
PSA: Vulnerability in popular Bitcoin wallet exposes your private keys

Cryptocurrency thieves are getting more vicious by the day


BitPay’s popular Bitcoin (BTC) wallet, Copay, has been compromised, and your cryptocurrency might be at risk.

Developer BitPay has warned users that its open-source wallet Copay has been infected with malware designed to steal users’ private keys. This means anyone running the malicious versions of its app “should assume that private keys on affected wallets may have been compromised.”

BitPay says the malicious code shipped in versions 5.0.2 through 5.1.0, but it remains unclear whether, or how widely, it was actually used to steal keys. For the record, Copay boasts over 100,000 installs on Android. The developer says its separate BitPay wallet app wasn’t affected by the attack.

“We are still investigating whether this code vulnerability was ever exploited against Copay users,” the company further said. “Our team is continuing to investigate this issue and the extent of the vulnerability.”

It seems the attackers snuck the malicious code in through a third-party dependency rather than Copay itself: a tainted release of event-stream, a widely used JavaScript library on npm that Copay pulled in.
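For developers who ship Node apps, the first question after a warning like this is whether the tainted library is anywhere in their dependency tree, including copies nested under other packages where a glance at package.json would not show them. The script below is an added example, not BitPay’s or Copay’s code: it walks a package-lock.json (lockfile version 2 or 3) and reports every installed copy of a named package, the path that pulled it in, and which copies match a list of affected versions. The lockfile, every package name other than event-stream, and all version numbers are constructed for the illustration; the real affected event-stream versions are not stated on this page and would come from the advisory.

```javascript
// Added example for this article; not code from BitPay or Copay.
// Audits an npm package-lock.json (lockfileVersion 2 or 3, which carry a
// "packages" map keyed by install path) for every installed copy of one
// package, so a transitive copy hidden under another dependency is not missed.

// Constructed sample lockfile. Every name except event-stream, and every
// version number, is an assumption made for the illustration; nothing here
// states which real event-stream versions carried the malicious code.
const SAMPLE_LOCK = {
  name: "example-wallet",
  lockfileVersion: 2,
  packages: {
    "": {
      name: "example-wallet",
      version: "1.0.0",
      dependencies: { "wallet-core": "^2.0.0", "event-stream": "^3.0.0" },
    },
    "node_modules/event-stream": {
      version: "3.0.0",
      dependencies: { "map-stream": "~0.1.0" },
    },
    "node_modules/map-stream": { version: "0.1.0" },
    "node_modules/wallet-core": {
      version: "2.1.0",
      dependencies: { "event-stream": "^3.1.0" },
    },
    // npm nests a second copy when the range above cannot be satisfied by
    // the top-level install; this is the copy a package.json review misses.
    "node_modules/wallet-core/node_modules/event-stream": {
      version: "3.1.0",
      dependencies: { "map-stream": "~0.1.0" },
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"]; "" -> [].
function installPath(key) {
  if (key === "") return [];
  return key
    .split("node_modules/")
    .slice(1)
    .map((seg) => seg.replace(/\/$/, ""));
}

// Every installed copy of `name`: its version and the chain of parents it is
// nested under (a one-element chain means it sits at the top level).
function findInstalls(lock, name) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const chain = installPath(key);
    if (chain.length > 0 && chain[chain.length - 1] === name) {
      hits.push({ version: entry.version, chain });
    }
  }
  return hits;
}

// Every package whose declared dependencies include `name`, with the range it
// asked for; the root project is reported as "(root project)".
function findDependents(lock, name) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const range = entry.dependencies && entry.dependencies[name];
    if (!range) continue;
    const chain = installPath(key);
    out.push({
      dependent: chain.length > 0 ? chain[chain.length - 1] : "(root project)",
      range,
    });
  }
  return out;
}

// Summarise: which versions are installed, where, who pulled them in, and
// which installed copies fall in `affectedVersions` (taken from an advisory).
function auditLockfile(lock, name, affectedVersions = []) {
  const installs = findInstalls(lock, name);
  const bad = new Set(affectedVersions);
  return {
    installed: installs.length > 0,
    versions: [...new Set(installs.map((h) => h.version))],
    paths: installs.map((h) => h.chain.join(" > ")),
    dependents: findDependents(lock, name),
    flaggedPaths: installs
      .filter((h) => bad.has(h.version))
      .map((h) => `${h.chain.join(" > ")}@${h.version}`),
  };
}

// Demo run over the constructed lockfile; "3.1.0" stands in for an advisory's
// affected-version list and is itself an assumption.
const report = auditLockfile(SAMPLE_LOCK, "event-stream", ["3.1.0"]);
console.log(JSON.stringify(report, null, 2));
```

Against a real project you would replace SAMPLE_LOCK with the parsed contents of your package-lock.json and pass the affected versions from the advisory. The point of reporting install paths rather than a single yes/no is visible in the sample: the top-level copy is clean, and only the copy nested under wallet-core is flagged.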

In the meantime, BitPay has released a new version of Copay. The company advises users to update the app and move their funds to a new wallet.

“Users should not attempt to move funds to new wallets by importing affected wallets’ [12]-word backup phrases (which correspond to potentially compromised private keys),” the company wrote. “Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

Further instructions can be found on BitPay’s blog.

BitPay, Copay, and previous struggles

This isn’t the first time BitPay and Copay have had issues with their apps recently.

Not so long ago, Google mysteriously removed the wallets from the Play Store. The apps were reinstated shortly after, but it never became clear what triggered the removal in the first place.

Published November 27, 2018 — 10:45 UTC