Silk Road 2 loses $2.7m in bitcoins in alleged hack
The anonymous online marketplace Silk Road 2 says it has been hacked, resulting in the loss of all its customers' bitcoins.
An administrator for the site said hackers had manipulated computer code enabling them to withdraw $2.7m (£1.6m) worth of the virtual currency.
It follows similar attacks on two exchanges that trade in bitcoins earlier in the week.
Silk Road 2 is known for selling drugs and other illegal items.
The site is only accessible through Tor, a network that allows users to browse anonymously online. The virtual currency Bitcoin is often used in transactions as it also grants users a degree of anonymity.
The original Silk Road site was shut down by the FBI in 2013 but those behind it said they would start a new site and shortly afterwards Silk Road 2 appeared online.
Completely empty
In a statement posted on Silk Road 2 forums, the administrator of the site, known as Defcon, said: "We have been hacked."
"Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.
"Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as 'transaction malleability' to repeatedly withdraw coins from our system until it was completely empty," he said.
How Bitcoin works
Bitcoin is often referred to as a new kind of currency.
But it may be best to think of its units being virtual tokens rather than physical coins or notes.
However, like all currencies its value is determined by how much people are willing to exchange it for.
To process Bitcoin transactions, a procedure called "mining" must take place, which involves a computer solving a difficult mathematical problem with a 64-digit solution.
For each problem solved, one block of bitcoins is processed. In addition the miner is rewarded with new bitcoins.
This provides an incentive for people to provide computer processing power to solve the problems.
To compensate for the growing power of computer chips, the difficulty of the puzzles is adjusted to ensure a steady stream of about 3,600 new bitcoins a day.
To receive a bitcoin a user must have a Bitcoin address - a string of 27-34 letters and numbers - which acts as a kind of virtual post-box to and from which the bitcoins are sent.
Since there is no registry of these addresses, people can use them to protect their anonymity when making a transaction.
These addresses are in turn stored in Bitcoin wallets which are used to manage savings.
They operate like privately run bank accounts - with the proviso that if the data is lost, so are the bitcoins owned.
Transaction malleability involves someone altering a transaction's cryptographic identifier, known as a transaction hash, before the transaction is recorded in the blockchain, the database of every transaction carried out in the currency.
This method can result in the system thinking a transaction has not been carried out when it has and therefore repeatedly paying out bitcoins.
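The accounting failure just described, as an added toy example that is not from the article and is not Silk Road 2's or any exchange's code: the transaction hash covers the signature encoding, so a service that reconciles withdrawals by txid misses a confirmation whose id was changed in transit and wrongly treats the withdrawal as unpaid, while reconciling on the coins actually spent settles it. Function names, the dict layout and all sample values are constructed for the illustration.

```python
import hashlib
import json

# Constructed model: a "transaction" is a dict and its txid is a hash over every
# serialised field, including the signature encoding (`scriptsig`), so the id can
# change while the inputs spent and the outputs paid stay identical.

def txid(tx: dict) -> str:
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def build_withdrawal(outpoint: str, dest: str, amount: int, scriptsig: str) -> dict:
    return {"inputs": [outpoint], "outputs": [{"to": dest, "amount": amount}],
            "scriptsig": scriptsig}

def unpaid_by_txid(sent: list, confirmed: list) -> list:
    """Vulnerable reconciliation: a withdrawal counts as paid only if the exact
    txid we broadcast appears on the chain. A copy with a different id never
    matches, so the withdrawal looks unpaid and a naive system pays it again."""
    seen = {txid(tx) for tx in confirmed}
    return [tx for tx in sent if txid(tx) not in seen]

def unpaid_by_outpoint(sent: list, confirmed: list) -> list:
    """Hardened reconciliation: match on which coin was spent, to whom and for
    how much. Once that is on the chain the withdrawal is settled, whatever
    txid the chain recorded for it."""
    seen = {(i, o["to"], o["amount"])
            for tx in confirmed for i in tx["inputs"] for o in tx["outputs"]}
    return [tx for tx in sent
            if not all((i, o["to"], o["amount"]) in seen
                       for i in tx["inputs"] for o in tx["outputs"])]

# Constructed sample: the site broadcasts one withdrawal; the copy that confirms
# carries the same input and output but a different signature encoding.
SENT = [build_withdrawal("coin-a:0", "vendor-addr", 100, "sig-encoding-1")]
CONFIRMED = [build_withdrawal("coin-a:0", "vendor-addr", 100, "sig-encoding-2")]

def demo() -> dict:
    return {"txid_changed": txid(SENT[0]) != txid(CONFIRMED[0]),
            "unpaid_by_txid": len(unpaid_by_txid(SENT, CONFIRMED)),
            "unpaid_by_outpoint": len(unpaid_by_outpoint(SENT, CONFIRMED))}

if __name__ == "__main__":
    print(demo())  # {'txid_changed': True, 'unpaid_by_txid': 1, 'unpaid_by_outpoint': 0}
```

The txid-keyed ledger is the one that keeps reissuing payment for an already-settled withdrawal, which is why the operators who paused withdrawals lost nothing further.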
The two exchanges hit by attacks earlier in the week, MtGox and Bitstamp, had suspended transactions to prevent it happening again.
Defcon admitted that Silk Road 2 should have done the same.
Run with gold
"I should have taken MtGox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too sceptical of the possible issue at hand," he said in the forum posting.
In an article for CoinDesk, a news site for digital currency, Danny Bradbury, an expert on Silk Road, said that bitcoin-based sites should put "bitcoins under management in cold storage (ie stored offline) so that they could not be stolen by online attackers."
Defcon said that all its customers' bitcoins were being stored online because of planned relaunches of some of the site's features.
"In retrospect this was incredibly foolish, and I take full responsibility for this decision."
Despite Defcon denying that he had "run with the gold", several Silk Road 2 users questioned whether the operators of the site were involved or covering for people involved.
"Does that even sound plausible? Or does it make more sense that they were waiting for the right moment... so that they could retire comfortably," wrote aqualung.
"Imagine you run this site, you see a huge amount of money sitting right there, and you know that you can take all of it and easily blame it on a hacker," wrote cubensis.
The site said as a result of the attack it would no longer host "escrow wallets" - an account where bitcoins are held until goods ordered are delivered.
The chief executive of the company that runs the MtGox bitcoin exchange was confronted by an angry customer at the company's headquarters in Tokyo this week.
Kolin Buges, a bitcoin trader from London, said he had travelled to Japan as he was unhappy at MtGox's explanation for its recent problems on the site which prevented customers from making withdrawals.
He had 250 bitcoins, worth $155,000, in his MtGox account.
"I want to get my bitcoin back, or get MtGox to bring back public confidence that the company is solvent and people's money [is] safe," Mr Buges told the Wall Street Journal.
One bitcoin is currently trading for around $620, significantly lower than the $830 level it was at before news of the various attacks broke.