A company that launched a cryptocurrency wallet, promising it was unhackable, soon found that wallet hacked. And instead of paying the hackers the bounty it had promised, the company sent them a veiled warning about facing consequences.
The BitFi wallet
The BitFi cryptocurrency wallet was launched in early August. Antivirus pioneer John McAfee called the wallet “the world’s first un-hackable storage for cryptocurrency & digital assets.” The device was branded unhackable on the grounds that it contained no storage or software.
The fanfare for the product was huge. To generate public interest in the wallet, BitFi set up a bug bounty, guaranteeing a US$250,000 award to any hacker who could meet its targets.
The challenge was pretty straightforward: participants had to buy a BitFi wallet that came preloaded with coins, and the hackers were supposed to empty all the coins out of the wallet. If they succeeded in doing so, BitFi promised a reward of US$250,000. The hackers were allowed to use every possible attack to break the wallet, including attacks on the company’s nodes, servers, infrastructure, and so on. Despite this huge show of confidence, BitFi was soon to face the embarrassing reality that its wallet was not as secure as it thought.
Breaking the wallet
Once word got out that there was an unhackable crypto wallet, a team of researchers quickly started working on cracking it. And soon enough, they achieved success. First, they embarrassed the company by hacking into the wallet and playing DOOM on it.
Later, they exposed the insecurity of the BitFi wallet by sending signed transactions from the device. The researchers first gained root access to the device and then set about modifying and tracking everything on it.
“We intercepted the communications between the wallet and [Bitfi]… This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification,” The Next Web quotes security researcher Andrew Tierney.
BitFi had set up three conditions for winning the bounty: the hackers had to prove they could modify the device, connect to a server owned by BitFi, and send data from the device. According to Tierney, they had met all three conditions and were eligible for the reward.
But a big surprise came later on when BitFi started sending veiled threats to the researchers. “This is my last tweet as my shift is ending, but did you guys ever bother to look into who you picked fight with & the resources these people have. Not wise. Remember that the lies & deception that you deliberately spread about Bitfi can have consequences,” the company apparently said in a deleted tweet.
After the threats, the researchers released a statement saying that they would stop their engagement with BitFi. Tierney also said that they had never expected the company to pay out the bounty and that they had participated in the challenge purely out of interest.
While Tierney’s statements can be appreciated given that he was threatened by a big company, BitFi’s response to the researchers has been deplorable. And the whole incident just proves what security experts in the industry have always believed: that nothing is ever truly unhackable.