Silk Road 2 Hacked, 88,000 Bitcoin Allegedly Stolen

  • 13 February 2014
  • 11 replies
  • 4 views

Userlevel 7
Badge +54
Silk Road 2 moderator Defcon reported in a forum post that hackers have used a transaction malleability exploit to hack the marketplace. The hackers stole over 88,000 bitcoins worth $41,474,415, emptying the site’s escrow account.

The site used a central escrow service to send bitcoins from buyers to sellers. The hackers exploited the transaction malleability bug – essentially a way users can mask transfers and ask for the same amount of BTC multiple times – to clean out this wallet. This is the same bug that forced Mt. Gox to halt all withdrawals, and recent updates have made average bitcoin wallets secure against this sort of attack. According to the site, hackers used the Silk Road’s automatic transaction verification system to order from each other and then request refunds for unshipped goods. Hackers were able to use the transaction malleability bug because the Silk Road used only the transaction ID to confirm the transfer of bitcoins. You can read more about the problem here.

They supposedly run an automated refund system for their vendors that relies on the TXID to verify transactions. Their claim is that six vendors colluded to exploit that system by ordering from one another and then submitting circular refund requests.
 
Full Article
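The TXID-only verification the post describes, beside an identifier that survives signature re-encoding, as an added example (not Silk Road 2's or any exchange's code); the transaction structure, the escrow address and the two signature encodings are constructed placeholders for illustration.

```python
import copy
import hashlib
import json

def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, the hash used for transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def serialize(tx: dict, with_scriptsig: bool = True) -> bytes:
    """Toy serialization (sorted JSON, not Bitcoin's binary format). What it
    preserves: the scriptSig bytes are part of what the legacy txid hashes."""
    if not with_scriptsig:
        tx = {**tx, "inputs": [{k: v for k, v in i.items() if k != "scriptsig"}
                                for i in tx["inputs"]]}
    return json.dumps(tx, sort_keys=True).encode()

def txid(tx: dict) -> str:
    """Legacy txid: covers the scriptSig, so a re-encoded signature changes it."""
    return sha256d(serialize(tx)).hex()

def canonical_id(tx: dict) -> str:
    """Id over spent outpoints and outputs only; unaffected by signature bytes."""
    return sha256d(serialize(tx, with_scriptsig=False)).hex()

# Constructed sample: a 10 BTC deposit to the escrow address, and the same
# transfer relayed with a differently encoded (still valid) signature.
# "3044...01" / "3045...01" are placeholders for the two encodings, not real signatures.
DEPOSIT = {"inputs": [{"prev_txid": "aa" * 32, "index": 0, "scriptsig": "3044...01"}],
           "outputs": [{"address": "ESCROW_ADDR_PLACEHOLDER", "value_sat": 10 * 100_000_000}]}
MUTATED = copy.deepcopy(DEPOSIT)
MUTATED["inputs"][0]["scriptsig"] = "3045...01"

def deposit_seen_by_txid(recorded_txid: str, confirmed: list) -> bool:
    """The check the post describes: the site remembers the txid it was handed
    and waits for exactly that id. If the mutated copy confirms instead, this
    returns False, the deposit looks failed, and an automatic refund goes out."""
    return any(txid(t) == recorded_txid for t in confirmed)

def deposit_seen_by_transfer(recorded_tx: dict, confirmed: list) -> bool:
    """Hardened check: match on what was spent and where the coins went,
    ignoring the signature bytes that malleability lets a relayer alter."""
    want = canonical_id(recorded_tx)
    return any(canonical_id(t) == want for t in confirmed)
```

Run with the mutated copy as the only confirmed transaction: the TXID check reports the deposit missing while the transfer check still finds it.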

11 replies

Userlevel 7
Badge +52
World’s largest Bitcoin exchange Mt. Gox has shut down its website, withdrawal system, deleted its Twitter feed and halted all trading systems after it detected "unusual activity."
The Bitcoin Foundation, a Bitcoin advocacy group, confirmed that Mark Karpeles, the chief executive of Tokyo-based Mt. Gox bitcoin exchange has resigned from the board of the Bitcoin Foundation. This comes just days after the exchange gave an update regarding the technical issues.
Last week, Mt. Gox said a technical glitch had forced the exchange to suspend bitcoin withdrawals for a week. They discovered the transaction falsification glitch, the same flaw alleged to have been used to steal all of the bitcoins worth about $2.7 million from Silk Road 2.0.
Later, some sources close to the matter have confirmed that more than 700,000 bitcoins are indeed missing from MtGox records, in a 'slow-leak' hack that went on for years. The repeated technical glitches over the past several months caused the shutdown of the biggest Bitcoin industry.
Bitcoin companies 'Coinbase, Blockchain.info, Circle, Kraken, Bitstamp, and BTC China' have issued a joint statement regarding MtGox.
"This tragic violation of the trust of users of Mt.Gox was the result of one company’s abhorrent actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants." "We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way."
MtGox has also deleted its entire Twitter feed, which is nearly unprecedented. Late last week, Bitcoin prices dropped to the lowest they have been since June, by $300 and currently, the value on MtGox is swinging between $300 and $500.
Source
Userlevel 7
Badge +52
Bitcoin exchange Mt. Gox files for bankruptcy with debts of $63.6 million
Mt. Gox has filed for bankruptcy, its lawyer told Japanese media at the Tokyo District Court
Embattled Bitcoin exchange Mt. Gox is filing for bankruptcy protection with liabilities of ¥6.5 billion (US$63.6 million), according to Japanese media reports.
A lawyer for the exchange, which had suspended bitcoin withdrawals weeks ago, made the announcement at a press conference at the Tokyo District Court.
CEO Mark Karpeles also apologized for the exchange's collapse, according to media reports.
The fall of Mt. Gox, once the world's biggest exchange for the digital currency, came amid reports that about 744,000 bitcoins had gone missing, either due to criminal fraud or theft.
Its website went offline this week as U.S. and Japanese authorities began looking into the situation surrounding the Tokyo-based exchange.
Source
Userlevel 7
Badge +52
Mt. Gox Source Code Leaked By Hackers Along With Team Information, Customer Data
 
Those interested in building a Bitcoin exchange should look no further than this chunk of source code posted by a “Russian leaker” called nanashi_. It alleges to contain the 1,700-line source code for Mt. Gox’s electronic exchange.
The code describes the Bitcoin class for Mt. Gox and the various methods for transmitting and receiving BTC. Hacker News believes that CEO Mark Karpeles AKA MagicaTux wrote some of the code.
Here is a private mirror of the code but you can also read it here. The hackers also claim to have a 20GB data dump of customer data along with passport scans and a list of contact information for Mt. Gox employees. The full IRC exchange with the leaker is here.
Source
Userlevel 7
Badge +54
If you’re one of the people affected by the recent Bitcoin blowout over on Mt. Gox, be wary of too-good-to-be-true mentions of lost digital cash being returned to worried owners. From the following Reddit thread:

“I’ve noticed a scam mail that is going around the internet recently claiming that mtgox has decided to return customers their bitcoins.

It goes by

    Have you lost your MTGOX Coins?
    go watch our news to claim your Bitcoins back!
    [dot]bitcoinbreaknews[dot]com/mtgox-lost-coins”

The poster mentions that running the offered executable attempted to download additional files. They’ve also upped some screenshots of their digging around which are worth checking out.

After looking at it myself, it seems that the original URL in the link above (“mtgox-lost-coins”) has been taken down – however, the site itself is still up, is still offering up “Flash Player” and it has a different MD5 to the file originally served so they’re likely changing up the download files every so often.

The site appears to have scraped the content of wsj.com, and added an “Install Adobe Flash Player” box over the top which is supposedly required to play the video. Clicking the Install button downloads a .rar file containing the executable in question.
 
Full Article
Userlevel 7
Badge +56
Ouch, that just rubs it in.
Userlevel 7
For those interested in this phenomenon but who don't really understand what Bitcoins are there is an excellent article in the UK Sunday Times, published yesterday, that explains quite well how all this started and the hunt to identify the elusive Satoshi Nakamoto...Daddy of the Bitcoin...worth a read if one can get hold of a copy.
 
Baldrick
Userlevel 7
Badge +54
Mismanagement apparently allowed a massive bitcoin heist.
 
Japanese authorities are trying to unravel what happened at Mt. Gox, the popular Bitcoin exchange that collapsed last week, and recent revelations are only serving to thicken the plot, not clarify it.
The tale of the Tokyo-based exchange appears to be like the code its software ran on; the latter was deemed "a spaghetti mess" by a company source who spoke on condition of anonymity.
Mt. Gox filed for bankruptcy protection in the Tokyo District Court on Feb. 28, saying that some 750,000 customer bitcoin and 100,000 of its own bitcoin had vanished, possibly stolen. Based on the valuation of the volatile cryptocurrency at the time of the filing, that is roughly US$474 million. An additional ¥2.8 billion (about $28 million) in cash was unaccounted for.
Tokyo police are now scratching their heads. "The National Police Agency seems to lack the ability to analyze the bitcoin trading history of Mt. Gox," a government official told a source probing the investigation.
 
Full Article
Userlevel 7
Badge +54
The Bitcoin community has been angrily pressing for details on what the Bitcoin exchange Mt. Gox has described as a massive hacker attack that stole hundreds of millions of dollars worth of its users’ bitcoins and left the company bankrupt. Mt. Gox’s staff isn’t talking. So another group of hackers say they’ve broken into the company’s servers to provide answers of their own.

On Sunday, hackers took over the Reddit account and personal blog of Mark Karpeles, Mt. Gox’s CEO, to post an angry screed alleging that the exchange he ran had actually kept at least some of the bitcoins that the company had said were stolen from users. “It’s time that MTGOX got the bitcoin communities wrath instead of [the] Bitcoin Community getting Goxed,” wrote the unidentified hackers, referring to the multiple occasions over its three-year history when Mt. Gox has gone offline, delayed trades or suspended withdrawals, events so common that Bitcoin users coined the phrase to be “goxed”–to suffer from Mt. Gox’s technical glitches.

The hackers also posted a 716 megabyte file to Karpeles’ personal website that they said comprised stolen data from Mt. Gox’s servers. It appears to include an Excel spreadsheet of over a million trades, a file that purports to show the company’s balances in eighteen different currencies, the backoffice application for some sort of administrative access to the databases of Mt. Gox’s parent company Tibanne Limited, a screenshot of the hackers’ access to those databases, a list of Mark Karpeles’ home addresses and Karpeles’ personal CV.
 
Full Article
Userlevel 7
Badge +56
That is crazy. I wonder when the whole truth will come out, if ever?
Userlevel 7
Badge +54
Mt. Gox, the Tokyo-based Bitcoin exchange that collapsed last month after the loss of around $474 million worth of Bitcoins, has filed for bankruptcy protection in the U.S.
The petition, made late Sunday in the U.S. Bankruptcy Court in Dallas, will be heard later Monday—a day before a court in Chicago is expected to rule on whether a U.S. class-action lawsuit can proceed against the company.
If successful in its Dallas filing, lawsuits in the U.S. against the company would be temporarily halted.
That would give Mt. Gox a little breathing room while the Tokyo District Court works through the collapse of the company and how best to proceed with bankruptcy.
 
Full Article
 
The next installment @ 
Userlevel 5
Oh god I hope my bitcoins are safe!
