QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$5 823 000 USD
NOVEMBER 2013
CZECH REPUBLIC
SHEEP MARKETPLACE
DESCRIPTION OF EVENTS
"Sheep Marketplace was an anonymous marketplace set up as a Tor hidden service. It launched in March 2013 and was one of the lesser known sites to gain popularity with the well publicized closure of the Silk Road marketplace later that year."
"The site use[d] technologies such as Tor and Bitcoin to enable users to purchase illegal goods online, and is one of a spate of successors to the Silk Road site which was shut down in October."
"Fears had already been raised over the security of the site. In October, members of the Sheep Marketplace subforum on social news site Reddit discovered glaring holes linking Sheep and an apparently unofficial normal website, sheepmarketplace.com. The latter existed as an online signpost to the former, but because it was an unprotected website, it let users discover the location of the black marketplace's owner. "sheepmarketplace.com's owner is the same as Sheep Marketplace; he is living in Czech Republic; he sucks at security," concluded one Redditor."
"Sheep was one of the main sites that came to replace the Silk Road when it closed in October." "It ceased operation in December 2013, when it announced it was shutting down after a vendor stole $6 million worth of users' bitcoins." "For a few days, visitors to Sheep received a notice blaming the theft for the closure, but [then] its entire online presence [was] removed."
"Originally it was thought that only 5,200BTC – or £3m – was taken, with a message posted on Sheep’s homepage blaming a vendor called “EBOOK101” for finding and exploiting a bug. However, over the weekend it became clear that the amount stolen was much, much larger." "The site's administrator reported that a dealer had found a bug in the system which had been exploited to steal 5,400 bitcoins." "[A]fter the November heist, Sheep Marketplace notified users, “We are sorry to say, but we were robbed on November 21, 2013 by vendor EBOOK101. This vendor found bug [sic] in our system and stole 5400 BTC - your money, our provisions, all was stolen.”"
"We are sorry to say, but we were robbed on Saturday 11/21/2013 by vendor EBOOK101. This vendor found bug in system and stole 5400 BTC – your money, our provisions, all was stolen. We were trying to resolve this problem, but we were not successful. We are sorry for your problems and inconvenience, all of current BTC will be ditributed to users, who have filled correct BTC emergency adress. I would like to thank to all SheepMarketplace moderators by this, who were helping with this problem. I am very sorry for this situation. Thank you all."
"[S]omeone (or some group) managed to fake the balances in peoples’ accounts on the site, showing that they had their bitcoins in their wallets when they’d actually been transferred out. Over the course of a week the whole site was drained, until the weekend when the site’s administrators realised what was happening and shut everything down."
"The administrators of the "sheep market" first talked about a hacker attack, then blocked the possibility of withdrawing money, and finally stopped communicating completely."
"Many former dealers and customers who used the Sheep Marketplace took to social news site Reddit to complain about the shutdown. Many wondered why the site was left to run for a week after the theft was spotted. None of those posting reported that their bitcoins had been sent to their emergency address."
"Sheep Marketplace closed down over the weekend after someone got away with 96,000 bitcoins." "96,000 bitcoins – that’s roughly £60m as of the time of writing – was taken from the accounts of customers, vendors and administrators of the Sheep Marketplace over the weekend."
“There was nothing where [Gibson and Mackert] were injecting code. There was no hacking. This was just a poorly created website that was just exploited by very young kids who immediately accepted responsibility for their actions,” said Jeffrey Lichtman, Gibson and Mackert’s criminal defense attorney, a high-profile New York lawyer who is known for having gotten extortion and racketeering charges against John Gotti, Jr., who was accused of ordering a 1992 kidnapping, dismissed.
However, Lichtman conceded, “They’re responsible for exactly what’s contained within that document.”
“These are not sophisticated criminals. These were not people who were well-versed in terms of criminality. They were curious kids who exploited a poorly made website,” he says, adding that since then, they’ve been working and have had no run-ins with the law.
"At the time, news articles and Reddit claimed the amount stolen was $100 million or $220 million and Reddit vigilantes watched transactions out of an address they were convinced was associated with the theft, until they realized it was instead owned by a Bitcoin exchange."
"It’s a little hard to work out exactly what’s happened, but Sheep customers have been piecing it together on reddit’s r/sheepmarketplace." "In a normal robbery that money would be gone by now, but it isn’t. Bitcoin is pseudonymous, not anonymous, and bitcoins can’t just disappear. It works because each and every transaction is public and visible to each and every other person using the Bitcoin network, and a person is only as anonymous as their link to their wallet."
"[The] person who allegedly robbed the web site Sheep Marketplace of 96,000 Bitcoins — about $100 million at current prices — is attempting to hide the heist by breaking up the massive online currency cache and repeatedly trading it through various "tumblers," which mix up and (supposedly) launder old Bitcoins for new."
"The thief appears to have split the 96,000 coins into packets of ~1,000 each, sending each one on a different route."
"The thief's problem is that the angry Bitcoin account holders whose money has gone are following the thief through the tumbler, by sending him small amounts of cash that are appended to the larger amount as it is split up and moved on. Each Bitcoin transaction generates a "blockchain" record showing its history, and the appended loose change thus identifies where the bulk of the money is going. The theft victims are hoping that eventually the thief will be prevented from cashing out his accounts because doing so would lead to him being identified in real life."
"[R]eddit user TheNodManOut managed to track where the first bunch of transfers out of Sheep went, and from there and silkroadreloaded2 worked out which tumbler that the thief was using. Here’s how silkroadreloaded2 describes what’s happened since (“Tomas” is the alleged owner of Sheep, and one of the suspects for many users)."
"All day, we’ve been chasing the scoundrel with our stolen bitcoins through the blockchain. Around lunchtime (UK), I was chasing him across the roof of a moving train, (metaphorically). I was less than 20 minutes, or 2 blockchain confirmations, behind “Tomas”."
"He was desperately creating new wallet addresses and moving his 49 retirement wallets through them, but having to wait for 3 or 4 confirmations each time before moving them again. Each time I caught up, I "666"ed him - sent 0.00666 bitcoins to mess up his lovely round numbers like 4,000. Then,all of a sudden, decimal places started appearing, and fractions of bitcoins were jumping from wallet to wallet like grasshoppers on a hotplate without stopping for confirmations."
"A major problem with tumblers is that they only work with lots of bitcoins coming and going from a lot of different sources – if a tumbler is taking in 96,000 bitcoins, those will massively outnumber all other bitcoins being tumbled and it’ll be easy to spot them coming out the other end. Mix in a little of your own with all those other ones and you’ll find out the wallet addresses that the tumbler uses, and it should be easy to spot large transactions splitting off from there."
"Unfortunately for those who have been ripped off, the chances of them getting any money back are slim: Once a Bitcoin transaction has been made, it cannot be reversed without the consent of the recipient."
"Selling those bitcoins and turning them into cash is going to be extremely difficult, as the major Bitcoin exchanges all demand proof of identity (specifically to avoid charges that they're involved in money laundering), and if they're broken down into smaller quantities to sell via a site like localbitcoins.com a paper trail will still be generated. As soon as it's possible to link one real-life bank account or identity to any bitcoins from that stash, it will be possible to work out their real-life identity."
"But then, the edifice came tumbling down. Another user on the subforum noticed their own bitcoins being transferred to the same address."
"And then the truth dawned: far from being a holding account for the biggest bitcoin theft in history, the wallet was actually part of the internal workings of BTC-E, an exchanges where users can trade bitcoins for conventional currency."
"It turned out that for three days, the community had been following not the increasingly desperate attempts of a thief to cover their tracks, but the internal workings of a currency exchange."
"At one point, at least, the internet detectives were on the right track. Sheep Marketplace really did shut down, and bitcoins were stolen. But rather than play a shell game to try and keep the money hidden, the thief appears to have done what any normal person would have: traded the digital currency for real money at the earliest opportunity."
"You aren't going to get anything back. None of you are going to get anything back, and it's by design. This is EXACTLY how Bitcoin is supposed to work. Bitcoin would be fundamentally broken if you somehow got your money back."
"Despite the fact that movements of the digital money are public, Gibson and Mackert deposited some of the stolen bitcoins into accounts at Coinbase, one of the most well-capitalized startups in the space that was also one of the first to bring Bitcoin from its Wild West days into its more law-abiding phase."
"It then details how two Department of Homeland Security special agents named only as Johnston and Gino used the website Blockchain.info, which publicly displays bitcoin transactions, to track the movement of the stolen bitcoins across various addresses, including one assigned by Coinbase."
"In response to a subpoena, Coinbase revealed the owner of that address was Gibson, that the account was linked to one at Bancorp Bank and that from late December 2013 to late January 2014, Gibson had deposited more than 842 bitcoins valued at more $646,000."
"He also was using the same IP address as Coinbase customer Mackert, who also linked his account to a Bancorp Bank one, and who, from late December to late January, had deposited more than 1,016 bitcoins valued at more than $670,000. (The price of bitcoin fluctuated quite a bit during this period from $700 to more than $1,000.)"
"In May 2016 two men from Florida, then 21-year old students Sean Mackert and Nathan Gibson, were arrested after tracing Bitcoin transactions via Coinbase. Subsequently, the pair pled guilty to the crime of Bitcoin wire fraud on Sheep Marketplace in 2018 and are now facing a maximum prison time of up to twenty years. About $4 million worth of Bitcoin stolen by Mackert and Gibson has since been seized by the United States Federal government."
"The U.S. government has seized $4.5 million from two Florida men who allegedly stole 5,400 bitcoins from illegal online drug sales site Sheep Marketplace in late 2013, shortly before the price of bitcoin hit its peak of around $1,200, according to forfeiture documents filed last week in Jacksonville, Florida."
"During the criminal investigation, HSI agents and local law enforcement, with the assistance of the United States Attorney’s Office, seized the funds and two vehicles. The United States commenced a civil forfeiture action against the funds, alleging that they were the proceeds of fraud. The district court ultimately ordered the forfeiture of the funds and two vehicles." "The money was forfeited back in the spring of 2014, along with a 2012 Toyota Camry and a 2008 Honda motorcycle, by Nathan Gibson and Sean Mackert, who are both 24, but were 21 at the time of the heist."
"United States Attorney Maria Chapa Lopez, along with Special Agent in Charge James Spero, U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI), announce today the distribution of more than $1.7 million in civilly forfeited funds to three law enforcement agencies. These awards are the result of a federal civil forfeiture of more than $4.5 million in funds obtained fraudulently through the hacking of bitcoin accounts. Pursuant to the Department of Treasury Equitable Sharing Program, the funds were distributed to the Nassau County Sheriff’s ($1,044,550.05); the Florida National Guard ($627,487.74); and the Jacksonville Sheriff’s Office ($209,162.58). The presentations took place today at the Jacksonville Office of Homeland Security Investigations."
Sheep Market was an online market for illegal products and services similar to Silk Road. On November 21st, 2013, it appears that a vendor exploited a security hole in the website to make off with 5400 bitcoins, which is believed to be the sum of all funds on the site. The bitcoin was ultimately traced to two individuals from Florida, who were arrested. The proceeds were distributed to different law enforcement agencies.
HOW COULD THIS HAVE BEEN PREVENTED?
It would appear that Sheep Market stored all bitcoins in an online hot wallet. This poor security allowed them to be taken. Bitcoin wallet keys should be properly secured offline, and a multi-signature setup should be used to prevent a single point of failure.
A Thief Is Attempting to Hide $100 Million in Stolen Bitcoins — and You Can Watch It Live Right Now (May 29)
Address: 1CbR8da9YPZqXJJKm9ze1GYf67eKAUfXwP | Blockchain Explorer (Jun 26)
There's a £60m Bitcoin heist going down right now, and you can watch in real-time - New Statesman (Jun 27)
I just Chased him through a bitcoin tumbler, and when he Came out with 96,000 BTC, I was Waiting for Him... : SheepMarketplace (Jun 27)
Sheep Marketplace - Wikipedia (Jun 27)
Mystery Solved: $6.6 Million Bitcoin Theft That Brought Down Dark Web Site Tied To 2 Florida Men (Jun 27)
https://www.justice.gov/usao-mdfl/pr/more-17-million-forfeited-funds-presented-law-enforcement-agencies (Jun 27)
Recovering stolen bitcoin: a digital wild goose chase | Bitcoin | The Guardian (Jun 27)
Online drugs marketplace shut down after £3.5m bitcoin hack | Bitcoin | The Guardian (Jun 28)
A friendly warning: Sheepmarketplace.com's owner same as sheep5u64fi457aw.onion and he sucks at security : SheepMarketplace (Jun 28)
Sheep Marketplace (Jun 28)
Sheep Marketplace (Jun 28)
Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 16)
https://www.lidovky.cz/byznys/obral-drogove-dealery-o-miliony-cech-jsem-nevinny-brani-se-programator.A131206_112108_firmy-trhy_mev (Jun 28)
Sheep "scam" thread : SheepMarketplace (Jun 28)
https://i.imgur.com/tzZ99s9.png (Jun 28)
'Sheep Marketplace' Goes Offline and up to $44 Million in Bitcoins Disappears (Jun 28)
https://www.bbc.com/news/technology-25185225 (Jun 28)
BMR and Sheep Leaking Platform Info Today. : SheepMarketplace (Jun 28)
Bitcoin Address 1CbR8da9YPZqXJJKm9ze1GYf67eKAUfXwP (Jun 28)
Silk Road Competitor Shuts Down And Another Plans To Go Offline After Claimed $6 Million Theft (Jun 28)
