Update 10:44 (UTC-06:00): BTCJam releases statement as promised.
The Bitcoins have moved to 1687v9NexfUC6U6G1xBrEkLWYi3WSDn4qL and are being sent through Shared Coin into cold storage.
BTCJam has gone offline for security updates with our servers.
Email from BTCJam’s Alexis Ajono:
“If you guys believe your accounts were hacked, please send me an email at [email protected]. We are currently looking into this, and I am comprising a list of claims. Thank you, and please stand by for an official statement later on today.”
Check out this Bitcoin Address: 1JBBbQkwR6qVmxyPq22VsfygeLdFYgqhmP.
Over the last hour, Bitcoin has been pouring into that address. The address first came to the public’s attention in a private BTCJam group on Facebook that confirmed the ongoing heist. It seems that individual BTCJam accounts are being emptied into that Bitcoin address. News of the heist started spreading while it was still in progress; redditors have gathered to discuss this matter. What is clear in this incident is this: 2FA prevents your account from being hacked. The hacker is moving through accounts one at a time, strongly suggesting that he only has access to login information and passwords taken directly from BTCJam’s servers. This theory is further corroborated by the fact that some of the compromised accounts temporarily created new loan requests in an attempt to steal even more Bitcoins. There are even reports from the Facebook BTCJam group of a gentleman who noticed his withdrawal address being changed, and was able to enable 2FA before the withdrawal request was made.
Who Is This Hacker?
It isn’t often that a simple Google search yields so much… But today it has. A simple Google search of the address that all the stolen Bitcoins are being sent to reveals that the same address is used as the donation address for this page: ppp.cryptoanarchic.me. The site was created by qwertyoruiop, and the donation address is under his control.
There also exists a Twitter account under the handle qwertyoruiop.
4 hours ago, he posted this:
1 hour ago, when the balance at 1JBBbQkwR6qVmxyPq22VsfygeLdFYgqhmP was around 26 BTC, he posted this:
The first tweet is what makes people suspicious that the Heartbleed exploit was used. The second tweet made some suspicious that qwertyoruiop was the hacker himself.
In response, qwertyoruiop had this to say:
What Happened, According To Qwertyoruiop.
Qwertyoruiop was contacted by the hacker; the hacker told qwertyoruiop that he wanted to sell some Bitcoin.
This is why all the stolen BTC was sent to 1JBBbQkwR6qVmxyPq22VsfygeLdFYgqhmP, an address under Qwertyoruiop’s control. He has since moved them into cold storage via Blockchain.info’s Shared Coin.
Qwertyoruiop has promised to return the Bitcoins once BTCJam has sorted everything out.
What If This Is A Heartbleed?
The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as a skeleton key to bypass secure servers without leaving a trace that a site had been hacked.
During the heist, according to this Heartbleed vulnerability test website, BTCJam was still vulnerable. BTCJam has since shut down their website. As of 11AM San Francisco time, BTCJam has yet to release any public statement regarding the heist or the Heartbleed vulnerability. After successfully using the Heartbleed exploit on XMPP services, it seems that qwertyoruiop went on to try Bitcoin services. Some find it doubtful that the first Heartbleed vulnerability online would be found at a Bitcoin website, and not at a more valuable financial website. However, given the amount of security and the inherent reversibility of transactions made through regular financial channels, I don’t find it surprising that the hacker went after BTCJam.
We won’t know for sure if Heartbleed was involved until BTCJam releases information on the heist.