Bitcoin Forum

Introduction
The release and hype of Bitcoin has given birth to plenty of alternative crypto currencies. This has come to the point that new coins are released daily and it is easier than ever to “fork” one of these coins. The biggest reason for these new coins is simply the fact that people want to own “the new Bitcoin”. While this might not be true if you look at it from the developers point of view the fact remains that people wish to mine or buy a small share of a new coin that will bring them great wealth. Most often the intent of the new coins is to improve upon Bitcoin and offer a leap in technology. While this is a great argument in itself, there is always winners and losers when investing in these coins.

This article is not intended to discuss which coin is better than the other nor to dismiss the fact that there might be a “new Bitcoin” one day. Rather pointing out the danger in using the software these coins provide.

Why did I write this?
This text might give birth to new scams(probably already out there) but it may also enlighten people to be more careful. While there are those among us with great knowledge in programming, there is also those with less knowledge in this field who needs to be reminded about the danger with downloading software. I do not claim to be an expert in this field but I know the basics. I’m neither a “Linux geek” but I don’t see how this could not hurt Linux users just as well.

The release of a new coin
Most of the time new coins are released by an anonymous person. They probably remain anonymous to be able to ignore the people trading at a loss or if the coin is destroyed. It might also be the fact that the developer just wants to give up developing the coin and leaves it to die. The new coins are often presented with a compiled Linux and Windows wallet, some fancy webpage and promise of wealth and glory. The source code for the wallets are sometimes released while other developers choose not to upload their code. Most of this does not really matter.

This is how it works: The coin is announced, miners download the compiled wallet then they start to mine. This is usually the recipe for a newly released coin.

The danger in compiled wallets
This is the main point in this article. Even if the code for the wallet might be uploaded, there is no guarantee that the wallet provided by the developer is the same as if you compile it yourself. This is where the ingenuity of this scam comes in.
While I did not mention it in the introduction, there are also scammers among the developers. Let’s say X wants to release a new coin. He copies an old coin and presents it with a snappy new name, let’s call it CountryCoin(as country coins have been very popular). CountryCoin is announced with the precompiled wallets, a nice looking webpage which comes with the whole package, you know. X seems like a nice developer and he really knows his stuff. The scam is that the compiled wallet is never the same as the one if you decide to compile it yourself. This gives X a great opportunity to implement hidden features to his compiled wallet. X can basically do/take whatever he/she wants from your computer without you ever knowing about it. It does not matter if you encrypt your other wallets, the infected wallet might log everything that is typed and so revealing the password to X. This is just an example of what X is capable of.

The beauty in this scam is that the coin itself works. Those who compile their wallets are not affected, while those who downloaded the compiled wallet might be compromised to theft.

I do not know if this issue has been raised by anyone earlier but I hope this raises some awareness with the danger associated with jumping on that new coin and downloading a newly released wallet. 

Got to love these one post newbies.  Any bets this guy will annouce a coin called "opensll" and declare himself to be the saviour of alts?

Are you saying people are that stupid? Nobody downloads anything before checking it with virustotal

If you insist on running precompiled binaries from anonymous coin developers,
then install it on a machine from which all sensitive data has been wiped,
let the miner run for a few days while studying the wallet source code.
When profitability drops off, save just the wallet private keys; wipe the machine
again, and compile the now verified wallet source code to move the mining proceeds
away to a safe newly generated address.

Nah; that sounds like way too much trouble. Let's just trust the developer instead...

Well if you decide who's advice you take based on how many posts members have you are not too bright. I'm not going to release any coin, not interested and don't have the time.

Try to understand there are a lot of dubious people in the crypto scene and one of the ways we assess a poster's credibility is their activity level (not really post count.) Generally if you get up to the higher member status levels we will know a bit about you and if you're a nut it will have been revealed in prior posts and you'll have a bit of a reputation.

You do make a few decent points but without any real history on the forum some people are going to assume you're just another diehard btc holder bashing altcoins.

I would not say stupid. They want to get in as quickly as possible, maybe ignorance would be a better word for it. I do not know how virustotal works or if it would notice this.

The point was that the wallet that is compiled by the user is never infected. I don't believe many of the miners compile their wallets, instead they choose the easy way and downloads the ready wallet. As I said, there is no guarantee that the executable wallet is the same as the wallet you compile yourself even if both work. No matter how much you research the "source code" you would never find anything dubious within it.

To some extent I agree with you, still there are so many trolls, nut's and "know it all's" on this forum it is hard to find one consistent member no matter how long they have been active. I do not care anymore for BTC than any other coin, in fact I don't even have a single satoshi of BTC while I hold some very small amounts of alt coins. I'm just stating the fact that it would be extremely easy to steal a lot of coins this way. Most often from the people who are eager to jump on every coin in hope to making a good profit. 

Well it certainly has happened, people have downloaded bad wallets and later lost btc or other coins due to trojans and other malware. You have to be careful naturally but that is true of almost everything online it's not unique to crypto.

I think there are alot of sock puppets here and this statement makes sense to me. OpenSSL how many hours do you think you have logged on bitcointalk? Post count does not matter, all information should be independently verified if your going to stand on it for sure, some of us have wished we had taken one post newbies advice at times.

a developer could easily publish his malicious code with the coin's source code. as if anybody would really check the code in detail.

Yeah, like they could make a coin and call it... i dunno something crazy like, rapecoin? and then when you install the wallet it would rape all your other wallets. (I kid, I kid.)

This is what VMs are for. Problem solved. Download away  ;D

I do not have any accurate numbers on my time on bitcointalk. I have only been reading this forum for about a year.

Do you think people install one VM per wallet? Otherwise this is a good option to increase security.

This is completely true, everyone wants to jump on the new coin. If the developer is a bit smart he releases a dirty wallet with clean code on bitbucket.

Yeah that's what I was thinking lol... I could see someone thinking this is a grand idea on paper, but after a week or two of trying to do it they would most likely give up on it. If you have hundreds of thousands invested sure, but the average user with several wallets? No way, not going to happen. We're lucky if they even scan the wallet package with AV software before extracting/installing.

thats all there is?

Just don't turn it, or you'll end up confusing it with 999 coin...

The name is pretty good.

or just use a program to encrypt your keystroke