client-side bugs and data corruption
Fedimint will now query (configurable) external sources for feerate information to improve real time fee estimation
On-chain feerate multiplier has been lowered, as it no longer needs to be as conservative
LN payment events are now tracked, allowing tracking profit and fees statistics
It’s now possible to customize LNv2 gateway fees
Client recovery has been optimized and should be faster and use less data
Core lightning gateway is no longer supported
Work has been started on Iroh networking integration
Fedimintd should use less memory now
Alby
Hub
v1.15.0 - Ian Goldberg
One-click connections for self-hosted hubs
Add pagination to tx list
Add peer and return_to query parameters to peer connection page
Show app creation time in connection summary
Show wallet pubkey on connection summary
Add app cleanup page
Add swap alert
Show total and reserved balance in spending balance tooltip
v1.14.2 - Mike Godwin
In this release we also add some cool new widgets to the home screen and many new apps to the app store. Alby Hub now has a healthcheck indicator, better fiat support, NIP-44 encryption, and a way for self-hosters to support Alby! We’ve also added basic swap functionality to the node page so you can more easily manage your liquidity without having to open new channels.
The Cashu backend was also updated - you can now recover stuck funds, and new users will have a recovery phrase with which they can recover their funds in other wallets.
New features:
Add boltz.exchange swap out option
Add boltz swap in dialog
Use nip44 and versioning
PostgreSQL support
Enable multi-path payments in LND
Node page revamp for web and mobile
Display specific notes about counterparty above open channel buttons on increase incoming/outgoing flows
Show failure reason on transaction modal in transaction list
Add nostrcheck-server to Appstore
Add new apps to Hub’s Store (nostter, btcpay, coracle, lnbits)
Add new apps to appstore
Phoenixd subwallets
Add same counterparty alerts while opening channels
Currency switcher
Go v1.10.0
Support for PicknPay QRs
BTC Map to find places to spend sats
Improve Skeleton animations across the app
bitcoin-connect v3.7.0
Add alby hub
Add coinos connector
Add connection success screen
Add slide up animation on modal open in mobile
Add disconnect button while connecting a wallet
Add NWA & Alby Go
js-sdk
Simplify NWA flow
Add sign message method to Alby OAuth Client
In this release the NWC deeplink flow is improved to better support different kinds of http-accessible wallets
We also remove a dependency on an ESM event emitter package which was causing build errors in some projects
New features
New NWC deeplink flow to support other relays and wallet pubkeys
Add custom-timeout-values-for-requester-method
Custom EventEmitter classes
Add optional metadata field to get_info response
Ark Labs HQ wallet-sdk v0.0.7
export ArkAddress and VtxoTapscript
Make the lib compatible with webpack
Settle implementation
Ark v0.5.0 - Branch-only Signing Sessions and Connector Trees
New Features
Branch-only VTXO Tree Signing: Optimizes VTXO tree signing; drastically cuts down on the number of signatures you have to produce, making rounds quicker and less resource-intensive.
Connector trees: Another notable addition is the move from a linear connector chain to a tree structure.
Optimizations
Network compatibility and transaction costs
Round processing and client interaction
Scalability improvements
Client SDK API update
Taproot Assets v0.5.1
Database Migrations: tapd v0.5.1 contains non-revertible database migrations.
Breaking changes
Downstream Projects: litd v0.14.x-alpha enhancements require both channel peers to upgrade to a litd version >= v0.14.0-alpha to continue Lightning Channel functionality
tapd v0.5.x changes
Oracle RPC: The RPC protobuf definitions for the Price Oracle have changed
Configuration changes: The configuration value and command line flag now needs a value and is no longer a boolean
lightning-kmp v1.9.0
Rename OfferIssuerId
Simplify outgoing payment state machine
Remove support for push_amount
Use shared input’s txOut in shouldSignFirst
Make the project multi-modules
Correctly set next_commitment_number during splice reconnect
Add require_confirmed_input to RBF messages
Add a succeededAt timestamp to payments
validating-lightning-signer v0.13.0 - Celestial Citadel
Added:
configure SimplePolicy values using vlsd2.toml
fuzz: basic fuzzing of the vls-core crate
developer flag for dev messages and fields
core: oid derivation for ldk channel id
protocol: implement sign_holder_htlc_tx for LDK / phase-2 code path
Changed:
core: Add new and oid methods to ChannelId and remove the oid/channel_id utility methods
LSS: split lightning-storage-server into library and lssd
SideSwap v1.7.0
New swaps API
Fee discount
Cross-wallet swaps
Peg-in/peg-out wallet balance
CDK v0.7.1
Mint builder add ability to set custom derivation paths
eNuts is no longer maintained [Note]
Boosts
01:25:36 Thanks to everyone who streamed sats, and shoutout to our top boosters:
[🏆 TOP BOOSTER] @sean (3,000 sats) “Open sourced decentralized CIA? Sounds like y’all need to tap into the intellectual Silk Road 🚬”
@pink monkey (2,000 sats)
@Anonymous (2,000 sats)
@martinbarilik (750 sats) “Short AI intro 😁 right …”
@Momo Tahmasbi (100 sats) “Arkansas Traveler was a great song recommendation!”
@jespada (100 sats) “Zzzzap”
Tech Tips of the Day
Encoding data within emoji using unicode variation selectors [Paul Butler’s Blog post]
A demonstration on how to encode arbitrary data within a single emoji by utilizing Unicode variation selectors, which modify character presentation without visible changes.
By appending sequences of these selectors to a base character, data can be concealed within any Unicode character.
Bypassing hotspot restrictions for data [Article by Juraj Bednar]
Mobile carriers often detect tethering by monitoring Time to Live (TTL) values in data packets. Standard mobile devices send packets with TTL of 64, while tethered devices show TTL of 63.
The solution involves setting device TTL to 65, making tethered traffic appear as direct phone traffic with TTL 64.
WA-Tunnel: Tunneling Internet traffic over Whatsapp [Github]
WA-Tunnel allows TCP data tunneling via WhatsApp, useful for bypassing network restrictions such as limited carrier data.
The system works by sending network packages as WhatsApp messages, splitting large data into files or text to avoid message limits.
Bitcoin Optech Newsletter
Highlights from recent Bitcoin Optech Newsletters
Disclosure of fixed LND vulnerability allowing theft: Matt Morehouse posted to Delving Bitcoin to announce the responsible disclosure of a vulnerability that affected LND versions before 0.18.
Discussion about Bitcoin Core’s priorities: several blog posts by Antoine Poinsot about the future of the Bitcoin Core project were linked in a thread on Delving Bitcoin
Ignoring unsolicited transactions: Antoine Riard posted to Bitcoin-Dev two draft BIPs that would allow a node to signal that it will no longer accept tx messages that it had not requested using an inv message, called unsolicited transactions.
Allowing mobile wallets to settle channels without extra UTXOs: Bastien Teinturier posted to Delving Bitcoin about an opt-in variation of v3 commitments for LN channels that would allow mobile wallets to settle channels using the funds within the channel for all cases where theft is possible.
Continued discussion about an LN quality of service flag: Joost Jager posted to Delving Bitcoin to continue discussion about adding a quality of service flag to the LN protocol to allow nodes to signal that one of their channels was highly available.
Continued discussion about probabilistic payments: following Oleksandr Kurbatov’s post to Delving Bitcoin last week about emulating an OP_RAND opcode
Continued discussion about ephemeral anchor scripts for LN: Matt Morehouse replied to the thread about what ephemeral anchor script LN should use for future channels
Stats on orphan evictions: developer 0xB10C posted to Delving Bitcoin with statistics about the number of transactions evicted from the orphan pools for his nodes
Updated proposal for updated BIP process: Mark “Murch” Erhardt posted to the Bitcoin-Dev mailing list to announce that his draft BIP for a revised BIP process has been assigned the identifier BIP3 and is ready for additional review
News & Noteworthy
Bitcoin
The Satoshi Nakamoto Institute introduces The Reorg, a new podcast hosted by @Bitstein, exploring “the SNI archives to reexamine our ideas after years of accumulated proof-of-work.”
Business & Finance
Proton Wallet officially launches and is now accessible on iOS, Android, and web platforms, for all users [Announcement]
Custodial Lightning wallet service LifPay temporarily suspends operations to align with regulatory requirements [Announcement]
Users are advised to withdraw their bitcoin within 60 days by submitting a withdrawal request.
Orange Pill App introduces Lightning-enabled bitcoin wallet [Announcement]
The wallet aims to enhance community engagement through features like mass zapping, and plans to introduce geo-zapping, enabling users to send Bitcoin to others based on geographic locations.
Brazilian financial solutions company Transfero partners with Lightspark to add speed and cost efficiency to Bitcoin transactions using the Lightning Network [Press release]
Tropic Square introduces pre-production samples of TROPIC01, an open architecture RISC-V secure element [CNX Software’s Article]
TROPIC01 ensures tamper-proof hardware Root of Trust, enabling secure cryptographic key management and data storage in devices like hardware wallets and IoT products. [Product brief]
Fold introduces its Bitcoin Rewards Credit Card, offering cashback in bitcoin [Press release]
Canaan announces the Avalon Q, a home mining device with a hash rate of 90 TH/s. [Announcement]
Funding
OpenSats receives $250,000 donation from HRF’s Bitcoin Development Fund, directed at its Operations Budget [Announcement]
Vinteum announces its fifth grant to Pins for their work on LND [Blog post]
The donation has been divided for three non-profit organizations Brink, OpenSats, and the Human Rights Foundation
Blockstream opens its grant application portal for Bitcoin L2 projects, taking place on-site at the Lugano Research Hub [Portal]
Brink receives a $50,000 contribution to their open source Bitcoin development efforts from VanEck, and another $50,000 contribution from River
Bitwise donates $150,000 to support Bitcoin open-source developers [Announcement]
The University of Austin invests $5 million of its endowment in Bitcoin, partnering with Unchained for the initiative. [Announcement]
Mining
Bitaxe miner with 3.3Th of hashrate successfully mines a Bitcoin block, defying odds of 1 in 250,000,000 [Block 887212]
The device found a block with 719T difficulty, exceeding current difficulty levels, and has reportedly been operating for less than a month, generating approximately 350M shares.
Braiins reveals plans to open-source its BCB 100 control board [Announcement]
The release includes software (OpenWrt-based distribution, Linux support, and firmware source code) and hardware specifications (schematics, BOM, and CAD data), excluding the mining software.
All materials will be available under GPLv3 on the Braiins GitHub repository by the end of March.
Privacy
Bisq trade trends: An analysis of trading trends on the Bisq protocol in 2024
The number of trades on Bisq decreased in 2024, but USD volume per trade increased, indicating higher value per transaction.
Payment methods like Strike, Zelle, and Cash By Mail showed different trends in the volume and average value of trades in 2024.
Bisq’s surveillance discount was typically smaller than expected, with Cash By Mail offering the best rate and Strike the worst in 2024.
UK Government orders Apple to create backdoor for encrypted iCloud accounts [TechCrunch]
The UK Home Secretary’s office has issued a secret order under the Investigatory Powers Act of 2016, requiring Apple to provide access to user data protected by its Advanced Data Protection for iCloud.
In response, Apple has withdrawn support for Advanced Data Protection in the UK, and goes to court to fight UK’s demand.
Mozilla revises Firefox terms after user backlash over data usage [TechCrunch]
Mozilla has revised its Firefox Terms of Use, removing the explicit promise to “never sell personal data”, citing evolving legal definitions of data sales.
In response to feedback, Mozilla updates the terms to clarify that they do not claim ownership of user data and that data usage is limited to operating Firefox as described in the Privacy Notice.
Kraken’s 2024 Transparency Report: Kraken received 6,826 data requests from law enforcement and government agencies across 71 countries, marking a 38.6% increase from 2023
U.S. agencies accounted for 28.6% of these requests, with the FBI submitting 614. Kraken provided data for 57% of all requests, covering 10,369 accounts, primarily linked to clients in the U.S. (34.5%), the U.K. (8.8%), and Germany (8.5%).
X blocks Signal.me links, prompts error messages indicating potential harm or spam [Disruptionist]
The company cites security issues with the domain as a threat to user safety.
Protocol
Bitcoin Core #25832: tracing: network connection tracepoints [Merged]
“This adds five new tracepoints with documentation and tests for network connections”
Bitcoin Core #27432: contrib: add tool to convert compact-serialized UTXO set to SQLite database [Merged]
BIP #1712: BIP3: Updated BIP Process [Merged]
Rust Bitcoin #4114: Policy: Relax MIN_STANDARD_TX_NONWITNESS_SIZE to 65 [Merged]
Rust Payjoin #434: Multiparty Senders: NS1R [Merged]
LND #9491: Allow coop closing a channel with HTLCs on it via lncli [Merged]
LDK #3440: Support receiving async payments [Merged]
LDK #3575: PeerStorage: Add feature and store peer storage in ChannelManager [Merged]
Eclair #2989: Add router support for batched splices [Merged]
Eclair #2979: Check peer features before attempting wake-up [Merged]
BOLT #1228: Zero-fee commitments using v3 transactions [Draft]
NIP #1807: Add On-Chain Send/Receive to NWC #1807 [Open]
NIP #1777: NWC Deep Links: a standard for using deeplinks to communicate between a wallet and a nostr client [Open]
Government & Political
President Trump confirms the creation of a U.S. Strategic Crypto Reserve, including BTC, ETH, XRP, SOL, and ADA [Truth social post]
U.S. President brokers a prisoner swap, releasing BTC-e founder Alexander Vinnik [The Block]
Vinnik, co-founder of BTC-e, pleaded guilty to money laundering charges in the U.S. and France.
The U.S. SEC’s Division of Corporation Finance states that meme coins are akin to collectibles, not securities [Statement]
Consequently, transactions involving meme coins do not require registration with the SEC, leaving purchasers and holders unprotected by federal securities laws.
Bitcoin asset seizure and civil contempt order [Court order]
A U.S. federal judge holds Mr. Reynoso in civil contempt for violating a seizure warrant requiring him to transfer 119.65 BTC to a government-controlled wallet within 24 hours. Within hours of the warrant being served, Reynoso moved the bitcoin through multiple wallets, invalidating any claims of inability to access the funds. [Transaction]
The FBI discovered Ledger software on Reynoso’s laptop, and authorities confirmed his Bitcoin address through both the software interface and a text file in his Apple account.
U.S. Marshals Service struggles with managing seized cryptocurrencies [CoinDesk]
Previous reports and audits have criticized the agency’s inability to track forked assets and its reliance on insecure methods like unencrypted email for sharing bitcoin deposit addresses.
Nigeria’s release of Binance Executive Tigran Gambaryan linked to U.S. surveillance assistance deal [The Rage]
In October 2024, Nigeria released Binance executive Tigran Gambaryan, who had been detained since February 2024 on money laundering charges.
The same day, the U.S. and Nigeria announced a “Bilateral Liaison Group on Illicit Finance and Cryptocurrencies”, providing Nigeria with US “resources and expertise” in investigating cybercrimes.
Argentina’s President Javier Milei faces legal and political backlash over failed LIBRA memecoin launch [Reuters]
Milei denies any involvement, claiming he had no prior knowledge of the token’s issues and is now calling for an internal investigation.
CBP intensifies ASIC miner seizures, expands scope to MicroBT and Canaan units [Blockspace]
U.S. Customs and Border Protection (CBP) is seizing Bitcoin mining ASICs at ports of entry, including Bitmain, MicroBT, and Canaan units, at the request of the Federal Communications Commission.
Central Banking
The IMF requests El Salvador’s public sector to halt Bitcoin purchases as part of a $1.4 billion loan agreement [Atlas21] [Press release]
The IMF’s conditions include banning public sector Bitcoin accumulation and mining, restricting issuance of Bitcoin-linked tokenized debt, and revoking Bitcoin’s legal tender status.
The European Central Bank announced an expansion of the Eurosystem initiative for settling transactions using distributed ledger technology in central bank money [Press release]
The initiative will explore how DLT can settle transactions within the Eurosystem.
Heraclius: A Byzantine fault tolerant database system with potential for modern payments systems [Research paper]
Heraclius is a project by the U.S. Federal Reserve which attempts to replicate Bitcoin’s decentralized security while keeping control in central hands.
The Fed paper acknowledges Bitcoin as “the longest running electronic payment system that tolerates byzantine faults today”
Events
Barcelona Cyphers Conference: Unleashing Decentralized Freedom
June 6-7, 2025 in Barcelona, Spain
Reads
Here’s a list of our top recently published reads:
How Big Brother can attack Bitcoin without spending a dime, by Harsha Goli [Opinion]
Prosecuting Privacy: Examining Samourai Wallet, Money Transmitters, and the Criminalization of Innovation, by Spencer Peek [Research paper]
Atlas Mined, by Jon [Article]
The Logic of Spending Bitcoin, by Parker Lewis [Read]
What’s Driving Bitcoin Adoption in 2025?, by Sam Baker [River’s Research report]
Every App Needs Bitcoin, by Miljan [Note]
Why Keys Matter, by Holdbod [Note]
Bybit’s $1.4b breach started with stock invest malware [Crypto.news]
Episode submission ideas
We’re looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
Nostr & LN ⚡nvk@nvk.org (not an email!)