BitPay’s Copay Wallet Compromised by Malicious Code, Firm Issues Advice for Users

Published at: Nov. 27, 2018

Crypto payment processor BitPay issued advice on its official blog yesterday, Nov. 26, for users of its open-source Bitcoin (BTC) wallet Copay, which has reportedly been compromised by malicious code.

The vulnerability pertains to a third-party Node.js module, also known as an “event stream,” which is used in versions 5.0.2 through 5.1.0 of BitPay’s Copay and BitPay apps. According to a GitHub issue report, this module was modified to load malware that is capable of stealing users’ private keys.

BitPay’s post states that the BitPay app was not vulnerable to the malicious code, but that its team is investigating whether the vulnerability had been exploited against any CoPay users.

In the meantime, the company has outlined advice for its users, stating that anyone using Copay version from 5.0.2 to 5.1.0, “should not run or open the app.” The company has released a security update in version (5.2.0), which is due for imminent release on app stores.

The company also warns that users of affected versions “should assume” their private keys may have been compromised, and therefore move any holdings to new, secure v5.2.0 wallets “immediately”:

“Users should not attempt to move funds to new wallets by importing affected wallets' twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

According to the GitHub issue report, a little-known user called right9ctrl requested and was granted publishing rights to the event-stream library (which is used in the Node.js module on the Copay app) from its previous maintainer, Dominic Tarr, who conceded he was no longer maintaining the repository and did not suspect the new user of malintent.

In response to the news, Dogecoin creator Jackson Palmer yesterday tweeted his concern that “this is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM [Node.js package manager]. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet” – nor to “let [an] attacker in” inadvertently.

Earlier this fall, Bitcoin Core released an update following the detection of a vulnerability in its software, a bug which the co-owner of Bitcoin.org described as “very scary,” with the potential to have “crashed a huge chunk of the Bitcoin network if exploited by any rogue miners.”

Tags
Related Posts
Yellow Card CEO reminisces about losing his life savings on LocalBitcoins
In his college-aged days, Chris Maurice, the CEO of African crypto exchange Yellow Card, said he put his life savings into Bitcoin (BTC), finding it stolen shortly after. "Bitcoin was about $200 at the time, and I decided basically I was just going to dump my entire savings account into into it," Maurice told Cointelegraph in an interview. Maurice said he had approximately $5,000 in his savings back then, with which he bought roughly 21 BTC. "I was holding it all on LocalBitcoins, because that was the wallet that I used at the time and I didn't really know any …
Bitcoin / Sept. 4, 2020
Electrum Bitcoin wallet still plagued by known crypto phishing attack
Two Electrum software wallet users have recently reported the loss of large sums of Bitcoin (BTC). One victim described the disappearance of 1,400 BTC, totaling $14,595,000 at press time, while another claimed 36.5 BTC, worth $380,512, as stolen. The events appear connected to a long-standing phishing scam affecting Electrum users since 2018. “Users need to be careful when dealing with their own keys, particularly when they are holding the keys to a wallet with a large amount of cryptocurrency as it makes them attractive to hackers,” Jason Lau, the chief operating officer of crypto exchange OKCoin, told Cointelegraph in response …
Bitcoin / Sept. 6, 2020
Another Electrum user is claiming that their coins were stolen
Details of a previous Electrum wallet hack surfaced following the massive 1,400 Bitcoin (BTC) theft that hit headlines a few days ago. "I had a similar situation 2 months ago," a Github user named Cryptbtcaly posted on the social media platform on Aug. 31. The user claimed someone pilfered 36.5 BTC from one of their wallet addresses. The BTC reportedly ended up spread across five different addresses. "Some of the stolen Bitcoin went to Binance, but they ignore my appeals and do not return," cryptbtcaly added. Details of a larger hack surfaced on Aug. 30, when a different Githubber reported …
Bitcoin / Sept. 1, 2020
Over 10,000 blacklisted BTC from 2016 Bitfinex hack on the move
A tranche of long-dormant Bitcoin seized in the 2016 hack of the Bitfinex cryptocurrency exchange are on the move today, an over $620 million sum that has some market participants spooked and may be contributing to a downward slide for Bitcoin. Blockchain analytics bot Whale Alerts was the first to raise the alarm, calling attention to a series of over five dozen transactions from wallets that have largely been inactive since the 2016 hack: ⚠ ⚠ ⚠ ⚠ ⚠ ⚠ ⚠ 1,241.37 #BTC (78,246,494 USD) of stolen funds transferred from Bitfinex Hack 2016 to unknown wallethttps://t.co/yLsJDXUBvE — Whale Alert (@whale_alert) …
Bitcoin / April 14, 2021
BitPay Says It Has ‘Paused’ Processing Bitcoin Payments in Germany
Bitcoin (BTC) and Bitcoin Cash (BCH) payment processor BitPay confirmed that it suspended its operations in Germany in an email sent to Cointelegraph on Aug. 1. BitPay: “We have paused operations in Germany” In the aforementioned email, a BitPay PR rep. Jan Jahosky cited regulation coming into force next year in Germany as the reason why the company decided to suspend its services in the country. The firm added that it is currently evaluating adding support for Germany again in the future. A BitPay spokesperson told Cointelegraph: “Germany has publicly stated that they want crypto companies to apply for a …
Bitcoin / Aug. 1, 2019