An administrator for the site said hackers had manipulated computer code enabling them to withdraw $2.7m (£1.6m) worth of the virtual currency. It follows similar attacks on two exchanges that trade in bitcoins earlier in the week. Silk Road 2 is known for selling drugs and other illegal items. The site is only accessible through Tor, a network that allows users to browse anonymously online. The virtual currency Bitcoin is often used in transactions as it also grants users a degree of anonymity. The original Silk Road site was shut down by the FBI in 2013 but those behind it said they would start a new site and shortly afterwards Silk Road 2 appeared online.
In a statement posted on Silk Road 2 forums, the administrator of the site, known as Defcon, said: “We have been hacked.” “Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker. Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as ‘transaction malleability’ to repeatedly withdraw coins from our system until it was completely empty,” he said.
Transaction malleability involves someone changing the cryptographic code - known as a transaction hash - used to create an ID for the exchange of funds before it is recorded in the blockchain - a database of every transaction carried out in the currency. This method can result in the system thinking a transaction has not been carried out when it has and therefore repeatedly paying out bitcoins. The two exchanges hit by attacks earlier in the week, MtGox and Bitstamp, had suspended transactions to prevent it happening again. Defcon admitted that Silk Road 2 should have done the same.
“I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand,” he said in the forum posting. In an article for CoinDesk, a news site for digital currency, Danny Bradbury an expert on Silk Road, said that bitcoin-based sites should put “bitcoins under management in cold storage (i.e. stored offline) so that they could not be stolen by online attackers.”
Defcon said that all its customers’ bitcoins were being stored online because of planned relaunches of some of the site’s features. “In retrospect this was incredibly foolish, and I take full responsibility for this decision.” Despite Defcon denying that he had “run with the gold,” several Silk Road 2 users questioned whether the operators of the site were involved or covering for people involved. “Does that even sound plausible? Or does it make more sense that they were waiting for the right moment…so that they could retire comfortably,” wrote aqualung. “Imagine you run this site, you see a huge amount of money sitting right there, and you know that you can take all of it and easily blame it on a hacker,” wrote cubensis.
The site said as a result of the attack it would no longer host “escrow wallets” - an account where bitcoins are held until goods ordered are delivered. The chief executive of the company that runs the MtGox bitcoin exchange was confronted by an angry customer at the company’s headquarters in Tokyo this week. Kolin Buges, a bitcoin trader from London, said he had travelled to Japan as he was unhappy at MtGox’s explanation for its recent problems on the site which prevented customers from making withdrawals. He had 250 bitcoins, worth $155,000 in his MtGox account.
“I want to get my bitcoin back, or get MtGox to bring back public confidence that the company is solvent and people’s money [is] safe,” Mr. Buges told the Wall Street Journal. One bitcoin is currently trading for around $620, significantly lower than the $830 level it was at before news of the various attacks broke.