Four technologies that betrayed Silk Road's anonymity

Even technologies designed to preserve privacy can reveal identities when not used thoughtfully

Pro tip for any would-be online drug kingpins: Don't post vacation pictures on Facebook.

Ross Ulbricht was convicted in a Manhattan federal court last week for his role operating the Silk Road online marketplace. He could serve 30 years or more behind bars.

The market Ulbricht built was based on an expectation of anonymity: Silk Road servers operated within an anonymous Tor network. Transactions between buyers and sellers were conducted in bitcoin. Everything was supposedly untraceable. Yet prosecutors presented a wealth of digital evidence to convince the jury that Ulbricht was Dread Pirate Roberts, the handle used by the chief operator of the site.

How was Ulbricht nabbed? At least some of the blame can be placed on what now seems like misplaced trust in a handful of technologies Ulbricht thought would shield his identity. These are four that tripped him up:

1. Bitcoin: If you assume your bitcoins can't be traced back to you, think again. Like cash, bitcoins aren't tied to a person's identity. But unlike cash, a detailed public ledger called the blockchain keeps track of each wallet a bitcoin passes through. This case showed that all law enforcement needs to do is locate the wallets on each side of a transaction and follow the money.

In Silk Road's case, prosecutors found it relatively trivial to track profits from Silk Road as they were transferred from wallets used by the online market to wallets on Ulbricht's laptop. Silk Road offered a service, called a tumbler, that passed bitcoins through several intermediate wallets to obscure their origin and destination. Ulbricht either didn't use the tumbler, or if he did, it didn't help.

2. Chat logs: So much chatter. Thousands of pages of chat logs helped prosecutors trace the growth of Silk Road. Internal communication was carried out mostly through free software called TorChat. It provides an encrypted communication channel between two parties, using a Tor network to obscure the connection between them.

Although TorChat promises encrypted messaging, Ulbricht chose to save the logs in plain text on his computer, creating a trove of conversations with fellow Silk Road administrators. In example after example, the prosecution pointed to logs where the laptop user identified himself as Dread Pirate Roberts.

In TorChat, the user has to turn on the logging function for the chats to be saved in log files. Why Ulbricht chose this option is a mystery. Perhaps he thought law enforcement agents would never see the chats because they were on an encrypted hard drive.

3. Encryption: Encryption puts a digital padlock on information so it can't be viewed. But eventually the person with the keys has to unlock the information in order to see it. That's why law enforcement agents had to catch Ulbricht while he was logged into the SIlk Road's admin console.

Ulbricht occasionally took his laptop out in public to work. So agents staked out his San Francisco neighborhood until he showed up at the local library, set up his laptop and logged on. They arrested him before he could close the laptop lid, which would have logged him out and locked the contents. Ulbricht didn't do himself any favors by working that day with his back turned to the rest of the room -- something he had warned other Silk Road administrators not to do.

Because law enforcement agents snatched the laptop before Ulbricht had closed it, the contents of its hard drive were completely accessible to them, including the chat logs, a personal journal, Silk Road spreadsheets, and most importantly, Dread Pirate Roberts' private encryption keys.

In the end, encryption did as much to betray Dread Pirate Roberts' identity as to protect it.

Ulbricht had affixed Dread Pirate Roberts' public encryption key to an untold number of Silk Road-related emails and forum posts. A public key allows someone to verify that a message comes from the person who claims to have sent it. On Ulbricht's computer, in a folder marked "keys," were the private keys used to sign Dread Pirate Roberts' messages. Law enforcement had only to verify that the messages, many of them incriminating, came from Dread Pirate Roberts, by using the public key found on the laptop.

4. Facebook and other public websites: Ulbricht sowed the seeds of his demise the very first time he publicized the Silk Road. To get people interested in the the new site in January 2011, Ulbricht posted a message on the Bitcointalk.org forum, under the username Altoid, asking if anyone had tried the site.

Ulbricht (or someone else) later deleted the message, perhaps to cover his tracks. But another user had quoted Altoid's message in their own post, and that message was found by an IRS agent with a simple Google search.

Later in 2011, Altoid popped up on the forum again, posting a help-wanted ad for a bitcoin venture and leaving rossulbricht at gmail dot com as the contact address. That allowed the agent to connect Altoid to Ulbricht.

Ulbricht's Facebook account also helped prosecutors. To make their case that Ulbricht was Dread Pirate Roberts, prosectors looked for times when the actions of Dread Pirate Roberts correlated closely with those of Ulbricht himself. In a chat with a fellow administrator in February 2012, Dread Pirate Roberts boasted of enjoying a vacation in Thailand. At the same moment, Ulbricht posted vacation pictures on Facebook ... from Thailand.

5. Automated server log-ins: The Silk Road servers were maintained in large part through ssh (Secure Shell), a tool that allows administrators to log into remote machines in a way that the communication is encrypted. Users can set up ssh hosts such that trusted parties can log in automatically without providing a password. A list of trusted parties is kept in a file on the server, along with their encrypted passkeys.

In the case of the SIlk Road servers, only two accounts had full administrative privileges. One was for a remote user called "frosty" who was able to connect from a machine also named "frosty." As it happened, the laptop that law enforcement seized from Ulbricht at the time of his arrest was named "frosty" too. You get bonus points (though only a few) for guessing that Ulbricht was logged in as "frosty" on that laptop at the time of his arrest. In effect, his laptop had full administrative rights to the Silk Road operations.

Ulbricht's defense lawyer, Joshua Dratel, pointed out to the jury that any computer could be given the name "frosty," with a user account on it named "frosty." But like a lot of other evidence in the case, while not definitive proof, the ssh accounts were part of a bigger picture that were enough to convince a jury of his guilt.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags CriminalsecuritylegalDesktop securityencryptionsilk road

More about FacebookGoogleIDGIRSManhattanNewsRoberts

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place