A statement from the website Silk Road 2 says 4400 Bitcoins, currently worth about US$2.6 million, were stolen from the site and its users via the 'transaction malleability' bug, which lets a third party alter the unique ID of a Bitcoin transaction before it is confirmed on the network.
The site's admin Defcon said in a post (viewable with an Onion browser) that three users had exploited the recently-discovered bug to steal the Bitcoins. Aussie users LethalWeapon and mrkermit were suspected of each stealing 2.5% of the total, with the remainder taken by a user known by at least six handles.
In an effort to track down the culprits, Silk Road's administrators released the usernames involved and the transaction details of exactly what was stolen.
Silk Road 2 popped up after the original Silk Road, an online illegal drugs and weapons haven, was sensationally shut down by the FBI last year.
"I am sweating as I write this," Defcon said. "Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as transaction malleability to repeatedly withdraw coins from our system until it was completely empty."
"I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch."
"It is a crushing blow ... I am now fully convinced that no hosted escrow service is safe."
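The failure mode Defcon describes above, a service that re-issues a withdrawal whenever the txid it broadcast fails to confirm, can be illustrated with a constructed toy ledger. This is an added example, not code from the article or from Silk Road 2; the transaction format, the coin ids and the way the signature is re-encoded are assumptions standing in for the real protocol, and the point is the reconciliation policy, not the malleation itself.

```python
import hashlib
import json

# Toy model of a hot-wallet withdrawal ledger (constructed; not Bitcoin's
# real wire format). Pre-SegWit, the txid covers the signature bytes, so a
# relayer that re-encodes a signature changes the txid while the inputs
# spent and the outputs paid stay identical.

def txid(tx):
    blob = json.dumps(tx, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()

def malleated_copy(tx):
    # Abstracts a third party re-encoding the signature: same spend, same
    # payee, different id. The concrete re-encoding is not modelled here.
    alt = dict(tx)
    alt["sig"] = tx["sig"] + ":alt-encoding"
    return alt

def withdrawals_to_resend_by_txid(ledger, confirmed):
    """Fragile policy: a withdrawal counts as paid only if the exact txid the
    service broadcast is among the confirmed transactions."""
    return [w["id"] for w in ledger if txid(w["tx"]) not in confirmed]

def withdrawals_to_resend_by_outpoints(ledger, confirmed):
    """Robust policy: a withdrawal counts as paid once any confirmed tx spends
    the inputs the service assigned to it, whatever that tx's id is."""
    spent = {op for tx in confirmed.values() for op in tx["inputs"]}
    return [w["id"] for w in ledger if not set(w["tx"]["inputs"]) & spent]

def demo():
    # Service pays 1.0 to a user from one of its own coins (constructed ids).
    tx = {"inputs": ["servicecoin-a:0"], "outputs": [["user-addr", 1.0]],
          "sig": "sig-over-inputs-and-outputs"}
    ledger = [{"id": "w1", "tx": tx}]
    # The network confirms a malleated variant instead of the original.
    confirmed_tx = malleated_copy(tx)
    confirmed = {txid(confirmed_tx): confirmed_tx}
    assert txid(tx) != txid(confirmed_tx)
    return (withdrawals_to_resend_by_txid(ledger, confirmed),
            withdrawals_to_resend_by_outpoints(ledger, confirmed))

if __name__ == "__main__":
    naive, robust = demo()
    print("resend under txid policy:", naive)       # ['w1'] -> pays twice
    print("resend under outpoint policy:", robust)  # []
```

Under the txid policy the coin is already gone yet the withdrawal looks unpaid, so an automated retry pays it again from a fresh coin; keying settlement on the outpoints spent (or pausing withdrawals, as Defcon notes MtGox and Bitstamp did) closes that loop.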
Meanwhile Reddit user LedLevee threw cold water on the 'hacking' claim, instead suggesting the entire operation was a scam by the site's administrators.
Check out the user's post in full below.
Admins have been "postponing" updates for months now, with delay after delay. No auto-finalization or resolution center with support means that literally millions worth of Bitcoins are piling up in escrow. Buyers and vendors were complaining about this but were told to shut up because the admins were working on it.
The supposed hack isn't possible. Defcon (the guy running SR2) has made a statement as to how it should have happened, except this is impossible. They point to a vulnerability that doesn't allow you to steal Bitcoins from a wallet. The supposed vulnerability was exposed in 2011 and it doesn't allow you to steal, only to hinder transactions being confirmed.
The "hack" is still going on (you can look up Bitcoins and Bitcoin wallets on blockchain.info) even though the site is supposedly offline. They're still emptying out the place.
The admins either were planning to scam all along or realized halfway through they are in no way competent enough to run this ship and this was the best way to throw in the towel while still getting rich.
Edit: Lots of people commenting how this is devastating to Bitcoins. I doubt it is. Bitcoins have taken a lot of hits before, the most memorable being the SR1 bust (which was a much greater amount of coins) and most recently, the Chinese government blocking it. It's recovered from both, and if anything, gained in value (although I'll agree the $1000+ prices were a bubble perhaps). The same thing happened when SR1 got busted and they went up again afterwards, it's just the market's knee-jerk. Also, Silk Road ≠ the entire Bitcoin market.