John McAfee's "Unhackable" Crypto Wallet, Hacked

What do you mean there's no such thing as an unhackable computer system? John McAfee won't pay the bounty either? Hmm...

Three days ago, John McAfee’s “Unhackable” cryptocurrency wallet, well, got hacked by an IT geek in the Netherlands who goes by the alias @OverSoftNL on Twitter. Last Wednesday, OverSoftNL tweeted about how he managed to get root access to John McAfee’s crypto-wallet, which McAfee had said offered “absolute” security and was “unhackable.” The bounty, in partnership with Bitfi, started at $100,000. A week later, it was raised to $250,000. This obviously grabbed the attention of IT experts and hackers alike, who inevitably hacked the wallet.

“Short update without going into too much detail about BitFi: We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard,” @OverSoftNL tweeted. “There are NO checks in place to prevent that like claimed by BitFi.”

Root access to the wallet gave the IT expert full access to the backend of the wallet. McAfee, however, disagreed that the wallet was actually “hacked,” since the funds could not be retrieved from it:

“Root acces (sic) to a device with no write or modify capability. That’s as useless as a dentist license un (sic) a nuclear power plant,” McAfee tweeted Thursday. “Can you get the money on the wallet? No. That’s what matters.”

Well, he’s not wrong. Without access to the actual funds, the device is a virtual paperweight to the hacker. What are your thoughts on this? Should John McAfee cough up the $250,000, or was he right to deny the funds to the intruder? Let us know what you think in the comments!

UPDATE 8/9/18

15-year-old Saleem Rashid has demonstrated that, despite claims of being unhackable, the device runs Doom perfectly fine.

You can read the tweet and watch the video here.

UPDATE 8/15/18

“We intercepted the communications between the wallet and [Bitfi],” security researcher Andrew Tierney (more commonly known as Cybergibbons) told Hard Fork. Tierney went on to say, “This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”

Tierney also confirmed that they have met the third condition – they sent the device’s private keys and its passphrase to a remote server, meeting the three requirements to claim the $10,000.

“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy.” Tierney said. “We believe all [conditions] have been met.”

McAfee paying up seems unlikely, though. The rules state that the hack must be from a Bitfi unit preloaded with $10 in Bitcoin at purchase and that emptying the wallet is part of the goal. Their explanation ends by adding,

“Nothing else will qualify. Please also note that this is not a bug bounty program. This is strictly a bounty to hack into the Bitfi wallet to allow those who claim they can hack it to attempt to do so.”

Until that wallet is empty, it seems like nobody will be getting that juicy USD$10,000 bug bounty reward, which is rather unfortunate, especially for the security researchers.
