This is a short case study on how the FBI brought down Dread Pirate Roberts (DPR). DPR was the owner of Silk Road, the largest darknet underground dealer site for drugs, weapons and contract hits. Silk Road operated on Tor (Hidden Services) and was only reachable via Tor.
To put it in perspective, here are some facts about Silk Road (these numbers vary significantly depending on who is reporting):
- ~4000 vendor accounts
- Over 1 million transactions
- ~1 million user accounts
- $1.2B in revenue
- Dealing in drugs, hacked bank accounts, counterfeit bills, firearms, hitmen, pirated digital goods, forgeries, hacked social accounts, passports and SSNs
“Tor is practically impossible to physically locate the computers hosting or accessing websites on the network.” – FBI affidavit from the Silk Road case.
No surprise, then, that the Drug Enforcement Administration, the Internal Revenue Service, Homeland Security Investigations, and the FBI all joined forces to track down Roberts and the largest sellers on his marketplace. In November 2011, after coming under pressure from Congress, the agencies began the hunt and quickly found that Roberts had been right—encryption, Tor, and “tumbled” Bitcoins were a tough combination to crack.
But investigations always have many threads to pull. The feds couldn’t initially follow the money to Roberts, nor could they find the physical location of his cloaked servers. In the absence of the usual digital clues, the feds fell back on a low-tech approach: keep going back in time until you find the first guy to ever talk about the Silk Road. Find that guy and you probably have a person of interest, if not Roberts himself.
So Patriots, think about that, and about Tenet #0 (Security is rooted in behavior, not technology). For all the power of the FBI, DEA, DHS, IRS and related agencies, and the huge target of Silk Road, it ultimately wasn’t the tech that was cracked, it was OPSEC.
This is not a unique story. We’ll be presenting these case studies periodically, and you will see that most of the problem is personal discipline. Here is a short, well-done 14-minute video.
Tenet #5 – Compartmentalize whenever possible. Separate your business and personal activity.
Tenet #12: “Shut The Fuck Up” – The Grugq (former hacker turned security consultant).
If you choose not to watch it, here are the highlights of how Dread Pirate Roberts screwed up. This is the order of events as near as I can tell from the video:
- Silk Road created in 2011.
- January 2011: User “altoid” posted on a website (shroomery.org) asking whether anyone had heard of a site called “Silk Road” and what they thought of it, because he was thinking of buying something from it. He also gave the address to get to Silk Road, and signed off with “Let me know what you think…”. This was the only post by this user, so it seems that it was a self-promotion post.
- 3 days later, a user called “altoid” posted on the bitcointalk.org forum, asking essentially the same question and again giving the Silk Road address. He signed off with “Let me know what you guys think…”
- June 2011: Silk Road business has taken off. The Site Administrator posts on the Silk Road site forum that he is only known as Silk Road, SR Admin, and says he needs a name.
- 10/11/11: A user “altoid” posted on a tech site looking for a programmer who could help him connect to Tor hidden services. He left personal contact information in the post as firstname.lastname@example.org.
- Feb 2012: The Silk Road site admin announces that his name is Dread Pirate Roberts.
- March 2012: A user created an account on stackoverflow.com with the username “Ross Ulbricht”, asking about technical details of Tor Hidden Services. Hours later he realized this mistake and changed his username to “frosty”. Several weeks later, he also changed the email to email@example.com.
- As Ulbricht evolves Silk Road and his identity over many months, he begins to post as Dread Pirate Roberts.
- The FBI begins to investigate whether DPR is Ross Ulbricht.
- DPR’s posts on Silk Road message boards have links to Ludwig Von Mises Youtube videos.
- Ross Ulbricht’s Google+ account had links to the exact same site. At this point, the FBI begins to crawl all over everything Ulbricht is doing.
- In July 2013, Customs intercepts a package inbound from Canada as part of a routine search. The package contains 9 identification documents, all counterfeit, all in different names, and all with Ulbricht’s picture on them. When questioned by DHS, Ulbricht said “Hypothetically, anyone could have purchased these documents on a website called Silk Road.”
Bad move. Now DHS has evidence that he at least knew about Silk Road.
Tenet #12 – STFU – Never ever miss the chance to STFU, NEVER!
- 7/23/13: The FBI located “some” of the Silk Road servers, and the computer used to host the website. They were able to obtain an image of the server. (Not in this video, but it is now presumed that these servers were identified by a “Captcha” leak on the Silk Road website: the Captcha was configured to go out to the public internet for its images, which exposed the server’s real address. A misconfiguration, not a break of Tor.)
- The FBI uncovers records of someone logging into the Silk Road servers from a San Francisco internet cafe. There are records of Ulbricht regularly logging into his own Google account less than 500 feet from that cafe (obtained via a Google subpoena).
- As the FBI digs further into the Silk Road server image, they find public encryption keys that contain the substring firstname.lastname@example.org. They did not break any encryption: the user ID (name and email) is a plaintext field of a public key, readable by anyone who has the key.
- The FBI now feels it has enough evidence to link DPR to Ross Ulbricht. He is arrested on October 1, 2013.
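The Captcha item above is a configuration leak, not a crypto failure: a hidden service whose page pulls any resource from a clearnet host gives away where the real machine sits. As an added example (not from the original post or the investigation), here is a small audit script that parses a hidden service’s HTML and flags every reference that would make a client, or the server’s own Captcha widget, contact a non-.onion host. The sample page and all host names in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "action", "data", "poster"}   # attributes that trigger a fetch
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")      # url(...) inside CSS

class RefCollector(HTMLParser):
    """Collects every URL-bearing attribute and every CSS url(...) in a page."""
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.refs.append((tag, name, value))
            elif value and name == "style":   # inline style="background:url(...)"
                self.refs += [(tag, "css-url", u) for u in CSS_URL.findall(value)]

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):              # <style> block contents arrive here as raw text
        if self._in_style:
            self.refs += [("style", "css-url", u) for u in CSS_URL.findall(data)]

def clearnet_host(url):
    """Host name if the URL leaves the .onion namespace, else None (relative or .onion)."""
    host = urlsplit(url).hostname or ""
    return None if not host or host.endswith(".onion") else host

def find_clearnet_refs(html):
    """(tag, attribute, host, url) for every reference a client would fetch outside Tor."""
    parser = RefCollector()
    parser.feed(html)
    return [(t, a, clearnet_host(u), u) for t, a, u in parser.refs if clearnet_host(u)]

# Constructed sample login page; hosts are placeholders, not Silk Road's real markup.
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="/static/login.css">
<style>body { background: url("https://cdn.example.com/bg.png"); }</style>
</head><body><form action="/login" method="post">
  <img src="http://captcha.example.com/captcha.php?sid=42" alt="captcha">
  <input name="user"><input name="pass" type="password">
  <a href="http://exampleexampleexample.onion/help">help</a>
</form></body></html>"""

if __name__ == "__main__":
    for tag, attr, host, url in find_clearnet_refs(SAMPLE_PAGE):
        print(f"LEAK <{tag} {attr}> -> {host}  ({url})")
```

Run against your own service’s pages before going live; every line it prints is a host that will see a request from the machine or the visitor, with the real IP attached.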
- used his real name during business activity (Tenets 0, 3, 5, 6, 7, 8, 12)
- did not compartmentalize (names, identities, physical location of activity) (Tenets 0, 5, 7)
- did not understand a weakness in his tech (using Captcha) (Tenets 3, 4)
- didn’t shut up, was arrogant (Tenets 0, 3, 4, 7, 8, 12)
- the Feds caught at least one or two lucky breaks (Tenets 1, 5, 8)
No one cracked encryption here, no one broke Tor.
Ross was a dumbass who blew his OPSEC and didn’t STFU.
OPSEC, OPSEC, OPSEC
STFU, STFU, STFU
- Tenet #0 – Security is rooted in Behavior, not Technology. Technology is not as important as Awareness or Self-Discipline.
- Tenet #1 – There is no such thing as perfect security, either in the digital world or the physical, operational world.
- Tenet #2 – Something is better than nothing, as long as you don’t forget Tenet #3.
- Tenet #3 – Do not get lulled into a false sense of security in either behavior or technology. You are not bulletproof and neither is Tech.
- Tenet #4 – Don’t worry about the big things if you are not doing the little things right and with consistent, freakish discipline.
- Tenet #5 – Compartmentalize whenever possible. Separate business and personal activity.
- Tenet #6 – Sam Culper’s Intel SPACE analysis is a useful tool to evaluate your own security posture and weaknesses.
- Tenet #7 – Do not divulge any more than is necessary for the role you are playing. When not playing that role, increase your security posture.
- Tenet #8 – Most hackers get caught by poor OPSEC, good HUMINT, arrogance or hubris, not broken technology.
- Tenet #9 – Digital Security is necessary for true Operations Security.
- Tenet #10 – There is no single “best” technology. You need concentric rings of defense and layered security, just like in the physical world.
- Tenet #11 – There is always a tradeoff between Speed / Effect and Security, just like the operational world.
- Tenet #12 – STFU. – The Grugq, Hacker, Security Consultant