Silk Road 2.0 Has Been Hacked And At Least 4,673 BTC Stolen; Operator Says Centralized Escrow Service Can’t Ever Work

Journalist:
February 13, 2014

Editor’s Note: The transactions revealed by Defcon only show a total of 4474.26 BTC stolen from presumably only escrow accounts.  This sum comes from transactions by attacker 1 only, and do not include the “contributions” of attackers 2 and 3.  The previous incorrect estimate of “over 88,000 BTC” came from user estimates of all funds previously on Silk Road 2.0’s wallets, or all funds in the wallets of the suspected attackers.  Varying reports of the total amount stolen from Silk Road 2.0 stem from inherent vagueness in Defcon’s words.  The only concrete estimate, taken from Blockchain data graciously presented by @NCWeaver and extrapolated to include the thefts from attackers 2 and 3, is ~4,673 BTC.

The total amount of BTC stolen from Silk Road 2.0 is as of yet not known.

We at CCN will continue to update this story as it unfolds. Hat’s off to DeepDotWeb for bringing this to everyone’s attention.

As of now, it seems that at least 4,474.26 BTC was stolen from Silk Road 2.0 via the Transaction Malleability bug being exploited by malicious users within Silk Road 2.0’s  system.  Essentially, several users made large buys and sells through multiple accounts and utilized transaction malleability to gradually withdraw all the BTC available on Silk Road 2.0.

Unlike many Bitcoin exchanges, Silk Road did not halt withdrawals to ensure that their internal Bitcoin client (custom or not) was up to date with Bitcoin 0.80 and the transaction malleability issues.  This was a clear mistake on the part of Silk Road 2.0 admins and operator.  There is currently a worldwide manhunt for the perpetrators of the heist, while Silk Road 2.0’s market closes and unshipped orders have been canceled.

Bitcoin not at fault

Again, I must reiterate that there is nothing wrong with the Bitcoin Protocol, just certain big-name services that have not heeded updates in the Bitcoin sphere and have now paid the price.

Additionally, Silk Road 2.0 should have been using cold storage for such a large amount of coins.  Just that common precaution would have secured their users funds and prevented a large portion of the heist.

Alternatively, some redditors claim that Silk Road 2.0 operators, and even other Bitcoin services at this time, are simply using this transaction malleability bug as a cloud of smoke to run off with 4,474.26  BTC.

Please use your common sense when setting up a Bitcoin service and when validating claims and news on the internet.

Silk Road 2.0 has lost all of its users’ money to a tune of at least 4,474.26 BTC; image from BuckTees

The Libertarian, tree-loving, Bitcoiners and Redditors are devastated by this turn of events; however, all in all, Bitcoiners are staying resolute because honestly this was expected as all centralized systems eventually fail.  Large Bitcoin businesses, particularly Silk Road, have huge targets on their backs calling hackers and government agencies alike.

Even Silk Road 2.0’s operator now promulgates that a centralized solution “can’t ever work.”  DPR has always stated that Silk Road should be advancing towards an ever more decentralized model.  Given this new development; Kyle Torpey’s prediction that the Open Transactions Bazaar would be the true Silk Road 2.0 has gained enormous traction.

Here are excerpts from the message on Silk Road 2.0’s forums that tells the tale.

Original link (Warning: onion link) which I highly recommend you view in its entirety.

I am sweating as I write this.

Christmas brought grave news. I cannot adequately express how deeply honored I was by your unconditional support of my staff.

I do not expect the same reaction to today’s revelations. This movement is built on integrity, and I feel obligated to be forthright with you.

I held myself to a high standard as your leader, yet now I must utter words all too familiar to this scarred community:

We have been hacked.

Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.

Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.

Defcon goes on to say:

No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize.

Silk Road 2.0 will undergo restructuring to move toward multi-signature escrow without any future wallet hosting on their end.  Whether or not the community will ever return remains to be seen.

Last modified (UTC): April 20, 2014 18:31

Caleb Chen @bitxbitxbitcoin

Caleb is a graduate of the University of Virginia where he studied Economics, East Asian Studies, and Mathematics. He is currently pursuing his MSc in Digital Currency at the University of Nicosia.