Bitcoin Core developers have disclosed a privacy bug that can expose the very detail it was designed to hide, a user’s IP address. A fix will arrive in version 31.1.
The flaw sits in private broadcast, an optional feature added in version 31.0 this April. Developers published the warning on June 6.
We have become aware of a privacy bug in the -privatebroadcast feature, newly introduced in Bitcoin Core 31.0, that may cause the originator’s IP address to be revealed to the receiving peer under certain network conditions. A fix is forthcoming and will be released with 31.1.
— Bitcoin Core Project (@bitcoincoreorg) June 11, 2026
How the Privacy Bug Backfires
Private broadcast sends transactions through Tor, an anonymity network famous for accessing the dark web, so recipients never learn where they originated.
However, the official advisory admits this promise can break.
The trouble begins when the software attempts an encrypted connection to another computer on the network. If that attempt fails, it quietly retries over a normal connection and skips Tor entirely. The recipient then sees the sender’s real IP address, and with it their approximate location.
Worse, attackers do not need luck. A hostile node can deliberately reject the encrypted handshake and force the revealing retry.
The risk is critical because Bitcoin’s ledger is public. Linking a transaction to an IP address can tie payments to a real person.
Who is Affected and What to Do
The bug only touches people who run version 31.0 and switched the feature on. Everyday wallet transactions remain unaffected. Developers credit researcher Eugene Siegel with the discovery.
Until version 31.1 ships, affected users should disable the feature or route all their traffic through Tor. The episode follows a recent transaction relay dispute and revives questions about who maintains Bitcoin Core.
