Author Topic: Silk Road 2.0 hacked through malleability, ~4000 BTC STOLEN  (Read 28427 times)
codro (OP), Member
February 13, 2014, 07:51:37 PM
Last edit: February 13, 2014, 09:26:25 PM by codro
#1

This hack was possible because of a bug/oversight in their implementation...

More info here: http://www.deepdotweb.com/2014/02/13/silk-road-2-hacked-bitcoins-stolen-unknown-amount/
http://www.reddit.com/r/DarkNetMarkets/comments/1xtqty/sr_has_been_hacked/
http://www.reddit.com/r/Bitcoin/comments/1xtsrq/silk_road_got_hacked_all_funds_stolen_cheap_coins/

EDIT: Looks like the summed balances of all the addresses given total 4083 BTC.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am sweating as I write this.
Christmas brought grave news. I cannot adequately express how deeply honored I was by your unconditional support of my staff.
I do not expect the same reaction to today’s revelations. This movement is built on integrity, and I feel obligated to be forthright with you.
I held myself to a high standard as your leader, yet now I must utter words all too familiar to this scarred community:
We have been hacked.
Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.
Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.
Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.
This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community’s full balance in hot storage.
In retrospect this was incredibly foolish, and I take full responsibility for this decision.
I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.
I’ve included transaction logs at the bottom of this message. Review the vendor’s dishonest actions and use whatever means you deem necessary to bring this person to justice. More details will emerge as we continue to investigate.
Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward.
It takes the integrity of all of us to push this movement forward. Whoever you are, you still have a chance to act in the interest of helping this community. Keep a percentage, return the rest. Don’t walk away with your fellow freedom fighters’ coins. DPR2 returned the cold storage. I didn’t run with the gold. But two people alone cannot move us forward. It takes an entire community committing to integrity – and though this crushing blow will not stop us, it sure is a testament to how greedy some bastards truly are.
Being a part of this movement might be the most defining thing you do with your entire life.
Don’t trade that for greed, comrades.
I will fight here by your side, even the greedy bastards amongst us.
This community has suffered great financial loss over and over again, and I am devastated that it has happened again under my watch.
Hindsight is already suggesting dozens of ways this could have been prevented, but we must march onward.
The only way to reverse a community’s greed is through generosity. Our true character is revealed during trying times.
If this financial hardship places you at risk of physical harm, contact me directly and I will do my best to help you with my remaining personal funds.
- —————-
Now what.
- —————-
Never again store your escrow bitcoins on a server.
Silk Road will never again be a centralized escrow storage.
This week has shown the collateral damage we can cause by being a huge target and failing in just one unforeseen area.
I am now fully convinced that no hosted escrow service is safe.
If I cannot trust myself to keep a hosted escrow solution safe, I cannot trust anyone.
Multi-signature transactions are the only way this community will be protected long-term.
I am aggressively tasking our devs on building out multi-sig support for commonly-used bitcoin clients. Expect a generous bounty if you have the skill to implement this.
- —————–
Until then.
- —————–
1. We will never again allow ourselves to be a single point of failure. We will never again host your Escrow wallets.
2. Vendor registration is closed while we regroup.
3. All listings on Silk Road are now No-Escrow (Finalize-Early) for 1-2 months while we implement multi-signature transactions and lobby for mainstream Bitcoin client multi-sig support.
4. All unshipped orders have been cancelled.
5. Vendors may link to other marketplaces on a trial basis until we launch multi-sig, then we will re-evaluate based on community input. We do not want to be a centralized point of failure, but we also do not want to lead our buyers into dangerous waters.
6. From this point forward DO NOT trust markets with centralized escrow. Use multi-signature transactions whenever possible, with trusted third parties as escrow providers.
Everything will be offline for 24-48 hours to minimize variables as we continue to investigate. The evidence we have below will be expanded based on our findings.
- ——————
No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize.
We are relieved that our security procedures protected user identities, and that no servers were compromised. This was not a worst-case scenario: nobody will be getting arrested from this. Financial loss is terrible, but will not put all of us behind bars.
The details we have on the hacker are below. Stop at nothing to bring this person to your own definition of justice.
Humbled and furious,
Defcon
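The failure mode Defcon describes (an automated hot-wallet payout that is re-sent whenever its txid fails to confirm), as an added illustration; this is not code from the thread or from the marketplace. Transactions and the re-encoded signature are simulated with constructed values, and the point is the reconciliation logic: keying completed payouts on the txid lets a malleated copy look like a failed payment, while keying on the spent outpoints does not, and the mismatch itself is a detection signal.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """Simulated transaction: spent outpoints, (address, satoshis) outputs, signature bytes."""
    inputs: tuple    # outpoints "prev_txid:vout" consumed by this payout
    outputs: tuple   # ((address, satoshis), ...)
    sig: bytes       # signature encoding: hashed into the txid, but not itself signed

    def txid(self) -> str:
        # The txid covers the whole serialization, signature included, so two
        # encodings of one valid signature give two different txids.
        raw = repr((self.inputs, self.outputs, self.sig)).encode()
        return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


def reconcile_by_txid(pending, confirmed):
    """Vulnerable: a payout counts as done only if its original txid confirmed.
    Anything returned here would be paid again by an automated retry."""
    seen = {tx.txid() for tx in confirmed}
    return [tx for tx in pending if tx.txid() not in seen]


def reconcile_by_outpoint(pending, confirmed):
    """Hardened: a payout is done once any confirmed tx spends its inputs;
    a UTXO can be spent only once, whatever txid the network assigned."""
    spent = {op for tx in confirmed for op in tx.inputs}
    return [tx for tx in pending if not any(op in spent for op in tx.inputs)]


def detect_malleation(pending, confirmed):
    """Alert signal: a confirmed tx spends our inputs to our outputs under a
    different txid. Returns (original_txid, confirmed_txid) pairs."""
    hits = []
    for ours in pending:
        for theirs in confirmed:
            if (set(ours.inputs) & set(theirs.inputs)
                    and ours.outputs == theirs.outputs
                    and ours.txid() != theirs.txid()):
                hits.append((ours.txid(), theirs.txid()))
    return hits


# Constructed scenario: the hot wallet pays a vendor 10 BTC from one UTXO.
PAYOUT = Tx(("hotwallet_txid:0",), (("vendor_addr", 1_000_000_000),), b"\x30\x44sig")
# A copy with the same inputs/outputs but a re-encoded signature confirms instead.
MALLEATED = Tx(PAYOUT.inputs, PAYOUT.outputs, b"\x30\x45sig")
```

With only the malleated copy confirmed, the txid-keyed reconciler reports the payout as failed and a retry loop would pay the vendor again; the outpoint-keyed one reports nothing to re-send and the detector flags the txid mismatch.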

rat, Sr. Member
February 13, 2014, 07:53:09 PM
Last edit: February 13, 2014, 08:22:49 PM by rat
#2

allow me to translate:

"i took your coinz lol!"

c0dex, Full Member
February 13, 2014, 07:56:41 PM
#3

What a load of shit from a faceless, petty prick in a long line of them.


Wirel, Newbie
February 13, 2014, 08:01:36 PM
#4

How can you possibly withdraw coins due to a Transaction Malleability exploit?

I mean, exploit or shitty implementation?

vpitcher07, Sr. Member
February 13, 2014, 08:03:37 PM
#5

If you keep your BTC on an illegal goods website run by drug dealers you deserve to get your funds stolen...


Rannasha, Hero Member
February 13, 2014, 08:04:18 PM
#6

You need to code your wallet in a really shitty way (as in: much worse than Gox) to allow people to continuously withdraw in this manner.

Or... The guy saw an opportunity to run with the money by making use of the widespread confusion about the transaction malleability issue and took it.

bitcoiner49er, Sr. Member
February 13, 2014, 08:05:08 PM
#7

> Quote from: Rannasha
> You need to code your wallet in a really shitty way (as in: much worse than Gox) to allow people to continuously withdraw in this manner.
>
> Or... The guy saw an opportunity to run with the money by making use of the widespread confusion about the transaction malleability issue and took it.

The latter. How stoopid does he think users are?


BldSwtTrs, Legendary
February 13, 2014, 08:05:52 PM
#8

This is sad.

impulse, Full Member
February 13, 2014, 08:05:57 PM
#9

> Quote from: Wirel
> How can you possibly withdraw coins due to a Transaction Malleability exploit?
>
> I mean, exploit or shitty implementation?

Good question. That would only be possible if they had automated their dispute resolution system and given their vendors free-for-all access to exploit without limits.

raskul, Sr. Member
February 13, 2014, 08:07:46 PM
#10

Does this mean I'm not getting my new James Bond identity and 30000 Kalashnikovs, stuffed full of the purest Colombian white powder?

g27wr, Full Member
February 13, 2014, 08:13:04 PM
#11

Am I missing something here? The coins are still there...

https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX


Barek, Full Member
February 13, 2014, 08:13:33 PM
#12

Guess this explains why the price dipped a bit.

Glad we got that out of our system.

And yeah, agreed that this is likely just a convenient excuse to make a run for it.

jongameson, Member
February 13, 2014, 08:14:36 PM
#13

Either we are looking at a system crash, or fraud.


raskul, Sr. Member
February 13, 2014, 08:14:45 PM
#14

> Quote from: g27wr
> Am I missing something here? The coins are still there...
>
> https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

$18million, who wouldn't be tempted to steal that amount from a litter of junkies?


mnemonick, Newbie
February 13, 2014, 08:16:25 PM
#15

Ouuuu come on! They robbed themselves. Don't be fooled :)

BTCisthefuture, Sr. Member
February 13, 2014, 08:17:02 PM
#16

Whatever happened to the good ol' days of just calling up your local drug dealer/pothead to get your drug fix? These online black markets really seem unsafe.


jongameson, Member
February 13, 2014, 08:18:12 PM
#17

> Quote from: raskul
> > Quote from: g27wr
> > Am I missing something here? The coins are still there...
> >
> > https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
>
> $18million, who wouldn't be tempted to steal that amount from a litter of junkies?


Doublelucky, Member
February 13, 2014, 08:18:25 PM
#18

Is this why the BTC price is rocketing downwards atm? Because the thief is dumping all the stolen coins?

cr1776, Legendary
February 13, 2014, 08:19:57 PM
#19

> Quote from: g27wr
> Am I missing something here? The coins are still there...
>
> https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

Yes, those are the Silk Road coins seized by the FBI.  This guy is talking about Silk Road 2.

raskul, Sr. Member
February 13, 2014, 08:20:31 PM
#20

> Quote from: Doublelucky
> Is this why the BTC price is rocketing downwards atm? Because the thief is dumping all the stolen coins?

I don't think so, I just think it's meant to be; doesn't faze me personally... up, down, round and round. Bitcoin has many many many moons ahead of it.
Panic ye not.
