Bottom line: Judging from his colorful past, John McAfee has probably done a few things in his life that he regrets, and it’s starting to look like calling his Bitfi cryptocurrency wallet “unhackable” is turning into one of them.
After the device was broken into by a 15-year-old and made to run Doom last week, more security researchers have hacked the wallet, leading to veiled threats from the Bitfi team.
Bitfi offered a $250,000 bug bounty to anyone who could compromise the device and steal its crypto coins, which hasn’t been achieved. But researchers have been able to send signed transactions using the wallet, which should qualify them for a second, $10,000 bounty.
Three criteria were needed to claim the ten-grand prize: modify the device, connect to the Bitfi server, and send sensitive data using the wallet.
Security researcher Andrew Tierney (better known as Cybergibbons) said, “We intercepted the communications between the wallet and [Bitfi]. This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
As per The Next Web, Tierney and his team also sent the device’s private keys and its passphrase to a remote server, which he believes qualifies him for the $10,000 bounty. “We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy,” he said. “We believe all [conditions] have been met.”
In response, Bitfi said in a now-deleted tweet that the researchers' work might have “consequences,” which led to them posting a statement on Pastebin. “We aren’t engaging with Bitfi after they made several threats on Twitter,” it reads. “Bitfi keep on trying to redefine what ‘unhackable’ means.”
John McAfee, meanwhile, is trying to laugh the whole thing off.
Laughing so hard I can barely catch my breath. "Hackers" play Doom, play videos, root the device, play music on the BitFi wallet. We don't charge extra for those facilities. No-one has taken the coins from our pre-loaded wallet. No one will. Isn't this what matters? — John McAfee (@officialmcafee) 14 August 2018