Image: Shutterstock/Low Chin Han
“I am sweating as I write this… I must utter words all too familiar to this scarred community: We have been hacked.”
That is what Defcon, the current administrator of the infamous black market site Silk Road (the 2.0 version), wrote back in February on the site’s forums. In total, an estimated $2.7 million worth of bitcoin belonging to users and staff of the site was stolen.
Some in the Silk Road community suspected that the hack might have involved staff members of the site itself, echoing scams on other sites. Project Black Flag closed down after its owner scampered with all of their customers' bitcoin, and after that users of Sheep Marketplace had their funds stolen, in an incident that has never been conclusively proven as an inside job or otherwise.
In the wake of Mt. Gox claiming that their Bitcoin exchange service had been the victim of a documented weakness in Bitcoin known as “transaction malleability,” it was thought Silk Road had suffered a similar attack.
But after weeks of internal investigations, and with coveted members of the community offering to help, Defcon told me that staff concluded there was a vulnerability in the “Refresh Deposits” function of the site. Using this, the hacker was able to spam the link and exponentially credit their account with more and more bitcoins, taking them out of the section of Silk Road that stored the currency while it was being traded. A large stockpile of bitcoin was in transit at the time because of planned upgrades to the infrastructure of the site.
Many site owners would probably have given up at this point, and perhaps attempted to join another site, or start up a new one under a different alias. Why would you bother to pay back millions of dollars when you could just disappear into the digital ether? But Silk Road appears to be trying to rebuild, and to repay users' lost bitcoins.
Hanging out in one of my deep web haunts, DoctorClu, a staff member of Silk Road, approached me. We spoke via the same means I have been throughout my reporting on Silk Road: encrypted messages. Since the rise of Silk Road 2.0—the original was shut down by the FBI in October 2013—I have been in regular contact with the administration and some staff members of Silk Road.
DoctorClu told me that although many users of the site have had their lost funds returned, a huge amount of bitcoins are just lying there, repaid to people who haven’t logged in since the hack.
According to Silk Road staff members, 50 percent of the hack victims had been completely repaid as of April 8, and users themselves have been continually reporting payments since the breach, posting on the site forum when they receive their payment. Since February 15, the administration of the site has not made any commissions on sales. Instead, every time a purchase is made, a five percent slice of the cost goes directly into the account of a randomly determined hack victim.
I asked for additional verification of exactly how many Bitcoins laid unwithdrawn, but the staff explained this was difficult to provide without giving away information that could compromise the security of the site. It's also not clear how many accounts the unclaimed bitcoins are spread across, as revealing that information to the public would indicate the size of Silk Road, something the administration is hesitant to do in order to protect the site and its users.
Defcon, however, did provide this screenshot, which could not be independently verified, showing the total number of repaid balances:
According to Defcon, “over 1000 BTC is sitting in the wallets of victims who have not logged in since the hack.” At today's exchange rates, that is approximately $500,000.
“Most simply did not think that such a large repayment was possible given its amount,” DoctorClu told me. “Like so many other hacks/seizures/scams, many could not believe that we would ever be able to give back what was stolen, or that we would even promise such a thing. They have stayed away from Silk Road and possibly the Darknet in general.”
In one way, it may be a good thing that people haven't been logging back into their accounts and cashing out. The value of one bitcoin fell to around $300 last week, but the world's most popular cryptocurrency is now floating around $500.
Another reason for the lack of logins could be that users are concerned with the security of the site, and have decided it is safer to avoid it altogether. Without knowing which users haven’t logged in and then speaking with them, this is difficult to tell. What is certain, though, is that some people are getting repaid. On the Silk Road forums, users have been keeping a self-reported tally of who has received their funds or been partly paid back, and those who are still waiting for the repayment process to begin.
“Just to let the community know that as of today I am fully repaid from the hack,” said senior member 'Gravitax-UK,' “Very nice surprise when I logged in!” Another user writing under the pseudonym 'uglypapersbox' chimed in, “[...] despite having to wait one week short of 2months I got paid back in full. BTC is in my account.”
A phrase that keeps popping up in the testimonials is “faith restored.” This hits upon a common theme in the realm of online black markets. Maintaining any sort of trust in an anonymous space such as the deep web is hard enough: how do you know who I say I am, and how do you know my motivations? Combine that intrinsic problem with the recent history of marketplaces turning out to be scams, and it's near impossible to take the word of a digital avatar that you will never meet.
“Establishing trust as an anonymous leader of an anonymous community is certainly a challenge,” Defcon told me.
Perhaps in a similar way to how vendors on the deep web build up a reputation by providing a high quality service and product, the administration of Silk Road are doing the same. “May our actions speak louder than our words,” Defcon wrote in a recent statement on the site's forums, posted after the hack.
While many have had all of their lost funds returned, however, some haven't seen any bitcoins land in their laps yet, at least according to the user-generated poll on the site's forum. Just over a quarter of respondents state, "i am still awaiting a payment." There are several caveats to this though: not all users of the site have participated in the poll, and its results could be corrupted by trolls.
The site admins say this shouldn't be the case for much longer. “We are fighting to repay every coin lost, and hope that users remember to check their accounts for repayments,” Defcon told me. “All of our staff's fee earnings will continue to be invested back into the community until every victim is paid back." The administrator of the site expects to have everyone repaid by mid-June, assuming that the site's current usage levels remain stable.
After the original site being shut down by the FBI, high-ranking staff members being arrested in various parts of the world, and of course this crippling hack, Silk Road is still standing. In Defcon's view, that’s not just a reflection of its staff, but its remaining users, who could have left the marketplace or turned to other sites after its troubled past.
“We are blown away to be part of such a resilient community,” he said. “It is clear that Silk Road is a movement, not just a marketplace.”