John McAfee Stakes Staggering $20 Million Bounty For Bitfi Wallet Hackers
Controversy erupted on Twitter last month when teenage hackers claimed to have hacked Bitfi’s ‘unhackable’ wallet mere hours after Bitfi had raised its hacking bounty from $100,000 to $250,000. Bitfi’s executive chairman, John McAfee, who had played an integral role in promoting the unhackable wallet campaign, went on an epic week-long rant on social media claiming the hackers were ‘trolls’. The bounty was never paid, and Bitfi has announced this week that it has terminated its bounty program and removed the ‘unhackable’ claims from its branding.
Earlier this week, John McAfee offered to fly one of the hackers in and let them hack his own personal device, keeping the $20 million in crypto he has on it if they succeed.
BitFi offered $100,000 to anyone who could take the coins from its factory wallet. Hackers complained it was too little, and why should they have to buy the wallet. It increased to $250,000. No takers. I'm now offering $20 mil to one fraudulent hacker – @cybergibbons He refused.
— John McAfee (@officialmcafee) September 1, 2018
On July 31st, teenage hackers @cybergibbons and @OverSoftNL gained root access to the ‘unhackable’ Bitfi wallet. With root access, Cybergibbons and Oversoft were both able to inject keyloggers onto Bitfi wallets completely undetected. Anyone who ever used one of these compromised Bitfi wallets would be “completely pwned,” said Oversoft.
To those that say the people hating on Bitfi don't have one in their hands.
Look at this.
Guess what? The device has no idea it's been tampered with. pic.twitter.com/7pbEyhViFy
— Ask Cybergibbons! (@cybergibbons) July 31, 2018
Bitfi’s response to Cybergibbons’ claims was: “You will notice that, as always, [Cybergibbons] provides no evidence or reproducible method of different kinds of attacks other than simply claiming that they have been able to successfully achieve them. Since you spoke to us, we have made considerable effort to get these hackers to claim bounty [sic] and all requests were ignored. You will note that in one instance we offered to make payment if he would simply take a few minutes to speak to our engineers on the phone (because he did not want to send in the device.)”
Although the hackers had gained root access, Bitfi made it clear that no bounty reward would be paid out. Cryptocurrency advocate and Bitfi Executive Chairman John McAfee proceeded to go on a Twitter tirade stating that the hacking claims were “bullshit”. According to McAfee, although the wallet had been compromised, gaining root access did not technically meet the terms of the Bitfi bounty program.
Bitfi’s Retractions Of Statements
A short time after we had these conversations, Bitfi posted an announcement about some changes it was going to make to its company, including hiring a security manager: “As part of our ongoing efforts to protect our customers, we have hired an experienced Security Manager, who is confirming vulnerabilities that have been identified by researchers… Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers. We acknowledge and greatly appreciate the work and effort by researchers.”
Bitfi pulling the bounties didn’t stop John McAfee from coming up with a bounty of his own. He offered to fly Tierney over to his house and film him hacking his personal wallet, loaded with $20 million in coins. The reply was a video demonstrating a cold boot attack (an attack on a Bitfi device after it had been restarted without powering off the RAM modules inside it) that dumped a device’s private key and secret phrase, making them visible.
here's a @Bitfi6 being cold boot attacked by an Android phone. the actual attack takes mere seconds. trivial to Evil Maid it while you're not looking.
the RAM analysis takes over 2 minutes on my phone (only 1GB RAM), but we can dump RAM in 40 seconds 😉
appropriate 🎶 as always pic.twitter.com/uNL5cLlSi6
— Saleem Rashid (@saleemrash1d) September 1, 2018
Both videos showing attacks that we have seen so far have come from Saleem Rashid, but McAfee singled Andrew Tierney out.
“More than 5 people have taken you up on it, but you ignored it. Why is that?” Tierney asked McAfee in a private message. “I challenged you. Not them. I singled you out for ridicule, not them,” McAfee replied.
Bitfi and McAfee are backing themselves into a corner with this incident. Many questions remain unanswered, and people on social media think they deserve answers.