Silk Road 2 Hacked, $2.5M in User Bitcoin Stolen

Though it crowed about relaunching after FBI raid, Silk Road 2 still struggles.

One day after news that darkweb drug-marketplace Utopia was seized by Dutch police comes word that the latest incarnation of Silk Road has been hacked, losing $2.7 million worth of Bitcoin in the process.

Dutch police arrested five people in the raid on Utopia for selling controlled drugs, weapons and ammunition, and said the bust showed that even highly anonymized networks such as TOR don’t make anyone untouchable. Utopia is the relaunch of Black Market Reloaded, which closed during 2013.

The FBI shut down the original Silk Road in October and arrested Ross Ulbricht (a.k.a. Dread Pirate Roberts), alleging he’d tried to have a Silk Road member murdered to prevent the disclosure of information that could shut the site down.

Silk Road 2 launched in November, amid whispers that it was actually a honeypot set up to catch vendors from the original site, and frequent intimations that the sequel was being run by people not quite as bright or reliable as those who created the original.

During the Christmas holidays, a vendor who had signed up to discreetly sell goods of undetermined legality exploited the “transaction malleability” flaw in the Bitcoin protocol “to repeatedly withdraw coins from our system until it was completely empty,” according to a post signed by Defcon, director of Silk Road 2.
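The weakness behind this kind of drain is not that a signature can be forged but that a relayed transaction can be re-encoded so that it confirms under a different transaction id while spending the same inputs to the same outputs. A payout system that decides “did my withdrawal go through?” by looking up the exact txid it broadcast will conclude the payment failed and send it again. The following added example (not code from Silk Road 2 or from Defcon’s post) models that reconciliation step in Python: `TxidLedger` is the fragile check, `InputLedger` settles a withdrawal once any confirmed transaction has spent the inputs the service signed. The transaction format and the `malleate` helper are constructed for illustration; only the secp256k1 group order is a real constant.

```python
import copy
import hashlib
import json

# secp256k1 group order: for any valid ECDSA signature (r, s), (r, N - s) also verifies.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def txid(tx: dict) -> str:
    """Bitcoin-style id: double SHA-256 over the serialized tx, signatures included.
    (Toy JSON serialization, constructed for this example.)"""
    raw = json.dumps(tx, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


def make_withdrawal(utxo: str, dest: str, amount: int, r: int, s: int) -> dict:
    """Constructed withdrawal: one signed input from the hot wallet, one output to a user."""
    return {"inputs": [{"utxo": utxo, "sig": {"r": r, "s": s}}],
            "outputs": [{"addr": dest, "amount": amount}]}


def malleate(tx: dict) -> dict:
    """Model of the network event: a relayed copy whose signature is re-encoded
    (s -> N - s). Same inputs, same outputs, still valid, different txid."""
    m = copy.deepcopy(tx)
    for inp in m["inputs"]:
        inp["sig"]["s"] = SECP256K1_N - inp["sig"]["s"]
    return m


class TxidLedger:
    """Fragile: a withdrawal counts as settled only if the exact id we broadcast confirms."""
    def settled(self, sent: dict, confirmed: list) -> bool:
        return txid(sent) in {txid(t) for t in confirmed}


class InputLedger:
    """Hardened: settled once any confirmed tx spends the inputs we signed. A UTXO can be
    spent only once and only the service holds its key, so the spend must be our payout,
    whatever id the network gave it."""
    def settled(self, sent: dict, confirmed: list) -> bool:
        spent = {i["utxo"] for t in confirmed for i in t["inputs"]}
        return all(i["utxo"] in spent for i in sent["inputs"])


def reconcile(ledger, sent: dict, confirmed: list) -> str:
    """What an automated payout job does next; 'resend' is the step that empties the wallet."""
    return "settled" if ledger.settled(sent, confirmed) else "resend"
```

Seen through `TxidLedger`, a malleated copy of the payout confirms and the original never appears, so the job resends; `InputLedger` sees the signed input consumed and stops.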

“Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker,” Defcon wrote.

The attack targeted the site’s escrow wallet server, in which both vendors and buyers must hold their own Bitcoin wallets. The arrangement is meant to give both sides the confidence to trade: each trusts that the site’s escrow account is secure and that the site, rather than an individual buyer or seller, will guarantee payment for a specific transaction.

Allowing the site to hold escrow requires users to give up control of their own Bitcoin stores which, in the case of Silk Road 2, meant everyone’s money was tied up in a single data store, most of which is “hot,” or available for trade, while the rest is stored offline to keep it safe until the user asks that it be brought online.

All the wallets belonging to Silk Road 2 community members were brought online to allow for the re-launch of a transaction auto-finalize feature and transaction-dispute center, both of which Silk Road managers expected would increase the volume of transactions.

The attackers got away with approximately 4,440 BTC, worth an estimated $2.5 million, according to University of California at Berkeley security researcher Nicholas Weaver, who posted his calculations and criticism of security at Silk Road 2 on his Twitter account.

“Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself,” wrote Defcon, who begged the thieves to keep only a portion of the stolen coin and return the rest, immediately before suggesting the rest of the Silk Road 2 community identify the perpetrator and “stop at nothing to bring this person to your own definition of justice.”

In retrospect, Defcon wrote, putting all the wallets into a single hot escrow server “was incredibly foolish, and I take full responsibility for this decision.

“I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch,” Defcon wrote.

The lessons for Bitcoin users, according to Defcon, are to never store escrow BTC on a server, never trust a site using centralized escrow storage, and to trust only sites that require multi-factor or multisignature authentication, which reduces the chance that a user who is authorized and trusted to a limited extent by the system can break through the remaining security barriers and steal the bank belonging to all the members.

Suspicions are already circulating among community members, however, who point out that information about the transaction malleability flaw had circulated as early as 2011, and that transaction malleability was actually a necessary feature to allow for the recovery and re-launch of transactions that failed on the first attempt.

The question is whether the theft was accomplished without the knowledge of Silk Road 2 administrators, with their knowledge and cooperation, or whether the theft could have been the reason for launching the site in the first place, as one site suggested immediately after the launch of SR2.

“The Silk Road faithful hope that this is a new beginning and proof that, as the closure of Napster did nothing to stop piracy, the closure of the single largest black market will be ineffective in the grand scheme of online narcotics sales,” according to a Nov. 7 post on All Things Vice.

“The cynical think it might be the beginning of a long con (it wouldn’t take long before the administrators have access to $millions in Bitcoin), or just a big hoax to affect Bitcoin prices,” All Things Vice continued. “And the paranoid deem it a honeypot.”
