The infosec, legal, and drug worlds were shocked today by the Department of Justice’s indictment of Ross William Ulbricht as the accused Dread Pirate Roberts, the administrator of the Silk Road. The Silk Road was a Tor-based black market that made drugs, forgeries, hacking tools, and more available to its clients worldwide. Since its opening, it has been the site of approximately a billion dollars in sales via Bitcoin.
Given its importance, and the money involved, one would think that Ulbricht would have had strong OPSEC practices. Reading the indictment itself, however, shows how wrong this assumption is, especially in the early days of the Silk Road. It reads like a how-not-to, including crossing identities, having incriminating evidence sent to an address under his own name, and more.
At this point, it is worth a digression to talk about Operational Security, or OPSEC. OPSEC is the process by which one determines how pieces of information can be assembled and used against them. In the case of someone running a site such as the Silk Road, the threats they face are monumental. They include nation-states with extensive surveillance capability, as well as political pressure to use such tools in targeting a black-market administrator. Given this, extensive preparation and discipline are necessary to avoid exposing any information about the false identities created for protection (for more in-depth information on hacker OPSEC, see the grugq’s presentation).
During the first days of the Silk Road, someone under the username “altoid” began spreading information about it. The same apparent user, with the same username, appeared on bitcointalk a few days later and later looked for development help, posting his email address. This email address is the one Ulbricht used as the contact on his LinkedIn profile. In March 2012 his full name was used in a request for assistance with implementing certain PHP code over Tor. The username and Gmail connection was changed later, but the original tie-ins had already been recorded. Even worse, the replacement email he used ([email protected]) later appears in the SSH key needed to log in as the Silk Road administrator.
You can also see some spillover on his YouTube profile, where he links to videos about “How to Get Away with Stealing” and “The Market for Security”. It also contains videos from the Mises Institute, which is also cited in Dread Pirate Roberts’ Silk Road signature. While not directly incriminating, these add a philosophical correlation with an interview that Dread Pirate Roberts gave to Forbes. That interview adds an additional wrinkle to the story: he claims that he was not the first to use the name Dread Pirate Roberts, just as the character in The Princess Bride was not. No other evidence supports this claim, however, and it appears to be misdirection.
Canadian mail has broad authority (warning: PDF) to search packages crossing the border. The information above was most likely enough to ask Canadian law enforcement to search for packages being sent to Ulbricht; alternatively, he was just very unlucky. Regardless, a search of a package being sent from Canada to Ulbricht’s residence in San Francisco revealed several fake identity documents, apparently intended to purchase additional server capacity for the Silk Road’s growing resource needs.
Combined, this information gave investigators enough to locate the physical address of the Silk Road server. They made a forensic copy of it on July 23, 2013, and were then able to access its code base. Within it they found evidence of the only IP address from which administrative access was permitted, and showed that access through the VPN located there had been granted from an internet cafe approximately 500 ft from where Ulbricht lived. Google logs also recorded that same address as the one from which Ulbricht had logged into his Gmail.
On July 26, 2013, agents from Homeland Security Investigations confronted Ulbricht at the mailing address for the false identification. He not only admitted the documents were his, but also that such documentation could be purchased from the Silk Road. This further implicated him and showed direct knowledge of the site.
By that point his trail was so well known to the investigators that I’m not sure how much this admission hurt. Regardless, he should have known to say nothing and demand a lawyer. Without the foundational work of setting up and perfecting a process to protect himself, however, this appears to have been the likely outcome, and it became more so as his success grew.