Online black market Silk Road 2.0 has pledged to pay back more than £1.7 million worth of bitcoins stolen from its servers during a heist last week.
Speaking in a post on Reddit, Silk Road 2.0 moderator Defcon said the website would refund the more than 4,000 bitcoins stolen during the heist, and would not pay its staff until users had been reimbursed.
"Silk Road is not a name easily forgotten, and how we pull through this struggle will only solidify our name as the strongest community in the darknet," Defcon said, adding: "We are committed to getting everyone repaid even if it takes a year."
Defcon sought to dispel rumours that the theft had been an inside job, stating: "We are deep into the investigation of data surrounding the attacks, and there is absolutely zero evidence of any staff member being involved. We will publish more information as we determine its accuracy, thank you to all who have contributed tips on the attackers' identities."
Silk Road's bitcoin wallet was hacked using the widely publicised 'transaction malleability' exploit, a problem with the way bitcoin transactions are handled that was discovered back in 2011 and that also caused Mt Gox, Bitstamp and other exchanges to halt withdrawals and rewrite their code.
The shady marketplace lost 4,474.26 bitcoins in the heist, worth nearly £1.7m at the time of publication.
Slow to respond and too skeptical...I have failed you
Admitting blame for the theft, Defcon said: "I should have taken MT Gox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand."
Apologising to vendors using Silk Road 2.0, Defcon added: "You are welcomed and encouraged to vend on multiple markets. I only trust myself, and will not endorse any of them. But I have failed you. Wherever you vend, may you prosper."
The only currency accepted on Silk Road 2 is bitcoin. The website used a centralised escrow service to send and receive bitcoins from buyers and sellers, and only used the bitcoin transaction ID to confirm the transfer.
The transaction malleability bug allowed hackers to mask the transaction ID and continually ask an account to deposit more bitcoins.
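Why confirming transfers by transaction ID alone is fragile can be shown with a small reconciliation model. This is an added example, not code from Silk Road 2.0 or from the original article; the `Tx` class, its serialisation, the `stable_key` helper and the sample data are assumptions constructed for illustration and do not follow the real Bitcoin wire format.

```python
import hashlib
from dataclasses import dataclass


def dsha256(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    """Simplified transaction model (assumption: not the real wire format)."""
    inputs: tuple   # ((prev_txid, output_index, signature_bytes), ...)
    outputs: tuple  # ((address, satoshis), ...)

    def txid(self) -> str:
        # As with a legacy Bitcoin txid, the hash covers the signature bytes.
        return dsha256(repr((self.inputs, self.outputs)).encode())

    def stable_key(self) -> str:
        # Hash only which coins are spent and who is paid; signatures excluded.
        spent = tuple((prev, idx) for prev, idx, _sig in self.inputs)
        return dsha256(repr((spent, self.outputs)).encode())


def unpaid(sent: dict, confirmed: list, key) -> list:
    """Return withdrawal ids whose payment is not matched on chain under `key`."""
    seen = {key(tx) for tx in confirmed}
    return [wid for wid, tx in sent.items() if key(tx) not in seen]


# Constructed sample data: one withdrawal as the escrow broadcast it ...
SENT = {"withdrawal-1": Tx((("aa" * 32, 0, b"sig-encoding-A"),),
                           (("user-addr", 150_000_000),))}
# ... and the same payment as it confirmed, with re-encoded signature bytes.
CONFIRMED = [Tx((("aa" * 32, 0, b"sig-encoding-B"),),
                (("user-addr", 150_000_000),))]


def demo() -> dict:
    return {
        "by_txid": unpaid(SENT, CONFIRMED, Tx.txid),               # looks unpaid
        "by_stable_key": unpaid(SENT, CONFIRMED, Tx.stable_key),   # matched
    }


if __name__ == "__main__":
    print(demo())
```

Keyed on the transaction ID, the ledger reports an already-confirmed withdrawal as missing; keyed on the spent coins and the outputs, it recognises the payment, which is the check to make before any withdrawal is re-sent.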
Defcon said the breach affected 26% of the site's monthly active users, and that this represents 47% of its total user base. To help repay the losses, all purchases will now incur a 5% commission, which will go towards paying back the stolen bitcoins; more funds can be donated with each purchase if the buyer wants to offer more than 5%.
The anonymous moderator signed off by saying: "I don't care how long it takes or how expensive it is, we will fight to get this community repaid."