Two Australians are suspected of taking part in a staggering $3 million Bitcoin heist from the second iteration of the infamous Silk Road drug marketplace.
The 4400 Bitcoins were stolen from the site and its users via the 'transaction malleability' bug, which allows attackers to alter the unique ID of Bitcoin transactions before they are confirmed on the network.
The administrator of Silk Road 2 - using the handle Defcon - admitted in a lengthy post that three users had exploited the recently-discovered bug to drain the site and its customers of funds.
Australian users LethalWeapon and mrkermit were suspected of each stealing 2.5 percent of the total, with the remainder taken by a user known by at least six handles.
Silk Road's administrators released the usernames and transaction information in a bid to track down the thieves.
The identities of the site's buyers and sellers were not compromised, the admin said.
"I am sweating as I write this," Defcon said. "Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as transaction malleability to repeatedly withdraw coins from our system until it was completely empty."
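The draining pattern Defcon describes, as an added illustration that is not code from the article or from Silk Road 2: a withdrawal tracker keyed by txid never sees its own transaction confirm once the txid has been changed in flight, so it still believes it owes the customer, while a tracker keyed by the outpoints the withdrawal spends settles correctly whatever txid the mined copy carries. The transaction model, hashing and names are simplified constructed assumptions, not Bitcoin's real serialization.

```python
import hashlib
from dataclasses import dataclass
# Constructed, simplified transaction model (not Bitcoin's real wire format).
# The txid is a double-SHA256 over the whole transaction, scriptSig included, so
# re-encoding the signature data changes the txid while inputs and outputs do not.
@dataclass(frozen=True)
class Tx:
    inputs: tuple       # outpoints being spent, e.g. (("prev_txid", 0),)
    outputs: tuple      # (destination, amount) pairs
    script_sig: bytes   # signature encoding; this is the malleable part

    def txid(self) -> str:
        raw = repr(self.inputs).encode() + repr(self.outputs).encode() + self.script_sig
        return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def mutated_copy(tx: Tx) -> Tx:
    """Stand-in for a third party re-encoding the scriptSig; spend is unchanged."""
    return Tx(tx.inputs, tx.outputs, tx.script_sig + b"\x00")

class TxidLedger:
    """Tracks pending withdrawals by txid, the pattern that gets drained."""
    def __init__(self):
        self.pending = {}
    def withdraw(self, tx):
        self.pending[tx.txid()] = tx
    def on_confirmed(self, tx):
        # A mutated txid never matches, so the original looks unconfirmed forever.
        self.pending.pop(tx.txid(), None)

class OutpointLedger:
    """Tracks pending withdrawals by the outpoints they spend; txid is irrelevant."""
    def __init__(self):
        self.pending = {}
    def withdraw(self, tx):
        self.pending[frozenset(tx.inputs)] = tx
    def on_confirmed(self, tx):
        # Any confirmed tx spending our outpoints settles the withdrawal.
        spent = set(tx.inputs)
        for key in [k for k in self.pending if k & spent]:
            del self.pending[key]

def would_reissue(ledger_cls) -> bool:
    """True if the ledger still thinks it owes the customer after the txid is mutated."""
    ledger = ledger_cls()
    tx = Tx((("hotwallet_utxo", 0),), (("customer_addr", 100),), b"\x30\x44sig")
    ledger.withdraw(tx)
    confirmed = mutated_copy(tx)      # the version that actually gets mined
    ledger.on_confirmed(confirmed)
    return bool(ledger.pending)       # non-empty means a second payout would follow
```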
The attacker struck as administrators moved the community's cash into hot storage in preparation for an upgrade to facilitate escrow. Defcon said the move was "incredibly foolish".
The admin regretted not following exchanges MtGox and Bitstamp in disabling Bitcoin withdrawals when the malleability bug was reported this week, adding that they were sceptical of the vulnerability.
"It is a crushing blow ... I am now fully convinced that no hosted escrow service is safe."
But the vulnerability may not have been the cause of the breach, according to analysis of the MtGox blunder by Pirate Party founder Rick Falkvinge. The technology expert said it was more likely caused by poor code hygiene that failed to keep up with long-scheduled changes to the Bitcoin protocol.
Those changes cut out unnecessary information from transaction records, causing MtGox to issue invalid transaction records for Bitcoin withdrawals, Falkvinge said.
"What this means is that Mt Gox wasn’t the subject of some skilled hacking related to transaction malleability. Instead, bad code hygiene was causing MtGox to broadcast invalid transactions, which could trivially be corrected and re-broadcast, causing all these problems downstream," he said.
Meanwhile, users suggested the admins' notice may be an elaborate scam to hide a possible theft of the Bitcoins by site administrators.
Such an attack was thought to have occurred when administrators of Silk Road spin-off the Sheep Marketplace stole a whopping $40 million in Bitcoins, the largest theft to date. Administrators left a terse statement claiming that a vendor stole the coins.
The original and infamous Silk Road was shuttered late last year when its head Ross William Ulbricht was arrested in October.
Defcon called for a developer capable of building a platform to support multi-signature transactions for popular Bitcoin clients.