The anonymous online marketplace Silk Road 2 says it has been hacked, resulting in the loss of all its customers' bitcoins.
An administrator for the site said hackers had manipulated computer code enabling them to withdraw $2.7m (£1.6m) worth of the virtual currency.
It follows similar attacks on two exchanges that trade in bitcoins earlier in the week.
Silk Road 2 is known for selling drugs and other illegal items.
The site is only accessible through Tor, a network that allows users to browse anonymously online. The virtual currency Bitcoin is often used in transactions as it also grants users a degree of anonymity.
This incident may be particularly interesting to watch because of the notable degree of ineptitude demonstrated by the website's administrator, known (ironically) as Defcon. Defcon should have known that the website was vulnerable to this type of hack because a similar attack on the Slovenia-based bitcoin exchange firm, Bitstamp, occurred only a few days earlier. That hack made international news, with the BBC reporting about the attack and its underlying mechanics here.
Defcon himself admitted that he should have been taking more precautions:
"I should have taken MtGox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too sceptical of the possible issue at hand," he said in the forum posting.
In an article for CoinDesk, a news site for digital currency, Danny Bradbury, an expert on Silk Road, said that bitcoin-based sites should put "bitcoins under management in cold storage (ie stored offline) so that they could not be stolen by online attackers."
Defcon said that all its customers' bitcoins were being stored online because of planned relaunches of some of the site's features.
"In retrospect this was incredibly foolish, and I take full responsibility for this decision."
Several Silk Road 2 users suspect that Defcon or other website administrators may have been involved in the hack, which Defcon denies.
Even if Defcon was not maliciously involved in the hack, it seems that his administration of the website was notably foolish. The failure to halt withdrawals in light of widespread reports on Bitcoin security breaches and the storing of all customers' Bitcoins online both contributed to the success of this hack. These failures, combined with Defcon's admission that he should have taken additional precautions, set the stage for a substantial negligence lawsuit against Defcon and Silk Road 2.
As far as I am aware, there have not been many similar negligence lawsuits against Bitcoin exchanges. I am aware of one lawsuit that is pending in California against the Bitcoin exchange, Bitcoinica, following the loss of thousands of Bitcoins in a hack on the exchange. The complaint in that case is available here. And at The Verge, Adrianne Jeffries reports on obstacles that case may face here. Jeffries also reports on another lawsuit against Bitcoin exchange Tradehill, but that lawsuit apparently has proceeded to arbitration.
While the Bitcoinica lawsuit is in its early stages, potential problems with that lawsuit highlight issues that may arise in a lawsuit against Silk Road 2. From Jeffries:
The plaintiffs may face some challenges. The question of jurisdiction is not addressed, and although some of the plaintiffs live in San Francisco, Bitcoinica is now based in the UK. The suit also hopes to pull in up to 100 defendants. "Bitcoinica is an entity of unknown form and origin," says the complaint, which names three defendants and "Does 1 through 100." A representative for Intersango declined to comment. The lawyer for the plaintiffs declined to comment because his lead client could not immediately be reached.
Similar problems may arise in a lawsuit against Silk Road 2. Bitcoin exchanges operate in a world of anonymity, and it may be difficult for plaintiffs to determine the true identity and location of website administrators like Defcon.
It will be interesting to see if any lawsuits result from this recent hack. Because the facts are very favorable for a negligence lawsuit, and because millions of dollars were lost as a result of this hack, I think that there is a high possibility of legal action. If lawsuits occur, this will be a good opportunity to see how the plaintiffs and courts address the obstacles of the defendants' anonymity.