Bitfi’s functionality and promises have gone down the drain with the PR fiasco and mishandling of information that has occurred over the past week. The news has swarmed all crypto channels; we took it a notch further and tried to dig deeper into the complicated world of ethical hacking and raunchy business standards. Our findings suggest that it is a rocky road ahead for the ones rooting for Bitfi, no pun intended.


According to the website, Bitfi claims to be easy to use and highly protected. The company outright claimed that it was unhackable. Perhaps out of sheer narcissism, the company introduced a bounty program for any researcher or hacker who could get into the system, by whatever methods or apparatus. Such reward systems usually allow companies to find vulnerabilities and flaws in their systems in order to make them better and stronger. But Bitfi’s program claimed that it was doing this because the wallet really is unhackable, not because it wanted to test itself. The company said that the system was too good to be cracked and the firmware super strong. However, the researcher/hacker says otherwise.

The researcher claimed that not only was the system easy to get into, but the remedy for faulty or shady action is bogus too: Bitfi takes a very long time to resolve any issues with the hardware.

The researcher/hacker continuously insisted that this qualifies as supply chain tampering, while people continued to make naive remarks about the work done. To clear the air, the hacker shared the story in a pastebin file:

We aren't engaging with Bitfi after they made several threats on Twitter. I will quote one here:

'This is my last tweet as my shift is ending, but did you guys ever bother to look into who you picked fight with & the resources these people have? Not wise. Remember that the lies & deception that you deliberately spread about Bitfi can have consequences'

The bounty is a strawman, designed to allow Bitfi to claim they haven't been hacked because the bounty hasn't been claimed. In reality, the bounty only covers a single attack: sending your wallet (which has a strong seed and phrase) via UPS (taking several days) to an attacker. This doesn't emulate the real world, not even close. 

Bitfi keep on trying to redefine what "unhackable" means. Again, I will quote Bitfi themselves:

'This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks.'

“Unhackable” means cannot be hacked and will not ever be hacked by any means. This is the only definition we accept. 

We are more than happy to demonstrate the attacks to a journalist. 

We are not really interested in attempting to prove any of these to Bitfi: they know these are vulnerabilities. They can see the traffic from the wallet and check the transaction shown. So far we have been able to:
• Root a wallet
• Intercept all SSL communications between the wallet and servers
• Sign a Bitcoin transaction under these conditions
• Sniff the user's phrase and seed and send it to another machine under these conditions

Please ask Bitfi to explicitly confirm or deny these are possible.

The Threat – Out of context or crystal clear?

The hacker has been posting memes and system snippets since the morning after Bitfi chose to remain silent on the subject. On the other side of the debate, Bitfi tried to intimidate the researcher:

[Screenshot of Bitfi’s threatening tweet, via Twitter]

After realizing that the very public threat might cause bad publicity, Bitfi issued this statement:

Tierney is cleverly twisting things that were said out of context

Ask Cyber Gibbons vs. John McAfee

John McAfee, the CEO of Bitfi, has passed off this hype as an insufficient hacking attempt, leaving his remarks jokingly. It was clearly a public relations or marketing tactic to pay no heed to the news: showing persistence in not giving up the bounty anytime soon helps the hack look illegitimate or failed, and mocking the whole episode helped Bitfi look clean. So, he said:

When asked whether the hack was easy and whether it could be ignored, McAfee said:

A hardware wallet cannot ignore physical threats. And a hardware wallet must be secure on a compromised laptop on a compromised network.

This meant that Bitfi’s only job was really just to ensure that the wallet was as tamper-proof as they claimed. Backing up a claim with a fake bounty program is a horrible marketing strategy rather than an effective security measure.

The hacker remained quiet on whether alternative or competitors’ hardware wallets are better equipped safety-wise. He conceded that all hardware wallets are exposed to hacking risk and that there is no purely and truly safe way to secure electronic funds.

When we asked him whether this means that all physical devices must be unsafe, and whether it is actually possible to make an unhackable wallet, he responded:

More and more people are claiming to have done the cracking. A fifteen-year-old was also partially successful in a hacking attempt earlier this week. Another hacker popped up and said:

In response to this the hacker replied:

Before signing off in the evening, the hacker finally left his remarks on Bitfi’s current standpoint:

Earlier the same day he explained why Bitfi’s current claim, that they have security measures that help keep the hardware item safe, is problematic. If the wallet cannot connect to a server because the server may be compromised, or because the network may be under threat, it might as well always remain locked up and set aside in a dark closet. This defeats the very purpose of a wallet whose design was based on portability and access.

John McAfee has remained focused all evening on pivoting attention from the hot topic to other things, in an attempt to make this look like an unimportant and insignificant affair. In reality, the breach means that the wallet was NOT unhackable at all.

