Episode notes
AOB
- All aboard the vibe train
- FTF with Max T
- Q got some holidays coming up
- Keonne appeal
- Bisq v1 trade protocol exploit: 11.59 BTC drained, fully reimbursed, hardening shipped in 1.10.0 (bisq.community PSA, Bisq on X, reimbursement plan on GitHub)
- Disclosed: 2026-05-01
- Bisq's v1 trade protocol had a missing validation check on taker-side input. Because maker and taker were supposed to use the same miner fee, a malicious taker could push a bad fee value through the transaction math and shrink the multisig output to 0.001 BTC while sweeping the rest into the taker's change. The attacker drained 11.59 BTC from 10 users, all on altcoin trades. Maintainer Henrik Jannsen filed a reimbursement plan on GitHub on May 3, with payouts in BTC (BSQ optional) and a DAO vote scheduled around May 25. The hotfix landed as Bisq 1.10.0 on 2026-05-16 with broader hardening: trade protocol checks, network message validation, release verification, supply-chain hardening. The Bisq team explicitly flagged the incident as a likely AI-assisted exploit, though they did not detail how AI was used.
- Sterlingov Appeal: The Criminalization of Privacy (therage.co)
- Published: 2026-05-12
- The appellate court reviewing Roman Sterlingov's Bitcoin Fog conviction openly suggested that mixers remain "legal in theory but not practice" once criminals use them. Judges questioned whether running an internationally accessible service forces compliance with every jurisdiction's licensing regime.
- Pro-law-enforcement CLARITY Act advances out of Senate Banking (therage.co)
- Published: 2026-05-15
- The Digital Asset Market Clarity Act passed committee with expanded surveillance provisions: Bank Secrecy Act integration sixteen times over, new PATRIOT Act special measures. Privacy advocates flagged the breadth of data collection on Americans who haven't done anything.
- CVE-2024-52911 disclosed in Bitcoin Optech #405, fix has been in Bitcoin Core 29.0+ since release (https://bitcoinops.org/en/newsletters/2026/05/15/)
- Published: 2026-05-05
- Use-after-free in parallel script validation between Bitcoin Core 0.14.0 and 28.x. Required attacker-supplied proof-of-work, so practical attack window was narrow, but the bug sat unannounced across many versions.
- Bitcoin Knots 29.3 enables BIP-110, fork-off countdown started (release notes) + Lopp's countdown
- Published: 2026-05-09 (release)
- Knots 29.3 ships RDTS soft-fork enforcement on by default. Nodes running Knots with this flag set will fork off the network in August unless they change behaviour. Lopp set up a countdown.
- Bybit exploit post-mortem (Blockstream): enterprise multisig + hardware wallets did not save them (blog.blockstream.com)
- Published: 2026-05 (week of 5-12)
- $1.5B drained despite multisig and hardware wallets. The failure was in process, not key custody: a UI / signing-flow compromise.
- Poland passes EU MiCA-aligned crypto bill while Zondacrypto fraud probe deepens (bitcoinmagazine.com)
- Published: 2026-05-15
- Polish lawmakers ratified the MiCA framework ahead of the July EU deadline. The vote landed alongside an investigation into Zondacrypto's collapse, roughly $96M of user losses, with Prime Minister Tusk floating possible foreign-influence angles.
- Claude helps retrieve lost 5BTC
- X user 'CPRKRN' has Claude check over the whole file system and match a wallet file to an old password
- Spiral and Block ship Loupe, an AI-powered vulnerability scanner for open-source Bitcoin (spiralbtc.substack.com)
- Published: 2026-05-12
- Uses LLMs to surface security weaknesses in code repositories and requires demonstrable test cases for any vulnerability report so false positives are minimised. Spiral and Block are funding scans themselves; reports go to maintainers confidentially before any public disclosure.
- Bitcoin Core 31.0 (release index entry) — 2026-05-12
- Operator review required before production rollout. Major version landing.
- Bitcoin Knots v29.3.knots20260508 — 2026-05-09
- RDTS soft-fork enforcement on by default, fork-off risk in August. New configuration changes, bug fixes.
- Core Lightning v26.06rc1 — 2026-05-12
- Adds graceful command for clean shutdown, new sendamount RPC, BOLT12 payer-proof support, plus 211 commits since v26.04.
- Bitkey App 2026.9.1 — 2026-05-15
- Security patch from Block.
- Trezor Suite v26.5.1 — 2026-05-15
- Legacy labeling migration, WalletConnect insufficient-balance warnings, side-by-side trade comparisons, new DeFi Tokens section.
- BitBoxApp v4.51.0 — 2026-05-12
- Bundles BitBox02 firmware v9.26.1, address formatting in 4-char groups, iOS haptic feedback on charts, account-summary perf.
- Ledger Live Desktop 4.4.0 — 2026-05-13
- Hardens Live App handling of external-protocol URLs (itms-apps:, ms-word:, file:, etc.) across Chromium navigation vectors.
- Ledger Live Mobile 4.4.0 — 2026-05-13
- Adds an addresses section to asset detail screens, device-card management menus with removal confirmations.
- Bull Bitcoin Mobile v6.10.1 — 2026-05-18
- Onboarding redirect fix on wallet creation failure.
- Bull Bitcoin Mobile v6.10.0 — 2026-05-11
- Major release: Ledger hardware-wallet integration, FSS hybrid storage strategy, real-time WebSocket notifications, new onboarding wizard, Payjoin privacy enhancements, 11 new translations.
- Bull Bitcoin Mobile v6.9.101-Internal-Release (display name v6.9.108-Internal) — 2026-05-09
- Pre-6.10.0 testing build, Android migration / startup wizard / secure storage fixes.
- Bitcoin Safe 2.0.0rc0 — 2026-05-17
- Comprehensive redesign of the wallet setup wizard, added support for Coldcard mk5 and Trezor 7, plugin architecture via external repos, fiat-balance category column.
- Sparrow Frigate 1.5.0 — 2026-05-14
- Low-latency mempool ingestion via Bitcoin Core's ZMQ sequence publisher, auto-discovers the bitcoind ZMQ endpoint when unconfigured. Useful for operators running Sparrow Frigate alongside Core.
- Blockstream Green iOS release_5.4.0 — 2026-05-11
- Aggregate fiat balance across all wallet assets, updated Send flow for Lightning, migrates Lightning backend from Breez to Greenlight (Blockstream's own LSP).
- Blockstream Green Android release_5.4.0 — 2026-05-08
- Same redesign as iOS: aggregate fiat balance, redesigned Send flow (recipient → asset → account), transaction pagination, also the Breez-to-Greenlight migration.
- Blockstream Green Desktop 3.3.0 — 2026-05-06
- Total fiat balance in wallet header, AMP ID exposed in settings, GDK 0.77.3, Qt 6.11.0, Wayland fixes.
- Peach Bitcoin 0.69.0 (build 346) — 2026-05-06
- Signature validation for backed-up payment details, encrypts custom refund addresses, removes invalid backed-up data.
- Peach Bitcoin 0.69.0 (build 345) — 2026-05-05
- Percentage filtering on offers, encrypted server backup syncing for payment methods, advanced offer-creation options, GrapheneOS camera-permission fix, Buy Offer creation restricted to experienced users.
- ZEUS v13.0.2-rc3 — 2026-05-18
- Third RC for 13.0.2. New RGS server at rgs.zeusln.com providing graph updates every 15 minutes instead of every three hours. Clipboard and NFC UX improvements.
- ZEUS v13.0.1 — 2026-05-07
- Stable release: fixes recovering Embedded LND wallets from seed (was stalling out), payment retry logic, false-positive offline detection. Cashu token sweeping to self-custody continues to land.
- Alby Hub v1.22.2 "Marc Horowitz" — 2026-05-11
- Adds Core Lightning support (their most-requested feature), new AI & Agents page, integrated on-chain wallet mode, custom transaction labels, redesigned settings, improved budget selection for app connections.
- Boltz Backend 3.13.0 — 2026-05-08
- Full Arkade swap support, EVM commitment-swap lockup flow, multi-LND support in backend and sidecar.
- Boltz Client 2.12.0 — 2026-05-12
- Final removal of the GDK wallet library.
- Arkade arkd v0.9.5 — 2026-05-11
- Client-lib wallet interface updates, breaking-changes documentation, single-key wallet signing fixes.
- Arkade TS SDK v0.4.25 — 2026-05-07
- Maintenance bump for the Arkade JavaScript SDK.
- NodeGuard 0.24.2 — 2026-05-14
- Fixes invoice-expiry calculation in rebalance flows. Check logs if rebalance operations have been timing out.
- ThunderHub v0.18.3 — 2026-05-15
- Bug-fix release in the 0.18.x line. (Subsequent 0.18.1-0.18.3 are CI/docker polish after the headline 0.18.0.)
- ThunderHub v0.18.0 — 2026-05-05
- Adds Taproot Assets support to the dashboard. The actual show story for ThunderHub this fortnight.
- Blink Mobile 2.4.44 — 2026-05-06
- Upgrades protobufjs (CVE-2026-41242 mitigation). Security patch.
- Fedimint SDK canary release — 2026-05-14
- React Native transport fix, persistent callback, RPC payload flattening. Canary channel.
- umbrelOS 1.7.3 — 2026-05-12
- DirtyFrag security patches: CVE-2026-43284 + CVE-2026-43500 in the Linux kernel. Mandatory.
- umbrelOS 1.7.2 — 2026-05-05
- CopyFail patch: CVE-2026-31431 in the Linux kernel. Mandatory.
- Tails 7.7.3 — 2026-05-12
- Emergency release: critical Linux kernel CVE fix (kernel 6.12.86 ships the Dirty Frag fix), plus Tor Browser and Tor client security fixes.
- Whirlpool Observer…