AuthenticDoc, a decentralized digital signature platform developed in El Salvador, launched on November 13, 2025, at the Adopting Bitcoin conference in San Salvador. The tool uses the Nostr protocol for its open-source, decentralized architecture, incorporating Bitcoin-compatible cryptography to enable tamper-proof document verification and user-controlled private keys.
Co-founder Fabian, of the Salvadoran firm illuminodes, announced the release during the conference. “The digital signature landscape is ripe for innovation, and AuthenticDoc is leading the charge,” Fabian said. “We’ve harnessed the power of decentralized open protocol technology to deliver unparalleled security and control, effectively eliminating single points of failure that plague traditional solutions. Our platform provides a robust, tamper-proof cryptographic verification and authentication solution that businesses can trust, all while making it accessible and affordable.”
Built by Bitcoiners, the start-up addresses vulnerabilities in centralized platforms like DocuSign, which holds about 70% of the $10 billion digital signature market. According to their press release, the sector is projected to grow to $60 billion by 2030 at a 40% compound annual growth rate, fueled by regulations such as the EU’s eIDAS and the U.S. ESIGN Act, alongside remote work trends and AI-driven authenticity challenges.
The platform’s core features include trustless identity verification, private key management for users, and ISO-standard compliance for enterprise use. It eliminates reliance on centralized storage by using Nostr’s event-based system, where documents and signatures are cryptographically signed and distributed across a network of relays, ensuring robust data storage and distribution.
Diego, head of technology at illuminodes, emphasized the shift from legacy systems. “Our decentralized architecture empowers users with private key control and trustless identity verification, moving beyond the vulnerabilities of centralized systems,” Adding that, “this is not just an incremental improvement; it’s a paradigm shift in how digital signatures are secured and managed.”
AuthenticDoc is free for basic use, with paid tiers based on volume for enterprises, undercutting competitors’ license-based models. The platform supports global expansion from its El Salvador headquarters, leveraging local talent and regulatory support to target markets in Latin America, North America, and Europe.
Nunchuk Inc. is an open source, multi-signature mobile wallet for advanced bitcoin security, self-custody, and inheritance. Launched in 2020, the app offers users a feature-rich toolkit to set up high-security bitcoin wallets, with little competition on the mobile app market, as most other mobile wallets do not support multi-signature functionality at all.
Most wallets require a single private key to sign a valid Bitcoin transaction. Multi-signature Bitcoin wallets, in turn, require more than one private key to sign a valid Bitcoin transaction, often a threshold, such as two of three or three of five. This lock, so to speak, is enforced by the full power of the Bitcoin network, making it one of the most secure ways to store wealth today and probably in history.
Nunchuk told Bitcoin Magazine they help secure over a billion dollars worth of bitcoin today, “it is our (paid) assisted services that have helped users secure +$1B in BTC thus far.”, but that was not always the case. Born out of Bitcoin idealism in the thick of the COVID pandemic, Nunchuk was built to facilitate advanced security wallets that use multi-signature in the defense of self-custody. In 2022, as a young start-up, these ideals were put to the test, as activists of the Canadian Freedom Convoy Protests decided to use Nunchuk to secure bitcoins donated to the protest against COVID repression.
The turmoil saw over a million dollars worth of Bitcoin donated to Honk Honk Hodl, a group of reputable activists in the country, to help fund the costs of Truckers who were gathering in Ottawa. The truckers were putting their lives on the line to protest the extreme restrictions put in place by the Canadian government in response to the pandemic, and were facing massive pressure to leave the capital.
Over 20 bitcoins were received into a Nunchuk multi-signature wallet under the banner of Honk Honk Hodl. Nunchuk multi-sig was chosen to mitigate the risk of putting all that money in the hands of just one person.
Hugo Nguyen, founder of Nunchuk, told Bitcoin Magazine that the Honk Honk Hodl wallet received so many individual donations that it actually broke the wallet. The app was not designed to sign transactions with so many bitcoin inputs, and the start-up had to push an update to let the activists easily move their funds.
The protests were so effective and gained such a positive reception internationally that Trudeau’s government panicked and invoked the Emergencies Act, a rare use of federal powers, which he used to try to shut down all sources of funding coming to the protesters, in an effort to scare them off the capital. This included 10 million dollars in donations from Canadians to a GoFundMe campaign, which were ultimately returned to contributors after the payment processor faced legal action from the Canadian government.
When it came to the bitcoin donations, the digital currency’s alleged censorship resistance was put to the test. Canada sent a Mareva injunction to Nunchuk Inc., demanding the company freeze user funds and disclose user data to the government. Nunchuk, as a privacy-oriented, non-custodial wallet, had no power to comply. Nunchuk was just two months old at the time, a self-funded startup. This was their response:
“Dear Ontario Superior Court of Justice,
Nunchuk is a self-custodial, collaborative multisig Bitcoin wallet. We are a software provider, not a custodial financial intermediary.
Our software is free to use. It allows people to eliminate single points of failure and store Bitcoin in the safest way possible, while preserving privacy.
We do not collect any user identification information beyond email addresses. We also do not hold any keys. Therefore:
– We cannot “freeze” our users’ assets.
– We cannot “prevent” them from being moved.
– We do not have knowledge of “the existence, nature, value and location” of our users’ assets. This is by design.
Please look up how self-custody and private keys work. When the Canadian dollar becomes worthless, we will be here to serve you, too.
Sincerely,
The Nunchuk team”
In a matter of hours, over 14 bitcoins were delivered to over 90 truckers by hand in envelopes, roughly 8000 Canadian dollars at the time, each. By the time the Canadian police raided Nicholas St. Louis’s home — the main activist behind the Honk Honk Hodl campaign — most of the bitcoin had been distributed. Only 0.28 BTC were reportedly seized in the raid. Up to 6 BTC in total were frozen from other truckers and protesters in the turmoil, resulting in a rough 70% success rate for the censorship-resistant currency.
These events had a deep impact on the Nunchuk team, some of whom quit out of fear of legal prosecution. Others who stayed and Nunchuk Inc. survived, its future design forged in the fires of the late COVID political turmoil.
The Nunchuk That Survived
Fast forward two years or so, and Nunchuk has carved itself a solid niche within the Bitcoin industry. It is the only open source, fully featured multi-signature mobile wallet for mobile devices. Where alternatives exist, they are often either antiquated, nearly abandoned, or closed-source and not functional without being a paid user.
Nunchuk is also the first significant implementation of miniscript, a high-level programming language for Bitcoin script, which lets developers build Bitcoin “smart contracts” with elegance and power not easily achieved using Bitcoin’s native scripting language. Miniscript was invented by Pieter Wullie, a legendary Bitcoin core developer with 14 years of experience contributing to the digital currency.
The wallet lets users create software and hardware keys based on a wide range of hardware signing devices, supporting the most advanced Bitcoin address types, like Segwit and Taproot. Users can then create a fully customizable range of wallets, from single key to advanced, to any combination of multiple keys the user deems useful.
Nunchuk even supports decaying multi-sigs, which are useful for inheritance and complex setups. For example, you might want a 3 of 5 multi-sig where you control all the keys but they are geographically distributed, this is a common model for high value inheritance accounts. One of those keys can be shared with an heir. After five years, the multi-sig degrades to a single-key wallet, letting your heir move the money. To prevent your heir from getting access to your Bitcoin before your time, you would need to move the coins to a fresh multi-sig 3 of 5 and reset the clock.
It’s important to note that creating your own complex security setups has risks; sometimes, users who become so sophisticated that they decide to use fully featured tools like Nunchuk end up creating mazes for their Bitcoin that they end up getting locked out of. It’s important to be careful and generally use best practices when creating self-custody Bitcoin wallets to avoid common pitfalls.
Nunchuk has standard templates and a complete inheritance feature set designed to help non-technical Bitcoin users benefit from the full power of Bitcoin self-custody. They even announced the inheritance solution for Bitcoiners that does not require a third-party intermediary to co-sign a transfer. Popular alternatives like Casa wallet offer inheritance solutions, but as a co-signer, they also get a full view into user data, and if the company fails, users must take an alternative key-signing path to recover funds. Nunchuk’s on-chain inheritance wallet leverages time locks and pre-designed multi-sig setups like the example above to give users maximum control and sovereignty in their inheritance setup.
Nunchuk nevertheless supports aided (off-chain) inheritance solutions as well, which use the co-signer model of inheritance and can be easier to use, offering similar features as other popular Bitcoin inheritance solutions.
Phishing and scams are dynamic types of online fraud that primarily target individuals, with cybercriminals constantly adapting their tactics to deceive people. Scammers invent new methods and improve old ones, adjusting them to fit current news, trends, and major world events: anything to lure in their next victim.
Since our last publication on phishing tactics, there has been a significant leap in the evolution of these threats. While many of the tools we previously described are still relevant, new techniques have emerged, and the goals and methods of these attacks have shifted.
In this article, we will explore:
The impact of AI on phishing and scams
How the tools used by cybercriminals have changed
The role of messaging apps in spreading threats
Types of data that are now a priority for scammers
AI tools leveraged to create scam content
Text
Traditional phishing emails, instant messages, and fake websites often contain grammatical and factual errors, incorrect names and addresses, and formatting issues. Now, however, cybercriminals are increasingly turning to neural networks for help.
They use these tools to create highly convincing messages that closely resemble legitimate ones. Victims are more likely to trust these messages, and therefore, more inclined to click a phishing link, open a malicious attachment, or download an infected file.
Example of a phishing email created with DeepSeek
The same is true for personal messages. Social networks are full of AI bots that can maintain conversations just like real people. While these bots can be created for legitimate purposes, they are often used by scammers who impersonate human users. In particular, phishing and scam bots are common in the online dating world. Scammers can run many conversations at once, maintaining the illusion of sincere interest and emotional connection. Their primary goal is to extract money from victims by persuading them to pursue “viable investment opportunities” that often involve cryptocurrency. This scam is known as pig butchering. AI bots are not limited to text communication, either; to be more convincing, they also generate plausible audio messages and visual imagery during video calls.
Deepfakes and AI-generated voices
As mentioned above, attackers are actively using AI capabilities like voice cloning and realistic video generation to create convincing audiovisual content that can deceive victims.
Beyond targeted attacks that mimic the voices and images of friends or colleagues, deepfake technology is now being used in more classic, large-scale scams, such as fake giveaways from celebrities. For example, YouTube users have encountered Shorts where famous actors, influencers, or public figures seemingly promise expensive prizes like MacBooks, iPhones, or large sums of money.
Deepfake YouTube Short
The advancement of AI technology for creating deepfakes is blurring the lines between reality and deception. Voice and visual forgeries can be nearly indistinguishable from authentic messages, as traditional cues used to spot fraud disappear.
Recently, automated calls have become widespread. Scammers use AI-generated voices and number spoofing to impersonate bank security services. During these calls, they claim there has been an unauthorized attempt to access the victim’s bank account. Under the guise of “protecting funds”, they demand a one-time SMS code. This is actually a 2FA code for logging into the victim’s account or authorizing a fraudulent transaction.
Example of an OTP (one-time password) bot call
Data harvesting and analysis
Large language models like ChatGPT are well-known for their ability to not only write grammatically correct text in various languages but also to quickly analyze open-source data from media outlets, corporate websites, and social media. Threat actors are actively using specialized AI-powered OSINT tools to collect and process this information.
The data so harvested enables them to launch phishing attacks that are highly tailored to a specific victim or a group of victims – for example, members of a particular social media community. Common scenarios include:
Personalized emails or instant messages from what appear to be HR staff or company leadership. These communications contain specific details about internal organizational processes.
Spoofed calls, including video chats, from close contacts. The calls leverage personal information that the victim would assume could not be known to an outsider.
This level of personalization dramatically increases the effectiveness of social engineering, making it difficult for even tech-savvy users to spot these targeted scams.
Phishing websites
Phishers are now using AI to generate fake websites too. Cybercriminals have weaponized AI-powered website builders that can automatically copy the design of legitimate websites, generate responsive interfaces, and create sign-in forms.
Some of these sites are well-made clones nearly indistinguishable from the real ones. Others are generic templates used in large-scale campaigns, without much effort to mimic the original.
Phishing pages mimicking travel and tourism websites
Often, these generic sites collect any data a user enters and are not even checked by a human before being used in an attack. The following are examples of sites with sign-in forms that do not match the original interfaces at all. These are not even “clones” in the traditional sense, as some of the brands being targeted do not offer sign-in pages.
These types of attacks lower the barrier to entry for cybercriminals and make large-scale phishing campaigns even more widespread.
Login forms on fraudulent websites
Telegram scams
With its massive popularity, open API, and support for crypto payments, Telegram has become a go-to platform for cybercriminals. This messaging app is now both a breeding ground for spreading threats and a target in itself. Once they get their hands on a Telegram account, scammers can either leverage it to launch attacks on other users or sell it on the dark web.
Malicious bots
Scammers are increasingly using Telegram bots, not just for creating phishing websites but also as an alternative or complement to these. For example, a website might be used to redirect a victim to a bot, which then collects the data the scammers need. Here are some common schemes that use bots:
Crypto investment scams: fake token airdrops that require a mandatory deposit for KYC verification
Phishing and data collection: scammers impersonate official postal service to get a user’s details under the pretense of arranging delivery for a business package.
Phishing site redirects the user to an “official” bot.
Easy money scams: users are offered money to watch short videos.
Phishing site promises easy earnings through a Telegram bot.
Unlike a phishing website that the user can simply close and forget about when faced with a request for too much data or a commission payment, a malicious bot can be much more persistent. If the victim has interacted with a bot and has not blocked it, the bot can continue to send various messages. These might include suspicious links leading to fraudulent or advertising pages, or requests to be granted admin access to groups or channels. The latter is often framed as being necessary to “activate advanced features”. If the user gives the bot these permissions, it can then spam all the members of these groups or channels.
Account theft
When it comes to stealing Telegram user accounts, social engineering is the most common tactic. Attackers use various tricks and ploys, often tailored to the current season, events, trends, or the age of their target demographic. The goal is always the same: to trick victims into clicking a link and entering the verification code.
Links to phishing pages can be sent in private messages or posted to group chats or compromised channels. Given the scale of these attacks and users’ growing awareness of scams within the messaging app, attackers now often disguise these phishing links using Telegram’s message-editing tools.
This link in this phishing message does not lead to the URL shown
New ways to evade detection
Integrating with legitimate services
Scammers are actively abusing trusted platforms to keep their phishing resources under the radar for as long as possible.
Telegraph is a Telegram-operated service that lets anyone publish long-form content without prior registration. Cybercriminals take advantage of this feature to redirect users to phishing pages.
Phishing page on the telegra.ph domain
Google Translate is a machine translation tool from Google that can translate entire web pages and generate links like https://site-to-translate-com.translate.goog/… Attackers exploit it to hide their assets from security vendors. They create phishing pages, translate them, and then send out the links to the localized pages. This allows them to both avoid blocking and use a subdomain at the beginning of the link that mimics a legitimate organization’s domain name, which can trick users.
Localized phishing page
CAPTCHA protects websites from bots. Lately, attackers have been increasingly adding CAPTCHAs to their fraudulent sites to avoid being flagged by anti-phishing solutions and evade blocking. Since many legitimate websites also use various types of CAPTCHAs, phishing sites cannot be identified by their use of CAPTCHA technology alone.
CAPTCHA on a phishing site
Blob URL
Blob URLs (blob:https://example.com/…) are temporary links generated by browsers to access binary data, such as images and HTML code, locally. They are limited to the current session. While this technology was originally created for legitimate purposes, such as previewing files a user is uploading to a site, cybercriminals are actively using it to hide phishing attacks.
Blob URLs are created with JavaScript. The links start with “blob:” and contain the domain of the website that hosts the script. The data is stored locally in the victim’s browser, not on the attacker’s server.
Blob URL generation script inside a phishing kit
Hunting for new data
Cybercriminals are shifting their focus from stealing usernames and passwords to obtaining irrevocable or immutable identity data, such as biometrics, digital signatures, handwritten signatures, and voiceprints.
For example, a phishing site that asks for camera access supposedly to verify an account on an online classifieds service allows scammers to collect your biometric data.
Phishing for biometrics
For corporate targets, e-signatures are a major focus for attackers. Losing control of these can cause significant reputational and financial damage to a company. This is why services like DocuSign have become a prime target for spear-phishing attacks.
Phishers targeting DocuSign accounts
Even old-school handwritten signatures are still a hot commodity for modern cybercriminals, as they remain critical for legal and financial transactions.
Phishing for handwritten signatures
These types of attacks often go hand-in-hand with attempts to gain access to e-government, banking and corporate accounts that use this data for authentication.
These accounts are typically protected by two-factor authentication, with a one-time password (OTP) sent in a text message or a push notification. The most common way to get an OTP is by tricking users into entering it on a fake sign-in page or by asking for it over the phone.
Attackers know users are now more aware of phishing threats, so they have started to offer “protection” or “help for victims” as a new social engineering technique. For example, a scammer might send a victim a fake text message with a meaningless code. Then, using a believable pretext – like a delivery person dropping off flowers or a package – they trick the victim into sharing that code. Since the message sender indeed looks like a delivery service or a florist, the story may sound convincing. Then a second attacker, posing as a government official, calls the victim with an urgent message, telling them they have just been targeted by a tricky phishing attack. They use threats and intimidation to coerce the victim into revealing a real, legitimate OTP from the service the cybercriminals are actually after.
Fake delivery codes
Takeaways
Phishing and scams are evolving at a rapid pace, fueled by AI and other new technology. As users grow increasingly aware of traditional scams, cybercriminals change their tactics and develop more sophisticated schemes. Whereas they once relied on fake emails and websites, today, scammers use deepfakes, voice cloning and multi-stage tactics to steal biometric data and personal information.
Here are the key trends we are seeing:
Personalized attacks: AI analyzes social media and corporate data to stage highly convincing phishing attempts.
Usage of legitimate services: scammers are misusing trusted platforms like Google Translate and Telegraph to bypass security filters.
Theft of immutable data: biometrics, signatures, and voiceprints are becoming highly sought-after targets.
More sophisticated methods of circumventing 2FA: cybercriminals are using complex, multi-stage social engineering attacks.
How do you protect yourself?
Critically evaluate any unexpected calls, emails, or messages. Avoid clicking links in these communications, even if they appear legitimate. If you do plan to open a link, verify its destination by hovering over it on a desktop or long-pressing on a mobile device.
Verify sources of data requests. Never share OTPs with anyone, regardless of who they claim to be, even if they say they are a bank employee.
Analyze content for fakery. To spot deepfakes, look for unnatural lip movements or shadows in videos. You should also be suspicious of any videos featuring celebrities who are offering overly generous giveaways.
Limit your digital footprint. Do not post photos of documents or sensitive work-related information, such as department names or your boss’s name, on social media.
Login
