It was Willy the Bot all the time

After a lot of digging I finally found a workable scenario that explains virtually everything: the missing coins and fiat, and even the so-called Willy the Bot.
lnovy> Yes... stay tuned... I have a clue :)
gammer> lnovy any news ?
lnovy> yes... almost... I'm missing just one single piece now
gammer> if you're pulling a prank on us these couple of days... it's so not cool :D
lnovy> The way the theft worked was using the paybutton api
lnovy> there is an obvious cross-site request forgery bug in it
lnovy> attacker creates a one-shot button, setting a price in USD and putting in a bitcoin address
lnovy> then he made a victim with mtgox account "click" this pay button
lnovy> which caused market buy order for that amount to be filled (known as satoshi's thrust, or willy the bot) and after filling coins were instantly sent to target address
gammer> lnovy: you know this for a fact?
lnovy> when you combine this with some other scamming/carding technique and faked AML documents, mtgox would lose bitcoins and fiat deposit would be charged back
lnovy> I'm sure of it up to the second part (when you combine...)
lnovy> I can prove it
lnovy> well... not prove it... but I have no other possible explanation
gammer> how do you get the victim to click your "custom" button?
lnovy> check the source of this page
lnovy> no protection against csrf
gammer> We lack data. These are all great (impressive) guesses, but far from a smoking barrel.
lnovy> notice that when you google 21b2e5c5-79d5-4192-bd6e-9e08975cc3ac
lnovy> You already paid that transaction in the past! We have a transaction from your account on the 2013-08-08 13:20:12
lnovy> When you look up "2013-08-08 13:20:12" in withdrawals db
lnovy> ae04aae7-d6dc-4f34-a2df-0930480786e6,e887c417-1fbe-4988-a76d-515b6a528e8b,"2013-08-08 13:20:12",withdraw,-26.92114483
lnovy> this user did two withdrawals only, no deposits
lnovy> ae04aae7-d6dc-4f34-a2df-0930480786e6,ce7a32a0-1be7-4c0c-b06c-75aa77f5c311,"2013-08-08 13:05:45",withdraw,-27.18101624
lnovy> this is the second one
lnovy> his balance is
lnovy> | ae04aae7-d6dc-4f34-a2df-0930480786e6 | 83d24ca9-0f6e-4061-ad75-f4698c9ad58a | BTC | 56783893 | 0 | 7 | virtual | NULL | NULL | N | 2013-08-08 13:20:12 |
gammer> hmm, maybe there is some smoke there.
lnovy> | 673c4e76-a8e1-424a-af72-f994054236f4 | 83d24ca9-0f6e-4061-ad75-f4698c9ad58a | USD | 7952770 | 0 | 4 | virtual | NULL | NULL | N | 2013-08-08 13:04:28 |
lnovy> notice that no more moving of BTC was done after withdrawal at 2013-08-08 13:20:12
lnovy> ../trades/2013-08_coinlab.csv:1375967016444075,"2013-08-08 13:03:36",592438,83d24ca9-0f6e-4061-ad75-f4698c9ad58a,ec0919d81d73ab12dc7375677723fea9,NJP,buy,USD,54,5507.94438,97.114,534897.778,0,97.114,0,0.1296,1330.073,US,NJ
lnovy> ../trades/2013-08_coinlab.csv:1375967068401809,"2013-08-08 13:04:28",592438,83d24ca9-0f6e-4061-ad75-f4698c9ad58a,ec0919d81d73ab12dc7375677723fea9,NJP,buy,USD,1,101.97792,97.114,9903.47,0,97.114,0,0.0024,24.631,US,NJ
lnovy> he did only these two trades...
lnovy> notice that all of his limit values on wallets are null, but disable limit is false
lnovy> last piece:
lnovy> this address leads to mixnet :)
lnovy> so... is the barrel smoking now?
gammer> Looks convincing
gammer> Any way to tell how much flowed through that exploit?
lnovy> well... my query is still running... But I bet that everything that was considered to be "willy the bot" will be linked to this method
lnovy> can I leave your nicknames in when I paste this on reddit?
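The flow lnovy describes (an attacker creates a one-shot pay button with a USD price and a payout address, the victim's logged-in browser is made to submit it, a market buy fills for that amount and the coins go straight to the payout address) is modelled below as an added example. It is not MtGox code: the endpoint shape, the session store, the token scheme, the fixed price and the addresses are all assumptions. The vulnerable handler trusts the session cookie alone, which is exactly what a forged cross-site POST carries; the hardened handler adds an Origin/Referer check, a per-session synchronizer token that a foreign page cannot read, and an explicit confirmation of the payout address.

```python
"""Added example: the one-shot pay-button CSRF from the log, vulnerable and hardened.
Assumed, not MtGox's real API: endpoint shape, session cookie name, token scheme, price."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://exchange.example"   # assumed stand-in for the exchange's own origin
BTC_PRICE_USD = 97.114                      # constructed; same order of magnitude as the log
CSRF_SECRET = secrets.token_bytes(32)       # server-side secret for synchronizer tokens


@dataclass
class Account:
    usd: float
    sent: list = field(default_factory=list)   # (btc_amount, destination) pairs that left the account


@dataclass
class Request:
    method: str
    form: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


def new_world():
    """Fresh state: one logged-in victim (session cookie 'sess-victim') and an empty button table."""
    return {"sessions": {"sess-victim": Account(usd=1000.0)}, "buttons": {}}


def create_button(world, usd, payout_address):
    """Anyone can create a one-shot button: a USD price and the address that receives the coins."""
    button_id = secrets.token_hex(8)
    world["buttons"][button_id] = {"usd": usd, "payout": payout_address}
    return button_id


def execute_pay(account, button):
    """Fill a market buy for the button's USD price, then send the coins to the payout address."""
    usd = button["usd"]
    if account.usd < usd:
        return "insufficient funds"
    btc = usd / BTC_PRICE_USD
    account.usd -= usd
    account.sent.append((round(btc, 8), button["payout"]))
    return "paid"


def vulnerable_pay(world, req):
    """Trusts the session cookie alone: any site that can make the victim's browser POST here wins."""
    account = world["sessions"].get(req.cookies.get("session"))
    if req.method != "POST" or account is None:
        return "unauthenticated"
    button = world["buttons"].get(req.form.get("button"))
    if button is None:
        return "unknown button"
    return execute_pay(account, button)


def csrf_token(session_id, button_id):
    """Synchronizer token bound to session and button; only the site's own pages can embed it."""
    return hmac.new(CSRF_SECRET, f"{session_id}|{button_id}".encode(), hashlib.sha256).hexdigest()


def hardened_pay(world, req):
    """Same action, but the request must prove it came from the site's own confirmation page."""
    session_id = req.cookies.get("session")
    account = world["sessions"].get(session_id)
    if req.method != "POST" or account is None:
        return "unauthenticated"
    button_id = req.form.get("button")
    button = world["buttons"].get(button_id)
    if button is None:
        return "unknown button"
    # 1. Origin (or Referer) must be ours: a forged cross-site POST carries the attacker's origin.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return "rejected: cross-site origin"
    # 2. Token bound to this session and this button; constant-time compare.
    expected = csrf_token(session_id, button_id)
    if not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return "rejected: bad csrf token"
    # 3. The user must have explicitly confirmed where the coins go.
    if req.form.get("confirm_payout") != button["payout"]:
        return "rejected: payout address not confirmed"
    return execute_pay(account, button)


def attack(handler):
    """Attacker creates a button, then lures the victim's browser into POSTing it (cookie rides along)."""
    world = new_world()
    button_id = create_button(world, usd=600.0, payout_address="1AttackerMixerAddr")  # constructed
    forged = Request("POST", form={"button": button_id}, cookies={"session": "sess-victim"},
                     headers={"Origin": "https://attacker.example"})
    return handler(world, forged), world["sessions"]["sess-victim"]


def legit(handler):
    """The same victim paying a merchant from the site's own page, with the token and confirmation."""
    world = new_world()
    button_id = create_button(world, usd=600.0, payout_address="1MerchantAddr")  # constructed
    req = Request("POST",
                  form={"button": button_id, "csrf": csrf_token("sess-victim", button_id),
                        "confirm_payout": "1MerchantAddr"},
                  cookies={"session": "sess-victim"}, headers={"Origin": SITE_ORIGIN})
    return handler(world, req), world["sessions"]["sess-victim"]
```

Running `attack(vulnerable_pay)` drains 600 USD from the victim into coins addressed to the attacker; `attack(hardened_pay)` is rejected at the origin check before any token is examined, while `legit(hardened_pay)` still pays. A SameSite cookie attribute would be a fourth layer today, but a state-changing action that moves money out of an account should never rely on the cookie alone.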
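The joins lnovy runs by hand (withdrawal row by timestamp, wallet row to find the owning user, trade rows for that user, and the observation that the account never deposited) can be turned into one check over the whole dump. The added example below is not lnovy's query. It uses the wallet and withdrawal rows from the log as pasted, a constructed benign account for contrast, and a simplified trade layout (timestamp, user, side, BTC amount) with constructed amounts, because the real coinlab CSV columns are not documented on this page. It flags accounts that never deposited BTC but market-bought and then withdrew within a short window.

```python
"""Added example: flag 'buy then withdraw immediately, never deposited' accounts in a dump.
Wallet and withdrawal rows are copied from the log; the benign account and the trade
layout (ts, user, side, btc) are constructed and do not match the real coinlab CSV."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# wallet_id, user_id, currency, balance (integer units as in the dump)
WALLETS = """\
ae04aae7-d6dc-4f34-a2df-0930480786e6,83d24ca9-0f6e-4061-ad75-f4698c9ad58a,BTC,56783893
673c4e76-a8e1-424a-af72-f994054236f4,83d24ca9-0f6e-4061-ad75-f4698c9ad58a,USD,7952770
11111111-0000-0000-0000-000000000001,benign-user,BTC,100000000
"""

# wallet_id, tx_id, "timestamp", kind, amount  (first two rows from the log, rest constructed)
LEDGER = """\
ae04aae7-d6dc-4f34-a2df-0930480786e6,e887c417-1fbe-4988-a76d-515b6a528e8b,"2013-08-08 13:20:12",withdraw,-26.92114483
ae04aae7-d6dc-4f34-a2df-0930480786e6,ce7a32a0-1be7-4c0c-b06c-75aa77f5c311,"2013-08-08 13:05:45",withdraw,-27.18101624
11111111-0000-0000-0000-000000000001,dep-1,"2013-08-01 09:00:00",deposit,1.0
11111111-0000-0000-0000-000000000001,wd-1,"2013-08-09 10:00:00",withdraw,-0.5
"""

# "timestamp", user_id, side, btc  (simplified, constructed amounts)
TRADES = """\
"2013-08-08 13:03:36",83d24ca9-0f6e-4061-ad75-f4698c9ad58a,buy,54.0
"2013-08-08 13:04:28",83d24ca9-0f6e-4061-ad75-f4698c9ad58a,buy,1.0
"2013-08-01 12:00:00",benign-user,buy,0.5
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def load(text):
    return list(csv.reader(StringIO(text)))


def build_timelines():
    """Join ledger rows (keyed by wallet) and trades (keyed by user) into one sorted timeline per user."""
    wallet_owner = {wallet: user for wallet, user, _cur, _bal in load(WALLETS)}
    events = defaultdict(list)
    for wallet, _tx, ts, kind, amount in load(LEDGER):
        events[wallet_owner[wallet]].append((parse_ts(ts), kind, float(amount)))
    for ts, user, side, btc in load(TRADES):
        events[user].append((parse_ts(ts), side, float(btc)))
    for timeline in events.values():
        timeline.sort()
    return events


def suspicious_accounts(events, max_lag_minutes=30):
    """Users with no BTC deposit at all, at least one market buy, and a withdrawal within max_lag."""
    flagged = {}
    for user, timeline in events.items():
        deposits = [e for e in timeline if e[1] == "deposit"]
        buys = [e for e in timeline if e[1] == "buy"]
        withdrawals = [e for e in timeline if e[1] == "withdraw" and e[0] >= (buys[0][0] if buys else e[0])]
        if deposits or not buys or not withdrawals:
            continue
        lag_minutes = (withdrawals[0][0] - buys[0][0]).total_seconds() / 60
        if lag_minutes <= max_lag_minutes:
            flagged[user] = {
                "bought_btc": round(sum(b[2] for b in buys), 8),
                "withdrawn_btc": round(-sum(w[2] for w in withdrawals), 8),
                "lag_minutes": round(lag_minutes, 2),
            }
    return flagged


if __name__ == "__main__":
    for user, info in suspicious_accounts(build_timelines()).items():
        print(user, info)
```

The check is deliberately narrow (no deposits, buy then withdraw inside half an hour) so it produces a short list to review by hand; relaxing the window or the no-deposit condition trades precision for recall, and on a real dump you would also join the withdrawal destination addresses, since the log's final clue is that they lead to a mixer.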
A guide to using Silk Road, specifically for /r/UKtrees

Hey all, I’ve seen a few posts on here asking about using Silk Road to purchase trees. I’m not an expert, but I have used it successfully a few times now, so I figured I’d write a guide to help anyone out.
1. Getting on Silk Road.
Silk Road exists on what is commonly referred to as the 'hidden internet' or 'deep web'. Sites there are Tor hidden services with .onion addresses: they are not in the normal DNS and are not indexed by regular search engines, so an ordinary browser cannot reach them. You can do more research on this if you want - to be perfectly honest, I don't understand it entirely - but you don't need to.
To access Silk Road and the rest of the hidden internet, you need the Tor Browser Bundle, which packages Tor with a browser already configured to use it. Just head to Tor's website and click the download. Once the files are downloaded, unzip them and click Start Tor Browser. Use the bundled browser rather than pointing your usual browser at Tor as a proxy: the bundle is set up so that plugins and DNS lookups don't bypass the Tor network.
To head to Silk Road, enter the following address silkroadvb5piz3r.onion
You'll need to make an account, which is pretty straightforward. (Make sure you remember your PIN. You don't need it when logging in, but you do need it when confirming transactions. Also, your PIN doesn't actually have to be a numeric PIN; mine is just another regular password.)
Note: due to the nature of the onion network, it's quite slow, and a busy site like Silk Road can be even slower, so you may have trouble connecting. If it doesn't work, hit refresh a couple of times and then try again later. I usually have better luck in the morning 9pm-12pm and late evening 10pm-4am.
2. Bitcoin.
Bitcoin is a decentralised peer-to-peer currency. It is often described as untraceable and anonymous, but that isn't accurate: every transaction is recorded on a public ledger (the blockchain), so bitcoin is pseudonymous at best, and addresses can be linked to one another and, through an exchange's records, to a real identity. Purchasing bitcoin can be a little tricky; there are a number of ways to do it.
There are exchanges such as MtGox and Intersango, and many direct bitcoin purchasing sites such as Bitstamp and BitInstant. The problem with many of these sites is that they operate outside the UK, so getting money into them can be tricky. They tend not to accept debit or credit cards, and often require international bank transfers by IBAN, for which banks will often charge you a fee (I know NatWest charges £10).
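To make the traceability point concrete, here is an added example (constructed transactions, not real chain data, and not code from this guide) that applies the common-input-ownership heuristic and a forward trace over a handful of transactions: coins withdrawn from an exchange, which knows who the buyer is, are followed to the deposit addresses they fund, and addresses spent together in one transaction are grouped as one owner. Address labels are placeholders.

```python
"""Added example: why bitcoin is traceable rather than anonymous.
All transactions and address labels below are constructed, not real chain data."""
from collections import defaultdict, deque

# Each constructed tx: which addresses were spent (inputs) and which were paid (outputs).
TXS = {
    "tx1": {"in": ["exchange-hot-wallet"], "out": ["buyer-addr-1", "exchange-change"]},  # withdrawal
    "tx2": {"in": ["buyer-addr-1", "buyer-addr-2"], "out": ["sr-deposit-1", "buyer-change"]},  # fund SR
    "tx3": {"in": ["buyer-change"], "out": ["sr-deposit-2"]},                            # top up later
    "tx4": {"in": ["unrelated-1"], "out": ["unrelated-2"]},                              # someone else
}


class UnionFind:
    """Minimal disjoint-set structure used to merge addresses into owner clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of one tx are normally signed by one key holder."""
    uf = UnionFind()
    for tx in txs.values():
        first = tx["in"][0]
        uf.find(first)
        for addr in tx["in"][1:]:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def same_owner(txs, a, b):
    """True if the heuristic puts addresses a and b in the same cluster."""
    return any(a in g and b in g for g in cluster_by_common_input(txs))


def downstream(txs, start, max_hops):
    """Follow outputs forward from `start`; returns {address: hops at which it first appears}."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if seen[addr] >= max_hops:
            continue
        for tx in txs.values():
            if addr in tx["in"]:
                for out in tx["out"]:
                    if out not in seen:
                        seen[out] = seen[addr] + 1
                        queue.append(out)
    return seen


if __name__ == "__main__":
    print(cluster_by_common_input(TXS))
    print(downstream(TXS, "exchange-hot-wallet", max_hops=3))
```

Here `buyer-addr-2` was never sent anything by the exchange, yet spending it together with `buyer-addr-1` ties it to the same owner, and both Silk Road deposit addresses sit within three hops of the exchange's withdrawal. The heuristic has false positives (coinjoins, shared custodial wallets), which is the whole reason mixing services exist; the point for a buyer is that the default is linkable, not unlinkable.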
These websites will allow you to deposit money into your account, and then place orders to convert that money into Bitcoin.
Other, easier options are Virwox and Blockchain.
With Virwox, you first convert currency into Linden Dollars (SLL), the currency used in the game Second Life, and then into bitcoins. However, Virwox does not allow fractions of bitcoins, which means you can easily end up just shy of a full bitcoin with 'worthless' SLL left over. One nice thing about Virwox is that they accept Ukash vouchers, so if you don't want the purchase going through your bank account you can buy Ukash vouchers at any PayPoint and deposit those.
Blockchain used to accept deposits only via Barclays Pingit, but has since opened up regular bank transfers. I found this worked really well the last time I used it, so I'd recommend it.
You can also buy bitcoins in person by searching on LocalBitcoins. There are also people selling bitcoins on eBay, but very overpriced, so I wouldn't recommend that.
There are a tonne of places to buy bitcoin; some accept cash or cheques in the post as well. You can always find more by googling.
3. The purchasing process.
You need to send your purchased Bitcoins to your SR account, you can find your bitcoin address under ‘Account’ at the top of the screen. It can take a few hours for the transfer to take place.
Once in your account, you’re ready to purchase, simply find whatever it is you wish to buy, click add to cart, and then head to the checkout. Select a postage method for your items and click go to confirm the postage.
Now, you need to input your address and your pin.
You might have heard of PGP by this point. It's public-key encryption, and SR uses it to protect buyers' postal addresses: you encrypt your address to the vendor's public key, so only the vendor can decrypt it and the site never holds it in the clear, which matters if the site's database is ever seized or stolen.
For this, I’m just going to steal mr_kyitty’s guide from this thread.
  1. Get gpg4win, install it, and open 'GPA'.
  2. Now you need to make your own key. Go to Keys > New Key and follow the prompts. Use a fake name/e-mail. Before entering a passcode, write it out (the longer the passcode the better, and you have to enter it every time you encrypt something). Once that's done, you have your own key.
  3. Import the seller's key from the seller page. To do this, copy the public key from the page, paste it into a blank Notepad file, and save the file. Then click 'Import' in GPA and load that file. You now have that seller's public key.
  4. To encrypt your address, open the clipboard in GPA and type in your address. Click encrypt, select the seller's public key, and in the lower box check "sign" and select your own key. You will then be prompted to enter your passcode. Once complete, copy the block from the clipboard and paste it into the address box on the shopping cart page.
I'd like to add that you don't need to 'sign' the message. Signing lets the seller verify that you are the actual sender of the message. However, I'd argue this isn't entirely necessary, as it would also require you to post your public key somewhere.
Click to confirm the transaction, and that’s the order placed.
It will now show up under your ‘orders’ section. You’ll notice an option to ‘finalize’.
Silk Road uses escrow, i.e. it holds your money when you place an order, and when the order is confirmed to have gone through (after x days) the money is sent to the vendor. You can finalise early by clicking the finalise button, which releases their payment. It's common courtesy to do this once your item has arrived. If an issue arises, you can click resolve and attempt to claim a refund or resolve the issue. I don't have any experience with this, so I'd recommend you search /silkroad for advice if you need help resolving a matter.
Some vendors might ask you to finalise early before they will send your order. This is actually against Silk Road policy, but it's common for vendors to ask it of first-time buyers. Personally, I would say just don't do it. You never know what's going to happen. But generally speaking, a vendor's reputation is probably worth more than your particular order, so the risk of being ripped off is low.
Still, I wouldn't recommend it.
4. Additional Comments
Do I recommend it for weed?
I started using SR last year after I moved back home from uni, because I no longer had a dealer. Personally, if I had a choice, I would choose to buy from a dealer every time. SR is a lot of hassle, so I wouldn't recommend it for your general eighth or quarter, unless you have no other connection (as is unfortunately the situation for me).
However, there are a variety of strains and products available, ranging from hashes to oils to edibles, so some of you might like to have those options.
In terms of price, I’d say it’s fair. A lot of Weed vendors will have a standard strain that they’ll sell for a (roughly) standard £20/eighth. You will generally be spending a little more given the nature of the process.
Is it risky?
In terms of general legal risk, you can't control what people send to you. Be careful, though, with the idea that there is no record of you having bought it: buying bitcoins is not a crime, but every bitcoin transfer is recorded on the public blockchain, and an exchange that took your bank transfer knows who you are, so the practical question is whether those records can be linked to a Silk Road order, not whether they exist. In terms of 'will I get scammed' risk, it's just like eBay: people value their reputation. Buy from vendors with high rep, and you should be fine.
Anyway, that’s all folks, I hope you’ve found this helpful. If you have any questions, leave a comment, and I’ll do my best to help you out.
Also, if any other more experienced SR users have noticed any mistakes or things I should alter in this guide, please leave a comment and let me know, and I’ll make the necessary amendments.
