John McAfee’s Bitfi wallet hacked, again

Posted: 13 August 2018 4:05 pm

Will Bitfi cough up the cash and pay hackers their earned bounty or use an excuse to avoid remuneration?

Notorious cryptocurrency supporter and social media influencer John McAfee issued a US$100,000 bounty in late July for any person who could hack his Bitfi digital wallet. So, hackers went to work on cracking the device.

Soon after McAfee’s challenge was issued, the bounty was raised to US$250,000. However, a separate bounty was conceived to help Bitfi “identify potential security vulnerabilities” in the firmware encryption of the device.

This new bounty offers up a US$10,000 reward to those in the digital asset community.

Andrew Tierney, a security consultant for Pen Test Partners, took to Twitter this week to proclaim that he successfully made a transaction using the Bitfi digital wallet, supposedly fulfilling the US$10,000 bounty.

Bitfi’s bounty states that the firmware of the Bitfi device must be modified, the device must still connect to the Bitfi Dashboard, and the modified device must be able to transmit either the private keys or the user’s secret phrase to a third party.

In a recent interview, Tierney told The Next Web that his hack meets all of Bitfi’s bounty requirements.

“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy,” Tierney revealed. “We believe all [conditions] have been met.”

A 15-year-old security researcher, Saleem Rashid, was credited with running old-school computer game DOOM on the Bitfi device but McAfee claimed that the teen didn’t remove any coins, so the hack was unsuccessful.

Below, you can see footage of the teenager playing the popular 90s first-person shooter on Bitfi’s digital wallet.

Earlier this month, hackers intent on claiming the US$250,000 prize identified security flaws on the device:

  • A lack of tamper protection, letting people install malware before sale and otherwise manipulate it freely without leaving tracks.
  • The ability to install bugs that “listen” to the connection between the touchscreen and chip, to relay the password.
  • The ability to reprogram the device with root access.
  • The ability to access a user’s Bitfi dashboard account from a tampered-with device.

On top of that, the device was also found to have various tracking apps phoning home to different web services, such as Baidu. Users would therefore also need to trust the security of a range of third-party data collectors, and it means the wallet is internet-connected, which is exactly what a hardware wallet should not be.

Standards are key to doing anything at scale. Standardisation allows for compatibility between different systems, quicker growth and an easier way of achieving higher standards in most things. Cybersecurity is one of those things. In mid-June South Korean cryptocurrency exchange Bithumb was hacked, revealing that even the best-known and most reputable centralised exchanges can lose customer funds to ingenious attackers.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

