
DO NOT OPEN YOUR SAMOURAI WALLET until you finish reading.

The Facts

Since the recent regrettable arrest of Samourai wallet founders and the seizure of the samouraiwallet.com domain earlier today, it is possible (but not confirmed) that the US government now controls any servers which were once controlled by Samourai, and could also control the signing key used to sign Samourai wallet app builds.
There are two important practical takeaways for Samourai users from these facts:

1. Launching your Samourai wallet will cause it to connect to a US government-controlled server to fetch wallet balance information (unless your Samourai wallet uses a self-hosted Dojo server).

2. By updating your samourai wallet after today, you'll be installing code which was NOT written by the Samourai devs.

The first takeaway is an immediate privacy threat. To fetch wallet balance information, your Samourai wallet will upload your bitcoin addresses to the seized server, thus doxxing your coins and their history to the US government, associating them with your IP address, with the fact that those coins were held in Samourai, and with any other client metadata which your Samourai wallet client happens to leak (the extent of which is unclear). If you launched Samourai any time in the last 24-48 hours or so, your coins may now be 'tainted' with that information, from the PoV of the US government. It's hard to know for sure exactly when the US government acquired control of Samourai's servers, so I am conjecturing here.
The second takeaway is a delayed security threat which can be easily avoided by simply not installing any updates (and disabling auto-update) for samourai. For best safety, you should uninstall samourai once you have safely extracted your coins.
Speaking of which, you should extract your coins from samourai.

Extracting Coins

To recover your bitcoins safely, take your Samourai wallet 12 word BIP39 seed phrase which you should have written down on paper, and import it into another BIP39-compatible wallet. I would suggest Electrum or Sparrow.
If for some reason you need to look up your BIP39 seed phrase inside samourai, DO NOT LAUNCH SAMOURAI without first placing your smartphone in airplane mode to prevent it from connecting to Uncle Sam's servers. Remember to reboot your phone or force-close Samourai before turning airplane mode off - We wouldn't want your samourai wallet to phone home while it is still running in the background.
Are you not seeing all your money after recovery? Keep in mind that Samourai Wallet supports multiple address formats (P2PKH, P2SH, P2WPKH). The wallet you imported into may not load all of these addresses at once. You may need to import your Samourai seed multiple times with different derivation paths in order to recover all your money.

Going Forward

Once you have recovered access to your samourai coins, you may - but don't necessarily need to - sweep them out onto a different seed. As long as you haven't updated Samourai with any potentially-malicious code released today or afterwards, your seed is just as likely to be safe now as it was before the Samourai devs were arrested.
If you launched samourai any time in the last 48 hours or so, your coins could be associated with your IP address (or other samourai-specific metadata). Bear this in mind as you spend those coins. Consider mixing them in JoinMarket or Sparrow, or spending them via multi-hop lightning network payments to regain forward-looking privacy.
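Why one seed has to be imported once per address format, shown as an added example that is not part of the original post. It assumes the standard BIP44/BIP49/BIP84 purpose numbers for P2PKH, P2SH and P2WPKH, uses the public BIP39 test mnemonic as constructed input, and prints only short fingerprints of the derived account keys.

```python
import hashlib, hmac, unicodedata

# Order of the secp256k1 group; BIP32 child keys are reduced modulo this value.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
# Assumption: standard purpose numbers (BIP44 / BIP49 / BIP84) per address format.
PURPOSES = {"P2PKH": 44, "P2SH": 49, "P2WPKH": 84}
# Constructed input: the public BIP39 test phrase, not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"

def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048, 64)

def master_key(seed):
    """BIP32 master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def ckd_hardened(key, chain, index):
    """Hardened child derivation; needs only the parent private key, no EC math."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + key) % N, digest[32:]

def account_key(seed, purpose, coin=0, account=0):
    """Private key at m/purpose'/coin'/account'."""
    key, chain = master_key(seed)
    for index in (purpose, coin, account):
        key, chain = ckd_hardened(key, chain, index)
    return key

def account_fingerprints(mnemonic, passphrase=""):
    """Short hash of each format's account key, to show that they are unrelated."""
    seed = bip39_seed(mnemonic, passphrase)
    return {fmt: hashlib.sha256(account_key(seed, p).to_bytes(32, "big")).hexdigest()[:16]
            for fmt, p in PURPOSES.items()}

if __name__ == "__main__":
    for label, pw in (("no passphrase", ""), ("with passphrase", "example")):
        for fmt, fp in account_fingerprints(TEST_MNEMONIC, pw).items():
            print(f"{label:16} {fmt:7} m/{PURPOSES[fmt]}'/0'/0'  {fp}")
```

Each format lives under its own hardened branch, so a wallet that scans only one branch shows only part of the balance, and a different BIP39 passphrase yields entirely different keys on every branch.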
I use Sentinel (by Samourai), I don't think this should be a problem, right? Anyway sad to read this news.
reply
63 sats \ 0 replies \ @anon 25 Apr
How are sparrow users affected?
reply
Thanks for letting everyone know, and it's great to see how so many stackers are coming out with their versions of help.
reply
1 sat \ 5 replies \ @OT 25 Apr
You recommend sweeping? Why not send individual UTXOs out over a few weeks/months?
reply
Whether you want to sweep all your UTXOs at once or one at a time is up to you, and depends on your specific situation and how you manage your coins.
reply
11 sats \ 3 replies \ @kruw 25 Apr
It doesn't matter if the Feds got all the xpubs from Samourai, they can see every past and future transaction you made with that wallet.
reply
I don't believe the Samourai devs would be stupid enough to write their wallet to upload xpubs to their servers. Most wallets just upload single addresses, and have a hard-coded lookahead for derived addresses (e.g. 50) on which they detect activity.
So while your whole xpub is not at risk here, your next 25/50/100 derived receive/change addresses could be, and practically speaking that is pretty sketch. If you launched Samourai recently, I would just sweep money and ditch the whole seed, then clean any coins you had on samourai.
reply
1 sat \ 1 reply \ @OT 25 Apr
Sparrow?
reply
I had some BTC in Samourai, both pre-mixed and post-mixed. I was able to recover all of it by installing Sparrow and following #517530
reply
Great tips for those that are using Samourai. Thank you.
reply
0 sats \ 1 reply \ @Lumor 25 Apr
Thought Samourai was using Tor?
reply
They do, one of the first things that pops up when you create a wallet, but it's optional
reply