The BitPay Copay bitcoin wallet has been compromised
A single email can do a lot of damage.
Do not open the program if you are using one of the affected versions of the wallet.
Instead, update to the new 5.2.0 version first, then use that version to remove all funds and send them to a new wallet. You can either generate a brand new wallet with the 5.2.0 version, or send funds to a different wallet. Do not use the recovery phrases or anything else from the compromised versions. BitPay is still investigating whether any users were affected.
How it happened
It all began with a single email.
Open source heists
This attack took advantage of workflow quirks in open source development. Specifically, someone going by right9ctrl managed to gain ownership and control of a package of code owned by someone going by dominictarr.
They simply asked to take over, and because Tarr wasn't doing anything with it, wasn't getting anything from it and didn't really care for it anymore, he handed it over no questions asked.
Unfortunately, that package of code was feeding into a bigger code library called EventStream, downloaded about two million times per week and used by institutions around the world, including Fortune 500 companies, small businesses and BitPay.
In the interests of fairness, it's worth emphasising that most EventStream users might have been similarly vulnerable to this kind of attack. However, this attack seems to have been specifically intended to single out Copay wallets as a rich target due to their relative popularity.
Once the attacker had access to this river of open source development, they proceeded carefully.
The first step, on 8 September, was to introduce a benign module known as flatmap-stream. The second step, implemented on 5 October, was to update flatmap-stream with a backdoor that attempts to steal bitcoin wallets when executed – such as when someone runs their bitcoin wallet program – and move the funds to a server in Malaysia.
Basically, the entire river that millions of users and countless applications drink from was contaminated. However, the contaminant was specifically engineered to only affect a very specific and lucrative subset of those drinking from it.
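The practical question this raises for anyone downstream is whether a package like flatmap-stream is in your own dependency tree at all, given that it never appears in your package.json. The following is an added example, not code from the article or from BitPay/Copay: it walks an npm package-lock.json (lockfileVersion 1, the npm 5/6 layout) the way npm resolves it and reports the path from the project to any denylisted package. The lock file, the direct-dependency list and the denylist are constructed for the example.

```javascript
// Added example (not from the article or from BitPay/Copay). A package's
// `requires` is satisfied by the nearest enclosing `dependencies` map, so a
// package npm hoisted to the top level is still attributed to whoever pulled
// it in. SAMPLE_LOCK, ROOT_DEPS and DENYLIST are constructed for this example.
const ROOT_DEPS = ["event-stream"]; // direct deps from the project's package.json
const SAMPLE_LOCK = {
  name: "example-wallet",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "3.3.6",
      requires: { "flatmap-stream": "0.1.1", "through": "~2.3.1" } },
    "flatmap-stream": { version: "0.1.1" }, // hoisted to top level by npm
    "through": { version: "2.3.8" }
  }
};
const DENYLIST = { "flatmap-stream": ["0.1.1"] }; // name -> known-bad versions

function findDenylisted(lock, rootDeps, denylist = DENYLIST) {
  const hits = [];
  // npm looks for a required name in the nearest scope first, then outward.
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--) {
      if (scopes[i] && scopes[i][name]) return scopes[i][name];
    }
    return null;
  };
  const visit = (name, info, scopes, path, onPath) => {
    const id = `${name}@${info.version}`;
    if (onPath.has(id)) return; // dependency cycle: already on this path
    const here = [...path, id];
    if ((denylist[name] || []).includes(info.version)) {
      hits.push({ name, version: info.version, path: here.join(" > ") });
    }
    const inner = [...scopes, info.dependencies];
    for (const dep of Object.keys(info.requires || {})) {
      const child = resolve(dep, inner);
      if (child) visit(dep, child, inner, here, new Set([...onPath, id]));
    }
  };
  for (const dep of rootDeps) {
    const info = resolve(dep, [lock.dependencies]);
    if (info) visit(dep, info, [lock.dependencies], [lock.name], new Set());
  }
  return hits;
}

const found = findDenylisted(SAMPLE_LOCK, ROOT_DEPS);
found.forEach(h => console.log(`flagged ${h.name}@${h.version} via ${h.path}`));
```

Run against a real lock file, the printed path tells you which direct dependency is the reason the flagged package is installed, which is the first thing to know before pinning or removing it.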
The wider problem
This type of "supply chain attack", which is basically when a hacker manages to pee in the river upstream of thirsty developers, is part of a much wider problem.
Open source development is regarded as a cornerstone of cybersecurity, necessary to prevent people from putting blind trust in programming they can't see and allowing the entire world to pick it apart for vulnerabilities. The idea is that it can encourage proactive security, rather than the more traditional method of waiting for something bad to happen then mending it later and chalking it up to a learning experience.
But it also raises new questions around the risks of people putting blind trust in programming they can see, and (reasonably) assuming that a code library being downloaded two million times a week is safe.
Constantly eyeballing your way through millions of lines of code isn't really feasible, so depending on the situation, you might run various tests before implementing something. But if those tests are transparent, attackers can more easily defeat them; if they're secret, then they might also be more reactive than proactive.
The solution is still elusive, and on a certain level, the Internet is just a very scary place with countless avenues of robbery. But until quite recently, the only thing that thieves could really steal was data, which could easily go unnoticed or be written off as the cost of surfing the web, while attempts to steal actual money would often run into the more tangible walls put up by the banks which guard people's funds.
Cryptocurrency is a different beast though. It's money in the form of data, which comes with a lot of downsides and presents a lot of opportunities for clever hackers. There's a reason people use hardware wallets. They bring back the additional security of adding physical real-world elements to data handling, and likely would have protected Copay users who may have been affected by this incident.
Copay, unfortunately, no longer has hardware wallet integration. It was removed by necessity at the start of 2018 when Google retired support for Chrome apps on all platforms except Chrome OS. It's another very apt and very related example of how upstream changes can affect developers and users downstream, and how a lack of standardisation is impacting the Internet.