Multibit Classic is a Bitcoin wallet that was popular during the 2010s. It was eventually superseded by Multibit HD before both of them were abandoned on July 26, 2017. As of today, many people still have Multibit wallets as they have not yet migrated to more modern software.
Such was the case of a friend who needed my help. They had bought Bitcoins in 2014 and now wanted to transfer them out of their wallet. The thing is, they didn’t have Multibit on their new computer and the official copies of the software are not available anymore. Indeed, if you try to access multibit.org, you will be redirected to a GitHub repository where you are expected to compile the source code of the software by yourself and verify that it is free of malware designed to steal your Bitcoins. This is not achievable for most people. At the same time, it is a bad idea to download a copy of Multibit from an untrusted source, as the file could easily have been tampered with.
While there’s no easy way to solve this conundrum, I believe I have devised an acceptable solution. By using the Wayback Machine, I was able to access the website multibit.org as it existed on March 27, 2015. From this snapshot, you can download official copies of Multibit Classic that have been archived by the Wayback Machine.
Download Multibit Classic
Without further ado, here are the links to download Multibit Classic 0.5.18:
- On Windows (SHA-256 hash: dc0c2ef689507c57347c0cbed58ea90fe12617a6fb026b308e81ec2127531b7e)
- On Mac OS X (SHA-256 hash: 0d2fe6fa68385c1ca964d9588272787dabffbc2061f29ebaab422317d0972257)
- On Linux (SHA-256 hash: a067c9638edfdf39f3e9fa154b0c6d8cfb7c58c0edd95a02c0ca903160ca3aad)
Can you trust these copies of Multibit Classic?
If you haven’t heard of the Wayback Machine, it is a nonprofit organization created in 1996 whose goal is to “archive the web” so sites can be browsed as they were in the past. Because of its track record, it can be more trusted than your average source. Nonetheless, a bad actor within the Wayback Machine’s staff could still tamper with its copies of Multibit if they thought the financial reward was worth the risk. As such, we should go the extra mile to confirm that your copy of Multibit is legitimate.
We will rely on VirusTotal, a website that was launched in June 2004 and that is now owned by a subsidiary of Google – meaning it too can be more trusted than your average website. We are going to use VirusTotal to check a few properties of your copy of Multibit. Most notably, we will look at its SHA-256 hash, which acts as a fingerprint of the file’s contents for integrity checks. If the hash isn’t what we expect it to be, then the file was altered.
Go to VirusTotal and run a scan on the file you have downloaded from the Wayback Machine. Install Multibit only if you can verify the following:
- Was the file flagged as malicious by any of the 60+ antiviruses? The answer should be no.
- In the “Details” tab, when was the file first sent to VirusTotal? It should be in 2014.
- In the “Details” tab, does the SHA-256 hash of your file match the one in this article? The answer should be yes.
- Can the SHA-256 hash of your file be found in this snapshot of multibit.org from April 18, 2015? The answer should be yes.
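The hash comparison in the checklist above can also be done locally, on the exact file you are about to install. The script below is an added example, not part of the original article or of Multibit; its function names are illustrative, and the expected hashes are the three listed in this article.

```python
import hashlib
import sys

# SHA-256 hashes published in this article for Multibit Classic 0.5.18.
PUBLISHED_HASHES = {
    "Windows": "dc0c2ef689507c57347c0cbed58ea90fe12617a6fb026b308e81ec2127531b7e",
    "Mac OS X": "0d2fe6fa68385c1ca964d9588272787dabffbc2061f29ebaab422317d0972257",
    "Linux": "a067c9638edfdf39f3e9fa154b0c6d8cfb7c58c0edd95a02c0ca903160ca3aad",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_published_hash(hex_digest, published=PUBLISHED_HASHES):
    """Return the platform whose published hash equals hex_digest, else None."""
    # Normalise case and whitespace: tools print hashes in differing styles.
    candidate = hex_digest.strip().lower()
    for platform, expected in published.items():
        if candidate == expected:
            return platform
    return None


def verify_download(path):
    """Return (matching platform or None, computed hash) for the file at path."""
    computed = sha256_of_file(path)
    return match_published_hash(computed), computed


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_multibit.py <downloaded installer>")
    platform, computed = verify_download(sys.argv[1])
    print("SHA-256:", computed)
    if platform is None:
        sys.exit("NO MATCH: do not install this file.")
    print("Matches the published hash for:", platform)
```

A match only shows that the file is identical to the one this article describes; the remaining checklist items are what tie that hash back to multibit.org.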