The second incarnation of the (in)famous Silk Road underground market has been hacked, claims one of its moderators who goes by the online handle “Defcon”, and an estimated 4,400+ Bitcoins (currently worth between $2 and $3 million) that the market kept in a central escrow service have been pilfered by attackers.
“Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker, noted Defcon in a public announcement that has been reposted on reddit.
“Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as ‘transaction malleability’ to repeatedly withdraw coins from our system until it was completely empty. Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.”
“This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community’s full balance in hot storage,” he explained.
“In retrospect this was incredibly foolish, and I take full responsibility for this decision. I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand.”
Defcon asked the thiefs to return the money, and has stated that “Silk Road will never again be a centralized escrow storage,” that he’s now convinced that “no hosted escrow service is safe,” and that the Silk Road team will begin working on multi-signature transactions.
He also shared the usernames of the attackers, and claims that the one that syphoned off most of the money is likely French, and the other two from Australia.
The Darknet Markets community on reddit has been vigorously discussing the credibility of the announcement and that of Silk Road administrators, and many believe that the people in charge are those who organized the heist.
Whatever the case turns out to be, this is one additional blow both to the underground market community and to Bitcoin as a digital currency that tries to gain global respectability.