Bitfi, a cryptocurrency wallet backed by anti-virus software entrepreneur and POTUS candidate John McAfee, has issued a statement saying it will no longer describe its service as “unhackable”.
The announcement followed the release of evidence by a group of security researchers showing the wallet being compromised.
While this was not even the first time the $120 hardware wallet was hacked, it was enough for Bitfi to strike the “unhackable” claim from its website.
At the end of July, McAfee had announced a bounty programme: following certain rules, a hacker had to get access to Bitfi’s wallet and in return receive a bounty, which was raised by McAfee from $100 000 to $250 000. Eventually, a few hackers, including a fifteen-year-old, rooted the device which is apparently a cheap Android phone. That bounty, which many in the security community deemed a sham, specified that a mod counted only if someone got the coins off the “cut-down Android phone” wallet. Bitfi and John Mcafee, in particular, have continuously denied that the mod occurred with McAfee openly challenging the word’s definition and refused to pay researchers who did mod the device, claiming the attacks didn’t meet the bounty conditions. It wasn’t horribly surprising that Bitfi won the PwnieAward for “Lamest Vendor Response.”
Bitfi stated that the Bitcoin inside must be removed from the wallet – which was controversial among the cybersecurity community as often weaknesses are identified but not acted upon. Security researchers had argued that the terms of the bug bounty programme were too specific.
The newest mod of Bitfi, a cold boot attack, was pulled off by 15-year-old Saleem Rashid, who previously turn Bitfi into a Doom gaming console. Rashid is part of a team of security researchers going by “THCMKACGASSCO.”
Despite Bitfi having been hammered and exploited many times, Bitfi finally backed off its “unhackable” claim shortly after Rashid posted video proof of the mod on Twitter.
Now the company is even labelling their actions as “counterproductive” and has allegedly hired an experienced Security Manager to fix multiple “vulnerabilities.”