EXCLUSIVE: Hackers Who Attacked Bitfi Wallet Claim They “Backdoored” the Device

Andrew Tierney, one of the key individuals who shed light on the engineers challenging Bitfi's hardware wallet, provided a statement to Cryptovest clarifying the situation on behalf of the group.

The Bitfi Wallet, advertised as “the world’s first unhackable wallet” by the notorious John McAfee, has recently attracted considerable attention, especially after a group of hackers claimed to have hacked it, a claim the developer company rejected. The dispute seems to revolve around the exact meaning of the word “unhackable”, according to Cryptovest’s recent interview with Bill Powell, VP of operations at Bitfi, and the subsequent answer by the group of hackers, which calls itself THCMKACGASSCO.

In a media statement, sent to Cryptovest by Andrew Tierney, a.k.a. Cybergibbons, the group claims it had been able to “backdoor” the Bitfi wallet.

Before we move on to the detailed statement, we must clarify that the people working on the Bitfi wallet attack were not employees of Pen Test Partners. Our perception that PTP was doing the bulk of the work on the wallet came mostly from the fact that most of the tweets we saw came from Tierney, who works for PTP as a security consultant, and from the published articles on the company’s blog that referred to these efforts.

However, Tierney was part of a larger group of individuals who worked on challenging Bitfi’s claims of making an unhackable wallet, including:

Group of Researchers and Security Experts

  • Professor Alan Woodward of the University of Surrey (@profwoodward)
  • Security researcher Saleem Rashid (@spudowiar)
  • Security researcher and software engineer Ryan Castellucci (@ryancdotorg)
  • An unidentified security researcher from The Netherlands who goes by the Twitter handle @OverSoftNL
  • Security consultant Andrew Tierney, spokesperson for the group (@cybergibbons)

Its name THCMKACGASSCO is an abbreviation for “The Hacker Collective Mistakenly Known As Cyber Gibbons, Also Sometimes Somehow Called OverSoft”.

Statement Summary

The statement starts with a summary:

“We have developed a practical attack against the Bitfi wallet, allowing us to ‘backdoor’ the device to send the phrase and seed to a remote server. Someone with access to the device - either in the supply chain, or once possessed by the user - can carry out this attack. The bounty set by Bitfi is a marketing ploy which we are not taking part in.”

This is followed by a response to Bitfi’s definition of “unhackable”.

“The only definition of ‘unhackable’ we accept is that the device cannot be hacked and will not ever be hacked by any means. ‘Hacked’ means that the user’s seed and phrase (or equivalent private keys) are exposed, placing stored funds at risk.

Bitfi keep on trying to redefine this as ‘not having claimed the first bounty.’ The bounty covers attacking the device under a specific set of conditions: setting a strong passphrase, turning off the device, and sending it via courier.

This is not a realistic threat model and ignores malware, compromised networks, evil maid, and supply chain tampering. For this reason, we are not participating in the bounty: It is a marketing ploy.”

Not only did THCMKACGASSCO refuse to participate further in the bounty, it also cut off communication with Bitfi after what the community at large perceived as threatening language in some of the company’s tweets, including one in which an employee of the company said that “deception that [they] deliberately spread about Bitfi can have consequences”.

https://twitter.com/matthew_d_green/status/1026432597856006145

“We are not collaborating or communicating with Bitfi due to their communications on Twitter and via other media.

They have sent Twitter threats to researchers warning of ‘consequences’. Several sock-puppet Twitter accounts have been set up, all linked back to the email address [email protected], making ad-hominem attacks against researchers. This suggests it is the CEO of Bitfi, Daniel Khesin.”

When we asked Tierney for clarification regarding what he called “deceptive behavior” from Bitfi, he pointed out that at least three Twitter accounts posing as customers sent the group angry messages. One of these accounts appeared associated with the CEO of Bitfi.

https://twitter.com/ryancdotorg/status/1031263339916156930

Although the “da****@b****.***” email suggestion in the password reset page doesn’t definitively prove that this could be an account associated with Daniel Khesin, an analysis of the mannerisms provided by Ryan Castellucci seems to suggest that the account might belong to him.

Another account we saw used to belong to a totally different person but suddenly became a crypto-related account that vigorously defended Bitfi’s wallet.

https://twitter.com/its_lovedose/status/1032195788833730562

Deeper in the thread we can see a Twitter user posting a screenshot from Google’s cache of what the account used to look like. It used to belong to someone who posted messages about romance.

Evil Maid Attack Evidence

Returning to the statement, it concludes with evidence of an evil maid attack executed on the Bitfi device and evidence of the transaction on the public blockchain:

“We have been able to ‘backdoor’ the Bitfi wallet. When the phrase and seed are entered into the device, they will be sent to a remote server. With the phrase and seed, we have access to the user’s funds. The wallet continues to operate as normal, and there are no mechanisms for the user to detect this tampering. This is demonstrated in this video:”