Major Silk Road 2.0 hack costs bitcoin users millions of dollars
The original Silk Road, which was by all accounts a marketplace where users could solicit any number of criminal services anonymously, was first launched in 2011. Founded and operated by a user known only as Dread Pirate Roberts, the site helped popularize the bitcoin crypto-currency and reportedly had trade revenue of $1.2 million USD every month. The site was shut down by the FBI in October 2013, with police alleging that Dread Pirate Roberts is in fact the alias of one Ross William Ulbricht.
While Ulbricht awaited trial on charges including murder-for-hire and narcotics trafficking, the Silk Road was relaunched as Silk Road 2.0. Yet the site's future was put into doubt again on Thursday when an administrator who identified himself as “Defcon” explained on the site's forums what had happened.
“I am sweating as I write this...I must utter words all too familiar to this scarred community: We have been hacked,” he wrote. “Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the bitcoin protocol known as 'transaction malleability' to repeatedly withdraw coins from our system until it was completely empty.”
Defcon did not disclose exactly how many bitcoins were stolen, but Nicholas Weaver, a researcher at the International Computer Science Institute, told Forbes that approximately 4,400 coins were taken, worth about $2.6 million.
“Stop at nothing to bring this person to your own definition of justice,” Defcon wrote.
The loss was blamed on the same bitcoin protocol bug, transaction malleability, that led several exchanges, including Mt. Gox, to halt withdrawals last week.
But users were not convinced. Many pointed to the long-standing position of security experts that transaction malleability, while a real problem, does not by itself enable a theft of this scale.
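The experts' point is that malleability only changes a transaction's id, not which coins it spends, so a hot wallet that reconciles payouts by matching on the coins spent (the inputs) is not fooled, while one that matches on txid alone can be talked into paying again. The following constructed simulation, added here and not code from Silk Road 2.0 or any real wallet, models both accounting styles; the malleation itself is faked by changing a stand-in signature string rather than re-encoding a real signature.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: frozenset    # outpoints (prev_txid, vout) being spent; fixed by the signature
    user: str
    amount: int          # satoshis (constructed values)
    sig_encoding: str    # stand-in for the signature bytes, which the txid also hashes

    @property
    def txid(self) -> str:
        blob = f"{sorted(self.inputs)}|{self.user}|{self.amount}|{self.sig_encoding}"
        return hashlib.sha256(blob.encode()).hexdigest()[:16]

def malleated(tx: Tx) -> Tx:
    """Simulated malleation: same inputs, recipient and validity, different txid."""
    return Tx(tx.inputs, tx.user, tx.amount, tx.sig_encoding + "-reencoded")

class HotWallet:
    def __init__(self, utxos, key_by_txid: bool):
        self.utxos = set(utxos)         # spendable outpoints
        self.key_by_txid = key_by_txid  # True = naive txid matching, False = match on inputs
        self.pending = []               # broadcast withdrawals not yet matched to a confirmation
        self.paid_out = {}              # user -> total paid

    def withdraw(self, user: str, amount: int) -> Tx:
        tx = Tx(frozenset([self.utxos.pop()]), user, amount, "der")
        self.pending.append(tx)
        self.paid_out[user] = self.paid_out.get(user, 0) + amount
        return tx

    def on_confirmed(self, seen: Tx) -> bool:
        """Try to match a transaction confirmed on chain to a pending withdrawal."""
        for tx in self.pending:
            same = tx.txid == seen.txid if self.key_by_txid else tx.inputs == seen.inputs
            if same:
                self.pending.remove(tx)
                return True
        return False

    def retry_stuck(self) -> list:
        """The 'payout never confirmed, send it again' path that drains the wallet."""
        stuck, self.pending = self.pending, []
        return [self.withdraw(tx.user, tx.amount) for tx in stuck]

def simulate(key_by_txid: bool) -> int:
    """Total paid to one user after a single malleated withdrawal and one retry pass."""
    wallet = HotWallet([(f"funding{i}", 0) for i in range(3)], key_by_txid)
    tx = wallet.withdraw("vendor", 100)
    wallet.on_confirmed(malleated(tx))  # chain confirms the mutated copy, never the original
    wallet.retry_stuck()
    return wallet.paid_out["vendor"]
```

With txid matching the vendor is paid 200 for one 100-unit withdrawal; with input matching the mutated confirmation is recognised and the total stays at 100.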
“Oh this is rich. How many users called for the shutdown of SR2 to fix the problems? They were ignored,” wrote one skeptic. “Admins did this. Not some vendor.”
Defcon denied that he was involved in the site's compromise.
“I didn't run with the gold,” he said. “I have failed you as a leader, and am completely devastated by today's discoveries...It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.”
Since the initial Silk Road was shut down in October, a number of former competitors rushed in to fill the void. Administrators for at least three of those sites disappeared after stealing users' bitcoin, and another two voluntarily closed down after they were hacked.
One site, known as Sheep Marketplace, was victimized to the tune of $6 million in bitcoin by one administrator who said he had found a weakness in the site's security. Black Market Reloaded, for its part, announced that it was unable to accommodate the massive influx of ex-Silk Road users.
“Without competition the wisest thing to do is to shut down the market, doing it in a timely and orderly manner,” wrote one administrator without mentioning an expected return date. “We will be back up. But to speed up we need to close shop. Don't worry, we don't rip [off] anyone and will be back stronger than ever.”