Cannabis Road is now offline after suffering from an attack that saw hackers abscond with 200 BTC or roughly $100,355 at press time.

Users who attempt to access the online marketplace dedicated to cannabis products are now presented with a message from lead developer ‘Crypto’ detailing the attack and the potential paths forward for the development team.

Crypto writes that he discovered the theft at roughly 10:15 AM UTC, after logging into Cannabis Road’s bitcoin wallet and noticing the balance was near zero.

He recalls:

“At first I thought it was a mistake, until I double checked, and triple checked, only to find out, we had in fact been robbed not 15 minutes earlier!”

The developer goes on to reveal the bitcoin address allegedly holding the stolen funds, before asserting that he does not yet know how the money was stolen.

Crypto concludes his message by issuing an apology to site users while expressing his current uncertainty over whether the project will be able to continue, adding:

“I am deeply sorry that I have failed you as a developer and a leader, and if I can figure out how this happened, maybe you will find it in your hearts to move past this and help us bring Cannabis Road back to life once again.”

Multisig employed

The success of the attack is particularly notable given that Cannabis Road had moved to integrate safeguards aimed at better protecting user funds through multi-signature technology, an evolution of the traditional wallet offering that introduces an arbitrator to the transaction process.

In a May interview with DeepDotWeb, Crypto indicated that Cannabis Road was using a hybrid version of multisig, however, in part to make the technology easier for its customers to use.

At the time, he indicated that Cannabis Road had added three levels of multisig in response to a rise in attacks against illicit websites, explaining:

“All three levels start off the same, asking for public keys of the buyer, vendor and market to create the shared (multisignature) address. The buyer sends funds to the shared address. Once the buyer is happy, the buyer agrees to finalize the order, this is where the three levels are offered.”

Two more advanced levels were added on top of this service, both of which put restrictions on the situations in which users would be asked to send their private keys.

Transparency promised

Crypto also promises Cannabis Road users that he will share information on the attack as it was discovered in order to provide more information to the broader deep web community.

Further, he estimates the damage of the attack to be significant for the online marketplace’s brand, suggesting that whether it continues to exist will be up to the site’s community.

Crypto wrote:

“I don’t know if Cannabis Road will continue to exist or not at this point, because there may be no reasonable way for us to recover from this.”

Notably, the site had suffered an early hack under the care of a previous developer in February. Though no funds were stolen in this attack, the incident did result in a leadership change, with Crypto taking the role of lead developer for the site.

Illicit markets targeted

The setback is the latest for the deep web’s illicit online marketplaces, which have been the target of a number of attacks so far this year.

Silk Road 2.0 suffered a significant hack in February during which it lost more than $2.6m in bitcoin in what was perhaps the community’s most high-profile attack.

In his remarks, Crypto moved to separate his actions from those that were taken by Silk Road 2.0 at the time, noting that he would not blame “transaction malleability” for the issue and that he now sympathizes with the situation that the site’s lead developer Defcon faced at the time.

Silk Road 2.0, however, has since been able to rebound from the event, revealing in late May that more than 80% of the customer funds stolen in the attack had been repaid.

Hat tip to DeepDotWeb

Cannabis image via Shutterstock