Stolen $3bn Bitcoin mystery ends with popcorn tin

The US Department of Justice has revealed it seized $3.36bn (£2.9bn) of Bitcoin last year which was stolen from an infamous darknet website.

The stash of 50,676 Bitcoin was found hidden on various devices in a hacker’s home in an underfloor safe and inside a popcorn tin.

James Zhong has pleaded guilty to hacking the funds in 2012 from the illegal Silk Road marketplace.

US authorities say the seizure is the second largest in history.

A German police team shut down Hydra, the world’s largest darknet marketplace.

The website was a bastion of cyber-crime, surviving for more than six years selling drugs and illegal goods.

But, after a tip-off, German police seized the site’s servers and confiscated €23m (£16.7m) in Bitcoin.

Shortly after the German action was announced, the US Treasury issued sanctions against Hydra “in a coordinated international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site.”

In the past six months, many high-profile darknet markets have shut down but Hydra was seemingly impervious to police attempts to stop it.

The website launched in 2015 selling drugs, hacked materials, forged documents and illegal digital services such as Bitcoin-mixing - which cyber-criminals use to launder stolen or extorted digital coins.

The site was written in Russian, with sellers located in Russia, Ukraine, Belarus, Kazakhstan and surrounding countries.

It took many months to locate which firm might be hosting Hydra in Germany. Ultimately it was found to be a so-called ‘bullet-proof hosting’ company.

A bullet-proof hosting company is one that does not audit the websites or content it is hosting, and will happily host criminal websites and avoid police requests for information on customers.

The news comes during a turbulent time for darknet markets with the most prominent sites closing down in recent months, either voluntarily or as a result of police activity.

Many of the closures have come from criminals choosing to gradually bring their operations to a close, and disappear with their riches.

In January the administrators of UniCC, a darknet site selling stolen credit card details, retired, citing health reasons.

Voluntary closures also brought to an end the White House Market in October 2021, Cannazon in November and Torrez in December.

The most common way for darknet sites to close is via so-called ‘exit scams’ where the administrators voluntarily shut down the sites but steal their customer’s funds in the process.

Although celebrating their success, German authorities say they fear this won’t be the end of the Hydra cyber-crime group, unless they can find and arrest them.

“We know they will find another way to do their business. They will probably try to build a new platform, and we will have to keep our eye on it. We don’t know the perpetrators, so that’s the next step,” says Mr Zwiebel (of the German police).