
Bitcoin Core’s privacy feature leaked IPs: blockchain technology update


June has been a dense month for blockchain technology updates, with developers patching privacy holes, rescheduling major upgrades, pushing quantum-resistance proposals, and racing to shore up security against a growing wave of supply chain attacks. From Bitcoin Core to Ethereum, Zcash to Polygon, the pace of protocol-level change is accelerating — and some of the decisions made now will define how these networks hold up over the next decade.

Key takeaways

  • Bitcoin Core 31.1 fixes a privacy vulnerability in the -privatebroadcast feature of version 31.0 that could expose a transaction initiator’s IP address.
  • Ethereum’s Glamsterdam upgrade has been postponed to the second half of the year; the Hegotá hard fork is targeting late 2026/early 2027.
  • EIP-8182, a native private transfer proposal, has been officially proposed for inclusion in the Hegotá hard fork.
  • Consensys CEO Joseph Lubin expects Ethereum to become a fully zero-knowledge-proof protocol within 3 to 5 years.
  • Polygon zkEVM Mainnet Beta will cease operations on July 1, 2026 — users must withdraw assets before the deadline.
  • The SlowMist Security Team confirmed malware variants active across 23 npm packages, with 408 GitHub repositories containing stolen credentials.
  • Microsoft’s Majorana 2 quantum chip is reportedly 1,000 times more reliable than its predecessor, with average qubit lifetimes of 20 seconds.

Bitcoin Core Fixes Privacy Vulnerability in v31.1

A flaw hiding inside Bitcoin Core’s newly introduced -privatebroadcast feature went public this month — and the implications for privacy-conscious users are more subtle than most bug disclosures. Version 31.0 contained a vulnerability that, under specific network conditions, could expose the IP address of a transaction initiator to the receiving node.

How the IP Leakage Actually Happens

The vulnerability surfaces when private broadcast selects an IPv4 or IPv6 node that supports BIP324 v2 transport. If the v2 handshake fails, Bitcoin Core falls back to a v1 retry — but that reconnection bypasses the Tor proxy entirely, making a direct IPv4 or IPv6 connection to the peer. The result: a feature designed to enhance privacy ends up doing the opposite under certain fallback conditions.

The affected scope is specific. Nodes running Bitcoin Core 31.0 with -privatebroadcast enabled, broadcasting transactions via the sendrawtransaction RPC, and capable of establishing direct IPv4/IPv6 outbound connections are at risk. Wallet RPC, onion, and I2P connections are not affected.

Before upgrading to version 31.1, Bitcoin Core advises relevant users to either disable -privatebroadcast, disable v2 transport, or route IPv4/IPv6 outbound traffic through Tor. The release candidate 31.1rc1 is already available for testing on the official Bitcoin Core website and includes fixes across validation, P2P networking, wallet migration, MuSig, build system, testing, and CI modules.

Separately, developer rkrux has opened discussion around removing explicit Replace-by-Fee (RBF) signaling from the Bitcoin Core wallet, arguing that BIP 125 signals have become redundant now that full-RBF is standard policy and may leave unnecessary on-chain fingerprints. Community member Murch pushed back, noting that stopping replaceability signals is not a simple removal of fingerprints — each sender still needs to choose a sequence number for every input, with roughly 75% of transactions already using specific sequence numbers, primarily MAX-2.

Ethereum Delays Glamsterdam and Advances Privacy Proposals

Ethereum’s development pipeline is moving on multiple fronts, but the most immediate news is a scheduling change: the Glamsterdam upgrade — which targets ultimate L1 scaling and MEV fairness — has been pushed to the second half of the year. Devnet-5 and Devnet-6 iterations are still in progress, with countermeasures against new EIPs under active development. Core developer Terence confirmed that Glamsterdam devnet-6 has been released, marking significant progress toward testnet deployment.

Post-Quantum Public Key Registry Proposal

Ethereum researchers Thomas Coratger and Tom Wambsgans published a framework for establishing a post-quantum public key registry for validators — a phased migration path away from BLS signatures toward post-quantum secure signature schemes. The approach envisions a registry fork first, allowing validators to pre-register post-quantum public keys, followed by several subsequent forks before the signature mechanism officially switches.

The leading candidate is the hash-based XMSS signature scheme, which offers a compact 52-byte public key — though individual signatures weigh in at approximately 3,112 bytes. Addressing that overhead will require leanVM and post-quantum SNARK aggregation. This is not a near-term upgrade, but the fact that Ethereum researchers are already scoping the migration architecture signals how seriously the network is treating the quantum threat.

EIP-8182 Native Private Transfer Proposal for Hegotá

EIP-8182, developed by Tom Lehman, has been officially Proposed for Inclusion in the Hegotá hard fork — the upgrade targeting censorship resistance, privacy enhancement, and node slimming, currently on track for the late 2026/early 2027 window.

The proposal aims to bring privacy natively to Ethereum’s base layer without additional fees, token governance, or multi-sig coordination. It uses fixed-address system contracts and ZK verification precompiles to create a shared, protocol-level anonymity pool accessible to all wallets and applications. That shared pool matters: fragmented privacy apps currently split liquidity and anonymity sets across separate implementations, weakening the practical privacy guarantees for everyone. By embedding privacy at L1, EIP-8182 would break that fragmentation without requiring application-level changes.

The proposal has entered competition for a slot on the Core Developers’ hard fork schedule — a process that involves significant technical and community debate before anything gets finalized.

Consensys CEO on Ethereum’s Zero-Knowledge Future

Consensys CEO Joseph Lubin offered a longer-range view, stating that Ethereum could become a fully zero-knowledge-proof-based protocol within 3 to 5 years. Lubin pointed to Layer 2 networks already achieving real-time ZK proof generation as evidence that the technology is maturing fast enough to reach L1. He envisions a future where multiple formally verified provers support Ethereum at the base layer, eventually enabling a bridge-free, single atomic execution environment that unifies fragmented liquidity.

Lubin also addressed the Ethereum Foundation’s future structure, stating there will not be a “second foundation” — instead, at least three groups will spin off from the existing foundation, focusing respectively on core protocol work, usability and scalability, and institutional outreach.

Ethereum Layer 2 Advances and Polygon zkEVM Shutdown

Ethereum’s Layer 2 ecosystem saw both new launches and hard deadlines this month. The most urgent development for existing users is Polygon zkEVM Mainnet Beta ceasing operations on July 1, 2026 — leaving roughly two weeks for users to act.

Starknet’s STRK20 Privacy Framework

Starknet launched STRK20, a zero-knowledge proof privacy framework that enables any ERC20 asset within the network to support private balances and confidential transfers. Unlike traditional coin mixers, STRK20 embeds privacy functions directly into the asset flow rather than routing transactions through a separate mixing layer. The framework includes a Viewing Keys mechanism, allowing users to selectively disclose transaction data for compliance purposes. The first asset to adopt it is strkBTC.

The framework can be applied across transfers, trading, lending, staking, and payments — a broad scope that suggests Starknet is positioning STRK20 as infrastructure rather than a feature.

Polygon zkEVM Mainnet Beta Ceasing Operations

Polygon’s zkEVM Mainnet Beta will officially shut down on July 1, 2026. Assets held in wallets that have not completed cross-chain transfers will automatically migrate to Ethereum mainnet and can be claimed through a dedicated interface. However, assets locked in DeFi protocols cannot be automatically migrated — those users must manually withdraw LP positions and assets before the deadline or risk permanent loss of access.

The Base L2 network meanwhile deployed its Beryl upgrade to the Base Sepolia testnet, with mainnet activation planned for June 25. Beryl introduces the B20 token standard for issuing stablecoins and other assets natively within Base’s node software, shortens the withdrawal window from Base to Ethereum from 7 days to 5 days, and brings Reth V2 to reduce node disk footprint.

Zcash Ironwood Upgrade and Network Security Improvements

Zcash is preparing a significant network upgrade aimed at resolving one of the more serious vulnerabilities to surface on a privacy-first blockchain this year.

Ironwood Targets the Orchard Privacy Pool

The Zcash Ironwood upgrade is planned for activation in July, designed to fix vulnerabilities in the Orchard privacy pool that previously threatened the network’s fixed supply guarantees. The Zcash Foundation had already released Zebra 4.5.3 and 5.0.0 as emergency responses — Zebra 4.5.3 temporarily disabled Orchard actions on mainnet via an emergency soft fork at block height 3,363,426, while Zebra 5.0.0 activated the NU6.2 hard fork at block height 3,364,600, re-enabling Orchard with a corrected circuit. The foundation confirmed the vulnerability was discovered before any known exploitation and that no unauthorized value creation occurred.

Ironwood takes this further. It will introduce a newly fixed privacy pool and gradually retire the old one. Once complete, users and nodes will be able to aggregate balances from both pools to independently verify that total ZEC in circulation does not exceed the hard cap of 21 million coins — restoring decentralized confidence in Zcash’s supply mechanism.

Zcash core developer Sean Bowe confirmed that at least three major auditing firms are reviewing the Orchard circuit, multiple AI auditing tools are scanning the codebase, and formal verification work is progressing. The Valar Group has launched a testnet and begun implementing wallet-side changes. Progress, according to Bowe, is currently going smoothly.

Security Alerts and Quantum Computing Advances

Two developments this month sit at opposite ends of the threat timeline: one is an active attack happening now in the npm ecosystem, the other is a quantum hardware milestone that remains theoretical for blockchain security — but is moving faster than many expected.

SlowMist Warns of npm Malware Exploiting Stolen Developer Credentials

The SlowMist Security Team issued an alert about new malware variants — identified as Shai-Hulud, Miasma, and Hades — linked to the stolen developer account “czirker” and active in the npm ecosystem. The attack vector is precise: malicious code triggers during npm install via a pre-configured binding.gyp file, making it easy to miss in standard dependency audits.

The confirmed numbers are notable. 23 affected packages have been identified, with one — leo-logger — reaching 3,140 weekly downloads. Additionally, 408 GitHub repositories containing stolen credentials have been discovered. The malicious activity spans theft of GitHub and npm tokens, cloud credentials across AWS, GCP, and Azure, local environment data, and abuse of GitHub Actions pipelines.

SlowMist recommends that security teams immediately inspect lockfiles and package records, remove affected packages, rotate all critical keys, and enforce two-factor authentication. The attack pattern underscores a persistent risk in open-source ecosystems: credential theft at the developer account level can contaminate hundreds of downstream repositories before detection.
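
As an added example (not SlowMist's or npm's code), the lockfile inspection recommended above can be done like this in Node.js: the function walks a package-lock.json (lockfileVersion 2 or 3) and reports every entry that is on a watchlist or that npm has marked hasInstallScript, the flag for packages that run code during npm install. The watchlist holds only leo-logger, the one package the article names; the sample lockfile, its other package names and all version strings are constructed.

```javascript
// Added example: triage a package-lock.json for install-time code execution.
// WATCHLIST holds only the package the article names; extend it from the advisory.
const WATCHLIST = new Set(["leo-logger"]);

// Constructed sample lockfile (lockfileVersion 3); names and versions are made up
// except "leo-logger", whose version here is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/leo-logger": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/native-addon-example": { version: "2.1.0", hasInstallScript: true },
    "node_modules/plain-lib-example": { version: "4.0.0" },
    "node_modules/plain-lib-example/node_modules/leo-logger": { version: "0.0.0-placeholder" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function triageLockfile(lock, watchlist = WATCHLIST) {
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; regenerate the lockfile with npm 7+");
  }
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project itself
    // An explicit "name" is present for aliased installs; prefer it over the path.
    const name = meta.name || packageNameFromPath(lockPath);
    const listed = watchlist.has(name);
    const runsAtInstall = meta.hasInstallScript === true;
    if (listed || runsAtInstall) {
      findings.push({ lockPath, name, version: meta.version, listed, runsAtInstall });
    }
  }
  // Watchlisted packages first, then by path for stable output.
  return findings.sort((a, b) =>
    Number(b.listed) - Number(a.listed) || (a.lockPath < b.lockPath ? -1 : 1));
}

console.log(triageLockfile(SAMPLE_LOCK));
```

A hasInstallScript hit on a package that is not watchlisted is a lead for review, not a verdict, since legitimate native addons carry the same flag. Nested copies matter as much as top-level ones, which is why the function reports the full lockfile path.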

Microsoft’s Majorana 2 Quantum Chip Unveiled

At its annual Build conference, Microsoft unveiled Majorana 2, its second-generation topological quantum chip. The company claims the chip is 1,000 times more reliable than its predecessor, with an average qubit lifetime of 20 seconds — and some qubits lasting up to 1 minute. Microsoft anticipates moving closer to scalable quantum computing by 2029, with AI Agent tools reportedly helping accelerate material screening, measurement automation, and manufacturing optimization.

The announcement renewed external discussion about quantum computing’s long-term implications for Bitcoin’s digital signature security. That conversation is worth having seriously, but context matters: the gap between current quantum hardware and the computational threshold required to threaten Bitcoin’s elliptic curve cryptography remains very large. Majorana 2 is a meaningful step in qubit reliability, not an imminent threat to live blockchain networks.

What it does represent is a credible reason for Ethereum’s post-quantum migration research to accelerate — and for projects like the Algorand Foundation, which has published a post-quantum security roadmap targeting broader quantum resistance by the end of 2027, to stay ahead of the curve. The practical question for every major blockchain network is no longer whether quantum-resistant cryptography is needed, but when the migration needs to be complete.

FAQ

What privacy issue was fixed in Bitcoin Core version 31.1?

Bitcoin Core 31.1 fixed a privacy vulnerability in version 31.0’s -privatebroadcast feature. Under certain conditions involving a failed BIP324 v2 handshake, the software would fall back to a v1 connection that bypassed the Tor proxy, potentially exposing the transaction initiator’s IP address to the receiving node.

When is Ethereum’s Glamsterdam upgrade expected now?

Ethereum’s Glamsterdam upgrade has been postponed to the second half of the year. Development continues through Devnet-5 and Devnet-6 iterations, with the separate Hegotá hard fork targeting a late 2026/early 2027 window.

What is EIP-8182 and its significance?

EIP-8182 is a native private transfer proposal for Ethereum developed by Tom Lehman. It would introduce a non-mandatory, protocol-fee-free private transfer mechanism directly at Ethereum’s L1 layer using fixed-address system contracts and ZK verification precompiles. It has been officially Proposed for Inclusion in the Hegotá hard fork and is significant because it targets protocol-level privacy rather than relying on fragmented application-layer privacy tools.

What threats does the SlowMist malware alert highlight?

SlowMist identified malware variants (Shai-Hulud, Miasma, Hades) exploiting the stolen npm developer account “czirker” to infect packages during installation. The attack steals GitHub and npm tokens, cloud credentials from AWS, GCP, and Azure, and local environment data, while also abusing GitHub Actions. 23 packages and 408 GitHub repositories have been confirmed affected.

Article produced with the assistance of artificial intelligence and reviewed by the editorial team.
