Attackers have used the ‘transaction malleability’ flaw which prompted the Mt Gox exchange to stop withdrawals a few days ago
The exact number of stolen bitcoins is unknown, but based on transaction records, experts estimate it to be around 4440 to 4673 BTC, currently worth approximately $2.6 million (£1.56m).
On Monday Mt Gox, one of the largest and oldest virtual currency exchanges in the world, warned about transaction malleability and said it would stop transferring Bitcoins into wallets operated by third parties until the issue is fixed.
According to a statement written by an administrator called ‘Defcon’ and later reposted to Reddit, on Thursday several attackers raided the Silk Road’s centralised escrow accounts and took every last bitcoin.
“I am sweating as I write this,” said the post. “We have been hacked.
“Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as ‘transaction malleability’ to repeatedly withdraw coins from our system until it was completely empty.”
Transaction malleability is not a new discovery – the flaw has been known since 2011 – but it is one that has been largely ignored by developers. It requires a specific set of circumstances in which a dishonest trader can request and receive bitcoins from a wallet or an exchange, and then make it look as though the coins were never sent. The payment is then issued again.
After analysing Defcon’s post, Nicholas Weaver, a security researcher at the International Computer Science Institute in Berkeley, suggested that at least 4,400 bitcoins were taken from the accounts belonging to the shady website.
“I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken Mt Gox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported,” wrote Defcon.
The administrator believes the virtual currency has been transferred to accounts located in France and Austria. By posting all of the available transaction data, he essentially instructed the community to hunt down the thieves. “Review the vendor’s dishonest actions and use whatever means you deem necessary to bring this person to justice,” said the statement.
Defcon assured that the attack doesn’t mean illegal shopping enthusiasts should expect law enforcement agencies to knock at their door, since no information from the servers was compromised. He added that after a 48-hour break the Silk Road will resume operations, although it will have to cancel all unshipped orders.
The administrator promised that the website will never again rely on a centralised escrow service, instead implementing multi-signature transactions in the next few months.
As for the flaw in the protocol, Mt Gox has proposed using an additional hash for transaction tracking to remedy the issue, which would work exactly the same way as the current hash used to identify Bitcoin blocks within a blockchain.
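The mechanism described above, and the tracking-hash remedy attributed to Mt Gox, as an added illustration that is not code from the article or from any exchange: transactions are serialised in Bitcoin’s standard wire format and identified by the double-SHA256 of that serialisation, so any accepted change to the signature field (scriptSig) yields a different txid while spending the same coins to the same destination. The ‘additional hash’ is modelled here as a hash over the same serialisation with the scriptSigs blanked out; that construction is an assumption on my part, since the article only says the extra hash would work like the block hash. The transaction bytes, the stand-in scriptSig values and the `WithdrawalLedger` bookkeeping are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Set, Tuple


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash function for ids: SHA256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding used for all counts and lengths."""
    if n < 0xFD:
        return n.to_bytes(1, "little")
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass(frozen=True)
class TxIn:
    prev_txid: str            # hex, display (big-endian) order
    prev_index: int
    script_sig: bytes         # the only field a third party can rewrite
    sequence: int = 0xFFFFFFFF


@dataclass(frozen=True)
class TxOut:
    value: int                # satoshis
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    version: int
    vin: Tuple[TxIn, ...]
    vout: Tuple[TxOut, ...]
    locktime: int = 0


def serialize(tx: Tx, strip_script_sig: bool = False) -> bytes:
    """Standard wire serialisation; optionally with every scriptSig blanked."""
    out = tx.version.to_bytes(4, "little") + varint(len(tx.vin))
    for i in tx.vin:
        script = b"" if strip_script_sig else i.script_sig
        out += bytes.fromhex(i.prev_txid)[::-1] + i.prev_index.to_bytes(4, "little")
        out += varint(len(script)) + script + i.sequence.to_bytes(4, "little")
    out += varint(len(tx.vout))
    for o in tx.vout:
        out += o.value.to_bytes(8, "little") + varint(len(o.script_pubkey)) + o.script_pubkey
    return out + tx.locktime.to_bytes(4, "little")


def txid(tx: Tx) -> str:
    """The identifier exchanges were keying withdrawals on; depends on scriptSig bytes."""
    return sha256d(serialize(tx))[::-1].hex()


def normalized_txid(tx: Tx) -> str:
    """Assumed form of the 'additional hash': same serialisation, signatures removed."""
    return sha256d(serialize(tx, strip_script_sig=True))[::-1].hex()


class WithdrawalLedger:
    """Defensive bookkeeping: key sent withdrawals on the signature-free id
    and on the outpoints they spend, never on the malleable txid alone."""

    def __init__(self) -> None:
        self._sent_ids: Set[str] = set()
        self._spent_outpoints: Set[Tuple[str, int]] = set()

    def record(self, tx: Tx) -> None:
        self._sent_ids.add(normalized_txid(tx))
        for i in tx.vin:
            self._spent_outpoints.add((i.prev_txid, i.prev_index))

    def already_sent(self, tx: Tx) -> bool:
        if normalized_txid(tx) in self._sent_ids:
            return True
        return any((i.prev_txid, i.prev_index) in self._spent_outpoints for i in tx.vin)


# Constructed sample values: stand-in bytes, not real signatures or keys.
SCRIPT_SIG_A = b"\x48\x30\x45" + bytes(0x43) + b"\x01\x21" + b"\x02" * 0x21
SCRIPT_SIG_B = SCRIPT_SIG_A + b"\x00"   # a differently encoded scriptSig for the same spend
PAY_TO_HASH = bytes.fromhex("76a914" + "11" * 20 + "88ac")

ORIGINAL = Tx(version=1,
              vin=(TxIn("aa" * 32, 0, SCRIPT_SIG_A),),
              vout=(TxOut(50_000_000, PAY_TO_HASH),))
MALLEATED = replace(ORIGINAL, vin=(replace(ORIGINAL.vin[0], script_sig=SCRIPT_SIG_B),))
UNRELATED = replace(ORIGINAL, vin=(TxIn("bb" * 32, 1, SCRIPT_SIG_A),))


def demo() -> dict:
    ledger = WithdrawalLedger()
    ledger.record(ORIGINAL)
    return {
        "txid_changed": txid(ORIGINAL) != txid(MALLEATED),
        "normalized_id_same": normalized_txid(ORIGINAL) == normalized_txid(MALLEATED),
        "ledger_recognises_copy": ledger.already_sent(MALLEATED),
        "ledger_ignores_unrelated": ledger.already_sent(UNRELATED),
    }


if __name__ == "__main__":
    print(demo())
```

Keying on the spent outpoints is the stronger of the two checks: it holds even for a rewritten copy that an unknown serialisation trick makes look entirely new, because two transactions cannot both spend the same coin.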
The original Silk Road used to sell everything from drugs and weapons to malware, forged documents and stolen credit card details, before the FBI arrested Ross William Ulbricht, a 29-year-old US citizen who had allegedly run the website since 2011 under the alias Dread Pirate Roberts.
The FBI claimed that over 9.5 million bitcoins had been traded on the website over the course of its existence, constituting roughly 80 percent of all BTC currently in circulation.
The new Silk Road, still hosted on the anonymous Tor network, picked up where the old website left off, along with a number of smaller drug bazaars run by a new breed of young, opportunistic, well-educated criminals.