Tracking the Silk Road – Lessons for darknet services

On Oct 2nd 2013, a person was arrested in San Francisco (CA USA) who allegedly operated the darknet marketplace website “The Silk Road”. Shortly after, the Silk Road went offline.

Within minutes, discussions on the Internet sprung up with thousands of people trying to cope with their loss and trying to make sense of what had happened. Several “official” documents (a criminal complaint and an indictment) were released shortly after, which in turn led to commentators rushing to explain what stupid mistakes DPR – the Silk Road operator – had committed. Now, after a few days have passed, I’d like to give the analysis a try myself.

The sources for this are few, therefore I will be restricted to the official indictment and criminal complaint, as well as some reports on DPR’s arrest. The problem with the official documents is that they are not – as some read them – a complete and truthful narrative of the investigation that led to the arrest. Instead, both are meant to establish probable cause for a judge or grand jury to issue forfeiture and arrest warrants against DPR. The contents are meant to convince the reader that the target of the legal action (DPR, the suspect/defendant) is really the person to blame for the activities connected to the Silk Road, and that those activities are unlawful. While I will give the authors the benefit of the doubt that the documents only include truthful statements, it needs to be kept in mind that they do not include the whole and complete truth. The statements are worded and ordered to demonstrate that the activities in question are unlawful, and to demonstrate the (true) identity of DPR. That is the goal of the documents, and it dictates their structure. Also, one should keep in mind that the evidence presented in a later trial may be substantially different.

To find out what the causal chain of the investigation was, the statements of the documents need to be reordered chronologically, and we will have to throw in some educated guesses to fill in the gaps. From this there should be some hints on what the crucial points were at which the investigation turned into actionable results – and how to prevent this in future cases. With this method I constructed the narrative of the investigation that now follows. Enjoy!

p.s.: I will not use the alleged real identity of DPR in this article. Instead I will use ARI as a stand-in (ARI = Alleged Real Identity). There’s no reason to clutter the search engines with more entries on the real name, since the person might in fact be innocent.

—-

It is likely that the Silk Road (TSR) only got fleeting attention from law enforcement before June ’11. But with the media buzz started by Gawker and the demands made by Sen. Schumer, it is likely that an agent was tasked with keeping an eye on TSR and with making proposals on whether and how action against it should be taken. The first steps in such an investigation are to collect public knowledge on the subject and to familiarize oneself with the matter. This also starts the ongoing iterative process of deciding if a case should be opened and what resources to assign to that case.

To open a case requires that an activity is brought to the attention of law enforcement and that the activity is viewed as unlawful by the investigators. The resources assigned to a case depend on various considerations including, but not limited to, constraints on resources by other cases, public and media attention, potential intelligence and other leads gained from the case, and most importantly the predicted outcome of a court trial. Not every case opened by the FBI is meant to end up in court; often the goal is just to gather intelligence that might be of use at a later point. A case may be opened but soon get no more attention simply because the resources are needed somewhere else. When the case has been opened, an agent is assigned to handle it (this is AGENT-1 mentioned in the documents).

When exactly the TSR case was opened is unknown, but it likely happened some time between late June of 2011 and early April 2012, led by the DEA. The activities undertaken were mostly those of opening a file to collect information in, and of doing research in public records (especially Internet searches) and the public contents of TSR, in order to establish a timeline, connect people and resources to the case, and find out what exactly that operation was about.

During these early days the agent in question had to familiarize himself with Bitcoin and Tor and he established the first bit of the timeline which would later be used in the attribution phase of the case:

2011-01-23: SOMEONE created a blog at wordpress.com detailing how to access the Silk Road (silkroad420.wordpress.com). Further records on the creation of the account (like the IP address used, or the email address given at signup) were not yet available.

2011-02-27: A user by the name ALTOID posted a link to the above wordpress blog on a drug-related internet forum called “shroomery.com”.

2011-01-29: A user by the same name posted a link to the Silk Road on the bitcoin forum.

At this point ALTOID became a person of interest, but this was not enough to pull records. The public data simply ended up in the case file without further action being taken. Requests for user records would be (and were) made later in the process. A little while after the same user made the post on 2011-01-29, he made another post under the same account at bitcoinforums asking for an IT professional to help with some coding. Included in this post was a gmail address that could potentially point to the ARI of the person of interest. Again, this piece of data simply went on file and would later be crucial in the attribution phase.

Presumably in early April 2012 the case was pushed to its next phase. Active undercover work started. This involves three steps in the first stage. First, familiarity with the terrain needs to be gained. This means slow but growing involvement in the TSR forums. Second, the targets of the operation need to be identified (DPR, vendors, administrators, members with high reputation). Third, the targets are profiled. For DPR this likely resulted in “male, Caucasian, American born and raised, technical or mathematical education, 20-30 years old” based on his writing style and other clues.

On 2012-04-30 one of the undercover identities that would play a major part in this operation joined TSR; I will refer to him as UC-1 (simply called UNDERCOVER in the documents). Slowly working himself into the community at TSR, this agent then contacted DPR asking for help with a larger cocaine deal. UC-1 claimed that he wanted to sell 1 kg of cocaine but that the market at TSR did not seem to be ready for this. DPR promised to handle the request and delegated the task to an administrator identified as EMPLOYEE in the documents.

EMPLOYEE is another critical player in this story. He became an administrator of TSR on 2013-04-30, which gave him access to all messages sent between users and their transactions. During the course of this first undercover activity, UC-1 got EMPLOYEE to give his own residential address as a shipping destination for the deal, the shipping to be conducted by courier. When the shipping address was revealed to UC-1 on 2013-01-10, the agents involved started a surveillance operation on this address. At about 2013-01-14, at the latest, direct physical surveillance of the address was in place, recording the comings and goings of the people living there, and likely wiretaps. This likely led to UC-1 asking for the shipment method to be changed to courier, possibly because multiple people resided at the same address and the door itself was not easy to see.

On 2013-01-17 the delivery was made by two or more undercover agents, and a little while later the payment was made. At this moment law enforcement knew enough to bring EMPLOYEE before a judge. The person was identified, the goods had changed hands, and the payment was completed. A multi-year sentence was certain for EMPLOYEE.

This is the point at which TSR started to unravel. With a person on the inside (having access to the messaging and payment system) compromised, the linchpin was pulled. Now law enforcement had to cash in on it.

The mistake on the side of TSR that led to this dire situation is threefold:

First, the transaction was conducted without minimum standards of tradecraft. The exchange should have been done at a location agreed on only a short while before the meeting and the location should have had no connection with any party involved.

Second, persons involved in the operation of an organization have no place in exposing themselves in any transaction. This is where foot soldiers have their place (for example by utilizing the six-pawn-chess protocol).

Third, organizations of this kind require compartmentalization. Never may any second tier operator have wide access to data and at the same time be involved in facilitation.

On the side of law enforcement this operation went by the textbook. It was now time to maximize the profit from this catch.

Some time between 2013-01-17 and 2013-01-26, most likely on or around 2013-01-20, EMPLOYEE was arrested by law enforcement and presented the facts of the matter at hand. He was set to go to jail for a substantial time and be separated from his wife and child. The alternative was a deal leading to a light sentence, in exchange for full cooperation in the ongoing undercover operation.

This, again, is standard procedure. The structure of most organizations, the law on the books, the quality of the prison system, and the character and experience of the targeted individuals work strongly in favor of law enforcement. Especially for online crime, where the personal bonds and loyalty between members of an organization are weak and no expectation of “taking care” of the trial and the family exists, suspects are easy to turn. They have everything to lose and exactly nothing to gain from staying loyal.

There is no social safety net for criminals waiting for them in jail, nobody who will protect and feed their family, nobody who will send a well paid lawyer. This makes these organizations far easier to infiltrate than the classical mafia.

After being presented with the options, EMPLOYEE agreed to cooperate fully. At this point law enforcement had access to almost all messages sent on TSR and the details of past deals. These records almost certainly went back at least to mid 2011 (it seems there was later a purge initiated by DPR on 2013-05-24). All data available was immediately copied and retained, in the order of importance of the various targets (DPR included).

It can be assumed that the conversations collected from the system were incomplete, in that they may not have included DPR’s messages themselves but only the replies (including quotes) from his contacts. This may also have led to sustained high-level access to the messaging system, either by gaining valuable information on other administrators, by direct access to other administrators’ accounts, or by DPR failing to later shut down EMPLOYEE’s account. I shall return to the importance of this data later when talking about how the server infrastructure of TSR was uncovered.

It is not clear when exactly EMPLOYEE turned on DPR, but he did, no later than when DPR asked the undercover agent UC-1 to execute a hit on EMPLOYEE. That EMPLOYEE cooperated is demonstrated by him helping to stage a photo that is meant to prove his death to DPR. At this point the case immediately escalated to be an FBI operation (if it wasn’t already before).

Armed with this massive trove of data law enforcement was in the position to both start a second undercover operation to attack DPR directly and to locate the servers.

Starting 2013-03-13, a user of the platform called “FriendlyChemist” (FC) tried to extort money out of DPR by threatening to release a large amount of user data that was allegedly stolen from a vendor on the platform. The reason given was money problems FC had with a supplier of his. DPR asked to be brought into contact with the supplier “Redandwhite” (RAW). Over the next two weeks a story developed in which DPR purchased a hit on FC from RAW.

I am inclined to think that this story is another undercover activity by law enforcement to position RAW into DPR’s circle of trust. Multiple hints point at this reading:

1.) UC-1 (the undercover agent and killer in the first undercover operation) was tainted because he was affiliated with the arrest of EMPLOYEE. This could have, and probably did at some point, raise DPR’s suspicion.

2.) Before DPR’s laptop fell into the hands of the FBI, the contents of a TorChat conversation between RAW and DPR were known to law enforcement (the conversation took place on 2013-06-01; the laptop was only available after 2013-10-02, while the contents were known by 2013-09-27 at the latest).

3.) RAW procured counterfeit identity documents (passports, etc.) for DPR (2013-06-05) and shipped them to DPR’s home address. This shipment was intercepted by Customs and Border Protection (2013-07-10). For this to be the result of a random inspection seems unlikely given the history and timing of the case.

4.) The first undercover action leading to the cooperation of EMPLOYEE likely generated enough data to convince DPR that the extortion threat was serious and imminent.


The ID documents later procured and shipped to DPR’s home address by RAW are the cornerstone on which the identification of DPR’s alleged real identity rests. The combination of photos, birth dates, home address and various social media records made that point watertight. Additional postings made early in 2011 (shroomery.com, bitcoinforums) and in March of 2013 (Stack Overflow) merely hardened the evidence.

At this point, between 2013-06-05 and 2013-06-20, the undercover agent RAW received at least the photos and birthday information to be put on the forged documents, and this led to a match between a previously recorded person of interest in the file (from the posting on bitcoinforums looking for an IT pro and including the gmail address) and data received directly from DPR. This constituted reasonable suspicion to pull the data on DPR’s gmail account, leading to IP records dating from 2013-01-13 to 2013-06-20. Multiple entries were located to the apartment of one of DPR’s friends and to an internet cafe in San Francisco. Additional IP address data pulled for both locations revealed a list of IP addresses and the times they were assigned to those ISP accounts.

The data revealed by Google likely also revealed the Stack Overflow account (SOA) created by DPR on 2012-03-05. The SOA later became an important link between authentication data found on the Silk Road servers and DPR.

Please keep in mind that all this information ends up in the case file and is double-checked and cross-referenced, which might have led to the following find:

On 2013-05-24 a TSR user had warned DPR that the site leaked an IP address (included in that message) that was used to restrict administrative access to the software running on it.

If the FBI had sustained access to the messaging system of TSR after turning EMPLOYEE, this would have led to an immediate location of that address in order to gain access to the data stored on that machine (hereafter TSR-VPN). As the documents show, this server was located and imaged between 2013-06-03 and 2013-09-15 at the latest. When the image was pulled from TSR-VPN, it revealed that on 2013-06-03 someone had accessed the system for the last time, wiping the contents of the user accounts and log files. However, this person forgot that his last access would also generate an entry when logging off, leaving the IP address used in the last access on the machine. This address again matched the records for the internet cafe mentioned above. However, it is unclear if TSR-VPN was discovered before or after the main web server of TSR was imaged.

Some discussions on the Internet in the aftermath of DPR’s arrest also claim that DPR used a VPN service provider to access the servers of TSR. This is a misunderstanding that becomes evident on a close reading of the official documents. The system in question was a virtual private server that DPR connected to via a VPN, and from which he moved on to TSR. It was a single-purpose machine only used by persons working for TSR.

It is safe to assume that with the data made available through EMPLOYEE, RAW, the early case file, and the IP records pulled for DPR’s Google accounts and for both the friend’s apartment and the internet cafe, the FBI had enough to begin closing in on DPR. From 2013-06-20 (approx.) DPR was under direct physical surveillance to establish his habits and movements as well as to acquire additional digital evidence.

It appears likely that DPR continued to do system administration tasks from the Internet cafe. The use of the TSR-VPN suggests that using SSH over Tor was too cumbersome for DPR (and any admin regularly doing this is now nodding his head in agreement). Therefore it seems likely that it was this that led the FBI to find the TSR-WebServer. If DPR logged in from the cafe without using additional protection, or with inadequate protection (like using an unencrypted proxy connection), any investigator listening in on the same cafe’s WLAN could gather the necessary identification to locate the TSR-WebServer.

There are other explanations on how the TSR-WebServer might have been discovered.

1.) Payment tools and ID forgeries that DPR might have acquired through TSR and used to set up the TSR-WebServer were discovered by the FBI in the data received through EMPLOYEE.

2.) DPR used identifiable information of his real identity (especially payment means) to procure the TSR-WebServer.

3.) The FBI hacked the TSR-WebServer, which seems to have had no configuration to prevent the leaking of public IP addresses.

4.) Communication between DPR and the web host for the TSR-WebServer was revealed through the surveillance of the residence of DPR.

At this point it is impossible to say, but I do favor the theory that the server was identified by surveilling the cafe’s WLAN both digitally and physically, and that it was located around 2013-06-25. (It seems that DPR was also using a library’s WLAN for TSR work; the attack to locate the TSR-WebServer could just as easily have been conducted there.) Please note that for an operation at this location, no court orders would have been required. Using an open WLAN does not justify any expectation of privacy and is thus fair game for law enforcement.

With the location of the TSR-WebServer known, the police of the country in which it was located were contacted by the FBI under a Mutual Assistance Treaty. This in turn led to the web hosting company being contacted and pulling an image from the TSR-WebServer. For this to be possible the server was either a VPS (Virtual Private Server) like the TSR-VPN server mentioned above, or the system was utilizing RAID (in which case one of the mirror disks was pulled and replaced with an empty one).

Also, it appears that no disk encryption was utilized. The contents of the disk then led to the location of the TSR-WalletServer (used for financial transactions) and revealed digital clues that linked the administrator of the TSR-WebServer to the Stack Overflow posting made by DPR. (The username contained in the SSH public key matched the name given on the Stack Overflow account.) After this critical operation had been concluded, without DPR’s notice, the last piece of confirmation was contributed by DHS visiting DPR’s residence and confronting him with the ID forgeries procured through undercover agent RAW.

At this point the last sensible reaction of DPR would have been the immediate wiping of his personal laptop contents. However, he didn’t.

When DPR went to a nearby library on 2013-10-02 to access TSR, the FBI was ready. Having staked out his movements and habits, they had requested an arrest order and also planned the arrest. To minimize the risk of any data being made inaccessible (by disk encryption), they conducted the arrest in a location where they could separate DPR from his laptop quickly, before he would be able to realize what was going on.

And that’s exactly what they did, getting access to all contents of DPR’s laptop when arresting him.

——

You will notice that I included a few assumptions on the timing of certain events (arrest of EMPLOYEE, when surveillance started, when TSR-WebServer was located). These are educated guesses based on how long it takes to get these operations moving and into place. These estimates however are based on third party observer experience from a different jurisdiction. US law enforcement might be a bit faster or slower.

Also, I have assumed that the statements made in the official documents are truthful. Sadly there is the risk that many of them are not. It might be that much of the undercover action was more than just a sting and was instead fully fabricated after the fact to protect sources and methods. All of that we don’t know, which is why I stand by the above analysis for the time being (and until more data becomes available during the trial – if there ever is one… which is not terribly likely).

So, what was the thing that led to DPR’s fall, what were his crucial errors?

Many have pointed to his activities on Stack Overflow and the bitcoinforum. I disagree. While these actions sealed his identification POST-FACT, they did not substantially contribute to his ANTE-FACT identification.

Instead it was the vulnerability of the Silk Road operation to undercover infiltration, based on a lack of compartmentalization and a lack of tradecraft in exchanges that the TSR staff should never have gotten involved in. That is what broke open the organization and led to an implant that was critical to identifying DPR.

Also, the lack of precautions taken in accessing the TSR-WebServer for system administration tasks and the lack of disk encryption were fatal.

That communication on the platform was conducted without encryption and that deliveries were sent to true residence addresses added to the fall.

So, in reverse, the lessons to take are:

1.) Never have the operators of such a system partake in any deal.
2.) Never do exchanges at true residence addresses.
3.) Use proxies for exchanges.
4.) Always use anonymization for system administration access. Better use it all the time, always.
5.) Always use disk encryption even on servers.
6.) Learn digital forensics to protect against it.
7.) Use random locations for physical operations to prevent geographic profiling.
8.) Use separate laptops and fully developed covers for all activity.
9.) Compartmentalize organizations deeply. Limit the damage that can be done by operators.

For reference, the official timeline: http://shadowlife.cc/wp-content/uploads/2013/10/SR-Timeline.html
