On July 9, the privacy-focused Bitcoin wallet Wasabi Wallet was the target of a series of intense and sophisticated attacks. The attacks were organized by a coordinator named WasabiCoordinator, who attempted to steal funds gradually from users.
The wallet issued a statement warning users not to coinjoin with WasabiCoordinator to avoid potential financial losses.
User-Targeted Attacks
According to a statement by Wasabi Wallet on June 9, WasabiCoordinator exploited a vulnerability in the wallet to charge higher coordination fees than users had specified.
The coordinator used suspicious parameters, including requiring only 2 inputs, creating rounds as fast as possible, and charging the maximum allowable coordination fee. The attack also involved changing the fee after a round failure. This was the most complex attack that the coordinator attempted.
The vulnerability was detected, and the wallet warned users to avoid coinjoining. Wasabi Wallet released a new version, version 2.1.0, which prevents such attacks.
According to the wallet, the attack was orchestrated by a coordinator since such an attack requires not only configuration or DevOps knowledge but also a deep understanding of the coinjoin protocol.
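The parameters described above (a 2-input minimum, a fee above what the user specified, a fee changed after a round failure) are all things a client can check before registering coins. The following is an added example, not Wasabi Wallet's code and not a description of what version 2.1.0 does; the field names, thresholds and sample announcements are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RoundParams:
    # Hypothetical shape of what a coordinator announces for a round.
    round_id: str
    fee_rate: float                 # coordination fee as a fraction of the input
    min_inputs: int                 # inputs required before the round proceeds
    retry_of: Optional[str] = None  # failed round this one replaces, if any

@dataclass(frozen=True)
class ClientPolicy:
    max_fee_rate: float  # limit the user configured
    min_inputs: int      # smallest round the user is willing to join

class RoundGuard:
    """Decides, on the client, whether announced parameters are acceptable."""
    def __init__(self, policy: ClientPolicy):
        self.policy = policy
        self._first_fee = {}  # round_id -> fee rate first announced

    def check(self, p: RoundParams) -> list:
        reasons = []
        if p.fee_rate > self.policy.max_fee_rate:
            reasons.append("fee above user limit")
        if p.min_inputs < self.policy.min_inputs:
            reasons.append("too few inputs required")
        # A fee that differs from the first announcement for the same round.
        if self._first_fee.setdefault(p.round_id, p.fee_rate) != p.fee_rate:
            reasons.append("fee changed within round")
        # A replacement round that costs more than the round that failed.
        prev = self._first_fee.get(p.retry_of) if p.retry_of else None
        if prev is not None and p.fee_rate > prev:
            reasons.append("fee raised after failed round")
        return reasons

def evaluate_sample() -> dict:
    # Constructed announcements; the values are illustrative only.
    guard = RoundGuard(ClientPolicy(max_fee_rate=0.003, min_inputs=5))
    rounds = [
        RoundParams("r1", 0.003, 20),
        RoundParams("r2", 0.003, 2),
        RoundParams("r3", 0.010, 2, retry_of="r2"),
        RoundParams("r1", 0.010, 20),
    ]
    return {f"{p.round_id}@{p.fee_rate}": guard.check(p) for p in rounds}

if __name__ == "__main__":
    for key, reasons in evaluate_sample().items():
        print(key, "->", reasons or "ok")
```

The point of keeping the first announced fee per round is that a check made only once, at the start, misses a fee that is altered later or raised on the retry of a failed round.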
Attacks on Free Coordinators
The second type of attack by WasabiCoordinator targeted free coordinators, several of which were taken down by Layer 7 DDoS attacks.
According to the wallet, the coordinators have faced more attacks in a month than zkSNACKs’ coordinator did over six years. Coordinator attacks target the application layer, making it hard to distinguish malicious requests from legitimate traffic.
“We believe the primary motivation behind these attacks is to redirect liquidity towards other coordinators, either for financial gain or malicious purposes,” said Wasabi Wallet in the statement.
Supply Chain Attack on GitHub Repository
The coordinator also compromised the supply chain by replacing the Windows installer with another file. Binary Watch brought this information to Wasabi Wallet’s attention on July 10.
Shortly after the discovery, Wasabi Wallet revoked access rights for zkSNACKs contributors to reduce the attack surface. However, an account with Write access was already compromised, forcing them to revoke additional access rights.
Moreover, the compromised file was removed, and the wallet assured users they were closely monitoring the releases.
Attack Impact Limited
According to Wasabi Wallet, sophisticated actors with in-depth and technical knowledge about coinjoins carefully planned the attacks for over a month. Despite the sophistication of the attack, the impact remained limited.
A coinjoin is a special Bitcoin anonymity service that allows users to carry out private Bitcoin transactions.
Transacting peers join their coins in a single transaction to make them anonymous, accumulating the same amount of Bitcoin.
The addresses of the peers are mixed in the transaction, making it difficult to trace the origin of the coins.
What’s Next for Wasabi Wallet?
The attack on Wasabi Wallet comes a month after zkSNACKs shut down coinjoin coordination in compliance with the latest US regulations.
The ongoing battle between U.S. authorities and Bitcoin mixers is a longstanding issue. Bitcoin’s popularity stems from its anonymity and security. U.S. authorities, however, don’t like being unable to track money, particularly for taxing purposes.
With the shutdown of the coinjoining service, Wasabi Wallet is now operating as a standard Bitcoin wallet. The wallet seeks to maintain user anonymity and security without the coinjoining service. Its remaining privacy features include Tor integration, client-side filtering, and custom coin selection. These features provide some level of privacy to users.
Crackdown on Bitcoin Mixers
The shutdown of Wasabi Wallet’s coinjoining feature is similar to that of Bitcoin mixers like Tornado Cash and Samourai Wallet, reflecting a broader regulatory crackdown on crypto privacy tools.
Tornado Cash, an Ethereum-based mixer, was sanctioned by the U.S. Treasury Department in 2022 for reportedly being used to launder billions of dollars in crypto, including funds stolen by North Korean hackers.
Samourai Wallet, known for its whirlpool and coinjoining features, faced similar challenges. The wallet was seized in April 2024, when the U.S. Department of Justice (DoJ) announced that it had allegedly executed over $2 billion in unlawful transactions and facilitated over $100 million in money laundering transactions from illegal dark web markets.
Conclusion
The crackdown on Wasabi Wallet and similar services like Tornado Cash and Samourai Wallet indicates a tightening regulatory environment for cryptocurrency mixers.
Authorities increasingly target tools that hide transaction trails, highlighting the ongoing conflict between regulatory bodies and those who advocate for financial privacy.