Core Lightning got compromised

I recently got my Core Lightning node drained.
Still not sure how the hack happened, since I’ve been accessing it only from home and from the office Wi-Fi over Tor.
I also have the Zeus wallet connected over Tor.
In LNbits there are no transactions, so I believe this was not the attack vector.

Currently the service is off and I’ve changed all the passwords, but I'm still not sure what I did wrong and how to avoid future hacks.

What can you advise me to do in order to increase the security? I have other nodes running with a similar setup.

These are some of the transactions, if useful.

Appreciate your support.

Please tell us about your full setup. What version of StartOS, Bitcoin, CLN, Zeus, and LNbits? Any other Bitcoin-related services or software? What was the source of those applications and services? The screenshot you sent, is that Zeus? What other applications or devices have access to your server? Has anything been sideloaded on your server? What app stores do you use with your phone? Have you installed anything, anywhere, recently? What about browser extensions, or other sites and services – anything that might have a connection to your lightning node?

Hello, I’m running all the latest versions:
StartOS 0.3.5~1
Knots 29.2.0~1
Core Lightning 25.12.1~1
LNbits 1.3.1
RTL 0.15.4~3

Additionally, on my Start9 I have electrs, mempool, datum, Public Pool and Vaultwarden, all latest version.
All apps downloaded from the StartOS store, no sideloaded packages.

Yes, the screenshot is from Zeus connected to my CLN over CLNRest Quick Connect.
I have a reverse proxy to LNbits to access the API with some lightning devices.
The LNbits account has some small balance and the history is clear, so I believe it was not involved.

I connect only with the Tor Browser with no plugins; Zeus is on my iPhone, connecting only from trusted networks.
I didn’t install any new applications recently, on my phone or on my node, and no new apps connect to the CLN.

Thanks


:warning: CLN REST + Zeus + external invoice = danger zone

  • Zeus connected via CLNRest Quick Connect
  • Transaction shows an Alby invoice
  • Node runs CLN + LNBITS
  • Reverse proxy exposes LNBits API

That combination narrows this a lot.

The most likely sequence

  1. CLN REST was reachable (directly or indirectly)
  2. An invoice was paid by the node (Alby invoice is just the destination)
  3. No LNBits wallet shows the spend because:
  • Payment was initiated outside LNBits
  • It came from CLN itself, not an LNBits sub-wallet

LNBits is a wallet layer, not the Lightning authority.

If CLN can pay → funds move
LNBits may never see it.

The real red flags :triangular_flag_on_post:

  1. Reverse proxy + Lightning API

If any of these were true:

  • REST exposed without strict auth
  • Macaroon reused
  • Token leaked once
  • Browser cached credentials
  • QR quick-connect scanned on compromised device

That’s enough.

Lightning doesn’t forgive one mistake.
One valid macaroon = full authority.

  2. Zeus + Quick Connect

Quick Connect is convenience — not isolation.

If:

  • That QR was ever:
    • screenshotted
    • logged
    • reused
    • backed up
  • Or the device running Zeus was compromised

Then the node didn’t get “hacked”.
It was asked politely to pay.

Lightning obeyed.

  3. Alby invoice ≠ Alby breach

Important distinction:

  • Alby didn’t drain the node
  • The invoice just identifies who got paid
  • Any Lightning node can pay an Alby invoice

People often misinterpret this.

Why LNBits looks clean

This is key and confuses almost everyone:

  • LNBits wallets ≠ node balance
  • LNBits only tracks its own custodial layer
  • CLN can spend directly:
    • via REST
    • via RPC
    • via plugins
    • via any valid macaroon

So “LNBits shows nothing wrong” actually supports the theory.

Most likely root cause (ranked)

  1. Exposed CLN REST endpoint
  2. Leaked macaroon / auth token
  3. Quick Connect QR reused or intercepted
  4. Reverse proxy misconfigured
  5. Compromised mobile device (Zeus)

Tor is a red herring here.

What you should do immediately

Containment

  • Shut down CLN (done)
  • Rotate all macaroons
  • Rebuild REST auth
  • Kill reverse proxy until audited

Audit

  • Check CLN logs for:
    • pay
    • sendpay
    • invoice
  • Compare timestamps with Zeus activity
  • Verify no plugins initiated spends

Rebuild correctly

  • New node identity
  • New channels
  • Separate:
    • LNBits (internal only)
    • CLN REST (no public ingress)
  • If remote access is needed:
    • WireGuard inside Tor
    • Never raw REST
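As an added example (not code from this thread, from CLN or from Start9), here is one way to carry out the "compare timestamps with Zeus activity" audit step above over the output of `lightning-cli listsendpays`, which records every payment CLN itself attempted no matter whether Zeus, LNbits, a plugin or a leaked REST credential triggered it. The sample JSON, node ids, amounts and the "authorized" time window are constructed for the example.

```python
import json

# Constructed sample of `lightning-cli listsendpays` output. Field names follow
# CLN's documented schema; payment hashes, node ids and amounts are invented.
SAMPLE_LISTSENDPAYS = json.dumps({"payments": [
    {"id": 1, "payment_hash": "a1" * 32, "status": "complete",
     "created_at": 1700000000, "completed_at": 1700000004,
     "amount_sent_msat": 20_000_000, "destination": "02" + "11" * 32},
    {"id": 2, "payment_hash": "b2" * 32, "status": "failed",
     "created_at": 1700090000, "amount_sent_msat": 5_000_000_000,
     "destination": "03" + "22" * 32},
    {"id": 3, "payment_hash": "c3" * 32, "status": "complete",
     "created_at": 1700090100, "completed_at": 1700090130,
     "amount_sent_msat": "4900000000msat", "destination": "03" + "22" * 32},
    {"id": 4, "payment_hash": "d4" * 32, "status": "complete",
     "created_at": 1700090200, "completed_at": 1700090220,
     "amount_sent_msat": 4_800_000_000, "destination": "03" + "22" * 32},
]})

def parse_msat(value):
    """Accept CLN's integer msat fields as well as the older '1234msat' strings."""
    if isinstance(value, int):
        return value
    return int(str(value).removesuffix("msat"))

def find_unexpected_spends(listsendpays_json, authorized_windows):
    """Return completed outgoing payments whose completion time falls outside
    every (start, end) unix-time window in which the operator knowingly paid
    (e.g. from Zeus). Failed and pending attempts never moved funds."""
    flagged = []
    for p in json.loads(listsendpays_json)["payments"]:
        if p.get("status") != "complete":
            continue
        when = p.get("completed_at", p["created_at"])
        if any(start <= when <= end for start, end in authorized_windows):
            continue
        flagged.append({"id": p["id"], "completed_at": when,
                        "destination": p.get("destination", "unknown"),
                        "sat": parse_msat(p["amount_sent_msat"]) // 1000})
    return flagged

def total_by_destination(flagged):
    """Sum flagged amounts per payee node id: a burst of similar payments to
    one destination is the pattern a drain leaves behind."""
    totals = {}
    for f in flagged:
        totals[f["destination"]] = totals.get(f["destination"], 0) + f["sat"]
    return totals
```

On a real node, save `lightning-cli listsendpays` to a file, pass its contents in place of the sample, and list the windows in which you actually paid from Zeus; everything the function returns is a spend you did not initiate and should be matched against the CLN log lines for that time.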

I have a reverse proxy to LNbits to access the API with some lightning devices.

:eyes:

I have a lightning ATM that uses an LNbits wallet, but with a limited amount,
and there is no history in this LNbits account.

How can I download the full log for CLN? From the Start9 interface I only have access to the last 10k.
I assume that the information