Bounty Hunt Gone Wrong: 'Unhackable' Wallet Bitfi Denies It Has Been Hacked

Published by Cointele

In July, John McAfee, executive chairman of cryptocurrency hardware wallet manufacturer Bitfi, claimed that Bitfi was "the world's first unhackable device," urging security experts to breach its security for a $100,000 bounty.

A number of reports emerged suggesting that Bitfi is not "unhackable," only to be dismissed by the wallet company as well as by McAfee himself, steadily making the bounty hunt look like a tasteless PR stunt.

What is Bitfi?

Essentially, Bitfi is a physical device - or a 'hardware' wallet - supporting "an unlimited amount of cryptocurrencies" that costs $120, according to its website.

McAfee called Bitfi "a Colt 45 of the crypto world" and "the world's first unhackable device." To prove his point, he announced a bounty hunt: $100,000 would go to the first person to hack the new device.

"The Bitfi hardware wallet solves this security problem once and for all in the most elegant way possible - the private keys are simply not stored anywhere, ever. This is another layer of security that goes beyond keeping the private key outside the computer environment or from devices with internet access. So even if your Bitfi hardware wallet is seized or stolen, there is nothing that anyone can do to extract the private keys because they are not on the device in the first place."

Bounty hunt quickly went wrong

Bitfi's website elaborates on the bounty program, listing a number of "rules": essentially, those who wish to participate have to purchase a Bitfi wallet preloaded with coins for an additional $10. The participant's goal is to extract the coins and empty the wallet, while the company allegedly grants "anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes and our infrastructure."

On Aug. 1, Dutch crypto personality OverSoft tweeted: "We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard." OverSoft later posted BitFi ROM directory listings.

Bitfi soon announced a second bounty hunt - this time with a much more modest $10,000 reward - altering the rules and claiming that none of the reported security breaches met the bounty's conditions and that the device has not been hacked: "Rooting the device does not mean it has been hacked," the Bitfi team argued.

"Cheap, stripped down Android phone"

Pen Test Partners, which posted a blog series on the hacking of Bitfi, claimed that, hardware-wise, "The Bitfi is a stripped down Mediatek MT6580. It's an Android phone, minus some components."

"Someone will probably have Doom running on it by Friday," commented Ryan Castellucci, a self-described "software engineer and hardware hacker," calling the device "a cheap, stripped down Android phone."

Later, in a subsequent episode of their "Hacking Bitfi" series, Pen Test Partners posted a video allegedly proving that the Bitfi device does have storage: in it, the wallet displays an uploaded video of John McAfee.

"Army of trolls": Bitfi's response to the criticism

Nevertheless, despite reportedly firing their social media employee, Bitfi continues to disown - and even threaten - its critics via social media. For instance, the wallet team asked Woodward if they could "alter [a] photograph of [his] face with something humiliating added," in response to his concern about a Bitfi affiliate allegedly spreading hate speech while defending the wallet.
