Hackers Exploit Bitcoin Vulnerability in $2.6 Million Theft

Where there’s a will, there’s a way. That’s the credo of pretty much any market out there, regardless of its legality. The FBI shut down one notoriously shady market, The Silk Road—an online outlet where users could purchase drugs, firearms, stolen credit cards, and more—in October 2013. Less than one month later, the site re-launched under a movie sequel-like moniker: The Silk Road 2.

But the celebratory re-launch of the one-stop-shop for all things black market didn’t last. You see, peddling shady items online tends to attract shady elements like cybercriminals and hackers. This truth came to a head late last week when The Silk Road 2 itself fell victim to a $2.6 million Bitcoin hack.

I’ve previously discussed the security risks behind virtual currencies like Bitcoin. These risks just keep on growing. This time, according to a site administrator going by the alias “Defcon,” Silk Road 2 fell victim to a Bitcoin vulnerability known as “transaction malleability,” a process allowing users to delay payments made through Bitcoin. Because the hackers were able to change the unique ID associated with the Bitcoin, they made it appear as though the transactions never went through.
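To make the changed-ID problem concrete from the defender's side, here is an added example (not from the original post or from any Bitcoin software) of a payout check that trusts the transaction ID next to one that checks which coins were actually spent. A real transaction ID is the double SHA-256 hash of the serialized transaction, which at the time of this incident included the signature bytes. The serialization format, function names and sample values below are simplified and constructed for illustration.

```python
import hashlib
from typing import NamedTuple

class TxIn(NamedTuple):
    prev_txid: str      # hex ID of the transaction that created the coin being spent
    vout: int           # which output of that transaction
    script_sig: bytes   # signature data, hashed into the ID in this model

class Tx(NamedTuple):
    inputs: tuple       # TxIn entries
    outputs: tuple      # (address, amount_in_satoshi) pairs

def serialize(tx: Tx) -> bytes:
    # Simplified stand-in for Bitcoin's wire format (assumption for this example).
    out = b""
    for i in tx.inputs:
        out += bytes.fromhex(i.prev_txid) + i.vout.to_bytes(4, "little")
        out += bytes([len(i.script_sig)]) + i.script_sig
    for address, amount in tx.outputs:
        out += address.encode() + amount.to_bytes(8, "little")
    return out

def txid(tx: Tx) -> str:
    # Transaction ID: double SHA-256 of the serialized bytes, displayed byte-reversed.
    return hashlib.sha256(hashlib.sha256(serialize(tx)).digest()).digest()[::-1].hex()

def payment_key(tx: Tx):
    # What the payment actually does: which coins it spends and whom it pays.
    return (frozenset((i.prev_txid, i.vout) for i in tx.inputs), tx.outputs)

def paid_by_txid(sent, confirmed):
    # Fragile check: a payout counts as paid only if its original ID was confirmed.
    ids = {txid(t) for t in confirmed}
    return [txid(t) in ids for t in sent]

def paid_by_spent_coins(sent, confirmed):
    # Robust check: a payout counts as paid if the same coins reached the same outputs.
    keys = {payment_key(t) for t in confirmed}
    return [payment_key(t) in keys for t in sent]

# Constructed sample data: one payout, and the copy that confirmed with the
# signature bytes encoded differently (placeholder bytes, not real signatures).
COIN = "ab" * 32
SENT = Tx((TxIn(COIN, 0, b"sig-encoding-1"),), (("customer-address", 50_000),))
CONFIRMED = Tx((TxIn(COIN, 0, b"sig-encoding-2"),), SENT.outputs)

if __name__ == "__main__":
    print("IDs match:", txid(SENT) == txid(CONFIRMED))
    print("paid (by ID):", paid_by_txid([SENT], [CONFIRMED]))
    print("paid (by spent coins):", paid_by_spent_coins([SENT], [CONFIRMED]))
```

A service that re-sends every payout the ID-based check reports as unpaid would pay twice; the coin-based check shows the original payout already went through.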

Both the Bitcoin Foundation—the organization charged with managing the Bitcoin currency—and Silk Road 2 have been quick in responding to and addressing the vulnerability. The Bitcoin Foundation released a statement saying they are “creating workarounds and fixes right now,” while Silk Road 2 emphasized to its users that “[Silk Road] leadership and [its] community will not stop until you are completely repaid.” Unfortunately for them, it may be quite difficult to trace this trail of virtual cash, as Bitcoin operates on a platform of anonymity.

As for who was behind the hacking, there are many different theories—all of which are hard to prove, given the hidden nature of both the victim and the perpetrator in this situation. DeepDotWeb, a Silk Road 2 user who has been particularly quick in posting updates on this issue, has speculated that the story of a hack is a cover-up so that Silk Road administrators can keep the stolen Bitcoin for themselves (a theory that we’ve seen once before). Meanwhile, there are reports that another Silk Road user has already identified the full name and location of the hacker and has encouraged users to do what they see fit in this situation.

It’s hard to garner sympathy for drug traders and buyers. However, this case does highlight the risks behind using an unregulated virtual currency. In our McAfee Labs™ 2014 Threats Predictions Report, we foresaw that virtual currencies would continue to attract the attention of cybercriminals. It looks like that prediction is holding true.

Even for those of us who do not foray into the world of Silk Road 2, this massive theft does remind us of a few general security lessons, both on and offline:

  • Think before you invest: Bitcoin value changes rapidly. Current affairs like this hacking effort can impact the currency’s value. Just like with any investment, it’s important to know what you’re getting yourself into. Do some research beforehand if it’s your first time purchasing Bitcoin.
  • Don’t use your personal bank account. If you must buy Bitcoin, then do so in ways that don’t require you to give up your routing and bank account numbers. PayPal is one option. Money orders are another.
  • Know who’s on the other end. Bitcoin’s pseudo-anonymity is one of the currency’s main attractions. But using Bitcoins often means you don’t know who’s on the other end. If you can, learn as much as you can about whomever you’re dealing with through reviews and online forums.
  • Lock up your Bitcoins. If you’re going to take the jump into virtual currency, then keep your Bitcoins stored on a device that’s not connected to the Internet—like an external hard drive. Use a strong password and software that provides hard drive protection and scanning for malware. McAfee LiveSafe™ service is a great option for all three.

To stay updated on the latest consumer security news, follow us on Twitter at @McAfeeConsumer and Like us on Facebook.

Gary Davis

