Controversy is swirling around hardware wallet company Bitfi after it rejected claims by a fifteen-year-old that he had hacked its product.
Cryptocurrency hardware wallet manufacturer Bitfi called claims their wallet had in fact been hacked a “disgrace” in comments to Cointelegraph August 2, as controversy around the company’s security prowess builds.
In a statement to Cointelegraph, Bitfi CEO Daniel Khesin said that it had “absolutely no evidence” the wallet was insecure:
“As of now, we have no evidence that our device can be hacked and if someone succeeds in doing so then we will immediately put out a fix to all devices to address the vulnerability that was discovered and it will be unhackable once again.”
Bitfi and official partner John McAfee had offered a bounty worth $100,000 in July for anyone able to compromise their so-called “unhackable” hardware wallet.
Photos of the wallet’s components drew controversy when they surfaced online last week, commentators voicing concerns Bitfi’s claims it had built the “most sophisticated instrument in the world” had little basis.
On Thursday, those concerns increased after Saleem Rashid, the fifteen-year-old who unearthed a security vulnerability in fellow hardware wallet Ledger in 2017, announced on Twitter he had succeeded in hacking Bitfi’s product.
The company appeared not to believe Rashid, arguing his decision not to claim the bounty meant the situation was not all it seemed.
Responding, Rashid retweeted cryptocurrency researcher Alan Woodward, who had also discussed the hack with Bitfi in the same Twitter thread.
“It’s not speculation based on what I’m looking at,” Woodward had written, continuing:
“And we don’t want your money. Give it to charity. We are concerned that others will entrust their money to something that is not secure in the way appear to suggest.”
An official Bitfi spokesperson told Hard Fork August 1 that the recent criticism of the wallet’s security on Twitter was the product of an “army of trolls” hired by hard wallet competitors Trezor and Ledger, stating:
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete […] So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).”
Trezor’s founder and CEO has since denied the accusation in a tweet.
Bitfi’s CEO Khesin meanwhile continued the skeptical position towards Rashid, challenging him to accept the money if he had in fact compromised the device.
“…The person claiming to have cracked the bounty has not come forward to prove it and has tweeted 5 min ago that he will not be pursuing the bounty because it’s not worth his time […],” he told Cointelegraph.
“Yet he tweeted to the whole world this morning that he hacked into our wallet. I think it’s a disgrace for any human being to do such a thing but I will leave to you to judge.”
After Rashid created code to ‘backdoor’ Ledger’s wallets back in November 2017, the company released posts describing the events as “NOT critical” and said possible attacks “cannot extract the private keys or the seed.”
Rashid then refuted the claims on social media and a post on his personal blog in March of this year, stating he could still “autonomously extract the root private key once the user unlocks the device” and use to it instigate manipulation of destination addresses for transactions.