
Silk Road: How FBI closed in on suspect Ross Ulbricht


By Dave Lee, Technology reporter, BBC News

A lengthy investigation into internet communications led the FBI to their suspect

US authorities believe that 29-year-old Ross William Ulbricht, arrested on
Wednesday, is Dread Pirate Roberts (DPR) - the administrator of the
notorious Silk Road online marketplace.

It was an underground website where people from all over the world were able to
buy drugs.

In the months leading up to Mr Ulbricht's arrest, investigators undertook a
painstaking process of piecing together the suspect's digital footprint, going back
years into his history of communicating with others online.

The detail of how the FBI has built its case was outlined in a court complaint
document published on Wednesday.

The search started with work from Agent-1, the codename given to the expert cited
in the court documents, who undertook an "extensive search of the internet" that
sifted through pages dating back to January 2011.

The trail began with a post made on a web forum where users discussed the use of
magic mushrooms.

In a post titled "Anonymous market online?", a user nicknamed Altoid started
publicising the site.

"I came across this website called Silk Road," Altoid wrote. "Let me know what you
think."

The post contained a link to a site hosted by the popular blogging platform
Wordpress. This provided another link to the Silk Road's location on the so-called
"dark web".

Records obtained by Agent-1 from Wordpress showed, unsurprisingly, that the
blog had been set up by an anonymous user who had hidden their location.

But then Altoid appeared in another place: a discussion site about virtual currency,
bitcointalk.org.

Altoid - who the FBI claimed is Mr Ulbricht - was using "common online marketing"
tactics. In other words, he was trying to make Silk Road go viral.

Months later, in October, Altoid appeared again - but made a slip-up, granting
investigators a major lead.

In a post seeking an IT expert with knowledge of Bitcoin, he asked
people to contact him via rossulbricht@gmail.com.

With a Gmail address to hand, Agent-1 linked this address to accounts on the
Google+ social network and YouTube video site. There he discovered some of Mr
Ulbricht's interests.

Among them, according to the viewing history, was economics. In particular, Mr
Ulbricht's account had "favourited" several clips from the Ludwig von Mises
Institute, a renowned Austrian school of economics.

Years later, on the Silk Road discussion forums, Dread Pirate Roberts would make
several references to the Mises Institute and its work.

Covering tracks
According to the court complaint document, it was the discovery of the
rossulbricht@gmail.com email address that gave investigators a major boost in
their search.

Through records "obtained from Google", details of IP addresses - and therefore
locations - used to log into Mr Ulbricht's account focused the search on San
Francisco, specifically an internet cafe on Laguna Street.

Furthermore, detailed analysis of Silk Road's source code highlighted a function
that restricted who was able to log in to control the site, locking it down to just one
IP address.

As would be expected, Dread Pirate Roberts was using a VPN - virtual private
network - to generate a "false" IP address, designed to cover his tracks.

Mr Ulbricht said to have been running Silk Road from Hickory Street in San Francisco

However, the provider of the VPN was subpoenaed by the FBI.

While efforts had been made by DPR to delete data, the VPN server's records
showed a user logged in from an internet cafe just 500 yards from an address on
Hickory Street, known to be the home of a close friend of Mr Ulbricht's, and a
location that had also been used to log in to the Gmail account.

At this point in the investigation, these clues, investigators concluded, were enough
to suggest that Mr Ulbricht and DPR - if not the same person - were at the very
least in the same location at the same time.

Fake IDs
The court complaint went into detail about further leads that followed.

In July of this year, by coincidence, a routine border check of a package from
Canada discovered forged documents for several fake identities all containing
photographs of the same person.

It was headed to San Francisco's 15th Street. Homeland security visited the
address, and found the man in the photographs - Mr Ulbricht.

He told officers that the people he lived with knew him simply as Josh - one
housemate described him as being "always home in his room on the computer".

Around the same time, investigators working on the Silk Road case later
discovered, DPR had been communicating with users privately to ask for advice on
obtaining fake IDs - needed in order to purchase more servers.

Further activity attributed to Mr Ulbricht took place on Stack Overflow - a
question-and-answer website for programmers - where a user named Frosty asked
questions about intricate coding that later became part of the source code of Silk
Road.

In another apparent slip-up, one of Frosty's messages initially identified itself as
being written by Ross Ulbricht - before being quickly corrected.

"I believe that Ulbricht changed his username to 'frosty' in order to conceal his
association with the message he had posted one minute before," lead prosecutor
Christopher Tarbell wrote in court documents.

"The posting was accessible to anyone on the internet and implicated him in
operating a Tor hidden service."



Bitcoin value drops after FBI shuts Silk Road drugs site

Visitors trying to access the Silk Road are now presented with a seizure notice

The value of bitcoins has dropped after the closure of the clandestine Silk Road online
marketplace.

The FBI seized bitcoins worth approximately $3.6m (£2.2m) on Tuesday.

The price of a bitcoin, a virtual currency for use online, fell steeply after the arrest of suspected
website administrator Ross Ulbricht.

Investor confidence may have been shaken by the association of bitcoins with illegal activity,
according to a security expert.

"When there's a big bust, that's going to knock people's confidence in investing," said Rik
Ferguson, a senior researcher at security company Trend Micro.

"The more a currency is associated with illegal activity, the more people will be nervous about
using it," he said.

Silk Road, which allowed users to trade in illegal drugs, required transactions to be made using the
virtual currency.

Price drop
News of the closure was followed by a rapid drop in the price of bitcoins, according to figures from
the Mt. Gox bitcoin exchange.

The going rate for the virtual currency dropped from more than $140 (£86) to around $110, before
climbing back up to $123 (£75).

Investors may have been concerned about the FBI's ability to confiscate bitcoins, said Mr
Ferguson.

"Knowing that a currency could be seized or shut down could pressure people to look for
alternative investment vehicles," he said.

The FBI seized the virtual currency by getting hold of encryption keys for the bitcoins, according to
Jerry Brito, George Mason University's technology policy director.

The keys were made available through seized computer equipment, Mr Brito said in a blog post.

The FBI then transferred the bitcoins to an address controlled by the US government, according
to the seizure order (PDF).

What was the Silk Road?

Silk Road took its name from the historic trade routes spanning Europe, Asia and parts of Africa.

News reports and other internet chatter helped it become notorious. However, most users would not have
been able to stumble upon the site as the service could only be accessed through a service called Tor - a
facility that routes traffic through many separate encrypted layers of the net to hide data identifiers.

Tor was invented by the US Naval Research Laboratory and has subsequently been used by journalists and
free speech campaigners, among others, to safeguard people's anonymity.

But it has also been used as a means to hide illegal activities, leading it to be dubbed "the dark web".

Payments for goods on Silk Road were made with the virtual currency Bitcoin, which can be hard to monitor.

Court documents from the FBI said the site had just under a million registered users, but investigators said
they did not know how many were active.

Earlier this year Carnegie Mellon University estimated that over $1.22m (£786,000) worth of trading took
place on the Silk Road every month.

How bitcoins work

Bitcoin is often referred to as a new kind of currency.

But it may be better to think of its units as being virtual tokens that have value because enough people
believe they do and there is a finite number of them.

Each of the 11 million Bitcoins currently in existence is represented by a unique online registration number.

These numbers are created through a process called "mining", which involves a computer solving a difficult
mathematical problem.

Each time a problem is solved the computer's owner is rewarded with 25 Bitcoins.

To receive a Bitcoin, a user must also have a Bitcoin address - a randomly generated string of 27 to 34
letters and numbers - which acts as a kind of virtual postbox to and from which the Bitcoins are sent.

Since there is no registry of these addresses, people can use them to protect their anonymity when making a
transaction.

These addresses are in turn stored in Bitcoin wallets, which are used to manage savings. They operate like
privately run bank accounts - with the proviso that if the data is lost, so are the Bitcoins contained.

HOW BITCOINS WORK

Bitcoin is often referred to as a new kind of currency.

But it may be better to think of its units as being virtual tokens that have value because enough people
believe they do and there is a finite number of them.

Each bitcoin is represented by a unique online registration number.

These numbers are created through a process called "mining", which involves a computer solving a difficult
mathematical problem with a 64-digit solution.

Each time a problem is solved the computer's owner is rewarded with bitcoins.

To receive a bitcoin, a user must also have a Bitcoin address - a randomly generated string of 27 to 34 letters
and numbers - which acts as a kind of virtual postbox to and from which the bitcoins are sent.

Since there is no registry of these addresses, people can use them to protect their anonymity when making a
transaction.

These addresses are in turn stored in Bitcoin wallets, which are used to manage savings. They operate like
privately run bank accounts - with the proviso that if the data is lost, so are the bitcoins contained.

22 April 2013 Last updated at 12:00 GMT

Japanese police target users of Tor anonymous network

The hacker "Demon Killer" taunted police via remotely compromised computers

Japanese people who "abuse" the Tor anonymous browsing network could
be blocked from using it.

The recommendation was made in a report drawn up for the National Police
Agency (NPA) in Japan by a panel of technology experts.

The panel was formed to help decide how to tackle crimes committed with the aid
of the Tor network.

For months, Japanese police attempts to catch a hacker known as "Demon Killer"
were hampered by his use of Tor.

'The Onion Router'
The internet service provider (ISP) industry would be asked to help site
administrators block the use of Tor if people were found to be abusing it, the
Mainichi Shimbun newspaper reports.

Tor (The Onion Router) is a way for people to use the web without surrendering the
identifying data that websites typically gather. As its name suggests, it sends data
traffic through a series of routers arranged in layers like in an onion to make it
difficult to find out who is browsing a site or is behind any particular web activity.

Tor has vexed several Japanese police investigations into cybercrime. In particular
it stifled attempts to find and arrest a hacker who used the "Demon Killer" alias.

Japanese police began investigating the hacker after he started threatening to
bomb schools and nurseries via messages posted to chat forums and discussion
boards. A reward of 3m yen (£20,000) was offered for information leading to the
hacker's identification.

Police arrested four people for posting the threats but realised the hacker had
compromised the computers of these innocent victims and was abusing their
machines remotely via Tor.

Malicious program
The hacker continued to taunt police in emails that sent investigators all over the
country looking for him. In a bizarre twist the hacker directed investigators to
Enoshima, an island off Tokyo, and gave them information that led them to a cat
wearing a collar on which was a memory card.

The card held details of the code and malicious program he used to gain remote
control of victims' computers. Inadvertently, directing police to the cat helped them
catch the suspected hacker, Yusuke Katayama, 30, who was seen on CCTV
footage with the cat.

After Mr Katayama's arrest, the NPA sought guidance on how to handle similar
cases. The industry report drawn up for the NPA recommended considering a ban
on Tor and other anonymising networks as they had been found to be used in a
wide variety of crimes.

Japanese ISPs have not welcomed the recommendation.

"Communication privacy is our lifeline. We won't be able to accept such a request,"
an industry insider told the Mainichi Shimbun.

Secret net Tor asks users to sign up to cloud services

The Onion Router is so named because it is multi-layered with no clear centre

People involved in a project to maintain a secret layer of the internet have
turned to Amazon to add bandwidth to the service.

The Tor Project offers a channel for people wanting to route their online
communications anonymously.

It has been used by activists to avoid censorship as well as those seeking
anonymity for more nefarious reasons.

Use of Amazon's cloud service will make it harder for governments to track, experts
say.

Onion router
Amazon's cloud service - dubbed EC2 (Elastic Compute Cloud) - offers virtual
computer capacity.

The Tor developers are calling on people to sign up to the service in order to run a
bridge - a vital point of the secret network through which communications are
routed.

"By setting up a bridge, you donate bandwidth to the Tor network and help improve
the safety and speed at which users can access the internet," the Tor project
developers said in a blog.

"Setting up a Tor bridge on Amazon EC2 is simple and will only take you a couple of
minutes," it promised.

Users wishing to take part in the bridging project need to be subscribed to the
Amazon service.

It normally costs $30 (£19) a month. However, Amazon is currently offering a year's
worth of free storage as part of a promotion, which Tor developers believe their
users will qualify for.

Amichai Shulman, chief technology officer of data security firm Imperva, believes
that cloud services could have a big impact on Tor.

"It creates more places and better places to hide," he said.

"With cloud services it will be easier to create a substantial number of bridges.
Amazon is hosting millions of applications and it will be difficult for governments to
distinguish between normal access to Amazon's cloud and Tor access," he said.

Tor is short for The Onion Router, so named because of the multi-layered nature of
the way it is run. It is also known as the dark net.

It has been in development since 2002 and works by separating the way
communications are routed via the internet from the person sending them.

Data is sent through a complex network of 'relays' or bridges run by volunteers
around the world. When someone receives data routed via Tor it appears to come
from the last person in the relay rather than from the original sender.

Internet addresses are encrypted to add to anonymity.

Ugly face
The Tor Project has been praised for offering people living in repressive regimes an
opportunity to communicate freely with others without fear of punishment. Activists
have used it in Iran and Egypt.

But it is also used to distribute copyrighted content.

The people behind the Newzbin 2 website are suggesting its members use the
network to continue sharing illegal downloads after BT blocked access to the site in
the UK.

Tor is also used by people wanting to share images of child abuse. Hacktivist group
Anonymous recently launched Operation Darknet which targets such abuse groups
operating via the network.

"There is an ugly face to Tor," said Mr Shulman. "Studies suggest that most of the
bandwidth is taken by pirated content."

While cloud services are unlikely to make Tor mainstream, the more bridges there
are, the more anonymous the network becomes.

Imperva research estimates that there are currently "a few thousand" exit nodes on
Tor - the points at which communications reveal themselves on the wider internet.

"There could be far more other nodes but it gives a sense of the size of the
community," said Mr Shulman.

Access to Tor is not limited to fixed line communications.

Android users can access it via an application called Orbot and earlier this week
Apple approved Covert Browser for iPad to be sold in its App Store, the first official
iOS app that allows users to route their online communications through Tor.
