This is getting ugly. It appears the creators of the purportedly (but not really) “unhackable” cryptocurrency wallet Bitfi, endorsed by John McAfee, have sent veiled threats to the security researchers who hacked the device.
In a now-deleted tweet, Bitfi warned the researchers (one of whom is only 15 years old) that there might be certain negative “consequences” for doing proper security work.
“This is my last tweet as my shift is ending, but did you guys ever bother to look into who you picked fight with [sic] [and] the resources these people have,” the company wrote. “Not wise. Remember that the lies [and] deception that you deliberately spread about Bitfi can have consequences.”
As is often the case, the suggestive tweet was swiftly screenshotted by a number of users before Bitfi could take it down. Here is a copy for posterity:
I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers. pic.twitter.com/McyBGqM3bt
— Matthew Green (@matthew_d_green) August 6, 2018
Following the threats, the researchers released a statement in a public Pastebin, saying they will no longer engage with Bitfi. “We aren’t engaging with Bitfi after they made several threats on Twitter,” the hacking collective said.
For the record, Bitfi first made headlines with bombastic claims it had developed the very first truly “unhackable” cryptocurrency storage solution. As the researchers proved shortly after, this wasn’t quite the case.
After security experts were able to pinpoint a bunch of red flags in the wallet’s design and also crack the device to play DOOM on it, Bitfi attempted to redefine what “unhackable” means. The researchers have since argued that Bitfi’s narrow definition is intended to prevent anyone from claiming their bug bounty (and thus proving the device is “hackable”).
“We recognized the bounty was a sham immediately,” researcher Andrew Tierney (more commonly known as Cybergibbons) told Hard Fork. “I like open bug bounties, but ones to prove you are unhackable are just silly.”
It seems Bitfi didn’t get the memo: threatening researchers for doing their job is the easiest way to burn bridges.