More Bad News for Bitcoin: Silk Road II Hacked, Bitcoin Stolen


So reports Andy Greenberg of Forbes, the reporter so tied in that original Silk Road operator Dread Pirate Roberts or someone pretending to be him actually talked to him:

On Thursday, one of the recently-reincarnated drug-selling black market site's administrators posted a long announcement to the Silk Road 2.0 forums admitting that the site had been hacked by one of its sellers, and its reserve of Bitcoins belonging to both the users and the site itself stolen. The admin, who goes by the name "Defcon," blamed the same "transaction malleability" bug in the Bitcoin protocol that led to several of the cryptocurrency's exchanges halting withdrawals in the previous week.

"I am sweating as I write this… I must utter words all too familiar to this scarred community: We have been hacked," Defcon wrote. "Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as "transaction malleability" to repeatedly withdraw coins from our system until it was completely empty."

Just how many bitcoins were stolen wasn't said in the post, although it listed a series of Bitcoin addresses that the Silk Road administrators believe to have been involved in the heist. Those transactions seem to point to a single Bitcoin address that contains 58,800 coins, worth more than $36.1 million at current exchange rates. But tracing Bitcoin's pseudonymous transactions is always tricky–other estimates range from 41,200 by a Silk Road user and 88,000 by the Bitcoin news site.

Update: Nicholas Weaver, a researcher at the International Computer Science Institute, estimates the total theft of Silk Road's bitcoins at a much lower number: just 4,400 or so coins, worth around $2.6 million.

In a public announcement perhaps less than circumspect given that Ross Ulbricht, in jail for allegedly being the original manager of Silk Road, is facing charges of arranging murders (that never happened):

Based on the Silk Road's data about the attack, the site's staff point to three possible attackers, two in Australia and one in France. "Stop at nothing to bring this person to your own definition of justice," Defcon writes.

Some wonder if the new Silk Road people aren't covering for their own problems:

Silk Road's users, predictably, didn't take the announcement at face value, and many instead suspect that the site's staff have used the "transaction malleability" bug as a scapegoat to cover their own incompetence–the site has been plagued with more pedestrian bugs since launching in November–or even that they've run off with the users' bitcoins themselves. "Transaction malleability," after all, has been a known issue with Bitcoin for two years, and is described by most Bitcoin security experts as more of a major nuisance than a real threat that would allow funds to be stolen.

Reason on Silk Road, and on Bitcoin.

The cryptocurrency has been so shaken by this news and other recent problems that it has only more than tripled in value in the past five months, for some perspective on the past week's USD price dive.


  1. Why do I have a feeling the government is behind this?

    1. Probably for the same reason that I do. That is the first thing that popped in my head.

    2. Untreated paranoia?

  2. I tried to buy a Bitcoin with Paypal – not possible. They wanted my bank account info so I passed. No way am I giving two-way on a demand account.

    1. Wow. actual signs of intelligence!

      Call SETI, we found a live one here!

    2. It is surprisingly hard to turn US money into bitcoins.

  3. Eventually just like the stock scams of the 20s when it was discovered that rich people colluded to drive up the price by trading among themselves and dumping the shares when they got high enough – Bit Coin is too a massive fraud.

  4. I’ll stick with good, old fashioned sawbucks, thank you very much. No one ever steals those.

  5. More Bad News for Bitcoin: Silk Road II Hacked, Bitcoin Stolen

    The price of Bitcoin breaks below the $500 US mark

    Those were the days my friend
    We thought they’d never end
    We’d sing and dance forever and a day
    We’d live the life we choose
    We’d fight and never lose
    For we were young and sure to have our way.
    Those were the days, oh yes those were the days


    2. Don’t take the Gox price seriously for the moment. You can’t get BTC out of there, and there’s a chance they’re just plain insolvent. They’re lower than the functioning exchanges now.

      More on transaction mutability after I put kids to bed.

    3. I never knew that $680 was below $500…

  6. Is there anybody out there insuring Bitcoin? There should be a big opportunity for some entrepreneur to setup something like that. You wouldn’t be able to sue insurers very easily (or privately), but Swiss and other offshore banks operated that way for decades.

    1. Didn’t Fitch give Bitcoin a AAA?

      “Insure” my ass!

      1. I mean like insuring your car against theft. I should be able to insure my Bitcoin anonymously–buy myself a policy. It wouldn’t be the first time entrepreneurial insurers solved the problem of easily lost or stolen goods. There’s a whole centuries old, international industry devoted to solving this problem.

        1. For you to sell insurance you have to sell it at a price lower than the potential loss. Knowing that Bit Coin is a likely fraud waiting to collapse, why would you take that risk? Imagine all those people owning Bit Coins and then insuring them for 500 dollars each by paying 50 dollars each. Then when the collapse comes and there is no money to pay off the insured, where do they get the money? In addition, now that there is a real player backing each Bit Coin with real cash, you have even more incentive for it to collapse than wait for it to spread.

          1. Reason for thinking it is a fraud? If so, who is perpetrating it? Is there a flaw in the math( could be, but there’s 10 billion incentives to find it)

          2. If Bitcoin’s problems are solvable, an insurer might start offering something like their own wallet.

            They might say…we’ll give you an anonymous account number like Swiss banks do. And, if you want to insure however many Bitcoins, we’ll be happy to sell you insurance, but the insurance will only be valid so long as you keep the Bitcoins on our server.

            You take ’em to the bad side of town and get robbed in the process of a drug deal, sorry, we can’t help you. But your bit coins are insured so long as they’re on our server.

            Meanwhile, maybe they’re using their own methods to ensure the security of their servers and your Bitcoins. With a Swiss bank kind of anonymous account, they probably wouldn’t compromise Bitcoin’s anonymous features.

            Maybe to insure your Bitcoins, you have to technically “sell” the insurer (or bank) your Bitcoins, and they automatically and seamlessly “sell” whatever number of bitcoins are in your account at the time, whenever you need them. That way, they can discourage you from committing insurance fraud against them.

            Regardless, I am confident that entrepreneurs who’ve been handling financial transactions and selling insurance will be able to innovate something workable.

            And if whatever methods they devise aren’t foolproof, well, insurance for other things isn’t foolproof either. Merchandise gets stolen, and insurers pay. Insurers get defrauded, too. Both things happen every day, and the insurance industry marches on.

          3. Insure against theft only, not loss of value.

    2. There probably will be soon. Everybody in the US is afraid of being classified as a money transmitter.

      Things coming down the pipeline – second-gen distributed apps like OpenTransactions, Etherium, and probably Ripple and a few others will allow contracts with BTC, including options. Should be reasonable to do insurance, too.

    3. Until the Feds illegalize insuring currencies other than those issued by central banks. Which would arguably fall under the international commerce and money coining powers in A1S8.

      1. Tulpa, what I mean is trustless, decentralized contracts. Throw it over TOR if you want. Willing buyers and sellers of insurance (options, contracts, exchanges of currencies, bets, etc) voluntarily, anonymously making those transactions on a decentralized platform.

        Bitcoin is just the beginning.

        1. How do you enforce a contract with an anonymous counterparty?

          1. The software enforces it. Digital contracts.

            You make the contract, and the software enforces it. One method (not the only) of giving it teeth would be for the parties to post bonds, with the contract setup to only release those bonds when both parties sign off on it (maybe with an escrow agent as a third-party).

            That also means you can handle things like timestamping (of documents) — the title to land or a house could be represented on that, as well. No need for a notary, it’s known legit by virtue of the history that is publicly available, and anyone (in the world) can verify it.

            Granted, physical delivery can still be difficult.

            1. That might work for even-probability bets, but I don’t see how insurance could possibly work in that situation. If an insured loss occurs, and the claim value is greater than the bond posted by the insurer, they’re better off disappearing and forfeiting the bond (and the market can’t punish them for this since it’s anonymous). And no one is going to sell insurance if they have to post a bond equal to the maximum loss for every policy they sell.

              That’s only one possible approach, as you say, but I’m sure there’s similar problems with all of them.

              1. One thing is you can still have a reputation in an anonymous situation. Maybe insurance isn’t the spot for that (and it was the start of the thread).

                My point is that several business models won’t be able to be effectively outlawed. I’m sure they’ll try, but that will just: 1) drive the innovation out of the US. 2) drive more people to use more decentralized technology.

                Oh, didn’t mention it before, since I didn’t want to drag the thread off, but:

                Which would arguably fall under the international commerce and money coining powers in A1S8.

                I’d suggest the powers that they would regulate something like that under don’t really matter at this point. We operate under the FYTW clause now. Obama can just do an EO for it. Really no point in looking for a justification.

  7. Transaction malleability — what they’re calling a bug — isn’t. It’s a necessary thing for changing transactions before they confirm — which lets you do things like assurance contracts or escrow contracts. Or making a deposit and adjusting it down to the actual payment.

    Gox relied on that not changing, so people called them and said x transaction didn’t work, and they resent the payment. Attacker got both. It’s stupid procedures and software on Gox’s part.

    SR II – I’m pretty sure they just scammed some folks, if they really did get hacked, but nothing to do with this. The money in it was probably a mixer.
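
The bookkeeping failure described in the comment above, shown as an added example that is not part of the original thread or of any exchange's code: a withdrawal system that looks for its payment by transaction id misses a confirmed copy whose signature bytes differ, while a check on what was spent and who was paid does not. `Tx`, `payment_key`, the function names and the sample values are assumptions, and the transaction model is simplified (it is not real Bitcoin serialization).

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: tuple    # spent outpoints, e.g. ("aa11:0",)
    outputs: tuple   # (address, amount) pairs
    sig: bytes       # signature bytes; placeholder values in this model

    def txid(self) -> str:
        # As in pre-SegWit Bitcoin, the id covers the signature bytes too,
        # so the same payment can confirm under a different id.
        body = repr((self.inputs, self.outputs, self.sig)).encode()
        return hashlib.sha256(hashlib.sha256(body).digest()).hexdigest()

    def payment_key(self) -> str:
        # Signature-independent identity: what is spent and who is paid.
        body = repr((self.inputs, self.outputs)).encode()
        return hashlib.sha256(body).hexdigest()

def confirmed_by_txid(sent: Tx, chain: list) -> bool:
    """Fragile check: assumes the id we broadcast is the id that confirms."""
    return any(tx.txid() == sent.txid() for tx in chain)

def confirmed_by_payment(sent: Tx, chain: list) -> bool:
    """Robust check: any confirmed tx with the same inputs and outputs."""
    return any(tx.payment_key() == sent.payment_key() for tx in chain)

def safe_to_resend(sent: Tx, chain: list) -> bool:
    """Reissue a withdrawal only if none of its inputs were spent on chain."""
    spent = {outpoint for tx in chain for outpoint in tx.inputs}
    return not (set(sent.inputs) & spent)

# Constructed sample data: one withdrawal, and a confirmed copy of it that
# differs only in its (placeholder) signature bytes.
SENT = Tx(("aa11:0",), (("customer_addr", 5000),), b"sig-encoding-A")
MUTATED = Tx(SENT.inputs, SENT.outputs, b"sig-encoding-B")
CHAIN = [MUTATED]

if __name__ == "__main__":
    print("found by txid:    ", confirmed_by_txid(SENT, CHAIN))
    print("found by payment: ", confirmed_by_payment(SENT, CHAIN))
    print("safe to resend:   ", safe_to_resend(SENT, CHAIN))
```

A support process that answers a "my withdrawal never arrived" ticket from the first check alone would pay twice; the third check refuses because the original inputs are already spent.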

  8. Oh, somebody should mention too that hard currency is pretty easily stolen, too. Nobody blames the U.S. Mint when their money gets stolen. I thought Bitcoin’s problem was that because a huge chunk of the market for Bitcoin was tied up in Silk Road transactions, people were afraid that the value of their Bitcoin would drop when Silk Road was raided. Didn’t Bitcoin jump back up after the raid? Why won’t the same thing happen after this fiasco?

    1. Bitcoin dropped a hundred or so when SR was raided, but recovered in hours. SR wasn’t as big of a deal as we thought. After the bust it really went on a tear.

      This drop is mainly because Gox is melting down (maybe, certainly having serious problems). Gox used to be 80% of exchange volume, now they’re around a quarter. Creative destruction in action.

      BTC price will recover. Might be days, might be months. Doesn’t change the fundamentals.

      Oh, and price spikes hit 3 months after big publicity as new users come in.

      1. Yeah, seems to me like…

        And for anyone who reads this, past performance is no indication of future results, before you get involved in any investment, you should seek the advice of a licensed investment professional. Not all investments are appropriate for everyone, and anything you say can and will be used against you in a court of law.

        …there’s some risk there, but this looks like a buying opportunity.

        1. Heh, true-that.

          Gox is down below $350 at the moment, and touched $302. I wouldn’t touch them right now, of course, but if I had dollars in there, yea, convert them to BTC and hope you can get ’em out. Them trading that low (all by themselves) tells me that they probably aren’t going to survive this.

          $561 on bitstamp, wondering if it bottomed.

          I’ll get a bit on this dip, just a matter of trying to time it.

          1. Them trading that low (all by themselves) tells me that they probably aren’t going to survive this.

            By “them” I assume you mean Mt Gox.

            I don’t see how that matters one way or the other.

            If Mt Gox bitcoin prices go down to $1 or stay or go up to bitstamp prices why should it matter if withdrawals resume?

            Why would the price being low or high matter in Mt Gox’s survival?

            1. I’d suspect Mt. Gox emptying out as soon as they resume withdrawals, and having a much lower trading volume after would be bad for them. That there is such a differential now suggests that as soon as people can, they’ll get out (to me, at least).

              1. Basically, it’s a run on a bank.

  9. But but but but…. I thought without government regulation, no business anywhere would be honest.

    Specially, without laws forcing private companies to disclose to users when they find security breaches, we would never know.

    & here – they could easily have lied. I assume they have some nominal control over “vendors” and since you’re buying things that are not traceable for obvious reasons, just say “all stuff was shipped”.

    Unless a large number of people start complaining same time, same place, and given what the market sells and how, with so few users affected it’s unlikely anyone would’ve known.

    As the users would likely just say to these losses “it sucks, but when buying what I want to buy and only being able to buy under certain conditions due to laws, losing money from time to time is just the price of doing business. & besides, losing money is still better than losing one’s freedom.”

    Not that most will notice nor care – but example #2,89.893… X 10^12 that humans engaging in voluntary transactions have built in incentives to do the right thing and generally will do so.

    & those that don’t – even in a scary black markets – will be punished (fail).

    But according to Obama – companies today cannot even be allowed to offer me different insurance plans – because I’m being “exploited”.

    They’re right about that – we’re being exploited. & as usual, they are doing the exploiting while arguing it’s not them, but others doing the exploiting (projection).

  10. BTC will come back; the Foundation will shore up the protocol, probably within 72 hours; but the convertibility problems with Magic Online the FOREX will remain. Could be opportunity, could be recipe for disaster. All I know is once the protocol is that much tougher there will be huge crypto-markets in places like Argentina and Venezuela before year’s end. It’s places where El Presidente currency collapses that crypto-money will naturally take over for the first time.

    Look to such places for barometers of crypto-money if you’re playing a long-money game.

    1. Foundation doesn’t control the protocol, core devs do. The foundation employs one of the core devs, but doesn’t get to choose that.

      Also, the protocol is fine, and isn’t changing. The main, reference client that the core devs maintain (Bitcoin-QT) is getting a new status to make it more clear to the user about trickery going on.

      Otherwise, entirely agree.

  11. Wow nice score!! Not bad at all!

  12. I was going to buy some BitCoin, so I could order some drugs off of Silk Road, but now I don’t see the point.

    Besides I hear everyone is switching to Dogecoin.


  13. It’s too crazy for bitcoins, maybe it’s a little early for Bitcoins to be accepted by the world