On Thursday, one of the recently-reincarnated drug-selling black market site’s administrators posted a long announcement to the Silk Road 2.0 forums admitting that the site had been hacked by one of its sellers, and its reserve of Bitcoins belonging to both the users and the site itself stolen. The admin, who goes by the name “Defcon,” blamed the same “transaction malleability” bug in the Bitcoin protocol that led to several of the cryptocurrency’s exchanges halting withdrawals in the previous week.
“I am sweating as I write this… I must utter words all too familiar to this scarred community: We have been hacked,” Defcon wrote. “Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.”
Just how many bitcoins were stolen wasn’t said in the post, although it listed a series of Bitcoin addresses that the Silk Road administrators believe to have been involved in the heist. Those transactions seem to point to a single Bitcoin address that contains 58,800 coins, worth more than $36.1 million at current exchange rates. But tracing Bitcoin’s pseudonymous transactions is always tricky–other estimates range from 41,200 by a Silk Road user and 88,000 by the Bitcoin news site.
Update: Nicholas Weaver, a researcher at the International Computer Science Institute, estimates the total theft of Silk Road’s bitcoins at a much lower number: just 4,400 or so coins, worth around $2.6 million.
In a public announcement perhaps less than circumspect given that Ross Ulbricht, in jail for allegedly being the original manager of Silk Road, is facing charges of arranging murders (that never happened):
Based on the Silk Road’s data about the attack, the site’s staff point to three possible attackers, two in Australia and one in France. “Stop at nothing to bring this person to your own definition of justice,” Defcon writes.
Some wonder if the new Silk Road people aren't covering for their own problems:
Silk Road’s users, predictably, didn’t take the announcement at face value, and many instead suspect that the site’s staff have used the “transaction malleability” bug as a scapegoat to cover their own incompetence–the site has been plagued with more pedestrian bugs since launching in November–or even that they’ve run off with the users’ bitcoins themselves. “Transaction malleability,” after all, has been a known issue with Bitcoin for two years, and is described by most Bitcoin security experts as more of a major nuisance than a real threat that would allow funds to be stolen.
The cryptocurrency has been so shaken by this news and other recent problems that it has only more than tripled in value in the past five months, for some perspective on the past week's USD price dive.