Lessons learned: security tips for those of you who have existing Bitcoin-related domains and are setting up a new BTCPay Server instance

Posted 4 months ago by CHILLYCALENDAR2

Hi Everyone,

Over the last few days I have been setting up a new BTCPay Server instance for use as a development test box. It took a few days before my ISP had fully provisioned my new IP address for this. I spent the time setting up the new BTCPay Server instance from the command line, configuring my router's NAT settings, etc., but I couldn't access the HTTPS web interface until my new IP address went live.

I noticed when I woke up this morning that the new IP address went live overnight and the server was publicly accessible, but I had not yet registered myself on it as an admin in the user interface (because I couldn't access the web interface for the registration process until such time as the new IP address went live and the server was accessible from the internet via the ANAME record I created on my webhost).

In the short time that the new BTCPay Server instance was publicly accessible, somebody else registered the admin account on it.

On the BTCPay website there is this (emphasis mine):


"After initial deployment, I can't register and I don't have a login yet?
When you deploy your BTCPay Server, you should first register a user (during server synchronization). This user is automatically the server admin. If your BTCPay only shows Login in the header menu, and you are unable to register the first user after initial deployment, someone else has registered on your server as the admin. Although this is unlikely to occur (the user would need to know and watch your BTCPay domain name), they had access to your ssh private keys, thus you should redeploy a new server for security reasons"

I have, of course, for security reasons deleted the new test box BTCPay instance and set BTCPay up again from scratch. The Linux box itself was not compromised.

Lessons learned:

1. Don't set your newly provisioned IP address that points to your new BTCPay Server box in your router's NAT settings as live until such time as you're certain your ISP has provisioned the new address and it's ready to go at their end (and you're awake and working).

2. There are people out there on the internet who are watching BTCPay Server (and likely others like Umbrel etc.) related domains. Likely they have scripts running checking for new BTCPay Server instances. When they find one they pounce and register an admin account before you get the chance to register the account.

I hope these lessons learned may be beneficial for others setting up BTCPay Server instances in particular.

Best Regards,


Clarke Towson, BCMS (Bachelor of Computer & Mathematical Science)
INTJ Billing

m: +61 432 359 166
a: 7 Cullen Court Spotswood Victoria 3015 AUSTRALIA
Bitcoin Lightning Network Node Name: CHILLYCALENDAR 
Node Public Key: 025124c73ef7ecf527e0114ead02a0cc6e3ecbc0c99474ee3f5506c4503b089693 
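
The following is an added example, not part of the original post or of BTCPay Server: a log triage that lists registration submissions which did not come from the operator's own addresses, so the time and source of an unexpected first-admin registration can be confirmed. It assumes the reverse proxy writes the "combined" access log format and that the registration form posts to `/register`; the log lines, IP addresses and timestamps are constructed.

```python
import re
from datetime import datetime

# Assumption: reverse-proxy access log in the common "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def registration_posts(lines, register_path="/register"):
    """Return POSTs to the registration path as dicts, oldest first."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the path without its query string or trailing slash.
        if m["path"].split("?", 1)[0].rstrip("/").lower() != register_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"time": ts, "ip": m["ip"], "status": int(m["status"])})
    return sorted(hits, key=lambda h: h["time"])

def unexpected_registrations(lines, operator_ips, register_path="/register"):
    """Registration POSTs that did not come from the operator's own addresses."""
    return [h for h in registration_posts(lines, register_path)
            if h["ip"] not in operator_ips]

# Constructed sample log lines (documentation IP ranges, made-up times).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2024:03:14:07 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Mar/2024:03:14:09 +0000] "GET /register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:03:14:31 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:07:02:44 +0000] "GET /login HTTP/1.1" 200 4811 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:07:03:10 +0000] "POST /register HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # 203.0.113.5 stands in for the operator's own address.
    for hit in unexpected_registrations(SAMPLE_LOG, operator_ips={"203.0.113.5"}):
        print(f'{hit["time"].isoformat()} {hit["ip"]} -> HTTP {hit["status"]}')
```

Any hit dated before the operator's own first visit marks the window in which the instance was reachable but unclaimed.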

