Silk Road 2.0 hacked through malleability, ~4000 BTC STOLEN

[Frost000]

This could be Inputs.io v2.0
All these (alleged) hacks..

Yup, and it's so easy... And some people are so gullible, too.

[1714494040]

1714494040

[1714494040]

1714494040

[DoomDumas]

Think its related to Tx Maleability, BlockChain.info do not shows correct balance on my cold wallet... Checked locally, all fine..  AFAIK, it should resolved itself overtime @ blockchain.info.. Is this correct ?

Tought about it.. It is because blockchain.info dont know that the address were the change has been sent belong to the wallet... I just look @ a BTC the address I use to deposit in the cold storage.  It's not a blockchain.info wallet.

sorry for this missleading tought, and wrong thread btw !

[BTC5OOO]

This hack was possible because of a bug/oversight in their implementation...

More info here: http://www.deepdotweb.com/2014/02/13/silk-road-2-hacked-bitcoins-stolen-unknown-amount/
http://www.reddit.com/r/DarkNetMarkets/comments/1xtqty/sr_has_been_hacked/
http://www.reddit.com/r/Bitcoin/comments/1xtsrq/silk_road_got_hacked_all_funds_stolen_cheap_coins/

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv vvvvvv

... " Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker. " ...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I quit reading about five lines into this guy's letter. Does not come across as genuine to me. That's all I know about this issue.

/\ya rinse and repeat lmao

[Gamer67]

That does not make it respectable or trustworthy. They just cashed in on the old name with the hopes of making some serious cash. Before DPR1's arrest these guys were making 4k a month each. Now they are pulling in close to 100k a month to split between themselves.

You really need to stop looking at this with rose tinted glasses.

[misternanyte]

anything that's drug related is generally bad. It needs to be peer 2 peer instead of site based. And you need to be able to trust your guy. Basically, you only do transactions with people you trust.

[redhawk979]

Don't worry, this could never happen with the upcoming Silk Road 3.0 because you see government regulation of businesses is bad

[Bit_Happy]

More bad news, when does it get better?

[j3steven]

I remember when this used to be a thread about BTC and SR2, ohh the good ol days

Very original..

[KC82]

Come on! How does a malleability attack steal their all coins 'SLOWLY' and they don't notice it until all of them are gone?
They stole the coins themselves and took advantage of the malleability situation as an excuse.

Ok, I'll bite.  In this scenario there are two ledgers.  One is the bitcoin block chain and the second is SR2 escrow service.

The interacton/use case goes like this:

1) Vendor A withdraws some money from SR2 escrow
2) the SR2 escrow sends a payment to the bitcoin P2P network
3) SR2 escrow records the payment's txid in it's database
4) waits for confirm (a miner to include it in the block)
5) before it's confirmed, Vendor A changes the txid (using malleability)
6) Vendor A broadcasts this transaction to the bitcoin network
7) Since, the inputs are the same, bitcoin network code sees this as a double spend
8 ) bitcoin marks the orignal transaction as dead (no miners will include it in a block)
9) SR2 escrow receives notification that the oridinal txid is dead
Note: this where all the websites are changing their code base, like SR2 should have when the bug exploit was discovered>
10)  SR2 escrow credits the vendors account for the "dead" funds, believing they are still in the escrow wallet (escrow ledger is now out of synch)
11)  the malleability transaction gets confirmed by miners
12) Vendor A now owns those bitcoins
13) Vendor A now goes into the SR2 escrow service and requests payment again
14) Vendor A is now at step 1 again and continues until the escrow wallet is no longer able to fulfill withdraw requests
14a) Process complete: SR2 sends out a sad message about their wallet being empty


so yes you can lose BTC with transaction malleability.

How do you defeat this?  

There are several ways:

• you send a request to the network for transactions on your wallet address and look to see if there are any between you and Vendor A on the network (check that the inputs aren't still in use)
• Flag the account for human intervention/review when fraud conditions are met
• Re-use the same inputs, so if there is another transaction (mutant) the network will not allow the double pay

or

• use multi-sig transactions with the SR2 service acting as the "Oracle" (What SR2 is talking about in the sad message)

Why does the network invalidate the original transaction and confirm the second? Does that happen every time, the newer transaction with the same inputs wins? That does seem like a flaw in the protocol if that is the case.

[jongameson]

bitcoin is like the homosexual to currency (don't get my wrong 1000 BTC is good, but peercoin is the way to go long term)

[buzybit]

bitcoin is a baby out there ! so we shall be very carefull
also if someone is dealing with bad things like drugs etc should be ready to take its chances

[jongameson]

bitcoin is a baby out there ! so we shall be very carefull
also if someone is dealing with bad things like drugs etc should be ready to take its chances

dark coin marketplace will be opened soon by Satan himself i've heard

[NordicMoose]

Silk road wasnt hacked. The owners took off with the coins, were duly exposed and now the forum is awash with thread after thread of distraught memmbers who are understandably after his blood. admin and mods tried to blame transaction malleability and  alleged the entire funds had been stolen under their noses.

you know, I really hate it when people come on here and start threads without checking the facts first.

[LouReed]

Malleability? Hahahaha, the fucking admins stole all of it. What kind of idiot would put money into that website is beyond me.

Why would the already wealthy admins of a darknet site steal a measly 4000 BTC when running the site with its reputation intact would net you 1000+BTC per week?

You don't know how wealthy they are. Fuck, SR 2 has only been up for a short period of time. If 4000 BTC meant nothing to them they would have eaten the loss and not said a fucking word about it as to keep trust in the site.

Also, where the fuck do you get off thinking they make 1000+ BTC a week?

And who said they were not? SR 1.0 made 125k BTC in a year.

Yes, and 90% of SR1's life Bitcoin was worth less than $15, and 50%+ Bitcoin was worth less that 5$ each. That would definitely make it easy to rack up a large number of coin in a year, eh??

Just for reference, 75%+ of SR2's life Bitcoin has been worth more than $600/coin. See the difference??

[LouReed]

Silk road wasnt hacked. The owners took off with the coins, were duly exposed and now the forum is awash with thread after thread of distraught memmbers who are understandably after his blood. admin and mods tried to blame transaction malleability and  alleged the entire funds had been stolen under their noses.

you know, I really hate it when people come on here and start threads without checking the facts first.

Wow, a member for less than a month, and already complaining about people not checking facts!! 

[technocoma]

Think they just saw it as a way to easily blame a hack because the coins they had was a nice chunk of change and running with it now means less likely to get caught. At end of the day the guy who ran it for years that never stole any coins ended up in a cell & his 100k BTC aren't much use there.

I can't see how this would of happened any other way than the admins taking the funds. Why would it of been setup with an automated system to check stuck transactions rather than have a human look at it. They also claim they knew about exchanges having issues & knew what the issue was so surely if they had an automated system that can re-send funds when it thinks the transaction didn't go through surely he would of shut it down or turned it off.

I'm sure most people in his position would take the money & run.

[NordicMoose]

Silk road wasnt hacked. The owners took off with the coins, were duly exposed and now the forum is awash with thread after thread of distraught memmbers who are understandably after his blood. admin and mods tried to blame transaction malleability and  alleged the entire funds had been stolen under their noses.

you know, I really hate it when people come on here and start threads without checking the facts first.

Wow, a member for less than a month, and already complaining about people not checking facts!! 

Lol. Er, yeah, I have been a member of bitcoin forum for less than a month and that means I'm automatically wrong about something I post does it? Maybe you should check your own facts before you write or people might start thinking you're a complete idiot.

[NordicMoose]

Think they just saw it as a way to easily blame a hack because the coins they had was a nice chunk of change and running with it now means less likely to get caught. At end of the day the guy who ran it for years that never stole any coins ended up in a cell & his 100k BTC aren't much use there.

I can't see how this would of happened any other way than the admins taking the funds. Why would it of been setup with an automated system to check stuck transactions rather than have a human look at it. They also claim they knew about exchanges having issues & knew what the issue was so surely if they had an automated system that can re-send funds when it thinks the transaction didn't go through surely he would of shut it down or turned it off.

I'm sure most people in his position would take the money & run.

Except, they did get caught. dpr2 and defcon has run off with members' coins, are being slammed around their own forum, no wait, Ross's forum --  and they are pissed. Guess the lesson is don't deal with a darknet, especially one with a bad track record. As for all these idiots pretending to know what they are talking about based on number of posts, it's getting really boring. Maybe hit the gym a bit.

[technocoma]

Think they just saw it as a way to easily blame a hack because the coins they had was a nice chunk of change and running with it now means less likely to get caught. At end of the day the guy who ran it for years that never stole any coins ended up in a cell & his 100k BTC aren't much use there.

I can't see how this would of happened any other way than the admins taking the funds. Why would it of been setup with an automated system to check stuck transactions rather than have a human look at it. They also claim they knew about exchanges having issues & knew what the issue was so surely if they had an automated system that can re-send funds when it thinks the transaction didn't go through surely he would of shut it down or turned it off.

I'm sure most people in his position would take the money & run.

Except, they did get caught. dpr2 and defcon has run off with members' coins, are being slammed around their own forum, no wait, Ross's forum --  and they are pissed. Guess the lesson is don't deal with a darknet, especially one with a bad track record. As for all these idiots pretending to know what they are talking about based on number of posts, it's getting really boring. Maybe hit the gym a bit.

Well thanks to this and sheep I'm sure no one will trust a market place where admins have access to all the coins

3 Signatures on a transaction vendor / buyer / escrow and 2 signatures needed to release funds is the only way to go now & if site gets taken down no coins will be lost and vendor can still get the money.

[Abel82]

I won't believe that one guy was able to hack silk road 2.0 ! Maybe he had help.
Many states don't like bitcoins, so i can imagine that he got "governmental help" to destroy reputation of Bitcoin in the world