Bitcoin Forum

So how does this happen then? Was their server where the main hot wallet was storing bitcoins not multisig for protection or how does that work? Things that make you go hmmm.

http://www.coindesk.com/black-market-cannabis-road-hacked-loses-100000-bitcoin/ 

That hacker should be hired by some big company like google or microsoft (after some years in jail of course).

maybe its just a lie and they ran off with the money

"hacked"

https://i.imgur.com/RVcZa0n.jpg

I would like to see some proofe of a hack before i just belive what they write.
My understanding is that multi-sig is very secure but they were using some hybrid version they said.
I belive i read somewhere that silk road 2 is also in the middle of implamenting multi-sig escrow, maybe they will have 2nd thoughts now.

1. Inside job
2. Company lied about their security
3. He's jesus

You decide.

Of course they ran off with the money. Who do you blame? Tell the police they stole my drug money! ::)

That's exactly what I thought as soon as I saw this. This is just yet another reason why we need decentralized Markets.

Guys, come on. We shouldn't accuse them of something. Maybe they were the honest, hard working kind of criminals?  :D

Is there a proof to this effect?

Sounds like it was a 2 of 3 multisig, so that means the vendor and market where the same person

though its was most probably a third party wallet so the market knew all three addresses anyway

Proof to what? Whether they were hacked or "hacked"? I'm sure some more details will become available soon. Have they provided the addresses where the funds were sent to?

I think this is an inside job. 8) 8)

I think they've been "hacked" almost for sure. It's the same story over and over again.

Semi-legal and illegal entities that attract funds can easily run away with them, because nobody can persecute them without admitting morally questionable or illegal activity as well.

ya.ya.yo!

You can follow this link from the story, it show the address that the btc went to.
http://blockchain.info/address/1CatnMd3jsEKhwhSLUf8V862im8gBp3NDF
But this alone is not proof of a hack, just where some btc went.

interesting theory on that. while it could be quite true that they could run away with your coins because who is going to sue someone for a few thousand dollars of bitcoin when you are using it to buy illegal drugs?

probably no one.


"hacked" is probably a good way to put it.

i really do wonder though if it is possible to intercept the data going between somethinga nd actually grab the sigs then combine then for the multi sig then steal everything.

obviously whoever does that would have to be pretty good at doing that, but if just one person knows how to do it it would seem they are the same person who keeps hitting all these small exchanges also.

i lost like .2 btc on coinex.pw.... had some random mooncoins and small pieces of different coins and it got "hacked" too. but i can never really know.

I know it's not proof, but people can follow where the money goes and possibly trace it back to someone, or at least it may provide some clues.

I agree with a couple of others above that it was almost certainly an inside job. Just because they have multi sig capability doesn't mean they're actually using it, or at least using it properly. Also, they may have been using a lot of their own product and just forgot to do something.

I doubt they really hacked, expect the one who hacked is highest-level hacker
I think someone inside the company created backdoor & hacked it (when they want)

Maybe they not use 3 level multi sig properly  ???

But, looks like it "hacked" not hacked

Wasnt there an announcement about 2-3 weeks ago TOR was potentially compromised. Potentially not causing any panic for users or vendors but rather the site operators became vulnerable to.... justice.

I am guessing a inside job considering other sites did shut down on this announcement. Causing a 'migration' of vendors and buyers to other market places. Well these other market places probably were scams from the beginning simply waiting to gain some serious coin, and or once they learned of the potential TOR compromise they decided it wasnt worth the risk any more, but rather than closing shop 3 weeks ago it was more like, wait.. wait. waait.. waaaiit... okay now kill the site, call it hacked, we're done.

Considering most 'hacks' up so far have all very likely been inside jobs, whether it was intentional or not to steal from the ppl, they are likely smashing/burning hard drives right now and destroying potentially incriminating evidence. They hacked you, to save themselves. But they probably didnt mean to let you down, TOR let them down which let the rest of the users down.

If i was the site owner, this probably would have been my logic.

200 BTC, that's shit load of money. The hacker really is millionaire now!!

Another drawback of BTC..^^

Yeah it could have been an inside job. So another 200 BTC that are about to get dumped?

Which is the case with most """hacks"""

My guess it was an inside job for sure.

I wonder what the hacker would have done with those money..

Also was the security flawed that hacker got into?

probably buy some weed  :D

It is certainly not using multi-sig for their customer accounts. Maybe once they initiate a purchase, the system puts the money in escrow with a multi-sig transaction but before that, the money sits in at an address protected with a single key.

If you want to see why, follow the link they provided to blockchain.info
https://blockchain.info/address/1CatnMd3jsEKhwhSLUf8V862im8gBp3NDF (https://blockchain.info/address/1CatnMd3jsEKhwhSLUf8V862im8gBp3NDF)

There are 4 transactions that totalled 50 BTC each. Click on any of them. They have lots of small inputs and a single output. Every input corresponds to a customer account.
Click on any of them. Look for the address in the output side. It's the transaction that funded that account. Follow that transaction. The output script looks like OP_DUP OP_HASH160 xxxxxx OP_EQUALVERIFY OP_CHECKSIG which is a standard pay-to-hash transaction.

Basically, their system has an inherent flaw. When a custom funds his account, he does a normal transaction. They have a script that collects everything from all the deposits and moves it to their own address. From there they can do the multi-sig stuff.

The developper of the website gave the tool to the hacker himself. The hacker just had to change one parameter, the target address and he was done.

Honestly, this looks like very shabby work and also shows once again that we shouldn't believe the marketing crap. Multi sig ... right

If they use multisig like Bitgo does, which I'm using, the hacker would have to compromise both the users computer AND the website of the drug-market. Unlikely but not impossible. Since the majority are not using multusig yet I would choose and easier target if I was a hacker I guess...

Hahaha nice :)

That's probably just fake hack, never trust criminals! (Exept for Ross William Ulbricht)

if this news is true ,
should we be carefull  :)

Another company that says it got hacked how very convenient.

200 bitcoins, now that's what real money means. Probably the real owner got indebted or something, I also wonder how the heck did he manage to get into after such a tight security.

I think nails it right on the head. Over the past year there have been several illegal TOR drug related sites that have claimed to have gotten hacked at a time when they have reached their peak of amount of deposits from customers. The fact that the owners attempt (and generally are successful) to be anon it will be very difficult for anyone to figure out who had stolen their bitcoin.

For all anyone knows, all of the illegal drug sites that have their coins stolen are all run by the same person/group of people.

That sounds about right, you  can't have multisig transactions hacked unless they all came from the same PC using the same core wallets which defeats the purpose of having a multi-signature wallet.

Where each key is generated independently on separate systems, the only way this would fail is if someone compromised all the computers and the keys or they were stored in a digital server cache like dropbox.
In other words it didn't happen someone either is lying or they really did something stupid to mess that up so badly.

Whatever if it did really get hacked legitimately I look forward to the code audit some core developers will have a field day on this one if it was real ^^. (Something wrong in the ECDSA when generating more than one protection key kid :P)

it makes sense also that it was inside job because who wants the risk of running it indefinitely? they have to have an exit strategy and this one gives them a nice pay day.... especially considering it is hard to sell the business as you could do more easily with a legal operation.

I wonder where are these 200 BTC by now.

Why would anyone use a Computer to buy illegal narcotics? It just boggles the mind...  :-X

With such a robust security supposedly in place I would have to think this was an inside job as well. Unfortunately there is no real recourse for people that lost money in an illegal business. The BTC drug market seems to be destroying itself.

cha ching, this guy gets it.

as if the customers are now going to go to the cops or try to get a court order saying that their drug money had been stolen.
when dealing with people that handle illegal stuff, assume its them that you cannot trust and that they will be the ones to stab you in the bck first, because they know the customer cant do a damn thing about it.

then assume that they will come up with some cunning excuse to shift the blame to then repeat the same scam again

the "we can't recover from this so we need to shut down" is bogus. it costs next to nothing to run a tor hidden service.  run and pay back the customers , didn't sr2 do that ?

Will OpenBazaar fix this issue? I guess it will.

Im sure this is an inside job

This is exactly correct. The people that run these kinds of sites do not reveal their identities and go to great lengths to keep their identities hidden. If after a certain amount of time they are not arrested by law enforcement (who have vastly greater resources then most drug buyers on these sites) then the sites operators can be more or less assured that anyone that they steal from will not be able to find their identities.