Exclusive: McAfee Offers $20M to Hack Bitfi Wallet; Hackers Accept

The drama with the Bitfi wallet continues to evolve as the company removes its “unhackable” claim and both its bounties from its website, which prompted outrage from hackers who managed to execute an evil maid attack on the device. This escalated into a moment where John McAfee offered to fly one of the hackers in and allow them to hack his own personal device, letting them keep the $20 million in crypto he has on it if they succeed.

https://twitter.com/officialmcafee/status/1035980830957613057?s=21

Bitfi directed Cryptovest towards these tweets, adding that the offer “came straight from Mr. McAfee” and that the company “had nothing to do with this $20m offer.”

“No evidence”

During our interview with Bill Powell, VP of operations at Bitfi, he said that the hackers did not provide any evidence for their claims of hacking the device.

Shortly after we spoke to Powell, we established communication with the hackers through Andrew Tierney—a.k.a. Cybergibbons, a security consultant who speaks for the collective called THCMKACGASSCO. He told us the other side of the story, pointing us to a video of an evil maid attack performed on a Bitfi wallet.

https://twitter.com/spudowiar/status/1031301920303063045

On August 27, we received an email from Bitfi in response to the story we published.

“You will notice that, as always, [Cybergibbons] provides no evidence or reproducible method of different kinds of attacks other than simply claiming that they have been able to successfully achieve them. Since you spoke to us, we have made considerable effort to get these hackers to claim bounty [sic] and all requests were ignored. You will note that in one instance we offered to make payment if he would simply take a few minutes to speak to our engineers on the phone (because he did not want to send in the device),” a spokesperson for the company told us.

We saw the tweets and pushed a little further, asking whether the lack of cooperation may have come from a possible breakdown in communication following a tweet from the company that has been interpreted as a threat by the community at large.

https://twitter.com/matthew_d_green/status/1026432597856006145

To this, the spokesperson responded by saying that the hackers were taking everything out of context. The “threatening” tweet, according to the person we spoke to, was sent in response to a parody logo that the hackers created and that Tierney used as his profile picture on Twitter at one point.

“While we think that the message from our social media manager was not appropriate it was likely posted in desperation as our logo was defaced and smeared on the internet,” the spokesperson said.

We also asked Bitfi about the evil maid attack posted on August 19, but have received no response with regard to that situation. After this, we contacted Tierney to find out what he had to say about the “no evidence” allegations and the fact that the hackers did not send a device over to Bitfi to be examined.

“The bounty doesn’t say anything about providing method or sending the device. We are confused to why they need or want it. Above all, though, it doesn’t matter if we don’t claim the bounty. The issues exist regardless. If they want to fix the issues, they can approach any [penetration testing] firm that has worked with Android. There are so many issues on the device. It’s just a car crash from start to finish.

Regarding the threat, they keep on trying to frame this as about the parody logo I was using. It just makes no sense. The threat said ‘lies & deception,’ not ‘logo.’ I don’t know how much more evidence they need. The attack is just rooting the phone and using common tools to read the phrase. There is nothing to it,” he said.

The phone call

There was still the issue of the phone call, however. Bitfi did indeed make an offer to Saleem Rashid—the hacker who posted the video of the evil maid attack—over Twitter to call the company and speak to its engineers.

After exchanging a few words with Tierney, we found out that a colleague of his actually called Bifti’s CEO, Daniel Khesin. He claimed that the CEO lied to his colleague, but failed to provide any further details due to the sensitivity of the subject and the fact that no recording of the call exists.

We then proceeded to ask Bitfi about this situation and have received no answer so far.

Bitfi’s retractions and McAfee’s offer

A short time after we had these conversations, Bitfi posted an announcement about some changes it was going to make to its company, including hiring a security manager:

“As part of our ongoing efforts to protect our customers, we have hired an experienced Security Manager, who is confirming vulnerabilities that have been identified by researchers… Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers. We acknowledge and greatly appreciate the work and effort by researchers.

[...]

Effective immediately, we will be removing the ‘Unhackable’ claim from our branding which has caused a significant amount of controversy. While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”

In later tweets, Bitfi claims that the word “Unhackable” was removed from marketing material because of the harassment of hackers. However, that wouldn’t explain why the company hired a security manager to confirm vulnerabilities.

Despite Bitfi pulling the bounties, this didn’t stop John McAfee from coming up with a bounty of his own.

https://twitter.com/officialmcafee/status/1035980830957613057?s=21

He offered to fly Tierney over to his house and film him hacking his personal wallet, loaded with $20 million in coins, to which the reply was a video pointing out a cold boot attack (an attack on a Bitfi device after it had been restarted without powering off the RAM modules inside it) that dumped a device’s private key and secret phrase, making it visible.

https://twitter.com/spudowiar/status/1035937027697635333

Both videos showing attacks that we have seen so far have come from Saleem Rashid, but McAfee singled Andrew Tierney out. Another Twitter user called Eku (@stay__salty) took the challenge on behalf of Tierney, but McAfee was having none of it.

It appears that his challenge was meant for one specific person only, and it so happens to be the person who speaks for the collective.

“More than 5 people have taken you up on it, but you ignored it. Why is that?” Tierney asked McAfee in a private message.

“I challenged you. Not them. I singled you out for ridicule, not them,” he replied.

The events described here are still ongoing as the last update was only a few hours ago, but it’s reasonable to believe that McAfee will not allow someone else to go on Tierney’s behalf to hack the wallet.

As for Bitfi, it still has some questions left unanswered and we’d be delighted to update this story with the company’s answers if it would like to provide them.