The reincarnation of the Silk Road website has apparently been rinsed dry by hackers, who made off with 4,474.26 Bitcoins, worth around $2.7 million, from its users' accounts, according to a report in Forbes.
Silk Road 2.0 administrator Defcon broke the news via a forum post, saying that the attackers took advantage of Bitcoin's recently exposed transaction malleability flaw to compromise the site. Malleability lets a third party re-encode a signed transaction so that it acquires a different transaction ID while still spending the same coins to the same recipients; a service that tracks its payments by ID alone sees its original send apparently vanish and can be talked into sending the same amount again. It is the same bug that forced Mt. Gox to temporarily suspend all withdrawals. According to Defcon, the problem lay in the fact that Silk Road 2.0 used only transaction IDs to confirm each Bitcoin transfer. He claims that six vendor accounts colluded to exploit this by placing orders with one another and then submitting repeated requests for refunds.
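To make the mechanism concrete, here is an added, self-contained reconstruction (example code written for this page, not code from Silk Road 2.0, Mt. Gox or Bitcoin Core). It serializes a pre-SegWit transaction the way the original txid rules hash it, re-encodes the scriptSig push with OP_PUSHDATA1 (one of the documented malleability vectors, since a P2PKH signature does not cover the scriptSig bytes), and then reconciles the payment two ways: keyed by txid, as the article says the site did, and keyed by the outpoints the transaction spends. The signature, public key, outpoint and amounts are all constructed placeholders.

```python
"""Transaction malleability vs. txid-only payment tracking (constructed example)."""
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def push_minimal(data: bytes) -> bytes:
    """Direct push (opcode equals the length) for 1..75 bytes of data."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def push_pushdata1(data: bytes) -> bytes:
    """OP_PUSHDATA1 push of the same data: same script result, different bytes."""
    assert len(data) <= 0xFF
    return b"\x4c" + bytes([len(data)]) + data


def serialize(version, inputs, outputs, locktime) -> bytes:
    """Pre-SegWit wire format; the txid hashes these bytes, scriptSig included."""
    raw = struct.pack("<I", version) + varint(len(inputs))
    for prev_txid_le, vout, script_sig, sequence in inputs:
        raw += prev_txid_le + struct.pack("<I", vout)
        raw += varint(len(script_sig)) + script_sig + struct.pack("<I", sequence)
    raw += varint(len(outputs))
    for value, script_pubkey in outputs:
        raw += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    raw += struct.pack("<I", locktime)
    return raw


def txid_of(tx) -> str:
    return sha256d(serialize(*tx))[::-1].hex()


# Constructed placeholders; the malleation below does not depend on their content.
FAKE_SIG = b"\x30" + b"\x11" * 70      # 71 bytes, roughly the size of a DER signature
FAKE_PUBKEY = b"\x02" + b"\x22" * 32   # 33-byte compressed public key


def withdrawal_tx(script_sig: bytes):
    """The marketplace's withdrawal: spends one hot-wallet coin, pays the user, returns change."""
    prev_txid_le = bytes.fromhex("aa" * 32)  # constructed outpoint being spent
    inputs = [(prev_txid_le, 0, script_sig, 0xFFFFFFFF)]
    p2pkh = lambda h160: bytes.fromhex("76a914") + h160 + bytes.fromhex("88ac")
    outputs = [
        (50_000_000, p2pkh(b"\x11" * 20)),  # 0.5 BTC to the user
        (49_990_000, p2pkh(b"\x22" * 20)),  # change back to the hot wallet
    ]
    return 1, inputs, outputs, 0


def outpoints(tx) -> frozenset:
    """The coins a transaction spends; unchanged by any re-encoding of the scriptSig."""
    _, inputs, _, _ = tx
    return frozenset((prev.hex(), vout) for prev, vout, _, _ in inputs)


def unsettled_by_txid(sent, confirmed):
    """Txid-only bookkeeping: a send counts as settled only if its exact txid confirmed."""
    confirmed_ids = {txid_of(t) for t in confirmed}
    return [txid_of(t) for t in sent if txid_of(t) not in confirmed_ids]


def unsettled_by_outpoints(sent, confirmed):
    """Robust bookkeeping: a send is settled once the coins it spent are spent on-chain."""
    spent = set()
    for t in confirmed:
        spent |= outpoints(t)
    return [txid_of(t) for t in sent if not outpoints(t) & spent]


def demo():
    original = withdrawal_tx(push_minimal(FAKE_SIG) + push_minimal(FAKE_PUBKEY))
    # Attacker rewrites the push encoding of the unconfirmed tx; the signature stays
    # valid because P2PKH signatures commit to the outputs and outpoints, not to
    # the scriptSig bytes. (Flipping the DER S value was another such vector.)
    malleated = withdrawal_tx(push_pushdata1(FAKE_SIG) + push_minimal(FAKE_PUBKEY))
    chain = [malleated]  # the network confirms the attacker's copy first
    return {
        "original_txid": txid_of(original),
        "malleated_txid": txid_of(malleated),
        "same_coins_spent": outpoints(original) == outpoints(malleated),
        "same_outputs": original[2] == malleated[2],
        "txid_tracker_resends": unsettled_by_txid([original], chain),       # paid twice
        "outpoint_tracker_resends": unsettled_by_outpoints([original], chain),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The txid-keyed tracker reports the original send as missing and, if wired to a refund or retry path, pays a second time for the same coins; the outpoint-keyed tracker sees that the inputs were spent and does nothing. Matching on what a transaction spends and pays, rather than on its hash, is the practical mitigation for a service; the protocol-level fixes came later, with strict DER and low-S rules and finally Segregated Witness, which moved signatures out of the txid hash altogether.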
Now, sounding rather desperate, Defcon is asking the hackers to return what they’ve stolen:
“Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward,” he wrote.
Silk Road 2.0 users are now attempting to hunt down the thieves. Defcon provided a few clues in his post, reports TechCrunch:
# Attacker 1: (Responsible for 95% of theft)
Suspected French, responsible for the vast majority of the thefts. Used the following six vendor accounts to order from each other, to find and exploit the vulnerability aggressively.
## Usernames used:
Forbes reports that not everyone is buying Defcon’s story, however. A number of users wrote angry posts accusing the site’s administrators of incompetence, while some even accused them of running off with the loot themselves. Defcon has denied these claims, but admits that full responsibility lies with the site’s operators.
“I have failed you as a leader, and am completely devastated by today’s discoveries…It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch,” he wrote.
Not surprisingly, the attack has had a negative effect on the price of Bitcoin, which fell from $650.51 yesterday to a low of $555.59, before rebounding slightly to $585.47 at the time of writing, according to Bitcoinaverage.com.
Despite the hack, it looks as though Silk Road 2.0 will continue its illicit trade. Defcon said that the site will stop using its escrow system and will instead let users take care of their own transactions. He said that the site will try to introduce "multi-signature transactions", in which spending a payment requires signatures from more than one party, so that the site can co-sign to release or refund funds in a dispute while holding no key that lets it move the funds on its own; it acts as an escrow without ever having custody of the coins.