Bitpay Big Exploit? - 323 btcs sent to unknown address

[huguet2004]

I've experience what it seems a huge exploit in my copay wallet, with 336.2008 btcs beeing moved out. This is a new phone use only for btc, never in public wifi, never downloaded anything other than essencial apple apps, etc.

All of the sudden after 3 withdraws from otc dealers were confirmed my wallet sent 293.998 btcs to the address(below), i thought was a normal wallet re-sync(as it happens almost weekly in copay where u dont see your funds) and sent the previous balance to myself at: bd8b85b5fbec189c491b950e10d31c20678aeeac7e3b14fd9bbbb8e82afd0f0b
After receiving my balance, my wallet again sent it to the address.

Tried already restoring in other wallets and in others deviaton path, no success, looks like a hacking/exploit situation.

Help!!

Device: Recently(3 weeks ago) bought iphone 11 pro. IOS 13.1.2
App version: 7.1.6
Wallet funds went to: 1CYYS3R6CKD43nCxFbqvEvjr3VUScKswBw
Xpub: xpub6D9TkHyd2Zn5PgTSprttDdtn3oMEtTmasxLoy45SEEVzouWfzzDWwgGdThnhV9TGEBGGcdkMG7n z9t3JswoyKwn3Me9qVYCJTFP7LEuG2uP

[nc50lc]

I've experience what it seems a huge exploit in my copay wallet, with 336.2008 btcs beeing moved out. This is a new phone use only for btc, never in public wifi, never downloaded anything other than essencial apple apps, etc.

You're hodling hundreds of thousands worth of Bitcoins in a mobile device? You should be using a hardware wallet by now.
Anyways, how about your backup, is it safe from hackers or anyone close to you (physically)?
Copay is an HD wallet so one way to get hacked is through your SEED or backup.

Maybe not relevant, but someone just reported the same "hacking" issue to their github repo:Funds lost from wallet #10373
If it isn't your seed or device, they are the only one who can help you with this matter.

For your own protection, do not display your master public key (xpub) in the public
because all of your previous and future transactions/addresses will be visible once it was imported.

[bL4nkcode]

That's a huge amount to store in a merely mobile wallet even if I have only 1 BTC, I will not risk my funds on mobile wallet/device.

And you sure you never shared your recovery seed to others or saved it somewhere online? It's likely a compromised seed if you defend that your device isn't infected with malware.

[BitMaxz]

Maybe the balance from your copay wallet is sent to a change address connected to your copay wallet just like what they said from here "Where did my funds go in my BitPay wallet?"
Just keep your copay wallet connected and sync properly you will get your balance back from your copay wallet in the new wallet address.

Just in case the balance still doesn't show then try to extract all of your private keys from your copay wallet and import it to other wallets like Electrum wallet. You can follow the guide from here "How do I get the private key from my BitPay or Copay wallet?"

Let's hope that you can find your balance from exported private keys in your Copay wallet and import it to the Electrum wallet.
Make sure to download Electrum from real electrum.org and verify the signature to make sure your wallet is real and not a fake one.

[Chlotide]

Weird things happen
The ~294 BTC still in Bitpay address


Seems case is closed since github issue was also closed.

https://github.com/bitpay/copay/issues/10364

OP, how did this story end ? Got the $2.5M back ? (I get chills when just writing that amount...)

[Rafilsk]

The case was not resolved and they ended the topic on the very tin Github.

Very strange, I think it's a problem with Copay and they are trying to hide the case.

[coupable]

Very strange, I think it's a problem with Copay and they are trying to hide the case.

May be not! Op mentioned that he received this notification in github :

On 23 Nov 2019, at 19:59, micahriggan <notifications@github.com> wrote:



Hello, I think you may be okay, from looking at our database I think I see an issue that could be affecting your wallet.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#10364?

And he confirmed that he contacted them via this email :

Hello,

Could you please contact us at matias@bitpay.com so we can investigate the issue further.

thanks.

Even bitpay support confirmed the issue, Am really interested to know what should infect a wallet "called trusted" and who is the owner of the receiving address ?

[bL4nkcode]

Hope it's just a bug from bitpay's side and the funds are still on the wallet and can be recovered, coz if not, then that's really a huge loss to begin with.

[huguet2004]

Weird things happen
The ~294 BTC still in Bitpay address
https://i.imgur.com/5kFF3Vw.jpg

Seems case is closed since github issue was also closed.

https://github.com/bitpay/copay/issues/10364

OP, how did this story end ? Got the $2.5M back ? (I get chills when just writing that amount...)

Why in bitpay address? the addres 1CYYS3R6CKD43nCxFbqvEvjr3VUScKswBw is not in bitpay

[huguet2004]

Nop the issue was not recovered.
That was their last email

My specialist is thinking was a copay bug, my privates keys were impossible to be phiscally stolen and i never hold them online anywhere.


------------------------------------------------

Hello Hugo,

No, I have no news on that case, nor another related user report. We continue to check if we find any security issues on the current builds.

Did you created the wallet in 2017 using the Copay Wallet?
Are you aware of the issue  https://nvd.nist.gov/vuln/detail/CVE-2018-1000851  that affected wallets in Copay from version 5.0.1 to 5.1.0?

That one was only for Copay, If you used that 1-1 wallet during that time, using the Copay app (not the Bitpay app) and send money on using that version, the key could have been compromised. That was almost 1 year ago, so it seems improbable.

Other than that, at the moment we have no other idea of how the keys could have been compromised.

[Patatas]

-snip-

Seems like Copay is trying to hide something from the vague replies they have sent to you. Makes sense that your keys could have compromised or CoPay could have been hacked. The only hope you have is keeping track of how the coins are moved. Watching this thread and tracking the coins.

[huguet2004]

Hey guys, still nothing resolved.

Anyone heard or had any other copay exploits related issues?

[nc50lc]

Hey guys, still nothing resolved.

Unfortunately, there's a bad news: your funds in 1CYYS3R6CKD43nCxFbqvEvjr3VUScKswBw is now spent: aeb87b9dc18739dd178a8e9f138d31e614de537b925a8df33d310383b0d237c0
That alone should rule out that it's still in your wallet or caused by a bug that sent it a random address.

Since it's obviously spent, someone has access to that address's private keys.

[rat03gopoh]

Hey guys, still nothing resolved.

Anyone heard or had any other copay exploits related issues?

Your problem is at this address, 16Y4jj7LXLU8P7UrYP5VEfCdZ7W3w3xVNh^{(1st addy)} sending to an address not in your control 1CYYS3R6CKD43nCxFbqvEvjr3VUScKswBw^{(2nd addy)}. I thought your access key was leaking on your phone without you realizing it.

However I can't say that this is an exploit by hacker as long as the 2nd address still holds most of the bitcoins from your address. Came to the conclusion that this is a bitpay system bug (imo), not an exploit. If you wanna contact support, just ask who controls the 2nd address, this address has done a lot of tx output since you raised this case.

[JeromeTash]

Hey guys, still nothing resolved.

Unfortunately, there's a bad news: your funds in 1CYYS3R6CKD43nCxFbqvEvjr3VUScKswBw is now spent: aeb87b9dc18739dd178a8e9f138d31e614de537b925a8df33d310383b0d237c0
That alone should rule out that it's still in your wallet or caused by a bug that sent it a random address.

The address still has a balance of 277 BTC though (https://mempool.space/address/1CYYS3R6CKD43nCxFbqvEvjr3VUScKswBw). It wasn't all spent. The person just spends 5 or 6 BTC and the change goes back to the address. Maybe the person is doing this to slowly cash out the BTC without risking all of it and having it seized.

[huguet2004]

Yes guys im aware that he spent coins, i tracked some but he used many mixers.

For those who think this was a copay exploit, do you guys have any evidence of that? Any leaked private keys or known bugs?

Me too im thinking this was a copay exploit/bug since i never shared my PK with anyone, etc. Also since 2021 without moving, this was made by a professional hacker not someone who had access to my phone or anything.

[JeromeTash]

Yes guys im aware that he spent coins, i tracked some but he used many mixers.

For those who think this was a copay exploit, do you guys have any evidence of that? Any leaked private keys or known bugs?

Me too im thinking this was a copay exploit/bug since i never shared my PK with anyone, etc. Also since 2021 without moving, this was made by a professional hacker not someone who had access to my phone or anything.

If it was made by a professional scammer, then what's stopping from spending all the coins via a mixer. I mean, there are mixers that can volumes of even 300 BTC if moved in split transactions.

Also, how do you come to a conclusion that the few coins spent were moved to mixers? Please educate me.

[stompix]

Also, how do you come to a conclusion that the few coins spent were moved to mixers? Please educate me.

Breaking into smaller inputs, sending them to addresses that join them together and then splits again into tens of inputs, addresses getting hundred+ BTC in multiple transactions in the same block and then emptying all again in a matter of seconds, that's mixing behavior, no CEX does so.

Also since 2021 without moving, this was made by a professional hacker not someone who had access to my phone or anything.

Or by somebody that got scared at the amount involved and decided to play low and set up his next moves carefully waiting to see if somebody knocks at the door, but probably this bear market is testing his patience with 6 million just in reach so he wanted at least a few of that now! Usually, professional groups try to settle things as soon as possible to reduce the risks of a member jeopardizing everything, plus a volatile market would lead to a lot of infighting.

[rat03gopoh]

I find out more about bitpay as your PM.

For those who think this was a copay exploit, do you guys have any evidence of that? Any leaked private keys or known bugs?

Of course there is no proof, this is just more probable supposition. After all, bitpay has really experienced exploitation before your case. The email you quoted:

That one was only for Copay, If you used that 1-1 wallet during that time, using the Copay app (not the Bitpay app) and send money on using that version, the key could have been compromised. That was almost 1 year ago, so it seems improbable.

According to news, malware is also spread on bitpay^[1].

The malware was deployed on versions 5.0.2 through 5.1.0 of its Copay and BitPay wallet apps, and could potentially be used to capture private keys to steal bitcoin and bitcoin cash.

So I'm going to stick to the previous assumption that your access key was leaked.


1. https://www.coindesk.com/markets/2018/11/27/fake-developer-sneaks-malicious-code-into-bitpays-copay-wallet/

[huguet2004]

Thanks for the message guys im digging further into this.

I find out more about bitpay as your PM.

Thanks Rat03.

Is it possible for you to DM me your telegram?

Cheers!