Bitcoin.org, the website that was once the main landing portal for all things Bitcoin, today suffered an embarrassing hack that has already cost naive BTC users money. Instead of the usual front page, visitors were greeted with an invitation to send BTC to the “Bitcoin Foundation” with the promise to return double their sent amount.
For a few hours, the bitcoin.org main page displayed a popup window over the main content with the words:
“The Bitcoin Foundation is giving back to the community! We want to support our users who have helped us along the years. Send Bitcoin to this address, and we will send double the amount in return! Limited to the first 10000 users! Use this QR code or address below”.
The Bitcoin Foundation does not operate the bitcoin.org domain. As recently as mid-2021, the domain was controlled by a company represented online by the nickname “Cøbra,” and the site contains information representing only the BTC network. Cøbra acknowledged the hack with a brief tweet:
https://t.co/OsFgRFRRZb has been compromised. Currently looking into how the hackers put up the scam modal on the site. May be down for a few days.
— Cøbra (@CobraBitcoin) September 23, 2021
Domain host Namecheap then disabled the domain.
Hello, Thank you for reporting this matter. We have temporarily disabled the domain.
— Namecheap.com (@Namecheap) September 23, 2021
Invitations to send money with the promise of sending back double are a (sadly) common scam in the blockchain world. They usually appear after a web page or social media account of a well-known person is compromised, or if a hacker can convincingly impersonate their profile.
Though the “offer” itself is laughably implausible, many naive users react quickly to these scams by sending money, apparently without ever wondering how a “send money and we’ll send you double back” invitation makes any logical sense.
There were four buttons on the hacked bitcoin.org site with the options to send BTC in amounts of $10, $100, $1,000 and $10,000. The address presented (first appearing on-chain on September 23, 2021) is static and a quick check of blockchain records shows it has received seven transactions, at least four of which match the $10 and $100 donation amounts. There is also a single transaction (that address’s first) for 0.4 BTC (US$17,440).
A single “sent” transaction of 0.40567808 BTC (US$17,688) emptied the address of over US$17,000 in BTC roughly two hours after it appeared. The appearance of transactions containing the exact amounts on the hacker’s popup interface suggests at least a few people have been duped by the scam, and at least one address has sent a $1.50 transaction to it since someone withdrew the $17K.
Soon after the scam popup appeared, BSV-based online service quality tracker Bitping detected an outage for the domain in four countries. The site gradually became unreachable from other countries as well over the next few hours.
The Bitcoin.org domain made headlines in January 2021 when Bitcoin creator Dr. Craig S. Wright sent copyright infringement notices to “Cøbra” and the administrators of BitcoinCore.org and Bitcoin.com, asking them to remove hosted copies of his original 2008 Bitcoin white paper.
Though initially defiant, Cøbra eventually decided not to defend the case in the U.K. High Court of Justice and Dr. Wright won a default judgment in June 2021. His Honour Judge Hodge QC ordered Bitcoin.org admins to remove hosted links to the Bitcoin white paper for U.K. visitors, and ordered Cøbra to pay Wright GBP£35,000 in legal costs.
GitHub user “Cobra-Bitcoin” later posted a request to code maintainers to comply with the U.K. order, saying:
“I don’t want anyone associated with the company behind Bitcoin.org, if ever identified, and if even temporarily in the UK, to be at risk of potentially 2 years in jail.”
It’s not known whether Cøbra or “the company behind Bitcoin.org” has also complied with the court order to pay Dr. Wright’s legal costs, and CoinGeek has not received any information claiming it was paid.
Dr. Wright claimed he registered the Bitcoin.org domain name in August 2008, as Satoshi Nakamoto. Though Bitcoin.org says Satoshi “gave ownership of the domain to additional people,” Dr. Wright says he lost his own access control in the ensuing years, upon which others began to add details contrary to his original vision.