Silk Road reboot claims: Hacker STOLE all our Bitcoin funds

The latest incarnation of the Silk Road underground market says it lost all of its Bitcoin reserves (estimated to be worth two to three million dollars) in a fraud attack. A site administrator said on Wednesday that a group of hackers appear to have exploited the Bitcoin "transaction malleability" loophole to withdraw funds …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    All I can say is......

    Ha. Fucking. Ha.

    Virtual currency my arse. It's a trap for gullible fucks or a haven for criminals depending on how you look at it.

    1. Anonymous Coward

      Re: All I can say is......

      This is what comes of using Open Source products...

      1. Loyal Commenter Silver badge
        Facepalm

        Re: All I can say is......

        "This is what comes of using Open Source products..."

        Because software where the source code is not available to the user for examination is always more secure, isn't it. There have never been any problems with the concept of 'security by obscurity'. There are no security experts, such as Bruce Schneier, who repeatedly point out the flaws with this kind of thinking.

        Also there is no crime, and everyone lives for ever.

    2. Stuart 16

      Re: All I can say is......

      Are you describing a bank?

    3. Loyal Commenter Silver badge

      Re: All I can say is......

      You know those numbers in your bank account aren't actually backed by anything physical either, don't you? The main difference being that the authenticity of a Bitcoin transaction is verified by the network as a whole, and the authenticity of your imaginary numbers in a bank are verified by a group of sociopathic arseholes in suits. I know who I'd rather trust.

      Bitcoin and related cryptocurrencies are still in their infancy and no doubt there are still issues to be ironed out. This particular vulnerability was known about, and patched, three years ago. Anyone stupid enough to still be using software that is vulnerable to it after this amount of time, especially to handle large transactions, deserves what they get (including MtGox).

      Essentially, as I understand it, the 'vulnerability' involves one person (Alice) requesting a payment from another (Bob). Bob does not correctly record the details of the transaction, so when Alice says, "I never got the money", Bob checks, does not see it has gone through, and sends the money again. Alice repeats the process until she has all of Bob's money.

      Understandably, this has resulted in a fair loss of confidence in Bitcoin as a whole, but really the only problem lies with those who have not kept themselves up-to-date with the software. These are akin to those people who use a fresh install of Windows XP, don't install any security patches, log straight in to their bank's web site, ignore all the warnings and then act all surprised when all their money is missing a week later.

      1. Tom 38

        Re: All I can say is......

        "You know those numbers in your bank account aren't actually backed by anything physical either, don't you?"

        The first £85,000 in my bank* are backed by a country of 70 million people with nukes and a standing army.

        * I wish

        1. Loyal Commenter Silver badge

          Re: All I can say is......

          "The first £85,000 in my bank* are backed by a country of 70 million people with nukes and a standing army."

          So, if an employee of that bank were to abscond with your money, to a country without an extradition treaty with us, you would expect the government to step in and nuke them for you? Didn't think so.

          1. Tom 38

            Re: All I can say is......

            "So, if an employee of that bank were to abscond with your money, to a country without an extradition treaty with us, you would expect the government to step in and nuke them for you? Didn't think so."

            No, I expect the government to give me my money back.

            The point is, bitcoins aren't backed by anything. GBP is backed by the British government. Deposits of GBP are covered by GB banking regulations, which provide security.

            1. BongoJoe

              Re: All I can say is......

              Tom, the British Pound is not backed by anything other than good will and faith in the system.

              Being covered by banking regulations alas means nothing because one can't spend nor eat banking regulations. In previous times the Pound was backed by gold and that worked because we all had faith in gold (even though that essentially is arbitrary).

              So, no. The British Pound is not backed by anything other than the thought that if it goes belly up then the government will have a bit of a crisis on its hands. And the thought of their heads being put on pikes on Westminster Bridge is the only thing which keeps it going.

      2. opaque

        Re: All I can say is......

        The difference is that if you were hacked, for example, your losses are covered by the banks under legislation. If your Bitcoins are hacked that's it, they are gone. There is no compensation.

    4. Anonymous Coward

      Is it wise

      To steal millions of dollars (worth of bitcoin) from a bunch of drug dealers and other associated dangerous criminals??

      Taking the money was probably the easy part..............

      1. ecofeco Silver badge

        Re: Is it wise

        It is if you are also criminals.

        No honor among thieves, right?

  2. Gray Ham Bronze badge
    Holmes

    A group of hackers who knew exactly when the site would be under maintenance and the funds vulnerable?

    If I were a copper, I think I'd start by questioning the staff.

    1. Khaptain Silver badge

      They should also start checking out Swiss banks for new accounts with a user name of "Defcon"...

    2. Frankee Llonnygog

      Or

      Start by questioning the coppers.

  3. Anonymous Coward

    Victim Or Perpetrator?

    For how long was this data in a vulnerable location?

    Who knew the location of that data in that vulnerable location?

    I'm gonna point my finger directly at the reported 'victim.' There, you'll find the perp!

    1. Simon Harris

      Re: Victim Or Perpetrator?

      Vulnerable location?

      Will "Defcon" later be saying... "The money was just resting in my account" ?

  4. Trevor Marron
    WTF?

    As this is a virtual currency, has a theft actually occurred?

    As per title, as the stuff does on actually exist, can it be stolen?

    1. solo

      Re: As this is a virtual currency, has a theft actually occurred?

      Sometimes I wonder if the site had any customer or they all were just virtual as well :0

      Good self appeasing exercise it might be creating a site, showing it trading in millions and poof.

      Or just an imposter site by NSA may be :)

    2. Wzrd1 Silver badge

      Re: As this is a virtual currency, has a theft actually occurred?

      Intellectual property is not real property, but it can be stolen.

      Patents are issued on intellectual property that has yet to physically exist. If those plans are stolen, a theft has occurred in every jurisdiction on the planet.

      Hence, if plans, an idea can be stolen, virtual currency can be stolen.

      Indeed, the only true difference between bitcoin currency and current monetary currencies in use around the world is that the money around the world is created, owned and variably valuated by various governments by artificial means.

      1. Frankee Llonnygog

        Re: As this is a virtual currency, has a theft actually occurred?

        The bitcoin libertarians were crowing about how they were independent of any government and only bound by their own rules. So they have two choices: unleash the libertarian pay-on-demand law enforcement agency (oh, sorry, there isn't one); or, admit that all this tax, government and law stuff might have some good points after all. Wait - I forgot the third, Ayn Rand hypocrite option: talk the libertarian talk but suck up the government dollar.

        I must admit the irony hammer dropped sooner than I thought it would but no less amusing for all that.

        1. Mark .

          Re: As this is a virtual currency, has a theft actually occurred?

          This is assuming the set of people using Bitcoin to buy drugs on this site are the same set as the "libertarians" claiming Bitcoin is totally free of taxes and laws (not to mention that most Bitcoin users are neither).

          Using an irony hammer is easy, when you're using it to hit a straw man.

    3. Loyal Commenter Silver badge

      Re: As this is a virtual currency, has a theft actually occurred?

      On these grounds, if you hand me your bank login details (which does on [sic] really exist), I'll just transfer those numbers (which don't really exist) from your bank account (which doesn't really exist) into mine (yeah, this doesn't exist either...)

    4. Trevor Marron

      Re: As this is a virtual currency, has a theft actually occurred?

      Wow, ask a reasonable question in the hope that someone on here can answer it, and get four thumbs down! Way to go folks!

  5. Anonymous Coward

    The thing that strikes me as odd ...

    ... is the current $100 spread between the various BTC exchanges at the moment - you can buy at $400 on MtGox and then sell at $500 on two other exchanges.

    Money for nothing - so something must be seriously wrong.

    1. Khaptain Silver badge

      Re: The thing that strikes me as odd ...

      Isn't this disparity exactly the same modus operandi of all the major stock exchanges ? Albeit the differences are much smaller.

    2. Loyal Commenter Silver badge

      Re: The thing that strikes me as odd ...

      Have MtGox resumed the ability to withdraw BTC funds yet though? Otherwise, you're a bit stuck with the transferring of the funds from one exchange to the other.

      Presumably, this is the reason for the plummeting value of BTC on this particular exchange - anyone with funds there wants them out, and the only way at the moment is to sell them for traditional currencies. If and when they resume processing transfers, the value may bounce back, or MtGox may go under for good due to this monumental cock-up on their part.

  6. frank ly

    Words

    " ... maintenance work that required funds to be placed in a vulnerable location."

    No. I'm sure the work required the funds to be placed in a 'different' location, not a 'vulnerable' location.

    1. Nick Ryan Silver badge

      Re: Words

      I'm struggling to wonder even why funds had to be moved at all. Anybody?

      1. badger31

        Re: Words

        My understanding of it is that most of the BTC are stored in offline wallets, but the admins were about to make some changes to the server and expected the vendors to withdraw their funds. This required the BTC to be made available to the vendors by putting them in an online wallet.

        At that exact moment, one of the vendors apparently used the malleability trick to syphon off the entire wallet. So despite the fact that they knew about the vuln, the admins went ahead and put every BTC they held online. Hmm. Sounds a bit fishy to me. The admins are either lying thieves or monumentally stupid.

  7. VulcanV5

    Bad news for Scotland then

    Seeing as the Scottish National Party has just confirmed that the Bitcoin will be its new currency come independence, this news will have come as a terrible shock to Kilt Road operations everywhere.

    1. Anonymous Coward

      Re: Bad news for Scotland then

      I for one am looking forward to visiting the Republic of Scotistan once it is outside of the EU and we get our Duty Free allowance! I can't think of any other reason to want to go though....

  8. Anonymous Coward

    I laughed until I stopped!

    I haven't stopped yet.

  9. Sir Runcible Spoon
    Big Brother

    Sir

    Sounds like a black-op to me.

  10. GarethB

    Sounds fishy

    The "transaction malleability" just allows you to perform a transaction and then when it had been confirmed change the details of that transaction id so that when the sender goes back and looks at it, it appears as though it didn't get confirmed. That can't be used to steal money from an account which you have no authority to send bitcoins from to start with.

  11. Arachnoid

    " ... maintenance work that required funds to be placed in a vulnerable location."

    Somebody stole his usb thumb drive...........or its down the back of the couch somewhere

  12. Anonymous Coward

    way to make a few million bucks

    Tell the suckers you are setting up Silk Rd v3, collect escrow funds from prospective punters, walk off with the dosh and tell the punters it woz hackers that did it. Nothing like an advance fee fraud when the suckers don't know who you are to the extent Tor can prevent them from knowing.

  13. MatsSvensson

    Aaaannnd....

    aaand it's gone.

  14. Irongut

    So the balance went over his honesty threshold and he decided it is safer to pocket the cash than sell the hash.

  15. Tom 38

    Irony

    Giving your money to a drug dealer to hold in escrow.

  16. Pet Peeve

    Sounds like BS

    What possible maintenance activity would require the coins to be accessible? And wasn't this vulnerability supposed to have been fixed ages ago, with mtgox only vulnerable because they were using an old version?

    Betting it will turn out that silk road 2 (electric coinaloo) was a scam all along, waiting for enough people to deposit and then disappearing. Certainly not the first time for the currency for that to happen.

  17. ecofeco Silver badge

    Can I exchange my Bitcoins?

    For Flooz and Beenz?

    (Please excuse my incorrect spelling in another post. It's been years since I've thought about those disasters.)

  18. Anonymous Coward

    Transaction Malleability does not allow them to empty wallets. It only allows a kind of DOS attack where transactions are impossible to complete. SR2 is lying, straight up. And their busted ass system never worked correctly anyway, providing ample reason for them to rip off everyone and disappear.
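The bookkeeping failure several comments above describe (a payer who looks up a withdrawal only by its transaction id and re-sends when it appears missing), shown next to a reconciliation check that does not depend on the id. This is an added example, not part of the thread or the article; it uses a toy transaction model rather than real Bitcoin serialization, and `ToyTx`, `reconcile` and the sample values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class ToyTx:
    # Toy model (assumption): field layout is illustrative, not Bitcoin's wire format.
    inputs: tuple    # outpoints being spent
    outputs: tuple   # (recipient, amount) pairs
    sig: bytes       # signature encoding; the signature does not cover its own bytes

    def txid(self) -> str:
        # The id hashes the whole transaction, signature bytes included.
        return sha256d(repr((self.inputs, self.outputs, self.sig)).encode())

    def payment_key(self) -> str:
        # Hash only what the signature commits to: coins spent and recipients.
        return sha256d(repr((self.inputs, self.outputs)).encode())


def confirmed_by_txid(sent: ToyTx, chain: list) -> bool:
    """Naive check: was the exact id we broadcast confirmed?"""
    return any(tx.txid() == sent.txid() for tx in chain)


def confirmed_by_payment(sent: ToyTx, chain: list) -> bool:
    """Robust check: was the same payment confirmed under any id?"""
    return any(tx.payment_key() == sent.payment_key() for tx in chain)


def reconcile(sent: ToyTx, chain: list) -> str:
    if confirmed_by_txid(sent, chain):
        return "paid"
    if confirmed_by_payment(sent, chain):
        return "paid-under-different-txid"  # do not send again
    # A retry that spends the same inputs cannot confirm alongside the original.
    return "unconfirmed: retry must reuse the same inputs"


# Constructed sample: the confirmed copy carries a re-encoded signature.
SENT = ToyTx(("constructed-prev-tx:0",), (("alice", 5),), b"\x30\x44sig")
MINED = ToyTx(SENT.inputs, SENT.outputs, b"\x30\x45\x00sig")
CHAIN = [MINED]

if __name__ == "__main__":
    print(confirmed_by_txid(SENT, CHAIN), reconcile(SENT, CHAIN))
```
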
