Hackers leak El Salvador’s Chivo Bitcoin wallet code
El Salvador’s state-controlled Bitcoin wallet is embroiled in a second data breach incident after hackers published another batch of sensitive information.
On April 23, anonymous bad actors called CiberInteligenciaSV leaked some of Chivo’s source code and VPN credentials for state-operated Bitcoin (BTC) ATMs in El Salvador. The information was released on BreachForums, a platform for criminals and malicious hackers.
“This time I bring you the code that is inside the Bitcoin Chivo Wallet ATMs in El Salvador. Remember that it is a government wallet, and as you know, we do not sell, we publish everything for free for you.”
CiberInteligenciaSV on BreachForums
Digital security startup VenariX warned citizens and the broader crypto community on X of an impending Chivo leak a day before the incident. According to the local initiative, CiberInteligenciaSV had teased the forthcoming BreachForums post on its Telegram Channel. The cybercriminal organization also seemingly invited government officials to negotiate.
El Salvador Chivo debacle
Chivo is the official Bitcoin storage solution provided by the government of El Salvador. The wallet became a national tool after President Nayib Bukele officially adopted Bitcoin as legal tender in September 2021, becoming the first country to do so worldwide.
Salvadorans can use Chivo to buy or sell Bitcoin. Chivo also allows citizens to withdraw cryptocurrency from BTC ATMs across El Salvador. Shortly after its launch, users reported issues with the wallet, such as slow execution, app crashes, and other bugs.
The government partnered with U.S. white-label software firm AlphaPoint to address technical glitches, as crypto.news reported in 2022.
Matters escalated earlier this month after the personal info of some five million Salvadorans was exposed online. Per DataBreaches, the 144GB leak was extracted from a former national security advisor named Alejandro Muyshondt. The hackers reportedly accessed the files from a cloud backup.
Initially, the source was unclear and mistaken for a vaccination database since it features details like full names, dates of birth, individual profile photos, and addresses. However, experts later linked the files to Chivo sign-up requirements. Bukele’s administration has not commented on or issued a statement regarding what happened.