
Fake Developer Sneaks Malicious Code into BitPay's Copay Wallet

The Copay wallet from crypto payments processor BitPay has been compromised by a hacker, the firm warns. An updated version has been released.

Updated Dec 10, 2022, 9:29 p.m. Published Nov 27, 2018, 10:15 a.m.
Credit: Shutterstock

The Copay wallet from U.S.-based bitcoin payments processor BitPay has been compromised by a hacker, the firm says.

BitPay announced Monday that it learned about the issue from a Copay GitHub report (https://github.com/bitpay/copay/issues/9346) indicating that a third-party JavaScript library used by the apps had been modified to load malicious code.


The malware was deployed on versions 5.0.2 through 5.1.0 of its Copay and BitPay wallet apps, and could potentially be used to capture private keys to steal bitcoin and bitcoin cash.

BitPay said:

“However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.”

The firm is asking users to not run or open the Copay wallet if they are using versions from 5.0.2 to 5.1.0. It has now released an updated version (5.2.0) without the malicious code for all Copay and BitPay wallet users that will be available in app stores "momentarily."

BitPay stressed: “Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately.”

BitPay has also advised users to not move any funds to new wallets by importing their 12-word backup phrases, since they correspond to “potentially compromised private keys.”

“Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds,” it explained.

The attack appears to have been carried out by a supposed developer called Right9ctrl who took over maintenance of the NodeJS library from its author who no longer had time for the work, ZDNet reports. The social engineering attack occurred about three months ago when Right9ctrl was granted access to the repository, at which point they injected the malware.

Jackson Palmer, the creator of the dogecoin cryptocurrency, tweeted in response to the news: "This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet."
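The modification described above, a third-party NPM library changed upstream to load malicious code, is the kind of change a lockfile diff in CI can surface before it reaches a release build. The script below is an added example and is not code from the article, from BitPay or from the Copay project; the package names (stream-helper, flat-helper), versions, hashes and URLs in the two lockfile snapshots are constructed for illustration. It compares two npm package-lock.json snapshots (lockfileVersion 2/3 "packages" map) and flags a new transitive package, a changed tarball hash, a package with no integrity hash, and a tarball resolved from outside the registry.

```javascript
// Added example, not code from the article or from BitPay/Copay.
// Defensive check: diff two npm package-lock.json snapshots and flag the
// changes a silently modified upstream dependency produces.

const TRUSTED_REGISTRY_HOSTS = new Set(['registry.npmjs.org']);

// Constructed sample: the lockfile as committed with the last reviewed build.
const lockBefore = {
  name: 'wallet-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-app', version: '5.0.1', dependencies: { 'stream-helper': '^3.3.0' } },
    'node_modules/stream-helper': {
      version: '3.3.4',
      resolved: 'https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.4.tgz',
      integrity: 'sha512-CONSTRUCTED-HASH-A',
    },
  },
};

// Constructed sample: the lockfile after a routine `npm install` picked up a
// new patch release of stream-helper that pulls in an unreviewed transitive package.
const lockAfter = {
  name: 'wallet-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-app', version: '5.0.2', dependencies: { 'stream-helper': '^3.3.0' } },
    'node_modules/stream-helper': {
      version: '3.3.6',
      resolved: 'https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.6.tgz',
      integrity: 'sha512-CONSTRUCTED-HASH-B',
      dependencies: { 'flat-helper': '0.1.1' },
    },
    'node_modules/flat-helper': {
      version: '0.1.1',
      resolved: 'https://cdn.example.invalid/flat-helper-0.1.1.tgz',
      // no integrity field: npm cannot verify the tarball contents on install
    },
  },
};

// Host of the tarball URL, or null when the entry has no parseable "resolved".
function resolvedHost(pkg) {
  try { return new URL(pkg.resolved).host; } catch { return null; }
}

// Returns an array of findings; an empty array means the two lockfiles agree
// and every package is pinned to a registry tarball with an integrity hash.
function diffLockfiles(before, after) {
  const findings = [];
  const beforePkgs = before.packages || {};
  const afterPkgs = after.packages || {};

  for (const [path, pkg] of Object.entries(afterPkgs)) {
    if (path === '') continue; // the root project itself, not a dependency
    const prev = beforePkgs[path];
    if (!prev) {
      findings.push({ path, kind: 'added', detail: `new package at version ${pkg.version}` });
    } else {
      if (prev.version !== pkg.version) {
        findings.push({ path, kind: 'version-changed', detail: `${prev.version} -> ${pkg.version}` });
      }
      if (prev.integrity !== pkg.integrity) {
        findings.push({ path, kind: 'integrity-changed', detail: `${prev.integrity} -> ${pkg.integrity}` });
      }
    }
    if (!pkg.integrity) {
      findings.push({ path, kind: 'missing-integrity', detail: 'tarball contents cannot be verified on install' });
    }
    const host = resolvedHost(pkg);
    if (host && !TRUSTED_REGISTRY_HOSTS.has(host)) {
      findings.push({ path, kind: 'untrusted-resolved', detail: `fetched from ${host}` });
    }
  }
  for (const path of Object.keys(beforePkgs)) {
    if (path !== '' && !afterPkgs[path]) {
      findings.push({ path, kind: 'removed', detail: 'package no longer present' });
    }
  }
  return findings;
}

// Convenience for a CI gate: true only when nothing changed and nothing is unverifiable.
function lockfileIsClean(before, after) {
  return diffLockfiles(before, after).length === 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of diffLockfiles(lockBefore, lockAfter)) {
    console.log(`${f.kind.padEnd(19)} ${f.path}: ${f.detail}`);
  }
}
```

Run against the two constructed snapshots it reports five findings: the version and hash change on stream-helper, and the added, unverifiable, off-registry flat-helper. In practice the check belongs in CI with the committed lockfile as "before" and the freshly generated one as "after", so that any new transitive dependency is reviewed by a human rather than trusted because a maintainer published it.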

Code image via Shutterstock
