Know your wallet like you made it! Our goal is to improve the security of Bitcoin wallets by examining products for transparency and potential attacks.
Public Key: npub1j9kttlc86w63emmldd4h74rekyqpksqup6p9trhp5gjsf374qlyszvuswx
Profile Code: nprofile1qqsfzm94lura8dguaalkk6ml23umzqqmgqwqaqj43ms6yfgycl2s0jgpr4mhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet5qy28wumn8ghj7un9d3shjtnyv9kh2uewd9hsyzhmv6
Published at: 2023-10-25T23:37:56Z
Event JSON:
{
  "id": "39629ae8ddb2011f2d29f780495dd31170eae72169e33ffa3f8f3a03a21c6dfa",
  "pubkey": "916cb5ff07d3b51cef7f6b6b7f5479b1001b401c0e82558ee1a22504c7d507c9",
  "created_at": 1698277076,
  "kind": 0,
  "tags": [],
  "content": "{\"name\":\"WalletScrutiny\",\"nip05\":\"[email protected] \",\"picture\":\"https://image.nostr.build/9b196cb3b1d7238460192356b7f7611371ea91cd35bb6064b265e2dac52ac2f0.png\",\"banner\":\"https://void.cat/d/UbXBuQo8SYAZNNFrEdQhXD.webp\",\"about\":\"Know your wallet like you made it!\\n\\nOur goal is to improve the security of Bitcoin wallets by examining products for transparency and potential attacks.\",\"lud06\":\"\",\"lud16\":\"[email protected] \",\"display_name\":\"WalletScrutiny\",\"webOfTrustScore\":0,\"followingCount\":148,\"website\":\"https://WalletScrutiny.com\"}",
  "sig": "06e634d644f8aaa99b3834150928e0833fd762f7a5588c124ba0a322f5574ba7b7a6323a3362ce9dbe1a5e3fd95a8c45f2916bd6d15ab27f43acc104696ab3c0"
}
Last Notes (npub1j9kttlc86w63emmldd4h74rekyqpksqup6p9trhp5gjsf374qlyszvuswx)

WalletScrutiny:
The ByBit Hack Report [1] reveals interesting details. While many blame ETH and its complexities, it's important to note that a combination of circumstances made this attack possible. But the core issue clearly was a central point of failure. Multi-signature was used but all signers used the same hacked, remote server. The server was trusted, supposedly running a well-audited open source web wallet software but "open source" is not enough as the source run on that compromised server did not match the well-audited code.
At WalletScrutiny we so far do not list web wallets because it is hard if not impossible to attest to the integrity of web wallet code when the server can serve different code every other second or depending on your IP address. We are investigating options to list progressive web apps that give the user more control of what is being run. While standard PWA manifests primarily contain metadata, a security-focused implementation could leverage several mechanisms to establish stronger integrity guarantees:
* Extending manifest files with cryptographic commitments to all resources
* Implementing Subresource Integrity (SRI) checks to verify each script matches expected hashes
* Using a trust-on-first-use (TOFU) signature model where developer keys are stored after initial verification
* Creating transparent, user-controlled update processes that display cryptographic verification before applying changes
Such an approach would significantly reduce trust requirements in the server after initial installation, as the PWA could verify the integrity of updates against developer signatures before execution. Static analysis could also differentiate between PWAs with secure update mechanisms versus those with silent automatic updates.
While not eliminating all risks, this model would provide a more verifiable path than traditional web wallets, potentially bringing them closer to the verification standards we apply to other wallet types.
[1] https://docsend.com/view/s/rmdi832mpt8u93s7

WalletScrutiny:
As described above. We will open up to more people attesting to the reproducibility of binaries and wonder what to call them. Are they attestators? Verifiers would be a more common word and also fit. Witness would be even more common but sounds like somebody who only looks but doesn't do the heavy work of actually reproducing anything.

WalletScrutiny:
English speakers please help us out here ... We are close to launching "attestations" where anybody will be able to attest to the reproducibility of binaries. The process is technical and quite involved. Are those who do this ...
* Attestators
* Witnesses
* Verifiers
* Certifiers
#askNostr

WalletScrutiny:
Question for people who looked at individual reviews on http://WalletScrutiny.com: Should we remove the individual coloring of pages based on the product's logo? Please comment below or vote on Xitter https://x.com/WalletScrutiny/status/1857181765762531729

WalletScrutiny:
Today we welcome @npub1qw6…4882 as our new lead developer! He brings a lot of experience not only with Bitcoin and nostr but even was involved with two reproducible wallet builds already years ago besides many other bitcoin tools he contributed to.

WalletScrutiny:
Yes, we are paying up to $8k/month for #FOSS development. Others pay for FOSS development, too. Your lack of appreciation for FOSS shows, so you might just not be the right guy for the job. So far, 11 applied.
3 look like a good fit. We will see ...

WalletScrutiny:
Our hope is to find a long-term contributor. As WalletScrutiny is a donations-based project, funding can get tricky but the more progress we show, the easier it should get to find donors or grants. Therefore we want to hire somebody who can make considerable progress fast and who as a dev lead can also prioritize for impact, to not lose time on fringe, irrelevant details. So in a sense, if the hire is worth a grant, he will stay around for longer.

WalletScrutiny:
How do we get the attention of job seeking shadowy super-coders that would accept a modest payment (modest for super-coders) for being able to work for us?
* nostr
* bitcoin
* bitcoin only (no shitcoin)
* FOSS
* remote
#jobstr #jobs #bitcoin #bitvocation #nevent1q…c9pz

WalletScrutiny:
https://bitcoinerjobs.com/job/1579271-lead-software-developer-js-nostr-bitcoin-foss-walletscrutiny

WalletScrutiny:
At least some 300,000 machines reachable on the internet are vulnerable to a remote code execution vulnerability that appears to be rather easy to execute on all of those. The vulnerable package is cups-browsed - a tool for printing - which does get installed by default on many desktop Linux systems but who knows ... maybe you are running some media server with your bitcoin wallet and your printer reachable via the same RaspberryPi? Check your machines. Android appears not to run cups but if you run Linux or Mac, you might want to double-check if you're one of the lucky 300,000 that get to update their system **now**.
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

WalletScrutiny:
At WalletScrutiny.com, we track 4574 apps on Google Play. 2956 of those are not on Google Play anymore. Can that be right? The Apple App Store "only" shows 550 of 1291 apps as removed. Either way, especially if you found a cool new wallet, assume the fun will not last.

WalletScrutiny:
Funding is actually looking pretty good right now for achieving this tiny selection within months. If you want to help with funding to further expand our scope, donations are always welcome. As for priorities with the many desktop wallets, we have not decided which ones to test first. Obviously Bitcoin Core is being tested intensely by others already but if you have ideas on how to prioritize desktop wallets, let us know. There is no easy popularity heuristic to go by. Google search results? Self-reported downloads? Stars on GitHub? ... It's all sort of flawed.

WalletScrutiny:
We have long been working on testing desktop wallets but it's really tricky as there are just so many binaries floating around for what claims to be the same product. Even Bitcoin Core is showing 8 download options depending on your operating system or distribution channel preference: https://image.nostr.build/092675397042174186e3e764292629b3adb749ec409656972a229800b81f35ca.png
With snapcraft obviously being tricky: https://image.nostr.build/772aa649432c3d57171f65eecabc4c87f0d031fa8edbf359c7a68c8df7e5ddb8.png
Either way, for desktop wallets, most of the time people have download links and want to verify those downloads, so Chris is working on a binary checker. It's still only a draft merge request and clearly needs a design but what it will enable is actually pretty cool: https://a.nostr.build/DMmxAOaKtPYpb3M7.webm
WalletScrutiny calculates the hash of the file dropped onto it and if it's an apk, it also determines the appId which allows finding the right product. If the hash is known, the verdict is immediately displayed. If not, the page invites the user to upload the file for analysis. The attestations for artifacts will live on nostr as signed events and nostr will also be used to advertise the existence of new binaries for reviewers.

WalletScrutiny:
The designs look repetitive but the chosen materials appear to not always be clearly advertised. Maybe educated guesses are good enough if people ask about any particular new device.

WalletScrutiny:
Not all metal backups are made equally. If you use metal to not have to also worry about your bitcoins when your house is on fire, don't use this product: https://jlopp.github.io/metal-bitcoin-storage-reviews/img/devices/ellipal_metal_hot.jpeg
But running these tests must have been great fun, right @npub17u5…t4tp? If we add these backup solutions to our website, we would certainly heavily lean on Jameson Lopp's work as a hydraulic press and acids aren't what we had planned to play around with ourselves for now. Jameson, are you planning to test more products anytime soon? Adding "backup tools" to WalletScrutiny might get excessive if we don't draw lines like you did. If it's not at least claiming to be heat resistant, we won't bother to list it or else we end up listing a million different ways to print on paper.

WalletScrutiny:
Stay safe! Hope it all turns out well.

WalletScrutiny:
Some fan art ✨ 🎶 🎶 Which one do you like best?
https://audio.nostr.build/79aad81cea8141b3fe4ec5d08319735be46420e04f45910453cf3a035ea706e4.mp3
https://audio.nostr.build/1392672adb8cb2f5752cc3241c2d38811ace25b8f5e498801a54918db243a235.mp3
https://audio.nostr.build/569718137b9d20b8c91cbc086179e7b7aab39d6c5e824294fe7324aa092584c2.mp3
https://audio.nostr.build/ec043e98cc163270ca4a66c3b3c46fe5da0695e7cb3a814e76678724a4d49e51.mp3
https://audio.nostr.build/d76cf4c1a3f59f5645a92c1a5126220468939f6ec3001ea9704718d056981541.mp3
https://audio.nostr.build/c09400bb09c8f4b894b88ff078ce28a0c15578c30b508a552f5b3c08dc4a9d41.mp3
https://audio.nostr.build/640d0512152b5edea6458e9196c108ebf32a864694ece156a1c85d36042dfb49.mp3
https://audio.nostr.build/42ddfde0e3ba5bd055d98f79fce2c7de757a4c774cddde5da1d91caf6c72e945.mp3

WalletScrutiny:
If you still have funds trapped in Samourai, @npub1r70…sf7d wrote some tips on what to do next to recover them here: https://walletscrutiny.com/android/com.samourai.wallet/

WalletScrutiny:
https://image.nostr.build/a9f29836a1d10f7a9830add2c3256066c0e6aa21db09e2b881d848c009e3f3e7.png
Most people don't dig that deeply but when they do, they have this question. Computers are 1s and 0s. They are digital. How can they be non-deterministic??
Software development mostly revolves around performance both in the end product and the development process. Only very few developers even spend a thought on reproducibility. So if they compile something and it compiles 5 seconds faster, they can test the feature they were working on 5 seconds quicker. These two reasons result in stuff being non-reproducible as:
* Files are processed in the order they come and that order depends on many factors. For example some file systems sort by date and others by file name.
* Compilers can optimize the result, so compiling something with one version of the compiler will often give a different result than when compiled with another version.
* The compiler might process multiple files in parallel and pack them into the result as they finish compiling.
* Other sources of problems are timestamps or file paths that end up in the result.
* Some tools on purpose use randomness to generate IDs that are unique to every build.
Of the above issues, all result in non-reproducibility by our standards. While some lead us to comment on the build looking benign as the diff is only some random number appearing twice, others might also be benign but result in differences far too big to quickly judge with the tools we are using. The more developers care about reproducibility over only performance, the better it will get but there are some widely used tools that consistently cause issues and maybe should just be avoided in wallets.

WalletScrutiny:
@npub1r70…sf7d found something ... https://github.com/Coldcard/firmware/pull/332
So we list the product as unreleased for the time being.

WalletScrutiny:
Well, not on nostr. At least that's Fiatjaf's marketing. Did he merge the shadowban nips?

WalletScrutiny:
Apparently the Coinkite account is not so talkative ... Pinging @npub1az9…m8y8

WalletScrutiny:
Hi @npub1wu4…3vw0 We were asked to attest to the reproducibility of your Q1 wallet and while the shop looks like it's maybe not released, we think it's just out of stock? May we ask for a release date?
https://github.com/Coldcard/firmware/blob/master/stm32/repro-build.sh appears to not support compiling the firmware for the Q1, right? We found for example 2024-04-02T1416-v1.1.0Q-q1-coldcard.dfu at https://coldcard.com/downloads/ yet the script appears to assume the download always to contain "mk". Where can we find the documentation to reproducibly build the Q1 firmware?

WalletScrutiny:
In the end, reproducibility is something people can attest to in order to extend trust or you have to reproduce it yourself which means you could as well just compile it from source always. As we care about extending trust, we care about attestation and see jumping pixels more as a gimmick than anything else but if people like it, it's easy enough to record a screen session.

WalletScrutiny:
https://walletscrutiny.com/android/com.samourai.wallet/
Samourai Wallet did not share source code for their latest version on Google Play.

WalletScrutiny:
Has anybody noticed that we now have "screen recordings" in our reproducibility tests? As another project is sharing "video proof" of reproducibility, we were asked to also do so but it felt kind of pointless to produce GBs of data for every reproducibility test. We did however start playing around with console recordings that are somewhat more optimized as they record the ASCII on the screen and not every pixel. Resulting files are much more manageable but for example, running the compile script for the Electrum for Android app resulted in 72MB of output. As we test a lot, this is a lot to add in a single day. Does anybody care about screen recordings? Can we throw them at some nostr relay instead of our git repo, with some expiry date in three months, so that interested users can grab it while it's hot? Any other ideas?
Currently the tiniest ascii cast is the one for the Schildbach "Bitcoin Wallet": https://walletscrutiny.com/android/de.schildbach.wallet/

WalletScrutiny:
For all I know they might escalate this internally but certainly their staff should have protocols for this. After all, people that do lose their money to these apps also do contact them.

WalletScrutiny:
It can be really frustrating to hunt after fake apps when not even the provider of the original seems to care ... Here is our attempt at reporting a fraud at https://capital.com
https://image.nostr.build/a7daca6bd8eb4d4135b8a7b448ea0e941f788bec36951bece1262e2bc6c5c5bc.png
https://image.nostr.build/8412f75108b34a0214ebdc4d82d26e1f1668418e0ed77efff6e2a15a86bbc1ab.png
https://image.nostr.build/1509713b5cfd8c1372cded8c8461792d0752a24433f9cd15feaea89eb92beca9.png
https://image.nostr.build/3e4d4c4ccc09aeb79133534258617ea5acc77f0150e3d4287a839c9516e42d06.png
#nevent1q…xg72

WalletScrutiny:
Does anybody know how https://walletscrutiny.com/android/com.kapital.trade.crypto relates to https://walletscrutiny.com/android/com.capital.trading ? The former has 500k users but looks like a fake app given the "typo" in the app ID and given that capitalCom links to the latter, only.

WalletScrutiny:
Sadly Mycelium hasn't published any source code updates since June, yet their latest release on Google Play was days ago. As of now, Mycelium for Android has to be considered closed source. We poked Alexander Pavlenko - the author of the last commit and probably maintainer - on Telegram yesterday but did not get a reply yet.
https://walletscrutiny.com/android/com.mycelium.wallet/

WalletScrutiny:
https://image.nostr.build/b68eb33d5edf4142482e89f154714bb5c8b79ed04042161a92b3ca3bb7ada202.jpg
https://twitter.com/WalletScrutiny/status/1727388864216531429

WalletScrutiny:
Good news everyone! Spiral renewed the grant. We have high goals for this year with more community engagement and expansion to Desktop products. https://twitter.com/spiralbtc/status/1725245018997174349

WalletScrutiny:
We'll do another Twitter space tomorrow with Mo and Leo. Should we do a Nest next?
https://cdn.discordapp.com/attachments/1011450447392940085/1166328974499119134/wallet-scrutiny-call-231024.jpg
https://twitter.com/i/spaces/1PlKQDWmwNyxE?s=20

WalletScrutiny:
We don't list web wallets so far. Mutiny appears to work for Android but is not on Google Play yet. https://play.google.com/store/search?q=mutiny%20wallet&c=apps
We analyze binaries that we pull from Google Play or the App Store.

WalletScrutiny:
https://cdn.discordapp.com/attachments/1123708113980227747/1159839471794139257/image.png?ex=65327bae&is=652006ae&hm=55e8edc5a4ae9bba385f0ed8b48ac66c8f6314ca4790a8a7316bbebdbdec687f&
Join our Space! We will talk about Bitcoin Wallet security! https://twitter.com/i/spaces/1ypJdkRQVZdGW?s=20

WalletScrutiny:
@npub1xnf…lpr5

WalletScrutiny:
Among the reproducible Android wallets, Zeus appears to be the first to have switched to Android App Bundles. We tested what we got from Google - the arm64-v8a version - and found all bytes accounted for, giving it the verdict "reproducible" but with somewhat of a headache …
Android App Bundle or AAB in short allows Google to provide each user a tailored version of the product. For example in the case of this wallet, the older format contained binaries for arm64-v8a, armeabi-v7a, x86 and x86_64 CPUs. The new format only for "your" CPU. https://void.cat/d/B44P1WNKFjQqSaYg6VTUng.webp
And that makes the app much smaller. In this case the zeus-universal.apk weighs 92MB while the zeus-arm64-v8a.apk only weighs 32MB. With games where assets for bigger screens can be excluded for lower end devices, this can make even more of a difference. But it also implies that Google gets the developer's signing key, theoretically enabling them to also tailor security aspects of your apps - on a case by case basis. Google is pushing for AAB to trim MBs off all these apps but this comes at a cost:
* Security: Where before, only the developer could sign an update, now Google engineers can, too.
* Transparency: Where before, only one binary was circulating per version, now many circulate.
The full analysis of the latest Zeus wallet can be found here: https://walletscrutiny.com/android/app.zeusln.zeus/

WalletScrutiny:
Do you know a thing or two about compiling stuff? Do you care about people not getting rug-pulled by their Bitcoin wallets? Please help us stay on top of all these wallets! We now list more than 6000 products and also those with a top verdict - reproducible - are thankfully getting more and more but that also means more and more on-going work as we test reproducibility not only once but ideally with every new release and for every build artifact (Bitcoin only edition and the shitcoins-included edition and x86_64 and armeabi, ...)
The latest tests performed - and all found to be reproducible - were for these three:
* https://walletscrutiny.com/android/de.schildbach.wallet/
* https://walletscrutiny.com/android/com.mycelium.wallet/
* https://walletscrutiny.com/android/org.electrum.electrum/

WalletScrutiny:
The re-design is finally live! Great thanks to
* Spiral for sponsoring us
* the Bitcoin Design Community for awesome improvements that we have refined over 16(?) calls and who knows how much research between the calls
* @npub1vwu…zl6z who implemented the very challenging changes over 350 commits!
Check it out at https://walletscrutiny.com/
Please be gentle. We probably have missed many details. Bug reports and feature requests are as always welcome at https://gitlab.com/walletscrutiny/walletScrutinyCom/-/issues

WalletScrutiny:
PSA: If you use Atomic Wallet, **do not** open it with an internet connection. You **will lose your funds**. Restore your backup in a compatible wallet and move the funds to a different seed. https://void.cat/d/HGyTT2ooxf2A3M2QXcivw.webp

WalletScrutiny:
So we were just released from our web hoster's DMCA jail. We had to temporarily remove Foxbit's listing but we brought back https://walletscrutiny.com/android/br.com.mercadobitcoin.android/ which was the reason for a similar down-time last year.

WalletScrutiny:
What should we do about a bad actor making it to the top of our list? We don't test for being honest. We only test for source code transparency.
https://habla.news/a/naddr1qqxnzd3cxsmrgvejxvunqde5qy08wumn8ghj7mn0wd68yttsw43zuam9d3kx7unyv4ezumn9wshsz9thwden5te0wfjkccte9ejxzmt4wvhxjme0qy2hwumn8ghj7mn0wd68ytn00p68ytnyv4mz7qgawaehxw309ahx7um5wghxy6t5vdhkjmn9wgh8xmmrd9skctcprfmhxue69uhhyetvv9ujuam9d3kx7unyv4ezumn9wshszrnhwden5te0dehhxtnvdakz7qgcwaehxw309aex2mrp0yh8qmr9vfehgu3wvdhk6tcpzpmhxue69uhkumewwd68ytnrwghszgrhwden5te0dehhxarj9emkzmrvv46x7ennv96x7umgdyhxxmmd9uqkvamnwvaz7tmxd9k8getj9ehx7um5wgh8w6twv5hkuur4vgckwmfhw36hvu3ev96xxdn4xacnxem9we4xveteveuhvmtjd36kcdrexcmkkdm4xa5xx7r6w3arvdmrv4jhsuesxuu8ye3k8a38ymmpv33kzum58468yat9qyghwumn8ghj7mn0wd68ytnhd9hx2tcpr4mhxue69uhkummnw3ezumt4w35ku7thv9kxcet59e3k7mf0qgsydl97xpj74udw0qg5vkfyujyjxd3l706jd0t0w0turp93d0vvungrqsqqqa28dg0pjt

WalletScrutiny:
Will Ledger recover from "Ledger Recover" backlash? Probably. Most customers will not notice. Most that do, will not understand what's going on. It will blow over but some will level up and learn what was long common knowledge for experts. #ledgerrecover
Many users claim to prefer Ledger hardware wallets as they use a so-called "secure element" or SE. This chip is advertised to resist sophisticated physical attacks but part of the defense of these chips is legal in nature - talking about flaws or details is forbidden. To use an SE, companies have to sign NDAs and are required to not share aspects of the chip. This also includes to not share the code they run on said chip. If you can't verify, you have to trust. Trust the claims of the provider. And these claims were unequivocally clear: https://void.cat/d/PLsKyxPtoxzuR2adcKDhhy.webp
Yesterday Ledger announced a new product, enabled with a firmware update that does just what prior was advertised as being impossible: Send your keys to trusted parties with https://www.ledger.com/recover. While many take aim at the potentially insecure storage of keys with such third parties and criticize the KYC required for it, the main issue here is that of trust. If this is possible and undetectable, have they maybe already built in legal confiscation features? If you believe in "Don't trust. Verify!" your only option is to use verifiable tools. We list those and follow up with them. Check how transparent your preferred Bitcoin wallet is at https://walletscrutiny.com/

WalletScrutiny:
Now with the bootloader compromised as was the case with this Trezor Model T, even all these measures might not be enough if the bootloader hot patches firmware updates. Firmware providers could counter that by either making binary patching hard or by detecting modifications in likely areas of patches.

WalletScrutiny:
Trezor wallets are always sold without firmware. If it has a firmware, it probably is not new and might have been tampered with. If it apparently has no firmware, it might still be tampered with but that's another story. When installing/updating the firmware, verifiability is key! Trezor is fully open source and this sophisticated modified hardware would have turned into a useful tool for its user, had he updated to a genuine version but for that, some checks have to be possible:
1. The firmware has to be built from public source code so its code can be audited. Trezor is open source.
2. The firmware has to be **reproducible** so the firmware is provably built from the public source code. Trezor is reproducible.
3. The device has to show the cryptographic fingerprint of the about-to-be-installed firmware so the user can make sure he is installing the correct firmware. A version number is not enough! Trezor did this, recently failed to do this but closed an issue about this recently so we are not sure about the situation.
4. The newly installed version has to contain visible changes that a hacker can't trivially anticipate. Showing an incremented version number is **not enough**.

WalletScrutiny:
Kaspersky took apart a modified Trezor Model T. Key takeaways:
* The modification was not detectable upon visual inspection
* The device performed like a normal device
* It had "firmware 2.0.4" installed, which to a normal user would not raise suspicion
* It used poor entropy - a set of only 20 possible seed phrases. This entropy is so small it probably is designed to let the user get new keys on demand but different victims would probably have different sets of keys as to not find other people's coins
* It prevented effective passphrase protection by only considering the first letter of a passphrase - the user would feel protected by seeing different wallets for different passphrases but the hacker could trivially brute force all possible passphrases
https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155

WalletScrutiny:
Case study: fake hardware cryptowallet. Full review of a fake cryptowallet incident. It looks and feels like a Trezor wallet, but puts all your crypto-investments into the hands of criminals. https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/
You really can't be paranoid enough. Unless there are no single points of failure, losing all your coins is always an option.

WalletScrutiny:
Those links used to be all with the universal 🌐 globe symbol. Now the most common brands are easier to spot ...
https://void.cat/d/8v2YLo2F5a8xvwgo4BZQMu.webp

WalletScrutiny:
So [Trust being closed source](https://walletscrutiny.com/android/com.wallet.crypto.trustapp/#analysis), this is either/or:
⚠️ a fork of many years back when it was still open source
⚠️ an app built from the decompiled Trust app
And then there is ⚠️ [last reviews all bad and scam accusations](https://play.google.com/store/apps/details?id=com.simplehold.app&gl=de) to one of which they replied "Please write to us at [email protected] ", a domain that is currently for sale? The app appears to claim you forgot your password once you deposit funds.

WalletScrutiny:
52 new verdicts were released today.
* 25 products were custodial
* 8 were closed source
* 8 were wallets but not for #Bitcoin
* 5 turned out to be no wallets at all
* 2 were vapor ware
* 1 did not support sending or receiving Bitcoin - only speculating on its value
* 1 was not released yet
* 1 was do-it-yourself
* 1 will need more investigations

WalletScrutiny:
Cypherock X1 joins the group of reproducible Bitcoin wallets.
https://www.youtube.com/watch?v=vO8ajyhNfTQ
https://walletscrutiny.com/hardware/cypherockx1/

WalletScrutiny:
The philosophy with WalletScrutiny always was to monitor what people actually are installing and with App- and Play Store that was straightforward. A verdict was relevant for all users but with 23 verdicts associated with the same brand, it's just too complex for a user to understand even if we had the manpower to assign the 23 verdicts.

WalletScrutiny:
In the past ten days we published **64 new wallet reviews** and another **60 updates** to verdicts. Most of the research was done by #[0] and verified by #[1]
https://walletscrutiny.com/

WalletScrutiny:
Our stated mission is to look into Bitcoin Wallets and with bearer tokens like the [Opendime](https://walletscrutiny.com/bearer/opendime/) we already ventured into products that clearly are not wallets but they are meant to keep your private keys safe, so users want to know: Do they really keep you safe from loss? Now we came across products that are marketed as "crypto vaults" but they are more akin to [password managers](https://en.wikipedia.org/wiki/Password_manager) like LastPass - a general store of important data. By being marketed to keep your important data safe, they clearly are being used for Bitcoin, too. The crypto-themed one we are looking at right now has 100k installs on Google Play. Should we look into those or is that mission creep?

WalletScrutiny:
https://media.nostrgram.co/i/90/media_901873f45a146.jpg
From the start we wanted to look into desktop wallets but it's really hard. For example for Electrum there are 23 different ways of getting the binary and those are probably +20 different binaries.
* We do not have the resources to check them all with every release.
* We have no idea how to communicate our findings to the user.