david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Heartbleed already being used to cash bitcoins

posted April 2014

A message some users of Virwox received:

Hello,
here is what has happened:
Similar to other exchanges, our servers are protected from DDOS-attacks by an external service provider. While our own servers themselves were not vulnerable to the "Heartbleed" attack, the proxy servers of the DDOS provider were. They have fixed the problem already and we have turned on the service again.
The good news is that our own server was NOT hacked, and none of our secrets or bitcoins were stolen. However, the attacker was able to get to the session cookies of in total 20 users who were logged in yesterday (between about 8am and 11am), and used this to try to withdraw the money they had in their account in the form of bitcoins.

They don't say how much loss they have suffered, but they have reimbursed the victims.

Well done! You've reached the end of my post. Now you can leave me a comment :)