Cannabis Road hacked despite using 3 levels of multi sig, 200 BTC hacked

[iluvpie60]

So how does this happen then? Was their server where the main hot wallet was storing bitcoins not multisig for protection or how does that work? Things that make you go hmmm.

http://www.coindesk.com/black-market-cannabis-road-hacked-loses-100000-bitcoin/ 

Multisig employed

The success of the attack is particularly notable given that Cannabis Road had moved to integrate safeguards aimed at better protecting user funds through multi-signature technology, an evolution of the traditional wallet offering that introduces an arbitrator to the transaction process.

In a May interview with DeepDotWeb, Crypto indicated that Cannabis Road was using a hybrid version of multisig, however, in part to make the technology easier for its customers to use.

At the time, he indicated that Cannabis Road had added three levels of multisig in response to a rise in attacks against illicit websites, explaining:

    “All three levels start off the same, asking for public keys of the buyer, vendor and market to create the shared (multisignature) address. The buyer sends funds to the shared address. Once the buyer is happy, the buyer agrees to finalize the order, this is where the three levels are offered.”

Two more advanced levels were added on top of this service, both of which put restrictions on the situations in which users would be asked to send their private keys.

[thisisthis]

That hacker should be hired by some big company like google or microsoft (after some years in jail of course).

[LiteCoinGuy]

maybe its just a lie and they ran off with the money

[BadBear]

"hacked"

[bitkilo]

I would like to see some proofe of a hack before i just belive what they write.
My understanding is that multi-sig is very secure but they were using some hybrid version they said.
I belive i read somewhere that silk road 2 is also in the middle of implamenting multi-sig escrow, maybe they will have 2nd thoughts now.

[Jamie_Boulder]

1. Inside job
2. Company lied about their security
3. He's jesus

You decide.

[EFS]

maybe its just a lie and they ran off with the money

Of course they ran off with the money. Who do you blame? Tell the police they stole my drug money!

[Jesu]

maybe its just a lie and they ran off with the money

That's exactly what I thought as soon as I saw this. This is just yet another reason why we need decentralized Markets.

[RodeoX]

maybe its just a lie and they ran off with the money

Guys, come on. We shouldn't accuse them of something. Maybe they were the honest, hard working kind of criminals? 

[montello]

"hacked"

Is there a proof to this effect?

[Bitcoinpro]

Sounds like it was a 2 of 3 multisig, so that means the vendor and market where the same person

though its was most probably a third party wallet so the market knew all three addresses anyway

[Jesu]

"hacked"

Is there a proof to this effect?

Proof to what? Whether they were hacked or "hacked"? I'm sure some more details will become available soon. Have they provided the addresses where the funds were sent to?

[bornil267645]

I think this is an inside job.

[yayayo]

I think they've been "hacked" almost for sure. It's the same story over and over again.

Semi-legal and illegal entities that attract funds can easily run away with them, because nobody can persecute them without admitting morally questionable or illegal activity as well.

ya.ya.yo!

[bitkilo]

"hacked"

Is there a proof to this effect?

Proof to what? Whether they were hacked or "hacked"? I'm sure some more details will become available soon. Have they provided the addresses where the funds were sent to?

You can follow this link from the story, it show the address that the btc went to.
http://blockchain.info/address/1CatnMd3jsEKhwhSLUf8V862im8gBp3NDF
But this alone is not proof of a hack, just where some btc went.

[iluvpie60]

Drug sites like the one in the OP should be expected to get hacked, they can't try to come after the person legally if they even know who it is and anyone dealing in this activity should have expected it as every one of these sites get hacked or taken by the feds.

interesting theory on that. while it could be quite true that they could run away with your coins because who is going to sue someone for a few thousand dollars of bitcoin when you are using it to buy illegal drugs?

probably no one.


"hacked" is probably a good way to put it.

i really do wonder though if it is possible to intercept the data going between somethinga nd actually grab the sigs then combine then for the multi sig then steal everything.

obviously whoever does that would have to be pretty good at doing that, but if just one person knows how to do it it would seem they are the same person who keeps hitting all these small exchanges also.

i lost like .2 btc on coinex.pw.... had some random mooncoins and small pieces of different coins and it got "hacked" too. but i can never really know.

[Jesu]

"hacked"

Is there a proof to this effect?

Proof to what? Whether they were hacked or "hacked"? I'm sure some more details will become available soon. Have they provided the addresses where the funds were sent to?

You can follow this link from the story, it show the address that the btc went to.
http://blockchain.info/address/1CatnMd3jsEKhwhSLUf8V862im8gBp3NDF
But this alone is not proof of a hack, just where some btc went.

I know it's not proof, but people can follow where the money goes and possibly trace it back to someone, or at least it may provide some clues.

[zeetubes]

I agree with a couple of others above that it was almost certainly an inside job. Just because they have multi sig capability doesn't mean they're actually using it, or at least using it properly. Also, they may have been using a lot of their own product and just forgot to do something.

[sandykho47]

I doubt they really hacked, expect the one who hacked is highest-level hacker
I think someone inside the company created backdoor & hacked it (when they want)

Maybe they not use 3 level multi sig properly 

But, looks like it "hacked" not hacked

[CtrlAltBernanke420]

I agree with a couple of others above that it was almost certainly an inside job. Just because they have multi sig capability doesn't mean they're actually using it, or at least using it properly. Also, they may have been using a lot of their own product and just forgot to do something.

Wasnt there an announcement about 2-3 weeks ago TOR was potentially compromised. Potentially not causing any panic for users or vendors but rather the site operators became vulnerable to.... justice.

I am guessing a inside job considering other sites did shut down on this announcement. Causing a 'migration' of vendors and buyers to other market places. Well these other market places probably were scams from the beginning simply waiting to gain some serious coin, and or once they learned of the potential TOR compromise they decided it wasnt worth the risk any more, but rather than closing shop 3 weeks ago it was more like, wait.. wait. waait.. waaaiit... okay now kill the site, call it hacked, we're done.

Considering most 'hacks' up so far have all very likely been inside jobs, whether it was intentional or not to steal from the ppl, they are likely smashing/burning hard drives right now and destroying potentially incriminating evidence. They hacked you, to save themselves. But they probably didnt mean to let you down, TOR let them down which let the rest of the users down.

If i was the site owner, this probably would have been my logic.