Silk Road 2 Hacked, Over 4,000 Bitcoin Allegedly Stolen
Silk Road 2 moderator Defcon reported in a forum post that hackers have
used a transaction malleability exploit to hack the marketplace. The
hackers stole 4,474.26 bitcoins worth about $2,747,000, emptying the site’s escrow account (an earlier version of this post gave the figure as over 88,000 bitcoins).
UPDATE – Fixed estimate.
The site used a central escrow service to send bitcoins from buyers to
sellers. The hackers exploited the transaction malleability bug, a flaw
that lets a transaction’s ID be altered while the transaction is still
unconfirmed, so that a payment can appear never to have gone through and
the same amount of BTC can be claimed again, to clean out this wallet.
This is the same bug that forced Mt. Gox to halt all withdrawals; recent
updates have made ordinary bitcoin wallets secure against this sort of
attack. According to the site, the hackers used Silk Road 2’s automatic
transaction verification system to order from each other and then request
refunds for unshipped goods. They were able to exploit the transaction
malleability bug because Silk Road 2 used only the transaction ID to
confirm that bitcoins had been transferred. You can read more about the
problem here.
They supposedly run an automated refund system for their vendors that
relies on the TXID to verify transactions. Their claim is that six
vendors colluded to exploit that system by ordering from one another and
then submitting circular refund requests.
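As an added illustration (not from the article, and not Silk Road 2’s own code), the following Python sketch contrasts a refund check keyed on the transaction ID with one keyed on what the transaction actually spent and paid. The transaction format, hashes and signature bytes are constructed stand-ins, not real Bitcoin serialization.

```python
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class Tx:
    """Minimal stand-in for a pre-SegWit transaction (constructed, not wire format)."""
    inputs: tuple       # ((prev_txid, output_index), ...)
    outputs: tuple      # ((address, satoshis), ...)
    script_sigs: tuple  # one signature-script blob per input

    def txid(self) -> str:
        # A pre-SegWit txid covers the signature scripts too, so re-encoding a
        # signature without invalidating it changes the txid of the same payment.
        body = b"".join(
            f"{prev}:{idx}|".encode() + sig
            for (prev, idx), sig in zip(self.inputs, self.script_sigs)
        )
        body += b"".join(f"{addr}:{sats}|".encode() for addr, sats in self.outputs)
        return sha256d(body).hex()


def confirmed_by_txid(expected: Tx, confirmed: list) -> bool:
    """TXID-only check, as the article describes: did exactly this id confirm?"""
    return any(tx.txid() == expected.txid() for tx in confirmed)


def confirmed_by_effect(expected: Tx, confirmed: list) -> bool:
    """Malleability-resistant check: same inputs spent and same outputs paid,
    regardless of how the signatures were encoded."""
    return any(tx.inputs == expected.inputs and tx.outputs == expected.outputs
               for tx in confirmed)


def refund_decision(expected: Tx, confirmed: list, check) -> str:
    """What an automated refund system would conclude under a given check."""
    return "payment confirmed" if check(expected, confirmed) else "refund issued"


# Constructed scenario: a buyer pays escrow, but the copy the network confirms
# carries a re-encoded signature. Same spend, same payee, different txid.
ORIGINAL = Tx(inputs=(("aa" * 32, 0),), outputs=(("escrow_addr", 150_000_000),),
              script_sigs=(b"\x30\x44SIG",))
MUTATED = Tx(inputs=ORIGINAL.inputs, outputs=ORIGINAL.outputs,
             script_sigs=(b"\x30\x45\x00SIG",))

if __name__ == "__main__":
    chain = [MUTATED]  # only the mutated copy made it into a block
    print(refund_decision(ORIGINAL, chain, confirmed_by_txid))    # refund issued
    print(refund_decision(ORIGINAL, chain, confirmed_by_effect))  # payment confirmed
```

Bitcoin itself later closed the signature-encoding avenue with strict DER checks and SegWit, but a payment processor that keys state on the txid alone still has nothing to fall back on when that id changes.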
Defcon is calling on the hackers to return the bitcoin. “Given the right
flavor of influence from our community, we can only hope that he will
decide to return the coins with integrity as opposed to hiding like a
coward,” the moderator wrote.
The site’s users are currently attempting to track down the thief. Writes Defcon:
# Attacker 1: (Responsible for 95% of theft)
Suspected French, responsible for vast majority of the thefts. Used the following six vendor accounts to order from each other, to find and exploit the vulnerability aggressively.
## Usernames used:
narco93
ketama
riccola
germancoke
napolicoke
smokinglife
News of the theft has driven the price of BTC down by about 50 points and it’s currently hovering at 600. We’ll post more information on the hack and the exploit as we get it. Defcon, for his part, is calling for further decentralization of online markets and currency.
“No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize,” he wrote.