A fake version of Wasabi wallet, probably designed to steal bitcoins, has emerged online at wasabibitcoinwallet.org. (Don’t visit that site.)
According to Wasabi developer nopara73 (the only confirmed identity he has), the site is only trying to assault Windows users. Only the Windows version of the wallet is actually non-legitimate. The rest of the download links on the site direct to Wasabi’s actual Github repository.
Nopara73 downloaded the off-brand version of the wallet and the anti-virus software he’s using found no problems with it. For him, that makes the issue all the more concerning:
An insecure or compromised Bitcoin wallet can cost someone thousands of dollars. Wasabi is not the first wallet to have a pretender emerge. Fake Electrum wallets have come out in the past, but the community is pretty quick to warn people.
The nature of open source software is that anyone can create a clone and change it anyway they want. This is actually the intended effect. The terms of the GNU Public License, however, make it illegal to release a product of the same name.
Therefore, if an open source developer is able to identify someone who does this, they have an enforceable licensing agreement to sue based upon. Unfortunately, open source license based lawsuits are rare.
Nevertheless, open code is viewed as more secure. Vulnerabilities are found quickest when the widest number of people are able to look for them.
Wasabi wallet has grown in popularity. The official website for it is wasabiwallet.io. Wasabi implements native “coin joining,” a strategy to Bitcoin wallets. It is one of the first wallets to do this natively in Bitcoin. The concept is not unlike the privacy features implemented by Evan Duffield into DarkCoin, which later became Dash. According to the Wasabi website, the platform works best when a lot of people are using it.
An in-depth explanation of how Wasabi implements privacy can be found here.
Despite the transparency of the Bitcoin network, it’s difficult to know the actual distribution of wallet usage. Many wallets use a backend like bitcoind or connect remotely to a node, as is the case with most mobile wallets. However, Wasabi is reportedly one of the most popular wallets in Iran, a country where using cryptocurrency is technically illegal although the country launched its own blockchain.
A fake version of a reliable Bitcoin wallet is a serious financial risk, especially if someone is switching wallets and inadvertently imports an existing private key. The effect can be devastating and quick. Fortunately, the news of this fake Wasabi site has spread pretty quickly. It’s unlikely to be the last. The Internet, for all its safeguards and policing, remains very much the wild west.
If it turns out that the false Windows version of the wallet isn’t stealing coins, it could be something much worse: an attempt to de-anonymize Wasabi users.
Open source software has a history of being infected with malware or adware and redistributed.