A large-scale cyber-theft has drained the relaunched ‘online drug bazaar’ Silk Road 2.0 of nearly all of its Bitcoin reserves – estimated to be worth $2 million or even more. The unknown attackers used a recently discovered flaw to withdraw money repeatedly while the site was vulnerable due to maintenance work.
Site administrators believe that the attackers exploited the same ‘transaction malleability’ flaw that hit the MtGox Bitcoin exchange this week, according to The Register’s report.
Site administrator Defcon posted details of a number of accounts believed to have been used by individuals involved in the attack, The Register reported. Defcon believes that the majority of the funds went to an individual in Australia, but two other accounts in France were involved.
Defcon released online identities of the three attackers, as well as details of transactions, and urged the public to “bring this person to your own definition of justice.” Bitcoin transactions are irreversible, hard to trace, and not insured by governments, so reclaiming losses from large thefts can be impossible, CNN writes.
Site administrator Defcon said in a blog post that the attackers struck at a moment when the community’s entire balance was in hot storage – i.e. on computers connected to the internet. Large sums of Bitcoin are usually placed in “cold storage” – i.e. on disks disconnected from the internet – for security reasons, and having such a huge sum accessible online while upgrades were applied led rapidly to disaster, according to Defcon.
Silk Road can only be accessed via the Tor network, using a browser which masks its users’ locations. The site acts as a middleman between a vendor and a buyer for these transactions – often sales of illegal drugs – and trade is strictly in bitcoin. Defcon claims that the attackers struck when funds held in escrow for vendors and buyers while transactions cleared were temporarily moved to ‘hot storage’ – i.e. computers that could be accessed via the internet. The attackers used the ‘transaction malleability’ flaw which afflicted exchanges such as Mt Gox this week to repeatedly withdraw bitcoins until none were left.
“I am sweating as I write this…,” said Defcon, expressing regret that he had not followed the example of exchanges such as Mt Gox, which blocked withdrawals rapidly after the ‘transaction malleability’ vulnerability came to light. “I must utter words all too familiar to this scarred community: We have been hacked.”
“This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community’s full balance in hot storage.”
The South China Morning Post reports that the thieves stole 4,476 bitcoins, worth US$2.5 million at current market rates – which tallies roughly with estimates from other major outlets such as CNN, which placed the figure at $2.7 million. Silk Road 2 is blaming “transaction malleability” – a vulnerability which afflicted several large Bitcoin markets this week, and contributed to a sharp, but brief, decline in the currency’s value.
Estimates of the scale of the theft vary widely – with some, from less well-known sites, pointing to a much higher figure. Defcon listed a series of Bitcoin addresses that admins believe were involved, which point to a single address containing 58,000 coins worth more than $36.1 million. Other estimates range from 41,200 bitcoins (from a Silk Road user) to 88,000 (from Bitcoin News).
Forbes Magazine said that it was the latest in a series of hacks targeting ‘black market’ sites – and that of the half-dozen sites which sprang up in the wake of the closure of the original Silk Road, three shut down after insiders ran off with funds, and two after being hacked.
Earlier this week, Dutch ‘drug market’ site Utopia was shut down by police. Like Silk Road, Utopia was a ‘hidden site’ only accessible via the Tor browser, which allows web users to remain anonymous. Dutch authorities have not disclosed how they located and shut down the servers.
The Register’s report said that the “transaction malleability” flaw which led to Mt Gox’s closure, and the theft from Silk Road redux, had been known for several years, saying, “Experts say that sites and exchanges using best practices could eliminate the vulnerability from their bitcoin services.” In the case of Silk Road 2’s bitcoin reserves, attackers repeatedly used the vulnerability until the entire reserve was drained.
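The “best practices” The Register alludes to come down to one reconciliation rule: a service must not decide whether a withdrawal settled by looking for the transaction id it broadcast, because a relayed copy with a re-encoded signature carries a different id while spending the same coins to the same destination. The following toy model is an added illustration written for this page, not code from Silk Road 2, Mt Gox or any Bitcoin library: it keeps only the parts that matter (a txid that hashes the whole serialized transaction, signature bytes included), stands in a padded byte for the non-canonical signature encodings old nodes accepted, and contrasts a txid-keyed ledger, which loses track of a malleated withdrawal and leaves it pending for a retry loop to pay again, with an outpoint-keyed ledger that recognises the settlement regardless of the id. Names such as `Tx`, `TxidKeyedLedger` and `OutpointKeyedLedger` are the example’s own.

```python
import hashlib
import json
from dataclasses import dataclass


def sha256d(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    """Minimal transaction model; 'sig' stands in for the scriptSig and is not a real signature."""
    inputs: tuple   # outpoints being spent, each (prev_txid, output_index)
    outputs: tuple  # (address, amount) pairs
    sig: bytes

    def serialize(self) -> bytes:
        return json.dumps(
            {"in": self.inputs, "out": self.outputs, "sig": self.sig.hex()},
            sort_keys=True,
        ).encode()

    @property
    def txid(self) -> str:
        # The id hashes the whole serialization, signature bytes included,
        # so any accepted re-encoding of the signature yields a different id.
        return sha256d(self.serialize())


def malleated_copy(tx: Tx) -> Tx:
    """Model of a relayed copy whose signature encoding was altered in transit.
    Inputs and outputs are untouched; only the id changes. (Constructed: a
    trailing pad byte stands in for the non-canonical encodings old nodes accepted.)"""
    return Tx(tx.inputs, tx.outputs, tx.sig + b"\x00")


class TxidKeyedLedger:
    """Fragile reconciliation: a withdrawal counts as settled only when a
    confirmed tx carries the txid the service originally broadcast."""
    def __init__(self):
        self.pending = {}  # txid -> Tx

    def broadcast(self, tx: Tx) -> None:
        self.pending[tx.txid] = tx

    def on_confirmed(self, tx: Tx) -> bool:
        return self.pending.pop(tx.txid, None) is not None


class OutpointKeyedLedger:
    """Robust reconciliation: a withdrawal counts as settled once the coins it
    spends are consumed by a confirmed tx paying the same outputs, whatever its txid."""
    def __init__(self):
        self.pending = {}  # frozenset of outpoints -> Tx

    def broadcast(self, tx: Tx) -> None:
        self.pending[frozenset(tx.inputs)] = tx

    def on_confirmed(self, tx: Tx) -> bool:
        key = frozenset(tx.inputs)
        original = self.pending.get(key)
        if original is None or original.outputs != tx.outputs:
            return False
        del self.pending[key]
        return True


def reconcile(ledger_cls, malleated: bool) -> dict:
    """Broadcast one withdrawal, then feed the ledger the copy that confirmed.
    Returns whether the ledger recognised it and whether it is still pending,
    which is the state a naive retry loop would act on by paying again."""
    ledger = ledger_cls()
    withdrawal = Tx(
        inputs=(("11" * 32, 0),),              # constructed outpoint
        outputs=(("customer-address", 1.5),),  # constructed payout
        sig=b"\x30\x44constructed-signature",
    )
    ledger.broadcast(withdrawal)
    confirmed = malleated_copy(withdrawal) if malleated else withdrawal
    recognised = ledger.on_confirmed(confirmed)
    return {"recognised": recognised, "would_resend": bool(ledger.pending)}


if __name__ == "__main__":
    for cls in (TxidKeyedLedger, OutpointKeyedLedger):
        for malleated in (False, True):
            label = "malleated" if malleated else "intact"
            print(cls.__name__, label, reconcile(cls, malleated))
```

Running the script shows the asymmetry: both ledgers settle an intact withdrawal, but only the outpoint-keyed one settles the malleated copy; the txid-keyed one reports it unrecognised and leaves it pending, which is exactly the state an automated “resend stuck withdrawal” job turns into a repeat payout. Matching on spent outpoints plus the expected outputs closes that gap without any protocol change; Bitcoin itself later removed the root cause (strict DER encoding as a consensus rule, and segregated witness moving signatures out of the txid), neither of which is discussed in this article.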
The theft has already had an impact on the price of bitcoins – already wobbling after the shutdown of MtGox. According to the SCMP, the Coindesk price index (a benchmark combining prices from Bitstamp and BTC-e) has fallen $70 in 24 hours, and customers fear that the 4,500 stolen bitcoins will flood the market.
Silk Road, a “drug market” which authorities claim shipped $45 million per year of drugs including heroin around the world was shut by authorities last year – but weeks later, a site styling itself Silk Road 2.0 appeared. Like the original, it is only accessible via the “anonymous” browser Tor, reported by We Live Security here.
Alleged founder Ross Ulbricht, 29, is now in custody awaiting trial on charges relating to alleged global sales of $1.2 billion in illegal drugs, but the new site’s owner has adopted his alleged pseudonym, Dread Pirate Roberts. Under the Twitter handle @DreadPirateSR, the new founder announced the launch in a Tweet, “20 minutes to go. You can never kill the idea of Silk Road”.
A site administrator said, “It took the FBI two-and-a-half years to do what they did…but four weeks of temporary silence is all they got,” according to a report by Yahoo News.
The site was only accessible via the anonymized Tor network, and dealers sent packages via mail. Payment was made via the cryptocurrency Bitcoin. Due to the difficulty of tracing or identifying Tor users, the service is used widely by cybercriminals, and even to host botnets, as reported by We Live Security here.
The charges against the original Silk Road’s Ulbricht – who styled himself the Dread Pirate Roberts online – allege that the site generated sales totalling more than 9.5 million Bitcoins – a sum roughly equivalent to $1.2 billion.
The new site offered improved security, including the option to use PGP encryption keys as an added authentication measure, according to Tweets by the new ‘leader’ of the site, Dread Pirate Roberts. While various high-profile ‘drug markets’ – and markets selling weaponry, marriages and hackers for hire – have been busted in past months, they are also springing up rapidly. Dealers simply move stock between the sites, and point to customer ratings from other sites as they relaunch.
One Dutch drug company said on its site, “After the shocking events on Silk Road yesterday we have accessed our Black Market Reloaded account (which we had made a few months ago for events like these). We are now adding a serious amount of listings and will go online ASAP.”
Author Rob Waugh, We Live Security