BitcoinTalk forum hacked by 'The Hole Seekers'

Popular digital currency forum BitcoinTalk has been hacked by a group calling themselves "The Hole Seekers".

Updated Sep 10, 2021, 11:36 a.m. Published Oct 3, 2013, 2:19 p.m.

Article updated on October 7 at 11:00

The site is now down, but for a period, it displayed animations of bombs exploding and photos of classical music conductors, all set to the 1812 Overture, which is also the soundtrack to the explosion scene in V for Vendetta.

Toward the end of the animation, a banner was displayed, stating:

"Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye"

Theymos, the administrator of BitcoinTalk, told CryptoLife.net that the attack was worse than he originally thought.

"There’s a good chance that the attacker(s) could have executed arbitrary PHP code and therefore could have accessed the database, but I’m not sure yet how difficult this would be. I’m sending out a mass mailing to all Forum users about this," he explained.

Theymos summarised that the forum will be down for a while and said he thinks that password hashes were not compromised, but he can't be sure at this time.

"Passwords are hashed using sha256crypt with 7500 rounds (very strong). The JavaScript that was injected into bitcointalk.org seems harmless," he added.

The administrator said the attacker injected some code into $modSettings['news'], which is the news displayed at the top of the forum pages. Updating the news is normally logged, but this action was not, so Theymos believes the update was done in "some roundabout way" and not by compromising an admin account.

"Probably, part of SMF related to news-updating or modSettings is flawed. Possibly, the attacker was somehow able to modify the modSettings cache in /tmp or the database directly," he added, concluding:

"Figuring out the specifics is probably beyond my skills, so 50 BTC to the first person who tells me how this was done. (You have to convince me that your flaw was the one actually used.) The forum won’t go back up until I know how this was done, so it could be down for a while."
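
The condition described above, a news setting that changed with no matching log entry and now carries script, can be checked mechanically. The following is an added example, not SMF's or BitcoinTalk's code; the snapshot format, audit-log fields and all sample values are constructed assumptions.

```python
import re

# Markup that has no place in a plain news banner (illustrative, not exhaustive).
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.IGNORECASE)

def audit_settings(before, after, audit_log):
    """Diff two settings snapshots and grade each change.

    before/after: (timestamp, {setting_name: value}) -- hypothetical snapshot format.
    audit_log: list of {"time": int, "setting": str} -- hypothetical log schema.
    A change with no log entry between the snapshots was made outside the admin UI.
    """
    (t0, old), (t1, new) = before, after
    findings = []
    for name in sorted(set(old) | set(new)):
        if old.get(name) == new.get(name):
            continue
        logged = any(e["setting"] == name and t0 <= e["time"] <= t1
                     for e in audit_log)
        active = bool(ACTIVE_CONTENT.search(new.get(name) or ""))
        if not logged and active:
            severity = "high"      # unlogged change that injects active content
        elif not logged or active:
            severity = "medium"    # one of the two signals on its own
        else:
            severity = "info"      # ordinary, logged, inert change
        findings.append({"setting": name, "logged": logged,
                         "active_content": active, "severity": severity})
    return findings

# Constructed sample data: two snapshots and the admin log between them.
BEFORE = (1000, {"news": "Welcome to the forum.", "theme": "default",
                 "smtp_host": "mail.example.invalid"})
AFTER = (2000, {"news": 'Welcome.<script src="https://example.invalid/a.js"></script>',
                "theme": "dark", "smtp_host": "mail.example.invalid"})
LOG = [{"time": 1500, "setting": "theme"}]

def run_demo():
    return audit_settings(BEFORE, AFTER, LOG)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```
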

Reddit forum members have been discussing the payloads involved in the hack – both the HTML source and the JavaScript payload. Forum member 'super3' said he can't see anything that stands out as malicious, but 'itsmemax' claims the JavaScript payload is a bluff.

Michael Parsons, of BitcoinByte.com, said: "Whoever hacked the BitcoinTalk forum has deliberately confused the 'illegality' of the Silk Road site with bitcoin in general."

He went on to say bitcoins were seized from Silk Road not because they're inherently illegal – which they’re not – but because they played a part in money laundering.

"Any money, either State fiat or decentralised bitcoin, found during a drug bust would be seized," Parsons clarified.

He suggested BitcoinTalk may have been hacked in an attempt to undermine the bitcoin protocol, thus damaging confidence in the ecosystem.

"Perversely, I think it will be a benefit to the bitcoin community, as it will encourage debate about bitcoin and how it is not illegal just because some hackers say so," Parsons concluded.


Update:

BitcoinTalk is now up and running again. It went back online on the morning of 7th October (UK time). Some posts on Reddit lay blame for the attack at the door of members of the SomethingAwful forum, whereas others are blaming the US government.

One forum member links to a screenshot of IRC, which appears to show a conversation between Theymos and another user, with Theymos stating a SomethingAwful "goon" was responsible for the hack. All BitcoinTalk users are advised to change their forum passwords.
