Bitcoin Hack Leaves Silk Road 2 Drained of All Funds

Photo credit: Rolf_52/
Photo credit: Rolf_52/

According to TechCruch, Silk Road 2 moderator Defcon said in a forum post that the perpetrators made use of the known transaction malleability exploit within the Bitcoin protocol to hack the marketplace. The exploit essentially lets a user request the same transaction over and over again, but it will only look like one has occurred – or none at all. So, it’s the perfect siphon. In this case, the hacker(s) made use of six vendor accounts to order from each other, and to find and exploit the vulnerability aggressively. The user names were narco93, ketama, riccola, germancoke, napolicoke and smokinglife.

Silk Road 2, created after the original Silk Road was shuttered by authorities last fall, is meant to be an open-source, anonymous Bitcoin-only marketplace specifically built for use in conjunction with Tor or I2P via the hidden services. The idea is to provide a “secure” transaction site for those who may not wish to have their identities known. Hidden in the so-called “darkweb,” law enforcement sees Silk Road as a clearing house for illegal drugs, fake passports, hit men, forgers and computer hackers. There are surely some political dissidents and other more noble users involved as well, but the authorities characterize it mainly as a place for drug dealing.

Defcon indicated he hoped that thieves could hang together on this, so to speak. “Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward,” Defcon wrote.

While it can hardly turn to legal help on this, Silk Road itself is making its way along the forensics road to track down the people responsible. The attacker suspected of being responsible for 95% of the heist is likely French, the marketplace said. Defcon also posted transaction logs that show pertinent user information associated with the stolen booty, encouraging the Silk Road community to “use whatever means you deem necessary to bring this person to justice.”

Unsurprisingly, the Bitcoin market has gotten a bit volatile, amid word of the theft and news that several Bitcoin exchanges including Mt. Gox have suffered from the same exploit, forcing several to temporarily cease trading. After falling all the way to $102 earlier in the week, BTCs are worth $669 as of publication time.

Defcon indicated that decentralization should be the way forward, to prevent a wholesale, Oceans 11-style vault breach from happening again: “No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize.”

What’s Hot on Infosecurity Magazine?