
Silk Road 2.0 'Hack' Blamed On Bitcoin Bug, All Funds Stolen



toad
14th February 2014, 03:36
http://www.forbes.com/sites/andygreenberg/2014/02/13/silk-road-2-0-hacked-using-bitcoin-bug-all-its-funds-stolen/

Silk Road 2.0 'Hack' Blamed On Bitcoin Bug, All Funds Stolen

The same bug that has plagued several of the biggest players in the Bitcoin economy may have just bitten the Silk Road.

On Thursday, one of the recently-reincarnated drug-selling black market site’s administrators posted a long announcement to the Silk Road 2.0 forums admitting that the site had been hacked by one of its sellers, and its reserve of Bitcoins belonging to both the users and the site itself stolen. The admin, who goes by the name “Defcon,” blamed the same “transaction malleability” bug in the Bitcoin protocol that led to several of the cryptocurrency’s exchanges halting withdrawals in the previous week.

“I am sweating as I write this… I must utter words all too familiar to this scarred community: We have been hacked,” Defcon wrote. “Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.”

A message on the Silk Road homepage linking to Defcon’s “hacking” announcement.

Just how many bitcoins were stolen wasn’t said in the post, although it listed a series of Bitcoin addresses that the Silk Road administrators believe to have been involved in the heist. Those transactions seem to point to a single Bitcoin address that contains 58,800 coins, worth more than $36.1 million at current exchange rates. But tracing Bitcoin’s pseudonymous transactions is always tricky–other estimates range from 41,200 by a Silk Road user to 88,000 by the Bitcoin news site.

Update: Nicholas Weaver, a researcher at the International Computer Science Institute, estimates the total theft of Silk Road’s bitcoins at a much lower number: just 4,400 or so coins, worth around $2.6 million.

Based on the Silk Road’s data about the attack, the site’s staff point to three possible attackers, two in Australia and one in France. “Stop at nothing to bring this person to your own definition of justice,” Defcon writes.

Silk Road’s users, predictably, didn’t take the announcement at face value, and many instead suspect that the site’s staff have used the “transaction malleability” bug as a scapegoat to cover their own incompetence–the site has been plagued with more pedestrian bugs since launching in November–or even that they’ve run off with the users’ bitcoins themselves. “Transaction malleability,” after all, has been a known issue with Bitcoin for two years, and is described by most Bitcoin security experts as more of a major nuisance than a real threat that would allow funds to be stolen.

“Something’s not correct: The bug…can’t be made responsible if bitcoins are missing now!” writes a user named pathfinder.

“Oh, this is rich. How many users called for the shutdown of SR2 to fix the problems? They were ignored,” writes a user named aqualung on the site’s forums. “Admins did this. Not some vendor.”

Defcon denied those accusations, but took full responsibility for allowing the theft. “I didn’t run with the gold,” he writes. “I have failed you as a leader, and am completely devastated by today’s discoveries…It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.”

The hack is just the latest in a series of mishaps, crackdowns and scams that have roiled the “dark web” drug market since the shutdown of the original Silk Road anonymous drug site in October by the FBI. Among the more than half dozen sites that have sprouted to pick up Silk Road’s lucrative stream of Bitcoin-based drug transactions, at least three have run off with the users’ funds and two have shut down after being hacked. Several drug site administrators have also been arrested, including three former Silk Road staffers and five men in the Netherlands and Germany who launched their Silk Road copycat, Utopia, earlier this month.

Amidst that chaos, the relaunched Silk Road has been perhaps the most stable and popular marketplace for drugs and other contraband, with over 13,000 product listings at last count. And its hacking and sudden bankruptcy shakes the anonymous ecommerce community more than any of those other dark web eruptions.

While some Silk Road users wrote on the site’s forums that they planned to take their business to other marketplaces like Pandora and Agora, others declared the Silk Road model altogether dead. All the sites currently keep users’ bitcoins in “escrow” before a transaction is complete to prevent fraud, a model that often allows the funds to be stolen or seized.

Defcon ended his message to the site’s users by announcing that the Silk Road will no longer use an escrow, and will instead ask users to send money directly between buyers and sellers, a model that will no doubt lead to many more scams on the site. But he said that the site will move to so-called “multi-signature” transactions, a largely experimental use of Bitcoin that would require multiple users to “sign off” on a transaction before it’s made. That means a third party could serve as a trusted escrow with no way to steal a user’s funds. He promised a “generous bounty” to anyone who could help Silk Road to implement the change.

“Silk Road will never again be a centralized escrow storage,” Defcon writes. “Hindsight is already suggesting dozens of ways this could have been prevented, but we must march onward.”

Lifebringer
14th February 2014, 11:40
I smelled a hack when they first mentioned bitcoin. However I will throw a few inside plans for wind energy out there by major companies that are in on the state governmental deals globally after testing here in the Midwestern and Texas state. These came off the "inside blog site" discussion and "if I had the loot, I would definitely jump on all 6 energy companies trying to "control the global wind turbine energy century."

I stumbled on it by accident investigating my trade of "green clean energy" sometimes when you go into the company blog using the public site, the lazies, post plans and boy oh boy did I find a mint of info. If you ride this future train of transitional green clean energy, you will surely soar through it wealthy, as the rich, don't waste their money, and the plans don't come on until 2015 in UK, and 2014 here in America. The deal was done April 23rd 2013. Mostly southern sneaky power companies that say they want to ream all they can and control and set prices. If we jump on this, then we can one day out buy them and kick them out of the wind business for profit, and focus on prosperity and solutions that really work for the people around the world.

Inside blog boardroom plans.
Money already spent on the contracting projects and about to go by mid spring. Lots of jobs, just like when they did the solar field out west, this is a good one to jump on. I've been told I can see where the financial winds blow naturally with common sense, so pay attention to American Wind Energy Assoc. Colorado, GA power, Minnesota, public state power investing in global installation of these companies products. Bison Wind Energy, X-cel, American Electric Power Public Service and ALLETE/aka translation(Elite) pronunciation in our face that makes turbine engines to turn the wind energy fields in UK by another of their branches "Unitel" by 2015, and here by mid spring.

Go to:
www.awea.org
browse the future or these elite corporations are people too, conglomerates, trying to grab hold.
Who knows? If we grab some too, they can't control crap.
Sometimes being as wise as the serpent, but watchful as a hawk, my spiritual animal spirit, comes in handy to see things others cannot from far away. Hahaha.

Follow/scroll down the center black box on the page and click on the blog and see. Beautiful minds need to be in on this and pull ourselves up by the bootstraps with 10% going to the PA site.

Good hunting, buying/purchasing peeps.

Also take note of the "events block" for 2014 prospectus and meetings for the Bald and Golden Eagle Protection Act compliance. That in itself tells me the "go ahead" is ON.

Joe Akulis
14th February 2014, 16:04
The main reason I didn't jump into the bitcoin waters a couple years ago was because I always felt if the U.S./Israel could get a worm into the centrifuge controllers at a nuke plant in Iran, then bitcoin would be like kid's play if they ever turned their attention to it. Not saying this hack is what that is, but since bitcoin has started making a little more headway, like having Overstock.com get into it, and having some other Silicon Valley investors going in, then it's definitely on the radar.