A bi-weekly news show informing you on the latest in Bitcoin, privacy and open source tech hosted by Ungovernables, Max and Q. AOBAll aboard the vibe trainFTF with Max TQ got some holidays coming upKeonne appealNEWSBisq v1 trade protocol exploit: 11.59 BTC drained, fully reimbursed, hardening shipped in 1.10.0 (bisq.community PSA, Bisq on X, reimbursement plan on GitHub)Disclosed: 2026-05-01Bisq's v1 trade protocol had a missing validation check on taker-side input. Because maker and taker were supposed to use the same miner fee, a malicious taker could push a bad fee value through the transaction math and shrink the multisig output to 0.001 BTC while sweeping the rest into the taker's change. Attacker drained 11.59 BTC from 10 users, all on altcoin trades. Maintainer Henrik Jannsen filed a reimbursement plan on GitHub on May 3, payouts in BTC (with BSQ as optional), DAO vote scheduled around May 25. The hotfix landed as Bisq 1.10.0 on 2026-05-16 with broader hardening: trade protocol checks, network message validation, release verification, supply-chain hardening. The Bisq team explicitly flagged the incident as a likely AI-assisted exploit, though they did not detail how AI was used.Sterlingov Appeal: The Criminalization of Privacy (therage.co)Published: 2026-05-12The appellate court reviewing Roman Sterlingov's Bitcoin Fog conviction openly suggested that mixers remain "legal in theory but not practice" once criminals use them. Judges questioned whether running an internationally accessible service forces compliance with every jurisdiction's licensing regime.Pro-law-enforcement CLARITY Act advances out of Senate Banking (therage.co)Published: 2026-05-15The Digital Asset Market Clarity Act passed committee with expanded surveillance provisions: Bank Secrecy Act integration sixteen times over, new PATRIOT Act special measures. Privacy advocates flagged the breadth of data collection on Americans who haven't done anything.CVE-2024-52911 disclosed in Bitcoin Optech #405, fix has been in Bitcoin Core 29.0+ since release (https://bitcoinops.org/en/newsletters/2026/05/15/)Published: 2026-05-05Use-after-free in parallel script validation between Bitcoin Core 0.14.0 and 28.x. Required attacker-supplied proof-of-work, so practical attack window was narrow, but the bug sat unannounced across many versions.Bitcoin Knots 29.3 enables BIP-110, fork-off countdown started (release notes) + Lopp's countdownPublished: 2026-05-09 (release)Knots 29.3 ships RDTS soft-fork enforcement on by default. Nodes running Knots with this flag set will fork off the network in August unless they change behaviour. Lopp set up a countdown.Bybit exploit post-mortem (Blockstream): enterprise multisig + hardware wallets did not save them (blog.blockstream.com)Published: 2026-05 (week of 5-12)$1.5B drained despite multisig and hardware. Failure was process, not key custody, a UI / signing-flow compromise.Poland passes EU MiCA-aligned crypto bill while Zondacrypto fraud probe deepens (bitcoinmagazine.com)Published: 2026-05-15Polish lawmakers ratified the MiCA framework ahead of the July EU deadline. The vote landed alongside an investigation into Zondacrypto's collapse, roughly $96M of user losses, with Prime Minister Tusk floating possible foreign-influence angles.Claude helps retrieve lost 5BTCX user 'CPRKRN' has Claude check over whole file system and match a wallet file to an old passwordSpiral and Block ship Loupe, an AI-powered vulnerability scanner for open-source Bitcoin (spiralbtc.substack.com)Published: 2026-05-12Uses LLMS to surface security weaknesses in code repositories and requires demonstrable test cases for any vulnerability report so false positives are minimised. Spiral and Block are funding scans themselves; reports go to maintainers confidentially before any public disclosure.RELEASESBitcoin Core 31.0 (release index entry) — 2026-05-12Operator review required before production rollout. Major version landing.Bitcoin Knots v29.3.knots20260508 — 2026-05-09RDTS soft-fork enforcement on by default, fork-off risk in August. New configuration changes, bug fixes.Core Lightning v26.06rc1 — 2026-05-12Adds graceful command for clean shutdown, new sendamount RPC, BOLT12 payer-proof support, plus 211 commits since v26.04.Bitkey App 2026.9.1 — 2026-05-15Security patch from Block.Trezor Suite v26.5.1 — 2026-05-15Legacy labeling migration, WalletConnect insufficient-balance warnings, side-by-side trade comparisons, new DeFi Tokens section.BitBoxApp v4.51.0 — 2026-05-12Bundles BitBox02 firmware v9.26.1, address formatting in 4-char groups, iOS haptic feedback on charts, account-summary perf.Ledger Live Desktop 4.4.0 — 2026-05-13Hardens Live App handling of external-protocol URLs (itms-apps:, ms-word:, file:, etc.) across Chromium navigation vectors.Ledger Live Mobile 4.4.0 — 2026-05-13Adds an addresses section to asset detail screens, device-card management menus with removal confirmations.Bull Bitcoin Mobile v6.10.1 — 2026-05-18Onboarding redirect fix on wallet creation failure.Bull Bitcoin Mobile v6.10.0 — 2026-05-11Major release: Ledger hardware-wallet integration, FSS hybrid storage strategy, real-time WebSocket notifications, new onboarding wizard, Payjoin privacy enhancements, 11 new translations.Bull Bitcoin Mobile v6.9.101-Internal-Release (display name v6.9.108-Internal) — 2026-05-09Pre-6.10.0 testing build, Android migration / startup wizard / secure storage fixes.Bitcoin Safe 2.0.0rc0 — 2026-05-17Comprehensive redesign of the wallet setup wizard, added support for Coldcard mk5 and Trezor 7, plugin architecture via external repos, fiat-balance category column.Sparrow Frigate 1.5.0 — 2026-05-14Low-latency mempool ingestion via Bitcoin Core's ZMQ sequence publisher, auto-discovers the bitcoind ZMQ endpoint when unconfigured. Useful for operators running Sparrow Frigate alongside Core.Blockstream Green iOS release_5.4.0 — 2026-05-11Aggregate fiat balance across all wallet assets, updated Send flow for Lightning, migrates Lightning backend from Breez to Greenlight (Blockstream's own LSP).Blockstream Green Android release_5.4.0 — 2026-05-08Same redesign as iOS: aggregate fiat balance, redesigned Send flow (recipient → asset → account), transaction pagination, also the Breez-to-Greenlight migration.Blockstream Green Desktop 3.3.0 — 2026-05-06Total fiat balance in wallet header, AMP ID exposed in settings, GDK 0.77.3, Qt 6.11.0, Wayland fixes.Peach Bitcoin 0.69.0 (build 346) — 2026-05-06Signature validation for backed-up payment details, encrypts custom refund addresses, removes invalid backed-up data.Peach Bitcoin 0.69.0 (build 345) — 2026-05-05Percentage filtering on offers, encrypted server backup syncing for payment methods, advanced offer-creation options, GrapheneOS camera-permission fix, Buy Offer creation restricted to experienced users.ZEUS v13.0.2-rc3 — 2026-05-18Third RC for 13.0.2. New RGS server at rgs.zeusln.com providing graph updates every 15 minutes instead of every three hours. Clipboard and NFC UX improvements.ZEUS v13.0.1 — 2026-05-07Stable release: fixes recovering Embedded LND wallets from seed (was stalling out), payment retry logic, false-positive offline detection. Cashu token sweeping to self-custody continues to land.Alby Hub v1.22.2 "Marc Horowitz" — 2026-05-11Adds Core Lightning support (their most-requested feature), new AI & Agents page, integrated on-chain wallet mode, custom transaction labels, redesigned settings, improved budget selection for app connections.Boltz Backend 3.13.0 — 2026-05-08Full Arkade swap support, EVM commitment-swap lockup flow, multi-LND support in backend and sidecar.Boltz Client 2.12.0 — 2026-05-12Final removal of the GDK wallet library.Arkade arkd v0.9.5 — 2026-05-11Client-lib wallet interface updates, breaking-changes documentation, single-key wallet signing fixes.Arkade TS SDK v0.4.25 — 2026-05-07Maintenance bump for the Arkade JavaScript SDK.NodeGuard 0.24.2 — 2026-05-14Fixes invoice-expiry calculation in rebalance flows. Check logs if rebalance operations have been timing out.ThunderHub v0.18.3 — 2026-05-15Bug-fix release in the 0.18.x line. (Subsequent 0.18.1-0.18.3 are CI/docker polish after the headline 0.18.0.)ThunderHub v0.18.0 — 2026-05-05Adds Taproot Assets support to the dashboard. The actual show story for ThunderHub this fortnight.Blink Mobile 2.4.44 — 2026-05-06Upgrades protobufjs (CVE-2026-41242 mitigation). Security patch.Fedimint SDK canary release — 2026-05-14React Native transport fix, persistent callback, RPC payload flattening. Canary channel.umbrelOS 1.7.3 — 2026-05-12DirtyFrag security patches: CVE-2026-43284 + CVE-2026-43500 in the Linux kernel. Mandatory.umbrelOS 1.7.2 — 2026-05-05CopyFail patch: CVE-2026-31431 in the Linux kernel. Mandatory.Tails 7.7.3 — 2026-05-12Emergency release: critical Linux kernel CVE fix (kernel 6.12.86 ships the Dirty Frag fix), plus Tor Browser and Tor client security fixes.Whirlpool Observer…