BitPay Narrowly Avoids Mass Javascript Related Theft of User Funds


BitPay, one of the world's most popular bitcoin payment processors, has issued a warning to users about a JavaScript-related security vulnerability. The affected Node.js library potentially steals users' private keys on certain versions of the Copay and BitPay applications. BitPay has advised customers using certain versions of Copay to move funds to different wallets as soon as possible.

BitPay safe for now

The BitPay application itself is not vulnerable to the package, though the security breach may have affected users of Copay, the wallet BitPay uses to store customer funds. Users were also told not to import backup phrases, as they could be compromised. The BitPay statement reads as follows:

“Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.”

The initial Copay GitHub warning reported the malware to be clever in its design, infiltrating users who had more than 100 BTC stored. BitPay narrowly avoided a mass liquidation, according to one user: “[BitPay] Narrowly escaped a mass theft/liquidation event. Network egress monitoring would be good to add to automated tests if not already part of the build validation process.” It is currently unknown whether any users were affected, though it appears that all funds are safe.

All advantages toward cybercriminals

This is not the first time that this JavaScript package has been exposed. The Event Stream package is downloaded over two million times a week. The exploit was found earlier this November, and the malicious code has been around for at least three months. The hackers have been silently siphoning private keys for weeks, according to The Telegraph. The keys have been sent to a server in Malaysia, and the creator of the library has been harassed on social media for his actions. The developer, Dominic Tarr, indicated that he was no longer maintaining the library.

The latest edition of the library included obfuscated code containing the private-key-stealing malware. While this breach has been contained, BitPay remains a high-return target for hackers, as government departments and large businesses are using its services. Such a popular BTC payment processor with a high trade volume may eventually be compromised by hackers in an era where the advantages are tilting in favor of cybercriminals rather than network defenders.
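One way to check whether a project pulls in the Event Stream package, and through which dependencies, is to walk its npm lockfile. The following is an added example, not code from BitPay, Copay or the original article; it assumes a lockfile with a `packages` map (lockfileVersion 2 or 3), and the sample lockfile, every package name in it other than `event-stream`, and the version string are constructed.

```javascript
// Added example: list every dependency chain that pulls a named package into an
// npm lockfile ("packages" map, lockfileVersion 2 or 3). Matching is by package
// name, so nested duplicate copies of one package are merged (an approximation).
function pkgName(key) {
  // "node_modules/a/node_modules/@s/b" -> "@s/b"; non-node_modules keys -> null
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function findDependencyChains(lock, target) {
  const installed = [];          // every installed copy of the target
  const dependents = new Map();  // package name -> names that declare it
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = key === '' ? '<root>' : pkgName(key);
    if (name === null) continue;
    if (name === target) installed.push({ path: key, version: meta.version });
    const deps = { ...meta.dependencies, ...meta.optionalDependencies,
                   ...(key === '' ? meta.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(name);
    }
  }
  const chains = [];
  const walk = (name, trail) => {   // climb from the target towards the root
    for (const parent of dependents.get(name) || []) {
      if (parent === '<root>') chains.push(trail.join(' > '));
      else if (!trail.includes(parent)) walk(parent, [parent, ...trail]);
    }
  };
  if (installed.length > 0) walk(target, [target]);
  return { installed, chains: chains.sort() };
}

// Constructed sample lockfile: every name except event-stream is hypothetical,
// and the version string is a placeholder, not the affected release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-wallet', dependencies: { 'wallet-ui': '^1.0.0' },
          devDependencies: { 'task-runner': '^2.0.0' } },
    'node_modules/wallet-ui': { version: '1.0.0' },
    'node_modules/task-runner': { version: '2.0.0', dependencies: { 'proc-list': '^1.0.0' } },
    'node_modules/proc-list': { version: '1.0.0', dependencies: { 'event-stream': '*' } },
    'node_modules/event-stream': { version: '0.0.0-placeholder' },
  },
};

console.log(findDependencyChains(SAMPLE_LOCK, 'event-stream'));
```

For a real project, pass the parsed contents of `package-lock.json`; each entry in `chains` starts with the direct dependency that brings the package in.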
