Silk Road 2 Loses Over 4400 Bitcoins in Alleged Hack
The darknet marketplace, Silk Road 2, told its users yesterday that someone had stolen all the Bitcoins being held online in escrow. Estimates of the amount vary, but 4,474 Bitcoins (worth $2.7 million) apparently have gone missing.
Silk Road 2’s operators have blamed a weakness in the Bitcoin transaction protocols, which allowed six hackers to steal the funds, but members of the Bitcoin community suspect the operators themselves carried out the heist.
What is still unclear is just how a transaction malleability attack could have resulted in the complete emptying of an escrow account. The attack involves changing the ID of a bitcoin transaction, to make the sender think that it hasn’t happened.
As we detailed earlier this week, simply changing the ID isn’t enough to cause a coin to be stolen. The individual or organisation sending the bitcoins (in this case, Silk Road) would presumably have to resend the coins immediately and automatically in the event of a fraudulent customer complaint, and would have to watch almost 5000 bitcoins disappear from its escrow accounts without raising an eyebrow.
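The resend condition described above can be shown as a reconciliation check. This is an added example, not code from Silk Road 2 or any exchange: the `Tx` model is a simplification of pre-SegWit Bitcoin serialization, and all names and sample values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def _dsha256(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    inputs: tuple      # spent outpoints, e.g. ("<prev_txid>:0",)
    outputs: tuple     # (address, satoshis) pairs
    script_sig: bytes  # signature bytes; can be re-encoded and stay valid

    def _body(self) -> bytes:
        return repr((self.inputs, self.outputs)).encode()

    def txid(self) -> str:
        # Pre-SegWit, the ID hashes the signature bytes too, so a
        # re-encoded signature gives the same payment a different ID.
        return _dsha256(self._body() + self.script_sig)

    def payment_key(self) -> str:
        # Fingerprint of what was spent and who was paid, without the
        # signature. It does not change when the transaction is malleated.
        return _dsha256(self._body())


def naive_should_resend(sent: Tx, confirmed: list) -> bool:
    """Weak check: 'our txid never confirmed, so the payment failed'."""
    return sent.txid() not in {t.txid() for t in confirmed}


def safe_should_resend(sent: Tx, confirmed: list) -> bool:
    """Hardened check: resend only if no confirmed transaction spends the
    same inputs to the same outputs, whatever its ID."""
    return sent.payment_key() not in {t.payment_key() for t in confirmed}


# Constructed sample: one withdrawal and the copy that actually confirmed,
# identical except for the encoding of the signature bytes.
SENT = Tx(("aa" * 32 + ":0",), (("customer_addr", 150_000_000),), b"\x30\x44sig")
MALLEATED = Tx(SENT.inputs, SENT.outputs, b"\x30\x45\x00sig")
CONFIRMED = [MALLEATED]

if __name__ == "__main__":
    print("txid changed:     ", SENT.txid() != MALLEATED.txid())
    print("naive would resend:", naive_should_resend(SENT, CONFIRMED))
    print("safe would resend: ", safe_should_resend(SENT, CONFIRMED))
```
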
“Sorry defcon but if mt gox and bitstamp had the hindsight to cancel withdraws while they dealt with the bug. Why did you not take the same measures?” asked ‘Soloist’.
“Why did it take forever to move funds in and out of my wallet but every last bit of BTC disappears in the blink of an eye?” said ‘garconSR2’ in response to the Defcon post.
Technical experts were bemused, and sceptical. “Would criminals make dumb mistakes? Infinitely feasible. Most deep web sites like this are likely either honeypots or long-con scams,” said core bitcoin developer Jeff Garzik.
The protocol weakness led several Bitcoin exchanges, such as Mt Gox and Bitstamp, to temporarily lock down their Bitcoin holdings, until new code was disseminated to fix the security hole. The exchanges suspended Bitcoin withdrawals and some moved their coins offline, into “cold storage,” to keep them secure. Bitcoins are basically just software code.
Silk Road 2, however, kept its escrow account online while it fixed its systems. That enabled the hackers, working as a team, to drain the escrow funds, according to the website’s operators.