Silk Road 2.0 emptied out by a hole in its Bitcoin pocket


A squishy number of Bitcoins has either been hacked out of the dark-net market for illicit goods, or, as Silk Road’s users muse, perhaps weaseled away by the site’s own administrators.

The squishy part comes in when you try to put a price tag on the total worth.

Forbes’s Andy Greenberg reports that a post put up on Thursday by one of the recently reincarnated market’s administrators – “Defcon” – listed a series of Bitcoin addresses that Silk Road’s administrators think were involved in the heist.

Those transactions apparently point to a single Bitcoin address containing 58,800 coins, worth more than $36.1 million (£21.6 million) at current exchange rates, but Greenberg noted that other estimates range from 41,200 coins by a Silk Road user to 88,000 by the Bitcoin news site.

More squishy still: an update to his original story notes that a researcher values the theft at only around 4,400 or so coins, worth around $2.6 million (£1.56 million).

The news temporarily melted Bitcoin’s value, but by Sunday it was back up at about $656.

At any rate, that about does it for Silk Road 2.0, one of the copycat sites to spring up after the original Silk Road was shut down by the FBI in October.

Defcon on Thursday reportedly posted a teeth-clenched message that began with, “I am sweating as I write this.”

He continued:

“I must utter words all too familiar to this scarred community: We have been hacked.

Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as 'transaction malleability' to repeatedly withdraw coins from our system until it was completely empty.”

That same Bitcoin flaw temporarily knocked offline two other major exchanges over the past few weeks: Bitstamp, which came back online on Saturday, and Mt.Gox.

Mike Hearn, a developer who works on the Bitcoin protocol, told IEEE Spectrum that the flaw is “a very subtle one” but is inherent to the Bitcoin protocol.

Defcon listed the online identities of the three supposed Silk Road 2.0 attackers and shared records of the transactions.

The administrator then called on the public to pick up their pitchforks, telling everybody to “stop at nothing to bring this person to your own definition of justice.”

But many skeptical Silk Road users are pointing their pitchforks at Silk Road administrators, accusing them of faking the hack and stealing the money themselves.

Given the lack of regulation of Bitcoin, and given that the dark net operates more or less beyond the law, investigating and proving such charges would be tough.

This is just another episode that points to how dangerous it can be to trust Bitcoins to exchanges that don’t rate such trust.

Even back in the early days of Bitcoin, the coins were tempting targets for thieves.

In 2012, they cost just over $10 each – a prize plenty worth it for the crooks who stole unencrypted backups from one poor guy, Roman Shtylman, whose security lapse during a server upgrade led to his losing a sideline Bitcoin business worth $250,000 overnight.

But compare that to today’s rate of about $656 (£389), and you can see why hackers are acting like bees swarming around Bitcoin honey.

It’s not just hackers and breaches we should worry about. Online Bitcoin exchanges are still immature, and many have suffered outages.

In a study of 40 exchanges, 18 of them had failed, leaving customers empty-handed.

Of course, this all underscores the fact that Bitcoin holders should be extremely careful about a given repository’s trustworthiness before trusting it to keep Bitcoin data safe.

Naked Security recently dispensed some tips on Bitcoin wallets and how to keep your money safe.

Definitely check out the tips to keep your digital currency safe. Bitcoins are tricky things even if you aren’t wandering around in the dark web with your pockets bulging.

Image of money spilling out of hole in bag courtesy of Shutterstock.