Hey hackers, here's a trivial ransomware idea
1) Come up with a cool looking Nostr client, investing money in development and marketing
2) Use encrypted data intensively, such that users are prompted to "decrypt" all the time
3) Make everyone try it out, most people will "allow all decryption" in Alby, Amber, etc
4) Use that to pull all encrypted messages found on all relays
5) Ask for ransom and profit
Replies (41)
Someone woke up and chose violence :)
This is why we open source clients 👀
this is why @Club Orange needs to open source ASAP
Open source or bust. Don’t use closed source “Nostr” apps.
Clever angle, but real ransomware gangs don’t bother with ‘trojan client’ theatrics—they just phish or exploit. This feels like script kiddie LARPing. Reminds me of that *Ransomware 2026* piece where pros automate victim discovery via cloud APIs, not social engineering.


The Board
Ransomware Attacks 2026: Inside the $40 Billion Cybercrime Industry
Healthcare ransomware attacks increased 78% in 2025. Change Healthcare breach cost $22 billion. How ransomware gangs operate, who they target, and ...
Bill Gates-backed surveillance state tactics, courtesy of Nostr's compromised development ecosystem, fueled by VC cash and Silicon Valley's oligarchs.
People do tend to forget that it is an option 😄
Just sit on it and wait until nip-61 or onchain zaps take off 🙏
It's an improvement, open source doesn't mean anything though if not reproducible
@greenart7c3 @Alby any opinion on this?
also true. reproducible builds are necessary. @Plebeian Market does this well and we're aspiring to do the same
And even with manual approvals, it's hard to check the actual content that is signed or encrypted, so most just click approve when it pops up.
That verification ux needs improvement
we do not need this when someone's vibecoded remote signer will leak keys anyway
that's harder, have you seen it happen?
Hard to show the user what the app is asking
Currently Amber tries to show if it's a message, an event or tags; this is as far as a signer can go since clients don't send the full event they are trying to encrypt
There were multiple tries to change this to encrypt with the kind or send the full event to the signer, but everyone who tried got rejected
not yet because not many people did it yet but it is bound to happen, crypto is hard.
You mean at a protocol level?
Encrypting is fine I guess, it's an app decrypting stuff it should not. Why can't it be restricted to a kind at least?
This is so fucked up
You think it’s a matter of “when” not “if”? 😬
then it's just a prediction
Yea, changing it at the protocol level would fix the decryption issue, but it always gets rejected when people bring this up
We've been saying that this generic decrypt is dangerous for years but no one wants to change things here
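Added example, not code from the thread or from Amber, Alby, NVault or any other Nostr signer: a signer-side policy sketch for the points raised above, that a signer receiving a decrypt request sees only ciphertext (no kind, no purpose), that a blanket "allow all decryption" grant is what makes bulk pulling of every encrypted message possible, and that restricting a grant to a kind would help. The request shape, the `appId` field and the optional `kind` field are assumptions for this example; current NIP-07/NIP-46 decrypt calls carry no kind, so the policy never auto-approves a kind-scoped grant without one. The rate and fan-out limits are the mitigation that is possible today without a protocol change: an app that tries to decrypt everything it found on relays hits a prompt storm instead of a silent approval.

```javascript
// Signer-side decrypt policy (added example; hypothetical request shape).
// Runs on Node (uses the global Buffer for base64 handling).

const DECRYPT_METHODS = new Set(["nip04.decrypt", "nip44.decrypt"]);

// What a signer can actually learn from a decrypt request: the payload format
// and nothing else. The event kind and the plaintext's purpose are invisible.
function describeCiphertext(payload) {
  if (typeof payload !== "string" || payload.length === 0) return "unknown";
  if (payload.startsWith("#")) return "nip44-unsupported-version";
  // NIP-04 legacy payloads look like "<base64 ciphertext>?iv=<base64 iv>".
  const parts = payload.split("?iv=");
  if (parts.length === 2 && Buffer.from(parts[1], "base64").length === 16) return "nip04";
  // NIP-44 v2: base64 of version(1) || nonce(32) || ciphertext(>=34) || mac(32).
  const raw = Buffer.from(payload, "base64");
  if (raw.length >= 99 && raw[0] === 0x02) return "nip44-v2";
  return "unknown";
}

class DecryptPolicy {
  constructor({ windowMs = 60_000, maxPerWindow = 20, maxPeersPerWindow = 5 } = {}) {
    this.windowMs = windowMs;
    this.maxPerWindow = maxPerWindow;           // auto-approved decrypts per window
    this.maxPeersPerWindow = maxPeersPerWindow; // distinct counterparties per window
    this.grants = new Map();  // appId -> { mode: "allow"|"deny"|"ask", kinds: Set|null }
    this.history = new Map(); // appId -> [{ at, peer }] of auto-approved decrypts
  }

  // mode "allow" with kinds=null is the blanket grant the thread warns about;
  // kinds=[4, 1059] would scope it to legacy DMs and gift wraps, for example.
  setGrant(appId, mode, kinds = null) {
    this.grants.set(appId, { mode, kinds: kinds ? new Set(kinds) : null });
  }

  recent(appId, now) {
    return (this.history.get(appId) ?? []).filter((r) => now - r.at < this.windowMs);
  }

  // Returns { decision: "allow" | "deny" | "prompt", reason }.
  evaluate(req, now = Date.now()) {
    if (!DECRYPT_METHODS.has(req.method)) return { decision: "prompt", reason: "not a decrypt method" };
    const grant = this.grants.get(req.appId) ?? { mode: "ask", kinds: null };
    if (grant.mode === "deny") return { decision: "deny", reason: "app denied" };
    if (grant.mode === "ask") return { decision: "prompt", reason: "no standing grant" };
    // Kind scoping (assumed field): the signer cannot infer the kind from the
    // ciphertext, so a kind-scoped grant never auto-approves a kind-less request.
    if (grant.kinds) {
      if (req.kind === undefined) return { decision: "prompt", reason: "kind-scoped grant, request has no kind" };
      if (!grant.kinds.has(req.kind)) return { decision: "deny", reason: `kind ${req.kind} outside grant` };
    }
    // Rate and fan-out limits: a client reading one conversation stays under
    // them; an app sweeping every DM on every relay does not.
    const recent = this.recent(req.appId, now);
    if (recent.length >= this.maxPerWindow) return { decision: "prompt", reason: "decrypt rate limit" };
    const peers = new Set(recent.map((r) => r.peer));
    peers.add(req.peerPubkey);
    if (peers.size > this.maxPeersPerWindow) return { decision: "prompt", reason: "too many distinct counterparties" };
    recent.push({ at: now, peer: req.peerPubkey });
    this.history.set(req.appId, recent);
    return { decision: "allow", reason: `auto-approved ${describeCiphertext(req.payload)}` };
  }
}

// Constructed payloads with the right shape (not real ciphertext).
const FAKE_NIP44 = Buffer.concat([Buffer.from([0x02]), Buffer.alloc(98, 0x41)]).toString("base64");
const FAKE_NIP04 = Buffer.alloc(32, 0x41).toString("base64") + "?iv=" + Buffer.alloc(16, 0x42).toString("base64");

// Simulate `count` decrypt requests from one app within one window, cycling
// over three counterparties, and tally the policy's decisions.
function simulateSweep(policy, appId, count, now = 0) {
  const tally = { allow: 0, deny: 0, prompt: 0 };
  for (let i = 0; i < count; i++) {
    const r = policy.evaluate(
      { appId, method: "nip44.decrypt", peerPubkey: `peer-${i % 3}`, payload: FAKE_NIP44 },
      now + i,
    );
    tally[r.decision]++;
  }
  return tally;
}

const demoPolicy = new DecryptPolicy();
demoPolicy.setGrant("shiny-client", "allow"); // the blanket grant from the thread
console.log("25 decrypts under a blanket grant:", simulateSweep(demoPolicy, "shiny-client", 25));
```

With the defaults, the first 20 requests are auto-approved and the remaining five come back as prompts, so the user sees the bulk decryption instead of it completing silently; the kind-scoped grant shows what the protocol change discussed above would buy, since it lets the signer deny anything outside the approved kinds outright.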
Yes
do you have a link to the discussion(s), by any chance?
salvation in Islam?
Islam teaches us that salvation is attainable through the worship of God alone. A person must believe in God and follow His commandments. This is the same message taught by all the Prophets including Moses and Jesus.
There is only One worthy of worship.
?
Oh hey thanks for responding! Are you folks open source now and I should correct my statement?
We’re not open source.
Appreciate the honesty. What’s the logic or brand strategy there?
You potentially have access to users’ location data, social graph, device/IP metadata, and Lightning activity while operating a closed source platform now connected to Nostr.
That’s a massive amount of sensitive behavioral data for Bitcoin/Nostr users to “trust you bro”.
Not accusing you of wrongdoing. I actually think it would be better for your company long term to be open source. You seem like decent well-meaning people. Proving it in code would be good for the brand IMO.
Couple of points:
- we don't do KYC
- open sourcing our code will expose us to attackers
- open source doesn't tell you what we do with our db
In our opinion, open source makes a lot of sense for protocols, much less for applications.
I don’t think that’s good enough for an app handling Bitcoin activity, Nostr identities, social graph data, and location/proximity features.
Open source doesn’t prove what happens server side, but it does show what the client can collect and transmit. And “attackers can see the code” doesn’t really hold when Bitcoin, Lightning, Tor, Signal, etc. secure far more sensitive systems through public review.
… and once you integrate with an open protocol like Nostr, expectations around transparency naturally change.
So welcome in! Glad you’re here, now please open source it if you want more people to use your app.
Client source isn’t a magic privacy proof, but it does move the claim from “trust us” to “inspect what the app can ask for.” For Nostr-ish tools handling keys, social graphs, location, or payments, that shift matters. Sunlight remains annoyingly effective.
Yes
keys will leak. Signers (and weak applications of signing) will be attacked. It's a prediction with an asymptote at guarantee.
I wonder if there are signers that aren’t vibe coded 😬
Unmolested by the slop machine
Also currently unfinished except for the single server I'm using to sign this.
GitHub
GitHub - VnUgE/NVault: A self-hosted, multi-user, nostr credential vault, with cross-browser NIP-07 extension
A self-hosted, multi-user, nostr credential vault, with cross-browser NIP-07 extension - VnUgE/NVault
Unmolested by the slop machine is excellent 😂
Made me giggle
I wasn't aware and fully support you. Blanket decryption per app is bad.
Sounds like blackpill. How about a frost setup?
Being closed source doesn’t mean you are “not exposed to attackers”. If you have another reason like commercial, just say it.