Hacker News new | past | comments | ask | show | jobs | submit login
Bitcoins stolen from the users of Sheep Market Place? (blockchain.info)
72 points by arvindravi on Nov 30, 2013 | hide | past | favorite | 63 comments

Seems a little premature to point at the blockchain and say "STOLEN!". Most people won't be able to make much sense of that. The whole situation is complicated.

More info: http://www.reddit.com/r/SheepMarketplace/comments/1rpy1t/i_w... http://www.sheepmarketscam.com/

tl;dr: For a week or so, many users have been unable to withdraw BTC from Sheep. Admins have been claiming technical problems as they try and implement an automatic tumbler (money laundry to obfuscate transactions) - which (conveniently) could be claimed as a legit reason for all the huge transfer activity seen in the blockchain. They implemented a countdown timer for withdrawals, which for many users and vendors has now counted down to 0, yet withdrawals still aren't happening. They've set a minimum withdrawal amount of 1BTC, which given the insane price of BTC right now seems really outrageous.

Most damning, several vendors who are admins, moderators, or closely affiliated with admins, are reported to have suddenly started doing something which is very frequently seen in drug market cons: Offering far larger quantities than they ever have before, at unusually low prices (50% or less than their previous pricing), and requiring FE (immediate and upfront release of funds to them rather than going through escrow). Frequently done to rope in the maximum amount of hopeful suckers before bailing with the money.

The market is still up and running right now, although their forums are down with this message: "We are enabling a spam filter for the forums, as the number of posts had got out of control. We will be enabling the forum once this is in place. Please try to stay calm. This is a temporary measure, and we will keep everybody updated when we have further information".

Obvious question: why not let people check the "I understand the risks" box and withdraw without mixing?

They're not claiming that mixing is required to let people withdraw securely or anything; it was never implemented before, the original SR never had it implemented the way that people assumed they did, etc. They seem to be claiming that attempts to implement the mixing led to technical problems which has buggered up withdrawals rather fundamentally.

With weeks having passed, it should have been easy to implement some sort of emergency measure that would let them transfer money back to people who wanted it. Instead they continued doing business as usual - money in, but not out - while implementing things like this withdrawal countdown system, which arguably seems calculated to try and maintain some confidence and keep the BTC rolling in.

It seems very likely that this is in fact a big scam, particularly given the shady behaviour of prominent and admin-affiliated vendors also happening, but the blockchain info linked isn't in and of itself definitive proof of anything much right now.

To be frank,

the site never worked 100% and the support was always kind of terrible. So it is possible (not very likely, but > 0% probability) that it is just a miscommunication on their part.

I wouldn't bet on it though.

You are surprised that when you trust your coins to the anonymous operator of a drug marketplace that you get ripped off?

There's three separate reasons why you're screwed:

1) You have no recourse because you can't report the theft to police.

2) You have no recourse because you can't identify the operator, he's anonymous, which means he's also hidden from you.

3) You have no recourse because you can't undo your transaction.

As a good rule of thumb, only perform transactions in bitcoin doing legal things, that leave you at least with some recourse in case things do go wrong. And if you sat there, holding your coins, thinking "oh, I'm just gonna buy drugs with them, what could possibly go wrong", you seriously shouldn't have bitcoin, they're not good for you. Oh, and drugs are also not good for you, so please don't do them.

> As a good rule of thumb, only perform transactions in bitcoin doing legal things

How is this a good rule of thumb? If you want to stay in legality, then do legal things, if you don't want to stay in legality, then do whatever you want. Your good rule of thumb seems more like a "how to be a good sheep" to me.

> you seriously shouldn't have bitcoin, they're not good for you.

Who are you to judge what people are doing with their coins? People like you are the ones who give a bad image of bitcoin. Don't enforce bitcoins onto others, don't enforce your personal view of bitcoins onto others.

> Oh, and drugs are also not good for you, so please don't do them.

We're not on a rehab website, I don't see how this comment influenced from your "lifestyle" is relevant here. If you're not drinking alcohol, not smoking coffee, then good for you. But we've never asked for your input.

  How is this a good rule of thumb?
A small fraction of the population are assholes who are constantly thinking "if I robbed this person right now would anything bad happen to me? On balance, would it be profitable?"

If you don't want to be robbed, you've got to make sure any assholes who consider robbing you are going to decide not to because you can make bad things happen to them.

One way of making bad things happen to assholes who try to rob you is calling the cops, but you won't want to do that if you'll get arrested too.

There are other ways, of course. Depending on the market that may be chargebacks, marketplace reputation, the loss of future trade worth more than the profit from the robbery, tipping off the cops anonymously, pulling a gun and shooting the guy, killing their prized racehorse, whatever.

It's a good rule of thumb to keep the call-the-cops option open, especially if you don't have access to alternative means of dispute resolution.

Seems to me if you're a customer of bitcoin drugs marketplaces, you don't really have any options to make bad things happen to assholes. So that customers got robbed is unfortunate, but not surprising.

Even using bitcoins for legal things leaves you little recourse - this is the whole point of bitcoin. When you avoid government regulation and oversight you also avoid the protections it gives - this should hopefully be obvious to anyone.

If by recourse you only mean chargeback, sure. But that's not the whole story.

If you have a legal entity behind something, like say, bitpay or coinbase, you can take legal steps if they screw you over. You can take them to small-claims etc.

And if you don't trust some entity, you can use escrow with bitcoins, it's possible to setup a transaction where the escrow provider has no way to get at the funds, but can just release to either of two addresses (back to you or forward to the merchant). But of course, the escrow provider would also be a legal entity, otherwise you'd have no recourse against them if you feel they unfairly resolved a dispute against you.

Bottom line is, if you engage in legal business, with legal entities, and take appropriate precautions, you are no less protected than using national currency and chargebacks. If you don't, well, you've got nobody else to blame but yourself.

You can do a perfectly seeming legal transactions with an entity that ends up being smoke and mirrors. In the case of real currency, the amount would need to be transferred through banks which can be investigated for crimes by authorities. In the case of BTC, once you send off that payment there is nothing law enforcement can do to help you if the entity who appeared legal was not so legal after all.

Feel free to talk to any fraud investigator and ask them just how common this kind of thing is. They spend their whole work day tracking these down, after all.

Because there's nothing law enforcement can do when you give cash to someone who scams you.


Please look into what escrow means. Of course you can do business with an entity you're not sure is legit. The assumption is that you trust the escrow provider, and the Escrow provider is trusted by the merchant. So, the critera of trust for the escrow provider, is quite a bit higher than a random online store.

If carefully select the escrow provider, check their business registration, make sure there's a legitimate entity behind them, this makes dealing with possibly fraudulent entities as safe as with fiat.

You're going to use escrow for all of your transactions? There is no way the general public is going to do that. I think even those who are more paranoid would give up the attempt after using escrow to do transactions after a few months and just use regular money. Or more likely, just stop using escrow and use bitcoins anyway, and then complain when they get stolen.

You're using escrow already when you use a bank account, CC processor, paypal, google wallet etc.

You don't really get a choice, and you carry the mandatory cost because merchants roll the cost of chargeback fraud, CC fees and banking fees over into your purchase price, no matter if you think you'll need the added service or not.

Why not? People use credit cards now.

I think Bitcoin can be serve as a money transport protocol and Escrow services can be built on top of it. Think about buiding HTTPS on top of HTTP protocol.

There different ways to implement escrow with bitcoin.

1) You could ignore all technicalities and simply send the coins to a third party which releases it back to you or forward to the merchant. That's probably the least recommendable way, but is the easiest to explain.

2) A smarter way to do it is to use bitcoins transaction script that can process multi signature transactions, which can work in a way that if A wants to send B money, he can setup an address that can only withdraw coins from if C also signs the transaction. This method is supported by Electrum and by the Blockchain.info wallet.

Bitcoin works like cash right? Legally speaking you get a contract perhaps, a bill, then a receipt of payment. If something doesn't go right, you bring those documents to court with you and state your claim just like if you used cash. Am I wrong here?

There are plenty of drugs that are not legal and at least not bad for you, although I think the rest of your analysis is decent.

I hope you're not referring to marijuana, it can't truthfully be said that it's harmless, not even close. And any drug can be harmful, just look at the side effects of Tylenol.

He's probably referring to marijuana, and there's numerous studies that would both support and contradict that notion.

Anything consumed in excess can be harmful in the short-term and long-term, including food, water, or oxygen.

The thing that is illegal, thc, is hardly dangerous. Inhaling burnt cannabis might be, but then again nobody smokes 24 or 48 blunts a day.

I have smoked and ingested marijuana for over 20 years and my doctor says I am in absolutely wonderful condition for my age.

>marijuana makes you smarter, stronger, and happier

Prove me wrong. And I was high when I wrote this. Zero mistakes, flawless use of internet comment section.

Just because YOU didn't get cancer from smoking cigarettes, doesn't mean that smoking cigarettes doesn't cause cancer.

There are significant health risks associated with smoking pot, including serious mental health issues for some people. Quoting from http://www.drugabuse.gov/publications/drugfacts/marijuana:

Research clearly demonstrates that marijuana has the potential to cause problems in daily life or make a person's existing problems worse. In fact, heavy marijuana users generally report lower life satisfaction, poorer mental and physical health, relationship problems, and less academic and career success compared to their peers who came from similar backgrounds. For example, marijuana use is associated with a higher likelihood of dropping out from school. Several studies also associate workers' marijuana smoking with increased absences, tardiness, accidents, workers' compensation claims, and job turnover.

I know "correlation doesn't equal causation". But there are clear risks associated with marijuana use that should not be dismissed so casually.

> Several studies also associate workers' marijuana smoking with increased absences, tardiness, accidents, workers' compensation claims, and job turnover.

In other words, marijuana users appreciate life more and make for bad slaves.

Btw, smoking is not the only way of consuming marijuana. There are also water pipes and green dragon.

I'm sorry, but I don't buy that being honest (showing up when you said you'd be there, and showing up period, and in general being a trustworthy individual) makes you a slave. I'm sure there's plenty of habitual smokers who are great dependable employees who would be insulted at this idea.

>Btw, smoking is not the only way of consuming marijuana. There are also water pipes and green dragon.

And these differ from smoking how?

Green dragon is a drink.

"Water pipes" or "bongs" still involve smoking, but the smoke is passed through water. I don't know to what extent this reduces the ill-effects of inhaled smoke.

I think you prove my point perfectly. If you hadn't dulled your intellect by smoking so much weed, it might be obvious to you that your current state of health has no bearing on whether smoking marijuana causes lung cancer or other deleterious effects.

You seriously think that byproducts of incomplete combustion are harmless? Even wood smoke is terrible for your health. So is tobacco smoke and marijuana smoke and just about anything else that you can burn.

You commit the same fallacy... his current state of intellect has no bearing on whether smoking marijuana causes a decrease in mental functioning.

Aside from smoking, vaporizing and eating edibles are popular and safe ways to ingest marijuana.

I'm not so sure. Where this Bitcoin is spent can now be tracked, right?

You'd then just connect those accounts as bad / dirty, and perhaps even with laws, have them being accomplices --- would make you / force you to make sure the Bitcoins aren't connected to known frauds or crime.

Doubtful. The balance was never 39,917BTC, it's been dropping funds in and out for almost a month now. If it was stolen, they took their time doing it.

The scam has been going on for at least a week. There's no hurry.

I wonder why you don't see news articles stating 'bank robbers steal $ 123000 from users of [random-bank-branch]' ... could it be because if someone hacks or robs a bank or a legitimate payment service provider such as westernunion or paypal, they are required to eat the loss, not pass it on to users?

Bank robbers typically walk away with a few grand if they're lucky, and it'll almost certainly have a dye pack and a tracker in it. Bank robbery is a fool's business.

39k BTC is what, $39 million worth? You're right, news articles cover that differently than a $123,000 loss that's covered by insurance.

> Bank robbers typically walk away with a few grand if they're lucky, and it'll almost certainly have a dye pack and a tracker in it. Bank robbery is a fool's business.

Exactly. It's all fraud now - much higher rewards with much lower risk of getting caught. Why try to break into a bank vault waving a gun in the air when you can skim relatively small amounts from millions of credit cards or commit identity theft and take out loans in someone else's name, all from a different country to your victim.

My understanding, in the US, is if you have a personal account the bank eats the loss. If you have a business account its gone.

This actually is very common. All it requires is enough mule bank accounts to wire amounts below suspicion and spyware on the user's machine (snatches RSA authentication key at entry if two factor verification is used.) The banks don't want the event to be publicized and the company/small business doesn't want it publicized either.

To clarify, it depends on who was robbed. If bank robbers steal green paper from the vault, the bank doesn't know which business account that money came from. If it's wire transferred out because your password was 'banana', it may be gone for good.

The more usual issue is businesses getting their machines used for banking hacked and the hacker sniffing all their credentials and emptying their accounts. Many banks don't support two-factor authentication for business accounts because they don't have to - it's not their money on the line.

Totally true. That's just not what most people have in mind when you say "the bank was robbed".

Outside of the asymmetrical reporting angle (which I would say doesn't exist, unless your question is why normal thefts aren't on the front page of HN?), large value thefts are very uncommon in traditional commerce. There was one recent one where an international ring with many participants stole from ATMs using skimmed cards, yielding $45 million, but that has been international news repeatedly for quite some time.

Bitcoin is making hacking seriously profitable.

This sums up all the references to this sheep scam matter http://www.deepdotweb.com/2013/11/30/sheep-marketplace-scamm...

Apparently that the owner also got doxxed.

Expect organized crime to take an interest in bitcoins. Shady operators and little oversight makes it an easy target.

They already have. CryptoLocker is raking in tens of millions of Bitcoins as ransom payments.

I think you mean tens of millions in bitcoins. There are not now (nor will there ever be), more than 2.1 tens of millions of bitcoins.

You're right, sorry! Yes, tens of millions of dollars worth of BTC.

source please

That's not "millions of bitcoins"! Also just speculations. Aren't the used wallets known?

don't understand why multi signature isn't more commonly used.

Rumors are that SMP was a scam and that it wasn't hacked, but that those operating the site stole money mainly from the vendors. There is also a page about this:


Are there any recorded cases of someone recovering stolen BTC?

It's not possible in general.

If someone steals your bitcoins, he can send them wherever they want. That's the "beauty" of bitcoin - if someone has the keys, he can do whatever he wants with it.

I read at least one case where an exchange seized funds coming from hacking into a site.

As far as I know, the exchange never released those funds.

as I understand it, the chances are very slim, but a solution might be to "ban" addresses with stolen coins from making transations... but there probably always will be a black market.

honestly this sounds more like silk road 2.0 is launching a campaign to rune sheep marketplaces image to try to regain customers and vendors. i personally think that sheep marketplaces web design is waay better than SR and BMR. they are probably under attack by SR 2.0


Cash = unlimited demand and unlimited supply

Bitcoin = unlimited demand and limited supply (21 million)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact