A major security scandal has hit the Bitcoin Gold ecosystem after a fraudulent wallet known as mybtgwallet, previously linked from the project’s website, was found to have stolen users’ private keys and drained millions of dollars in cryptocurrency. According to the reported tally, total losses reached approximately $3.3 million, making the incident one of the more serious wallet-related thefts tied to a fork-era distribution process.
The case has drawn particular attention because the fake wallet was not merely circulating in obscure online forums. It was reportedly promoted through the Bitcoin Gold website, creating the impression that it was a legitimate tool for users seeking to claim their forked coins. For many users, especially those unfamiliar with wallet security or code review, the presence of the link on an official site would have looked like a strong endorsement.
A Scam Built Around Fork-Claiming Confusion
The fraudulent site reportedly encouraged users to upload or enter their private keys in order to claim their Bitcoin Gold allocations. In the aftermath of the Bitcoin fork boom, such workflows were not unusual: holders of bitcoin often had to use specialized tools or wallets to access forked assets. That made the setup believable enough to trap victims who believed they were simply following standard steps to obtain free coins tied to their existing holdings.
Once the scam was exposed, the link to mybtgwallet was removed from the Bitcoin Gold website. However, by then numerous users had already interacted with the service. Reports indicate that the fraudulent wallet was presented as open source, which may have further reassured users. But the code on Github was later modified in a way that allegedly sent users’ private keys directly to the operator behind the scam, allowing the attacker to seize assets controlled by those keys.
Because private keys unlock far more than a single forked asset, the damage extended beyond Bitcoin Gold itself. Anyone exposing a key tied to a bitcoin address could potentially lose bitcoin and any other compatible assets associated with that key, depending on how funds were stored and managed.
Breakdown of the Reported Losses
The total losses tied to the mybtgwallet operation were reported at around $3 million in bitcoin, $107,000 in Bitcoin Gold, $72,000 in litecoin, and $30,000 in ether. This mix of stolen assets underscores the broader danger of key compromise: once a user hands over sensitive credentials, attackers can move whatever funds those credentials control, regardless of which coin the victim originally intended to claim.
The value of the theft also intensified criticism of the Bitcoin Gold team’s response. Earlier comments from the project had suggested that preliminary investigations indicated at least some claims of theft linked to the site were credible. With the larger scale of the losses now reported, those warnings appear to have been well founded rather than isolated complaints.
Questions Over Official Endorsement
The controversy is not limited to the existence of a scam wallet. A deeper issue is whether project teams bear responsibility when they promote third-party tools that later prove malicious or insecure. In this case, the average user visiting the Bitcoin Gold website had little reason to suspect that a linked wallet might be a trap. The fact that the wallet was reportedly also shared via official social channels amplified the perception of legitimacy.
This has fueled debate across the crypto industry about what due diligence developers should perform before endorsing external wallets, applications, or claiming tools. Retail users generally do not have the expertise needed to audit source code, inspect wallet behavior, or identify subtle exfiltration mechanisms. Development teams, by contrast, are often expected to understand these risks or at least investigate them before attaching their brand to a product.
The issue becomes even more urgent in fork environments, where users are often asked to perform complicated and risky procedures involving seed phrases or private keys. Even technically aware users can be tempted by the prospect of “free coins,” especially when a website appears to offer an official route for claiming them.
Part of a Wider Wallet-Trust Problem
The report also pointed to another security incident in the market: approximately $7 million worth of Verge was said to have been stolen from Coinpouch, an iOS wallet that had also been promoted on the Verge website. While the two incidents are separate, they reinforce a similar concern: users frequently interpret inclusion on a project’s website as a sign that a wallet has been reviewed, vetted, or approved for safety.
In reality, the standards behind such listings may vary widely. Some projects may conduct at least a minimal review, while others simply aggregate community tools or external resources. The difference is rarely obvious to newcomers. As a result, “official-looking” wallet links can create a false sense of security at exactly the moment users are making the most sensitive decision possible—revealing control credentials over their funds.
Bitcoin Gold Team Response
In a public statement, the Bitcoin Gold team said it was working with security experts to investigate the issue and would continue to cooperate in trying to determine what happened. The team was also expected to provide additional updates. Still, criticism persisted over whether the project acted quickly enough once users began raising alarms about the wallet.
For critics, the timeline matters. In security incidents involving private keys, every hour counts. Delays in removing a link, issuing a warning, or clearly instructing users not to use a tool can translate into additional irreversible losses. Because blockchain transactions are typically final, assets stolen through compromised keys are often extremely difficult, if not impossible, to recover.
Forks, Incentives, and User Risk
The incident also illustrates a persistent tension in crypto markets: forked coins can create strong incentives for users to interact with unfamiliar software in order to claim additional assets. During periods when multiple forks are launching, users often face a choice between pursuing newly issued tokens and minimizing security risk. Some may decide to avoid claiming altogether. Others may move funds to exchanges that support distribution, though that path carries its own custodial risks.
The report noted that despite the reputational damage from the wallet scandal, Bitcoin Gold’s market price had risen sharply during the week, alongside Bitcoin Cash. That disconnect is not unusual in crypto markets, where price action can diverge from governance, security, or trust concerns in the short term.
Lessons for Users and Developers
The mybtgwallet case is a stark reminder that private keys should never be entered into unverified tools, especially during chaotic events such as forks, airdrops, or token claims. Any request to paste a private key into a website should be treated as a major warning sign unless the software has been independently verified and the user fully understands the security implications.
For developers and project teams, the case raises an equally important question: if a wallet or service is listed on an official website, should that imply a level of technical review and accountability? The answer may shape how future crypto projects present third-party integrations. As the industry matures, users are likely to expect more than informal curation. They may demand explicit standards, disclosures, and security checks before any wallet is promoted under an official banner.
Until then, incidents like this one will continue to serve as painful reminders that in crypto, trust can be exploited as easily as code. And when private keys are involved, one mistaken click can cost millions.

