Silk Road 2 Hacked, All Bitcoins Stolen – $2.7 Miliion

9 minute read

Posted by: DeepDotWeb

February 13, 2014

Update 5: Alleged Silk Road 2.0 Hacker Doxxed!?

Update 4: Defcon’s Latest post: We Will Repay The Stolen Funds

Update 3: Silk Road 2 Admin – Silk Road is not dead!

Update 2: As the time passes there are more and more suspicions that this was in fact a SCAM by the Silk Road staff – and not a hack, we will post more details about it once, and if we get the full picture.

Looking for new marketplace? Try this List of hidden markets
Must Read: Leave the Scammer-Op Behind!

Update: The amount of BTC that was stolen was calculated by Nicholas Weaver @NCWeaver – Computer Security Researcher, to be around:  4474.266369160003BTC that are with the value of about $2.7 Million.

It was just announced in a post by Defcon the Silk Road administrator (this post will be updated as soon as we get more info) –
Yes, what seemed to be an imaginary situation until not long ago, just became true, the silk road2  – the site who counted to be the security fortress of the deep web just has been hacked with its bitcoin stolen.  as he announced on the sites forums,  we pasted his post here:

Link to the original thread on Silk Road 2 Forums:  http://silkroad5v7dywlc.onion/index.php?topic=25091.msg491029#msg491029

=====Start Quote====

I am sweating as I write this.

Christmas brought grave news. I cannot adequately express how deeply honored I was by your unconditional support of my staff.

I do not expect the same reaction to today’s revelations. This movement is built on integrity, and I feel obligated to be forthright with you.

I held myself to a high standard as your leader, yet now I must utter words all too familiar to this scarred community:

We have been hacked.

Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.

Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.

Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.

This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community’s full balance in hot storage.

In retrospect this was incredibly foolish, and I take full responsibility for this decision.

I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.

I’ve included transaction logs at the bottom of this message. Review the vendor’s dishonest actions and use whatever means you deem necessary to bring this person to justice. More details will emerge as we continue to investigate.

Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward.

It takes the integrity of all of us to push this movement forward. Whoever you are, you still have a chance to act in the interest of helping this community. Keep a percentage, return the rest. Don’t walk away with your fellow freedom fighters’ coins. DPR2 returned the cold storage. I didn’t run with the gold. But two people alone cannot move us forward. It takes an entire community committing to integrity – and though this crushing blow will not stop us, it sure is a testament to how greedy some bastards truly are.

Being a part of this movement might be the most defining thing you do with your entire life.

Don’t trade that for greed, comrades.

I will fight here by your side, even the greedy bastards amongst us.

This community has suffered great financial loss over and over again, and I am devastated that it has happened again under my watch.

Hindsight is already suggesting dozens of ways this could have been prevented, but we must march onward.

The only way to reverse a community’s greed is through generosity. Our true character is revealed during trying times.

If this financial hardship places you at risk of physical harm, contact me directly and I will do my best to help you with my remaining personal funds.

Now what.

Never again store your escrow bitcoins on a server.

Silk Road will never again be a centralized escrow storage.

This week has shown the collateral damage we can cause by being a huge target and failing in just one unforeseen area.

I am now fully convinced that no hosted escrow service is safe.

If I cannot trust myself to keep a hosted escrow solution safe, I cannot trust anyone.

Multi-signature transactions are the only way this community will be protected long-term.

I am aggressively tasking our devs on building out multi-sig support for commonly-used bitcoin clients. Expect a generous bounty if you have the skill to implement this.

Until then.

1. We will never again allow ourselves to be a single point of failure. We will never again host your Escrow wallets.

2. Vendor registration is closed while we regroup.

3. All listings on Silk Road are now No-Escrow (Finalize-Early) for 1-2 months while we implement multi-signature transactions and lobby for mainstream Bitcoin client multi-sig support.

4. All unshipped orders have been cancelled.

5. Vendors may link to other marketplaces on a trail basis until we launch multi-sig, then we will re-evaluate based on community input. We do not want to be a centralized point of failure, but we also do not want to lead our buyers into dangerous waters.

6. From this point forward DO NOT trust markets with centralized escrow. Use multi-signature transactions whenever possible, with trusted third parties as escrow providers.

Everything will be offline for 24-48 hours to minimize variables as we continue to investigate. The evidence we have below will be expanded based on our findings.

– ——————

No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize.

We are relieved that our security procedures protected user identities, and that no servers were compromised. This was not a worst-case scenario: nobody will be getting arrested from this. Financial loss is terrible, but will not put all of us behind bars.

The details we have on the hacker are below. Stop at nothing to bring this person to your own definition of justice.

Humbled and furious,

Defcon

– ——————

# Attacker Intel as of 2014-02-13 18:00:00 UTC

We normally do not doxx anyone, and hold user information sacred. But this is an extreme situation affecting our entire community, and all three users who have exploited this vulnerability are very much at risk until they approach us directly to assist with any information.

Do not reveal any details of the attack. This will jeopardize your reward. Contact us directly.

If anyone has purchased or sold to these usernames, expect generous bounties for any information you can contribute which leads to identification.

# Attacker 1: (Responsible for 95% of theft)
Suspected French, responsible for vast majority of the thefts. Used the following six vendor accounts to order from each other, to find and exploit the vulnerability aggressively.

## Usernames used:
narco93
ketama
riccola
germancoke
napolicoke
smokinglife

Transactions listed at bottom of this file. Finding Attacker 1 is top priority.

# Attacker 2: (Responsible for ~2.5% of theft, using same methods towards end of attack lifecycle, likely knows Attacker 1)
LethalWeapon – Australia – “stumbled upon” large amount of BTC

# Attacker 3: (Responsible for ~2.5% of theft, using same methods towards end of attack lifecycle, likely knows Attacker 1)
mrkermit – Australia

# Theft Withdrawal Transactions and historical withdrawals by Attacker 1
address,txid_cleaned
{Here some big list of withdrawal addresses with the stolen bitcoins}

=====End Quote====

Aside from the endless marketplaces being hacked every day now, this is the most shocking event we have encountered – as Silk Road being the largest DarkNet market nowadays was probably holding the largest sum of money of them all – it is not yet clear how many Bitcoins were stolen exactly, but its almost certain that this is about to become the largest theft in the Deep Web history – bigger than the Sheep Marketplace Scam that had amount equal at the time to $40 million in bitcoins stolen by its admins.

This case only serves as ANOTHER, Very Painful lesson about – why on-site escrows are bad, and should not be used! only direct transaction or mulsig escrow like the one offered at themarketplace.i2p are the safe way to conduct business on these sites.

Is this the end of the centralized marketplaces?

We sure hope so!  as we posted here again and again, they are not safe, and will always end up being hacked or having the money stolen by their admins.

So who were the hackers?

Few hours before the announcement we at DeepDotWeb received a mail saying: “SilkRoad hacked, 150 BTC stolen, you heard it first from me” this was sent to us by a reddit user who claimed since yesterday he was going to hack SR and steal the sites money – we are trying to verify if this amount matches the amounts that were stolen by the “smaller” hackers that Defcon reported in his post, the others remain unknown.

The Silk Road moderators ranged from pleading or threatening the hackers:

To a complete shock:

The users reaction was not much different obviously and ranged between shocked / angry / desperate or accusing the sites admins to the thief’s themselves:

IS ANYONE ELSE BUYINGGGG THIS? !!! WE ARE FIXING ESCROW  WE ARE FIXING VENDOR REFUNDS? WE ARE DOING ALL WE CAN
THIS SHEEP !!!! STYLE FUCKING BY OUR TRUSTED SR GUYS ,

ITS FUCKING PLAIN AND SIMPLE ESCROW SYSTEM WAS A SCAM SO EVERY COCKSUCKER WHO DIDNT FINALZE THE COINS STAYED IN THE BANK AND OPPS WE HAVE BEEN HACKED

!!! WE ARE FIXING THE VENNDOR REFUND ? YEAH RIGHT RIGHT ANOTHER PERFECT SCAM, MORE COIN IN THE BANK AND AT THE RIGHT TIME
AGAIN OOPSS WE HAVE BEEN HACKED \

DEFCON GO FUCK YOUR SELF , U GUYS HAVE NOT DOMNE NOTHING ABOUT THE ESCROW SYSTEM , U HAVE DONE NOTHIGN ABOUT VENDOR REFUND , ALL U GUYS DID IS LET THE FUCKING BANK  BUILD UP AND SORRY GUYS WE HAVE BEEN HACKED

EVERY DOG GETS THERE DAY AND I CANT WAIT TILL I SEE ONE OF U FALL

Some even tried to help in some way.

For us – the big question is “how much”? , we will keep following up on this and updating this post as we get new information – for now, you can check out other site on this list.

Updated: 2014-02-13

Updated: