From the Blake Benthall complaint:
16 a. On or about September 10, 2014 and September 11, 2014, Defcon sent a series of messages to his support staff, reporting, in sum and substance, that a computer hacker had stolen all of the Bitcoins from the Silk Road 2.0 marketplace server. Defcon's messages indicated that the stolen funds had been held on the Silk Road 2.0 server to cover user balances available for withdrawal.
b. On or about September 10, 2014, Defcon provided his support staff with the Bitcoin address where he believed the hacker had transferred the stolen funds to (“Bitcoin Address- 1”). I have checked publicly available information on the Blockchain regarding Bitcoin Address—1, which indicates that, on or about September 10, 2014, hundreds of transfers were made to that address, for a total of approximately 2,987.8 Bitcoins, the equivalent of approximately $1,412,000 in United States currency based on the prevailing exchange rate that day.
It is probable that the address referred to as "Bitcoin Address-1" in the complaint is 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp, which contains 2,967.8 BTC. The complaint states "Bitcoin Address-1" contains approximately 2,987.8, 20 additional BTC than what the address actually has. 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp first received a transaction on 09/09/2014 and the last on 09/10/2014 which is consistent with the dates specified in the complaint.
The first Silk Road 2.0 theft occurred on the 02/13/2014. Defcon alleged that the hack was a result of transaction malleability saying:
"Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty."
That same day, 149.9998 BTC was transferred to address 1MpghW1Jvr2QvCLDecCr5k6aqQF66CgAtX from address 18w5TK7pi5Drd2ji97n2MfzFmBPDh3wQr2 which one can speculate were both under the control of Defcon at the time because as we follow transactions from 1MpghW1Jvr2QvCLDecCr5k6aqQF66CgAtX > 1EPVbPawakf122Tq6poaFH1x89PboH9txz > 1D71DPEzT8zVuFNuKFeGKxcEUR9bGUGaDD > 1Kz6BDMQKbiUKy8GJZDqJrQHWx5Frakwh > 148MpUsfJvgv5xGWvVqKLeVuuvy3pN8QGg, we find the last address in the chain was used to donate 3.009 BTC to the NutFund charity at address 1DMWskVpj59VqKcXAJe7W5d3WbGXaEqbJs on 03/05/2014. The date is confirmed by the blockchain as well as a post on Blake Benthall's Facebook page which states:
"raising BTC for charity: water! first $2000 donation, so exciting… nutfund.co is live!
Going back to address 1MpghW1Jvr2QvCLDecCr5k6aqQF66CgAtX, which was likely used by Blake Benthall on the day of the first Silk Road 2.0 theft, we can follow it to 1EPVbPawakf122Tq6poaFH1x89PboH9txz > 1D71DPEzT8zVuFNuKFeGKxcEUR9bGUGaDD > 13o1M8QGmCtzFuGvUXpnpjwSRSQtHhDLAo > 1QF1ob8sHzatabRNQyo1dsR1ZmsnPZvGx in which a small amount of BTC sit from 02/13/2014 until 09/10/2014 at which point it is sent to 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp which is where funds from the second Silk Road 2.0 hack were sent.
A month ago, a post on reddit speculated that the Silk Road 2.0 had once again been the victim of theft. The poster states:
I had made a deposit not long before the market went down. As I always do, I checked the blockchain for confirmations. Then I noticed that there were transactions on that address that didn't look right.
I followed the trail and it lead back to one address. My other deposit addresses show the same exact trail!
Go look at your own deposit addresses. They all lead to this wallet 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp which has a balance of 2,967.8 BTC!!!! Can anybody fucking explain this in a way that doesnt make me think I just lost all my damn money again?
The 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp is mentioned by the poster but he is quickly shot down by other /r/Silkroad users.
None of this answers the question whether or not Blake Benthall orchestrated the two thefts from Silk Road 2.0. Some of the information, such as the fake charity donations can be corroborated using his Facebook page but then one must ask the question how funds from what is assumed to be his personal wallet end up in the 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp address used to hold coins from the second theft.
Credit to imposter for the tip.
Nutfund.co is now defunct and archive.org is stating the machine with the only copy of a mirror is unavailable. ↩