That's very much possible! I wouldn't touch that site with a 10 inch pole! I did checkout the network requests but nothing unusual. Typical 200/400/401 errors depending on the data validation. However I don't know what
rec.php?hash=
request meant. It is a post request but no data in header or response.
It hashes the URL you put in the textbox and sends it to their server. Why? Don't know.
There is more at the code.js file, which is responsible for getting the address and amount of the Bitpay URL.