Global bitcoin payment service provider, BitPay announces that its open source bitcoin wallet Copay has been attacked and exposed to malicious code with the intent to steal Bitcoin (BTC) and Bitcoin Cash (BCH) funds.
Bitcoin Wallets “may have been Compromised,” Reports BitPay
According to the latest reports[ shared by BitPay, a US-headquartered global bitcoin payment service provider, Copay has been compromised. Copay is BitPay’s open source bitcoin wallet provider where one can secure their personal funds with one or multiple signatures. By eliminating the need to trust third parties with savings, it asks the general public to “Take security into your own hands.”
Brian Hoffman, an open source developer wrote on Twitter in response, “This is a much bigger issue than just BitPay.”
A Bitcoin enthusiast wrote,
PSA: Copay/Bitpay Wallet got hacked. You may have to MOVE your coins and abandon your mnemonic seed: https://t.co/AqPkKxYdh8
Note to BCH users, the Bitcoin[.]com Wallet is a fork of the CoPay Wallet and could also be affected: https://t.co/UI6uEZkBT2
— Ruben Somsen ⚡️🇳🅾️2️⃣❎ (@SomsenRuben) November 27, 2018
Last week, the presence of a malicious code has been identified but it’s clear intent and what it can do hasn’t been known, until now.
Used in millions of web applications, a Node.js module known as event-stream has been compromised. Reportedly, a user on GitHub asked for publishing rights to the library from Dominic Tarr, its previous maintainer who said, “He emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.”
The official announcement by BitPay says the BitPay app in itself “was not vulnerable to the malicious code” but are still investigating if Copay users are exploited.
“We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys. Currently, we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps.”
The team says the users of Copay version from 5.0.2 to 5.1.0 should not open or run the app. In the meantime, a security update version (5.2.0) is also released.
BitPay further cautions that,
“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately,” before adding, “Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”