How FBI brought down cyber-underworld site Silk Road
- Silk Road%27s operator and his customers thought the site was impenetrable
- The feds used both digital and traditional sleuthing
- The site was an online bazaar for drugs%2C guns and porn
Criminals who prowl the cyber-underworld's "darknet" thought law enforcement couldn't crack their anonymous trade in illegal drugs, guns and porn. But a series of arrests this month, including the bust of the black market site Silk Road, shows the G-men have infiltrated the Internet's back alley.
Computer experts suspect the government simply beat the cyber-pirates at their own game: hacking.
The Silk Road website, which has a customer-friendly electronic storefront that displayed bricks of cocaine as deftly as Amazon displays books, was the cyber-underworld's largest black market, with $1.2 billion in sales and nearly a million customers. Beyond illegal drugs, the site served as a bazaar for fake passports, driver's licenses and other documents, as well as illegal service providers, such as hit men, forgers and computer hackers.
FBI Agent Christopher Tarbell of the FBI's cyber-crime unit in New York called Silk Road "the most sophisticated and extensive criminal marketplace on the Internet today."
Silk Road used an underground computer network known as "The Onion Router" or "Tor" that relays computer messages through at least three separate computer servers to disguise its users. Customers conducted business using a virtual currency called bitcoin. The site repeatedly assured its users that their illegal transactions were wrapped in layers of privacy.
But the FBI's seizure of Silk Road's servers allowed agents to unwrap the website's innards, exposing the vendors' and customers' private accounts to law enforcement scrutiny.
Court papers show that federal agents used the full bag of traditional investigatory tricks as well as high-tech cyber-sleuthing to dismantle Silk Road. The site's alleged operator made critical missteps that allowed agents to locate the website and link him to it, court papers show.
FBI, DEA, IRS and Customs agents located six of Silk Road's supposedly off-the-grid computer servers hidden around the world, in places including Latvia and Romania, copied their contents and watched as buyers and sellers completed their illegal transactions. It shut down the website, seized its assets, including 26,000 bitcoins worth about $4 million, and arrested Ross Ulbricht, the alleged operator, in San Francisco on Oct. 1.
The FBI estimates that Silk Road's operator made $80 million in commissions from the site's users, court papers say.
Ulbricht is charged in federal court in New York with money laundering, drug dealing and conspiring to murder a witness. A second indictment filed in a federal court in Baltimore charges Ulbricht with drug dealing and attempting to have a former employee murdered.
Ulbrict will be extradited to New York to face the charges. His court-appointed attorney, assistant federal defender Brandon LeBlanc, who said his client denied the charges at a court hearing Oct. 4, did not return phone messages left at his office.
The investigation into the cyber-underworld swept up suspected drug dealers and buyers in the USA, Britain, Australia and Sweden with alleged ties to Silk Road.
"These arrests send a clear message to criminals: The hidden Internet isn't hidden, and your anonymous activity isn't anonymous. We know where you are, what you are doing and we will catch you," Keith Bristow, director of Britain's National Crime Agency, said after the arrest Oct. 8 of four men for alleged drug offenses.
The criminals, he said, "always make mistakes."
The FBI hasn't said how it found Silk Road's servers or compromised them. Members of the FBI's cyber-crimes unit were not available, FBI spokesman Peter Donald said.
"That is the $64,000 question. They have not explained how they did it," says Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, Calif., who specializes in network security and underground economics.
Weaver suspects from reading the court papers that federal agents found weaknesses in the computer code used to operate the Silk Road website and exploited those weaknesses to hack the servers and force them to reveal their unique identifying addresses. Federal investigators could then locate the servers and ask law enforcement in those locations to seize them.
DREAD PIRATE ROBERTS
Authorities say Ulbricht started Silk Road on Jan. 27, 2011.
By then, Ulbricht, 29, who grew up in Austin, had graduated from the University of Texas-Dallas, where he earned a degree in physics in 2006, school records show. He attended graduate school at Penn State, where he earned the prestigious Anne C. Wilson Graduate Research Award for materials science for the 2008-09 academic year, school records show. On his LinkedIn page, he identified himself as an entrepreneur and investor.
Statements Ulbricht made in college and posts he made online show he leaned libertarian. On Facebook in 2010, he posted a page-long essay inspired by Independence Day. "Always, freedom arises in the absence of limitation," he wrote. He embraced Austrian economic theory, whose advocates favor strong protection of private property rights, but minimal economic regulation.
On Silk Road, federal investigators say, Ulbricht called himself "Dread Pirate Roberts," shortened often to "DPR." The moniker comes from a character in the novel The Princess Bride, depicted as a ruthless pirate who takes no prisoners. Eventually, "Captain Roberts" is revealed as a series of people who pass on the "dread pirate" alias, and his fearsome reputation, to a successor on retirement.
In one post to the site, after users complained about a hike in Silk Road commissions, investigators say, Ulbricht wrote, "Whether you like it or not, I am the captain of this ship. You are here voluntarily, and if you don't like the rules of the game, or you don't trust your captain, you can get off the boat."
In San Francisco, where court papers say he moved in September 2012, Ulbricht lived quietly and cheaply, first bunking with friends, then renting a room for $1,000 a month. He paid in cash. His roommates knew him as "Josh" and told authorities he spent a lot of time on his computer.
Court papers say Ulbricht procured computer hosts for the Silk Road website, wrote most of the computer code and maintained the security on the site by himself.
HOW TOR ENABLED SILK ROAD
Central to the operation of Silk Road was a complex underground computer routing system known as Tor. Ulbricht allegedly used the system to hide the location of the computer servers that hosted the Silk Road website.
But Tor is no secret, especially to the U.S. government.
The U.S. Naval Research Lab developed onion routing, the concept behind Tor, as a way to protect naval communication so an enemy could not trace computer messages and detect a ship's position. Every computer on the Internet has an Internet Protocol, or IP, address that can be used to find its physical location. Tor ensures privacy by randomly routing computer messages through several places on the Internet, wrapped in layers of encryption, so no single point can link the source to the destination.
The routing system is public and maintained by a non-profit organization that runs on donations from a variety of organizations, including Human Rights Watch, Radio Free Asia, the National Science Foundation and Google. Dissidents in countries that restrict Internet access use Tor to publish out of government reach. Journalists use Tor to communicate with confidential sources. WikiLeaks used Tor to collect documents from whistle-blowers who wanted to remain anonymous. Law enforcement agents use Tor to visit websites without leaving a record of a government computer or IP address in the Web's log.
Though some government agencies may use Tor for their own research or communication, the National Security Agency seeks to unmask anonymous Internet communication, director of National Intelligence James Clapper said in response to documents revealed by fugitive whistle-blower Edward Snowden.
"The Intelligence Community's interest in online anonymity services and other online communication and networking tools is based on the undeniable fact that these are tools our adversaries use to communicate and coordinate attacks against the United States and our allies," Clapper said Oct. 4.
Tor also hosts black markets, such as Sheep Marketplace and Black Market Reloaded, that deal in guns, drugs, stolen credit card numbers and child pornography. The United States seeks the extradition of Eric Marques, who was arrested in Ireland for allegedly hosting a website on the Tor network that allowed people to share child pornography.
Silk Road created a private network through Tor by using software to build encrypted connections through relays on the network. The system is created so no single relay, or server, knew the complete path. A computer algorithm on Tor generates a complex Web address that ends in .onion and can be accessed only by downloading Tor software.
Once logged into Silk Road, buyers and sellers could conduct business in a virtual currency called bitcoin, which, unlike a credit card or a check, leaves little traceable information. Silk Road used a bitcoin tumbler that sent the individual transactions through a complex series of dummy transaction to disguise the link between buyers and sellers.
DEA agents learned of Silk Road within months after it went online. In June 2011, Sen. Charles Schumer, D-N.Y., called on federal agents to investigate it. Court papers indicate federal agents began making hundreds of undercover purchases from the site in November 2011.
MARKETING A 'SECRET' SITE
To attract customers and vendors and direct them to the secret site, Silk Road's operator initially had to publicize it on the Web.
One FBI agent did a simple Internet search and found a post from Jan. 27, 2011, on a forum for people who use magic mushrooms called "Shroomery" (www.shroomery.org) in which a user identified as "altoid" mentioned Silk Road under the guise of seeking information. The post explained that it's a Tor-hidden service and the address could be found at silkroad420.wordpress.com. "Altoid" posted about Silk Road two days later, this time at "Bitcointalk.org," an online discussion forum.
"Altoid" posted again Oct. 11, 2011, in "Bitcoin Forum," seeking "the best and brightest IT pro in the bitcoin community" to help develop a bitcoin start-up company. This time, the FBI caught a break: "Altoid" instructed potential candidates to reply to his Gmail address, rossulbricht@gmail.com.
The FBI subpoenaed subscriber records from Google for the Gmail address, which was registered to Ulbricht and included a photo that matched a photo of Ulbricht on LinkedIn. His Google profile included YouTube videos from the Mises Institute, an Austrian economic think-tank.
In his postings on Silk Road's forum, the site operator "Dread Pirate Roberts' " signature included a link to the Mises Institute website. "Dread Pirate Roberts" often cited Austrian economic theory and the works of Ludwig von Mises as the philosophical underpinning of Silk Road.
The Google records showed every IP address used to access Ulbricht's Gmail account this year from Jan. 13 to June 20, court papers said. The IP address associated with the Gmail account led to a computer in an apartment on Hickory Street in San Francisco, where Ulbricht had moved in September 2012. The logs indicated Ulbricht accessed his Gmail account from a cafe on Laguna Street, less than 500 feet from the apartment, court papers say.
Ultimately, the FBI linked the computer at the Hickory Street apartment and its IP address to code on the Silk Road server that allowed the computer access, court papers say.
The FBI got insight into Ulbricht's computer code from an undisguised post on a computer programming website. On March 5, 2012, Ulbricht opened an account under his own name on stackoverflow.com, posted 12 lines of computer code and sought advice for fixing a coding problem. Realizing his error, he quickly deleted his real name and changed his user name to "frosty" and his e-mail to frosty@frosty.com.
Forensic analysts found a revised version of the same code on the Silk Road website, court papers say. The analysis also found encryption keys that end with "frosty@frosty."
THE STING
The FBI used one of its tried and true techniques: the sting.
An FBI agent went undercover in 2012 posing as a drug dealer who wanted to do business on Silk Road. The agent e-mailed "Dread Pirate Roberts," directly seeking help finding a buyer for a kilogram of cocaine. Ulbricht allegedly instructed one of his employees to help. The alleged buyer, who turned out to be the employee, deposited $27,000 in bitcoins in a Silk Road account and arranged a shipment to his home. Federal agents arrested the employee, who is not named in court papers.
On Jan. 26, the FBI says in court papers, Ulbricht e-mailed the undercover agent to say the employee had been arrested and had stolen funds from other Silk Road users. He allegedly asked the agent to have the employee beaten up and forced to return the money.
The next day, Ulbricht allegedly asked the FBI agent to have the employee killed because "now that he's been arrested, I'm afraid he'll give up info." The FBI says Ulbricht agreed to pay $80,000 for the hit and on Feb. 4 wired $40,000 from Technocash Limited in Australia to a bank account at Capital One in Washington. Ulbricht deposited another $40,000 after the undercover agent e-mailed him staged photographs of the killing, court papers say.
That case, filed in May and unsealed with Ulbricht's arrest Oct. 1, charges Ulbricht with a drug dealing conspiracy and attempted murder of a witness.
By July 23, investigators had located at least one of Silk Road's servers in a foreign country, which the FBI has not identified. IP addresses listed in court papers are linked to servers in Iceland, Latvia and Romania, according to Internet registries. Once the FBI found the server, it executed a Mutual Legal Assistance Treaty request that allowed law enforcement in that country to make a copy of the Silk Road server and give it to the FBI. The snapshot gave the FBI records of 1.2 million transactions from Feb. 6, 2011, to July 23 and all of the site operator's e-mail exchanges.
How the FBI located a Silk Road server remains a mystery. Computer experts don't know for sure how federal investigators defeated a system that most people, including Ulbricht, thought impenetrable. Jerry Brito, a senior research fellow at the Mercatus Center at George Mason University with expertise in technology regulation, says many experts have speculated that the FBI has identified a flaw, or back door, in the Tor system that computer experts have missed.
More likely, Brito says, the FBI compromised Silk Road by bypassing the website's security through weaknesses in Ulbricht's computer code, hacking into the site and issuing computer commands that allowed it to act like the site's administrator and talk to the server. The FBI's computer experts knew from the posts on the computer programmer forum that Ulbricht had coding challenges.
"We know he was not the most proficient coder in the world," Brito said. "It's very easy, if you are a novice programmer, to do things that you're not aware of that can compromise security."
SILK ROAD UNRAVELS
Federal investigators also had a stroke of luck. On July 10, as part of a routine search at the Canadian border, customs agents intercepted a package of nine fake IDs. Each of the IDs had different names, but the same picture of Ulbricht. E-mail exchanges found on the Silk Road server indicate "Dread Pirate Roberts" had sought IDs in June from several Silk Road vendors so he could rent servers under an assumed name to buttress Silk Road's reliability.
On July 26, three days after federal investigators located one of Silk Road's servers, investigators from Homeland Security paid Ulbricht a visit at his San Francisco apartment.
Court papers say Ulbricht refused to answer any questions when investigators confronted him with the fake IDs, except to point out that "'hypothetically' anyone could go onto a website named 'SilkRoad' on Tor and purchase any drugs or fake identity documents the person wanted."
On Oct. 1, federal agents waited until Ulbricht logged into his computer before sweeping in to the Glen Park branch of the San Francisco Public Library to arrest him, making it easier for agents to simply plug in a thumb drive and download everything on the computer without having to break his passwords.
The agents found the alleged Dread Pirate Roberts in the science fiction section.