3 Oct 2013

A lesson from the Silk Road – nothing dies online

As more details emerge of how the FBI snared their suspect in the Silk Road case, there are some chilling lessons to be learned in just how difficult it is to stay anonymous online.



On the surface, the criminals behind Silk Road were masters of the game – refusing to meet in person, using special software to access their website, and attempting at every turn to throw law enforcement off the scent.

But the simple truth is that no fact ever dies online – every move you make is recorded, and that makes it astoundingly difficult even for advanced cyber criminals not to give away vital details.

‘Breadcrumb trail’

The FBI used OSINT – Open Source Intelligence – or to you and me, “advanced Googling”. They went back in time to find the first-ever mention of Silk Road.

They found it on 27 January 2011, when a person calling themselves “altoid” posted about the site on a drug user forum – altoid had never posted before, and has not since.

His posting pointed to a blog about Silk Road, which had been set up a few days previously.

The FBI reasoned that altoid was actually a cover name for someone close to Silk Road, and that this was an early publicity campaign. So they looked for other postings by the same ID.


On 11 October, the name popped up again asking, ironically, for IT help. This time the posting featured an email address: rossulbricht@gmail.com.

Now the FBI had a name, and turned to the kind of social media sites we use every day. They found pictures of a Ross Ulbricht on LinkedIn and Google+ mentioning an obscure economics institute that had also been referenced by Dread Pirate Roberts – the self-declared owner of Silk Road.

The FBI went to Google to ask for the logs of IP addresses (unique locations on the internet) which had been used to log into the Ulbricht Gmail account. The logs showed regular access from an internet cafe in Hickory Street in San Francisco.

Meanwhile, the FBI had gained new evidence thanks to something way more advanced than Google. Through a series of “mystery shopper” style transactions, they had found out the location (not revealed in the FBI documents) of the computer server hosting Silk Road.

They requested a copy of the server’s contents under the Mutual Legal Assistance Treaty, and gained a treasure trove of information.

The owner of Silk Road had been careful to log in to the server using a Virtual Private Network – a system that promises to hide a user’s true location. But the FBI simply subpoenaed the VPN company and discovered (even though the Silk Road owner had tried to delete them) records showing a login from Laguna Street – 500 feet away from Hickory Street.

The net was closing in on the FBI’s suspect.

‘Final piece’

But the final piece of the jigsaw was, as the cops are fond of saying, “down to good, solid police work”. On or around July 10 this year, US Customs seized a package inbound from Canada containing fake ID documents.

The recipient was one Ross Ulbricht. His address was now firmly on the radar and he was visited by Homeland Security Investigations agents on July 26th.

There was one last piece of evidence that shows how easy it is to slip up online. Back in March 2012, a user named Ross Ulbricht logged in to a forum asking for help using a Tor site (a type of hidden website).

Within a minute he had changed his username to “frosty”. Yet that single minute of exposure was recorded on the site, and trapped for ever in the internet’s amber. Nothing dies online.

Of course, the FBI still have much to prove in their case against Ulbricht – despite the reams of computer evidence, they still do not have the clichéd smoking gun. But if someone suspected of running a billion-dollar internet black market can’t stay hidden, what chance do the rest of us stand?

 Follow Geoff White on Twitter.