Updated: Sunday, December 17
We have published the results of our detailed analysis of the suspicious file, including a list of about 30 vulnerable wallets created because of this file. Please see our detailed post, Vulnerable Wallets and the Suspicious File.
The original post follows.
Updated: Sunday, November 26, 2017, 17:00 UTC
NOTE: We have expanded the recall window for the Windows Wallet installer. Carefully note the expanded times/dates indicated below. The files currently available on GitHub through our web site are correct; always check the SHA-256 checksum against your downloaded files.
Please be aware that for approximately 4.5 days, a link on our Download page and the file downloads on our GitHub release page have been serving two suspicious files of unknown origin.
Until we know otherwise, all users should presume these files were created with malicious intent – to steal cryptocurrencies and/or user information. The file does not trigger antivirus / anti-malware software, but do not presume the file is safe.
Any user who verified the SHA-256 checksum of the download against the checksum listed on our Download pages is already aware the file is not authentic and should not have used the file, but nobody should assume that all users take this important step.
Anyone who downloaded the Windows Wallet file between November 21, 2017, 09:39 UTC, and November 25, 2017, 22:30 UTC, should not use the file in any way. If the file was used, the computer on which it was used should be addressed with extreme caution; the file should be deleted, the machine should be thoroughly checked for malware and viruses (or wiped clean), and any cryptocurrencies with wallets accessible on that machine should be moved to new wallet addresses immediately.
The currently posted files are safe, but users should always confirm their downloaded files via SHA-256 checksum.
Relevant pages and links
Project GitHub Repository:
https://github.com/BTCGPU/BTCGPU/releases/tag/0.15.0.1
Project Download Page:
https://btgofficial.org/downloads/
Windows file Download SHA-256 Hash:
SHA-256: 53e01dd7366e87fb920645b29541f8487f6f9eec233cbb43032c60c0398fc9fa bitcoingold-0.15.0-win64-setup.exe
Linux file Download SHA-256 Hash:
SHA-256: 25d7bf0deb125ecf5b50925a1c58e98c4b0b0a524470379c952f6b9310e97cfe bitcoingold-0.15.0-x86_64-pc-linux-gnu.zip
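One way to carry out the checksum check described above, as an added example that is not part of the original advisory or the project's own tooling: it hashes a downloaded release file, compares it with the SHA-256 values published on this page, and flags a mismatching Windows installer whose modification time falls inside the recall window. Treating the file's modification time as its download time is an assumption, and the function name triage and the verdict strings are illustrative.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from pathlib import Path

# Published SHA-256 values, copied from this advisory.
PUBLISHED = {
    "bitcoingold-0.15.0-win64-setup.exe":
        "53e01dd7366e87fb920645b29541f8487f6f9eec233cbb43032c60c0398fc9fa",
    "bitcoingold-0.15.0-x86_64-pc-linux-gnu.zip":
        "25d7bf0deb125ecf5b50925a1c58e98c4b0b0a524470379c952f6b9310e97cfe",
}
# Recall window for the Windows installer, from this advisory (UTC).
WINDOWS_FILE = "bitcoingold-0.15.0-win64-setup.exe"
RECALL_START = datetime(2017, 11, 21, 9, 39, tzinfo=timezone.utc)
RECALL_END = datetime(2017, 11, 25, 22, 30, tzinfo=timezone.utc)


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(path):
    """Return (verdict, actual_sha256) for one downloaded release file."""
    path = Path(path)
    expected = PUBLISHED.get(path.name)
    if expected is None:
        # Renamed or unrelated file: no published value to compare against.
        return "unknown-file", None
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected):
        return "match", actual
    # Assumption: mtime approximates the download time of the file.
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    if path.name == WINDOWS_FILE and RECALL_START <= mtime <= RECALL_END:
        return "mismatch-in-recall-window", actual
    return "mismatch", actual


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, *triage(name))
```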
Additional Details
UPDATE: Sunday, November 26, 2017, 17:00 UTC – as corrected above, the recall window for the Windows Installer File has been expanded. Two different suspicious files were uploaded to GitHub over the course of several days, one after the other. Neither file matched the publicly posted SHA-256 checksum. All users who worked with the suspicious files are advised to take the safest possible course of action or to engage knowledgeable professionals to assist them. The text below is unchanged, but we will be investigating both of these suspicious files fully.
The links on our Download page point to the GitHub repository for the project. This is standard practice to associate the source code with the compiled files.
An unknown party gained access to the GitHub repository and replaced the compiled Windows file with a different one. Until the file can be closely analyzed, we do not know what the intent was. We know that the file does not immediately trigger antivirus/trojan warnings. The Linux file was not changed.
The GitHub repo has been secured and we do not believe a second attempt is possible. The suspicious file has already been replaced with a known safe file whose checksum matches. Our team is performing a security audit to ensure the safety of all other systems, and we will attempt to ascertain the purpose of the file.
The source code was unchanged. Any user who downloaded the source code to compile it themselves should be unaffected, but best practice suggests that they ensure their local repository matches the current GitHub repo and exercise extreme caution.