Feeds

Silk Road reboot claims: Hacker STOLE all our Bitcoin funds

In shocking turn, drug world proves unworthy of trust

Protecting against web application threats using SSL

The latest incarnation of the Silk Road underground market says it lost all of its Bitcoin reserves (estimated to be worth two to three million dollars) in a fraud attack.

A site administrator said on Wednesday that a group of hackers appear to have exploited the Bitcoin "transaction malleability" loophole to withdraw funds from the site just as admins were conducting maintenance work that required funds to be placed in a vulnerable location.

The result, according to administrator "Defcon" was the complete loss of all Bitcoin funds the site had in its escrow holdings.

"This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community's full balance in hot storage," Defcon said in announcing the attack.

The administrators believe that the attackers were able to exploit a transaction malleability flaw similar to those spotted in the MtGox exchange. Such errors allow attackers to manipulate hash information and spoof transactions before they are processed by the vendor. In the case of Silk Road redux, the administrators say that the attackers performed such operations many times over until all funds it controlled were drained.

Despite the headlines and attention afforded to the transaction malleability flaw, the condition has been known about since 2011, and experts say that sites and exchanges using best practices could eliminate the vulnerability from their bitcoin services.

"I have failed you as a leader, and am completely devastated by today's discoveries. I should have taken MtGox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported," Defcon said.

"I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow."

The admin also posted a series of accounts believed to have been used by an individual or individuals involved in the attack. The majority of the funds, says Defcon, went to an individual in France, while two others in Australia are also believed to be involved. The admin has asked users to contribute any information they may have which could lead to the recovery of the funds.

The theft is the latest misfortune to strike the Silk Road family of underground market sites. Once seen as a haven for users to anonymously trade in information and goods (okay, drugs) the original Silk Road was dismantled last year and its creator, and a San Francisco man who went by the alias Dread Pirate Roberts now faces a lengthy stretch in federal prison.

Subsequent efforts to re-launch successors to Silk Road have similarly been met with police takedowns and arrests, though that has not prevented the establishment of a number of other smaller anonymous markets. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.