Topic: Cannabis Road hacked despite using 3 levels of multi sig, 200 BTC hacked (Read 2864 times)

This is exactly correct. The people that run these kinds of sites do not reveal their identities and go to great lengths to keep their identities hidden. If after a certain amount of time they are not arrested by law enforcement (who have vastly greater resources then most drug buyers on these sites) then the sites operators can be more or less assured that anyone that they steal from will not be able to find their identities.

Im sure this is an inside job

Will OpenBazaar fix this issue? I guess it will.

the "we can't recover from this so we need to shut down" is bogus. it costs next to nothing to run a tor hidden service.  run and pay back the customers , didn't sr2 do that ?

cha ching, this guy gets it.

as if the customers are now going to go to the cops or try to get a court order saying that their drug money had been stolen.
when dealing with people that handle illegal stuff, assume its them that you cannot trust and that they will be the ones to stab you in the bck first, because they know the customer cant do a damn thing about it.

then assume that they will come up with some cunning excuse to shift the blame to then repeat the same scam again

With such a robust security supposedly in place I would have to think this was an inside job as well. Unfortunately there is no real recourse for people that lost money in an illegal business. The BTC drug market seems to be destroying itself.

Why would anyone use a Computer to buy illegal narcotics? It just boggles the mind... 

I wonder where are these 200 BTC by now.

it makes sense also that it was inside job because who wants the risk of running it indefinitely? they have to have an exit strategy and this one gives them a nice pay day.... especially considering it is hard to sell the business as you could do more easily with a legal operation.

That sounds about right, you  can't have multisig transactions hacked unless they all came from the same PC using the same core wallets which defeats the purpose of having a multi-signature wallet.

Where each key is generated independently on separate systems, the only way this would fail is if someone compromised all the computers and the keys or they were stored in a digital server cache like dropbox.
In other words it didn't happen someone either is lying or they really did something stupid to mess that up so badly.

Whatever if it did really get hacked legitimately I look forward to the code audit some core developers will have a field day on this one if it was real ^^. (Something wrong in the ECDSA when generating more than one protection key kid )

I think nails it right on the head. Over the past year there have been several illegal TOR drug related sites that have claimed to have gotten hacked at a time when they have reached their peak of amount of deposits from customers. The fact that the owners attempt (and generally are successful) to be anon it will be very difficult for anyone to figure out who had stolen their bitcoin.

For all anyone knows, all of the illegal drug sites that have their coins stolen are all run by the same person/group of people.

200 bitcoins, now that's what real money means. Probably the real owner got indebted or something, I also wonder how the heck did he manage to get into after such a tight security.

Another company that says it got hacked how very convenient.

if this news is true ,
should we be carefull 

Hahaha nice

That's probably just fake hack, never trust criminals! (Exept for Ross William Ulbricht)

If they use multisig like Bitgo does, which I'm using, the hacker would have to compromise both the users computer AND the website of the drug-market. Unlikely but not impossible. Since the majority are not using multusig yet I would choose and easier target if I was a hacker I guess...

It is certainly not using multi-sig for their customer accounts. Maybe once they initiate a purchase, the system puts the money in escrow with a multi-sig transaction but before that, the money sits in at an address protected with a single key.

If you want to see why, follow the link they provided to blockchain.info
https://blockchain.info/address/1CatnMd3jsEKhwhSLUf8V862im8gBp3NDF

There are 4 transactions that totalled 50 BTC each. Click on any of them. They have lots of small inputs and a single output. Every input corresponds to a customer account.
Click on any of them. Look for the address in the output side. It's the transaction that funded that account. Follow that transaction. The output script looks like OP_DUP OP_HASH160 xxxxxx OP_EQUALVERIFY OP_CHECKSIG which is a standard pay-to-hash transaction.

Basically, their system has an inherent flaw. When a custom funds his account, he does a normal transaction. They have a script that collects everything from all the deposits and moves it to their own address. From there they can do the multi-sig stuff.

The developper of the website gave the tool to the hacker himself. The hacker just had to change one parameter, the target address and he was done.

Honestly, this looks like very shabby work and also shows once again that we shouldn't believe the marketing crap. Multi sig ... right

probably buy some weed 

I wonder what the hacker would have done with those money..

Also was the security flawed that hacker got into?

My guess it was an inside job for sure.