Confirmed: “Malicious Code Deployed on Versions 5.0.2 through 5.1.0 of Copay & BitPay apps”

By Anjali Tyagi
Published November 27, 2018 Updated November 27, 2018
Best Buy In





Confirmed: “Malicious Code Deployed on Versions 5.0.2 through 5.1.0 of Copay & BitPay apps”

By Anjali Tyagi
Published November 27, 2018 Updated November 27, 2018

Global bitcoin payment service provider, BitPay announces that its open source bitcoin wallet Copay has been attacked and exposed to malicious code with the intent to steal Bitcoin (BTC) and Bitcoin Cash (BCH) funds.

Bitcoin Wallets “may have been Compromised,” Reports BitPay


According to the latest reports[ shared by BitPay, a US-headquartered global bitcoin payment service provider, Copay has been compromised. Copay is BitPay’s open source bitcoin wallet provider where one can secure their personal funds with one or multiple signatures. By eliminating the need to trust third parties with savings, it asks the general public to “Take security into your own hands.”

However, a hacker has been able to get access to a JavaScript library and further infecting the Copay wallet apps with malicious code with an intent to steal Bitcoin (BTC) and Bitcoin Cash (BCH) funds.

Brian Hoffman, an open source developer wrote on Twitter in response, “This is a much bigger issue than just BitPay.”

A Bitcoin enthusiast wrote,

Last week, the presence of a malicious code has been identified but it’s clear intent and what it can do hasn’t been known, until now.

Used in millions of web applications, a Node.js module known as event-stream has been compromised. Reportedly, a user on GitHub asked for publishing rights to the library from Dominic Tarr, its previous maintainer who said, “He emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.”

The official announcement by BitPay says the BitPay app in itself “was not vulnerable to the malicious code” but are still investigating if Copay users are exploited.

“We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys. Currently, we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps.”

The team says the users of Copay version from 5.0.2 to 5.1.0 should not open or run the app. In the meantime, a security update version (5.2.0) is also released.

BitPay further cautions that,

“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately,” before adding, “Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”


The presented content may include the personal opinion of the author and is subject to market condition. Do your market research before investing in cryptocurrencies. The author or the publication does not hold any responsibility for your personal financial loss.
About Author
Anjali Tyagi
440 Articles
Having a background in writing, I worked on a wide array of industry topics and have recently entered the world of Blockchain and Cryptocurrency.

Loading Next Story