Forensics Casefile: Cracking the Silk Road


The story of busting the Silk Road, once the world’s largest illegal marketplace, has two main characters: Ross Ulbricht and the Dread Pirate Roberts (also known as DPR).

The Dread Pirate Roberts was the kingpin of the darknet’s Silk Road—a site that allowed the sale of almost anything, including drugs and stolen data. He earned some $80 million in Bitcoin through illicit commissions and generated over $1.2 billion in turnover. A fanatical proponent of libertarian economic theory, DPR posted manifestos about giving people “a first-hand experience of what it would be like to live in a world without the systemic use of force.” During his brief reign, he was one of the most wanted men on the planet.

Ross Ulbricht was an Eagle Scout. He had a master’s degree in materials engineering, specializing in crystallography. After graduating, he opened an online used book store, Good Wagon Books. He paid $1,000 a month to rent a bedroom in a three-person San Francisco flat. He spent most of his time on his laptop in cafes, and nobody was likely to give him a second glance.

Finding the trail that connected those two characters—and revealing them to be the same person—took two-and-a-half years, multiple government agencies, and the coordination of both digital and physical forensics.

How Did the Darknet Silk Road Work?

The Silk Road was a black market Amazon, a place where you could buy practically anything, and it came as a natural extension of two pieces of emerging tech: Bitcoin and Tor. By tumbling Bitcoin through a series of quick dummy transactions, payments between parties could be rendered anonymous. And through the Tor protocol, encrypted internet traffic could be funneled through a series of intermediary servers that were impossible to trace. In concert, they offered a purely anonymous marketplace, one outside the arm of regulation.

By the time awareness of the site reached the mainstream world, the Silk Road was already processing hundreds of thousands of transactions. Several agencies launched investigations. The IRS set about trying to track down the flow of money. The FBI dug into the Tor protocol for leaks. The DEA and DHS tried to intercept drug shipments through the mail. But despite having the power of the US government behind them, investigators found themselves woefully out of their depth.

How Did Investigators Connect the Silk Road to Ross Ulbricht?

Ulbricht’s name came up early in the investigation in 2011, when an IRS agent began an extensive search of the internet for early mentions of the Silk Road, hoping to trace back to its origins. After an enormous amount of sifting, they discovered that only four days after the first Silk Road blog went up, a user named Altoid posted about it in a small-time discussion forum. Following the trail of that online handle, investigators found him looking to recruit an IT and Bitcoin specialist, and referring people to a Gmail address that included the name Ross Ulbricht. That Gmail address was connected to a Google Plus account which hosted videos that exposed Ulbricht’s economic views as precisely in line with DPR’s. It was the first and only lead, but Ulbricht didn’t even have a background in computer science. Nothing linked Ulbricht to the management—let alone creation—of the Silk Road.

Ulbricht’s name didn’t come up again until July 2013, when Homeland Security intercepted a package mailed from Canada to Ulbricht’s San Francisco address. Inside, they found several counterfeit IDs that all had pictures of Ulbricht. When DHS agents confronted Ulbricht in person, they had no idea what the Silk Road was—disconnected from the larger investigation, they simply asked him a few questions and left. What they didn’t know was that they’d just met the Dread Pirate Roberts and those IDs had been part of his plan to escape for good.

On the digital front, the FBI’s cybercrime squad was hard at work, trying to analyze and crack the Silk Road’s built-in defenses. When Ulbricht made a coding error and the IP address of the Silk Road server was exposed for mere minutes, the FBI was watching. Armed with this information, investigators traced the IP address to Iceland. The Icelandic authorities agreed to cooperate and sent the FBI a thumb drive with the cloned contents of the server. All the folders were encrypted, but the FBI cracked the password: trytocrackthisNSA.

From there, digital forensics experts were able to mirror the Silk Road servers and pore through the internal data. They found employee names, accounting data, and something even more sinister: buried in the chat records, they found that when DPR had been threatened with exposure, he’d casually agreed to pay for that person’s execution.

It wasn’t the first time.

How Did Investigators Catch the Dread Pirate Roberts (DPR) in San Francisco?

After one of DPR’s employees had been caught dealing with an undercover DEA agent earlier in 2013, DPR had taken up an offer to have the ex-employee tortured and killed. What DPR didn’t know was that this offer had come from the very same undercover agent. The agent doctored pictures of the supposed execution and DPR paid $80,000 for what he assumed to be a contract killing. And investigators realized they were dealing with something even more serious than drugs: they were dealing with possible murders. But despite having access to a copy of the Silk Road’s server, they were still no closer to uncovering who the DPR was.

Then they started talking to each other.

When the FBI, IRS, DEA, and DHS began sharing information in late July 2013, they got a much more complete picture than they’d initially realized. The IRS agent brought up his initial lead to one Ross Ulbricht, and they ran the name through all their systems. They found Ulbricht had traveled to Dominica, a known tax haven. They found the case of him purchasing counterfeit IDs. Furthermore, Ross Ulbricht and DPR had clear digital touchpoints: another early email account Ross had used matched the name of the Silk Road server: frosty. The FBI assigned physical surveillance to Ulbricht and was able to match Ulbricht’s internet usage to DPR’s activity on the Silk Road: over the course of weeks, whenever Ulbricht opened his laptop, DPR signed into the Silk Road—and when Ulbricht closed his laptop, DPR signed out.

As the heat closed in, DPR reassured a potential employee that they could only be caught if they were caught red-handed, with their laptop open and their fingers on the keys and the Silk Road running on an admin account—an extremely unlikely occurrence. And also exactly what investigators were planning.

DPR had a kill switch on his laptop: a single key could erase all evidence at a moment’s notice. Arresting DPR in the act didn’t require a SWAT team and brute force; it required careful orchestration and a clever dose of finesse. Still, up until the very moment, the FBI argued internally about whether the brute force option or the finesse option was better. No agreement was ever reached: proponents of each side went forward with their own plans on the day of the arrest.

On an afternoon in October 2013, Ulbricht walked into the Glen Park Library and sat down at a table near the science fiction section. One of his new employees sent him a message asking him to log on and check a flagged post in the admin account. After Ulbricht opened his laptop and started typing away, a man and woman beside him broke out into an argument that quickly escalated to the point of physicality. When Ulbricht turned to look, another woman sitting across from him gracefully swooped up his open laptop and passed it to a man walking by, mid-stride. It all went down in a matter of seconds. By the time Ulbricht realized that everyone involved in this scene—the new employee, the arguing couple, the woman across from him, the man walking by—was an undercover agent, he was already in handcuffs. On his laptop’s screen, agents found him logged into the Silk Road as the head administrator. The FBI seized the Silk Road servers and served Ulbricht a warrant for Ross Ulbricht, alias Dread Pirate Roberts.

Finesse had won out.

What Happened After the Arrest of DPR?

Still at the scene, the FBI’s digital forensics experts backed up all the files on Ulbricht’s laptop, but many of the most sensitive file folders remained encrypted. Working nonstop, they were able to find the master password in the laptop’s RAM. And, with that, they had everything.

On Ulbricht’s day in court, his defense attorneys attacked the fragility of the matching online identities. They brought up the meaning of the name Dread Pirate Roberts, taken from a story where the name and duties of a person can be passed on seamlessly from one to another. They presented their own conspiracy theories in which Ulbricht was nothing but a fall guy and bet their case on the jury being unable to understand the coded world of darknet transactions.

But the digital forensics was cut and dried. On Ulbricht’s laptop, investigators had found:

  • Wallets with over 140,000 Bitcoins
  • A detailed accounting spreadsheet of Silk Road finances
  • A list of all the Silk Road’s servers
  • Ulbricht’s personal diary entries detailing the construction and operation of the world’s largest illicit website

He’d been caught red-handed, and investigators had connected the digital and physical worlds, unmistakably linking Ulbricht, the Eagle Scout, to DPR, the underworld kingpin.

The trial concluded in only 13 days. The jury deliberated for a mere four hours. Ulbricht was found guilty of money laundering, computer hacking, and conspiracy to traffic narcotics. His sentence included two life terms, without the possibility of parole.

But the story didn’t end there. Investigators went after Silk Road’s other employees and users. In a sordid twist, it was discovered that the undercover DEA agent who’d negotiated the fake execution with Ulbricht had been involved in his own criminal dealings. New iterations of the Silk Road began popping up all over the darknet.

In the wake of the Silk Road case, the need for modern forensics investigators has only grown, and so has the complexity of their task. This isn’t just a fight against an increasingly adept criminal class, but also one to master the modes and methods of the bleeding edge of technology.

Three Standout Programs in Modern Forensics & Cybersecurity

McAfee Institute (Certification)

The McAfee Institute is an accredited provider of professional training and certifications for law enforcement and investigations units with a specialization in cyber-related sectors. They offer the Certified Cryptocurrency Forensic Investigator (CCFI) designation through an advanced self-study program that culminates in board certification.

In order to be eligible, applicants must have a bachelor’s degree and four years of experience in digital forensics or cybersecurity. This is a comprehensive 40-hour course that includes topics such as anonymization networks; understanding encryption; cryptocurrency investigations; analysis of recovered addresses and wallets; seizing cryptocurrency coins; suspect identification; money laundering schemes; and high-tech case preparation. The program costs $4,997 and counts for 40 units of continuing education.

Cybrary (Short Course)

Cybrary is a workforce development program that focuses on emerging issues in cybersecurity and IT. Their course in computer hacking and forensics covers the foundations of modern digital forensics and teaches students how to legally gather evidence and investigate cyber events.

The five-hour program is divided into 14 topics: modern computer forensics; the computer forensics investigation process; hard disks and file systems; data acquisition; anti-forensics techniques; operating system forensics; network forensics; web attack investigation; database forensics; forensics with the cloud; malware; email investigation; mobile; and forensic reporting. Students who complete the course will earn a certificate of completion and ten continuing education units (CEUs). This course requires a monthly subscription of $99, which unlocks all of Cybrary’s course library.

edX/Rochester Institute of Technology (Short Course)

The Rochester Institute of Technology offers a MicroMasters program in cybersecurity that includes a course in computer forensics. One of five graduate-level courses, it promises to teach students court admissibility procedures as well as the technical fundamentals of investigation.

The seven-week class covers the following areas: digital forensics fundamentals; Unix/Linux fundamentals; Unix/Linux forensic investigation; Windows incident response; Windows fundamentals; Windows forensic investigation; and advanced artifacts. As a standalone course, it can be taken for free (or for $150, with a certificate of completion). Designed for professionals with a STEM degree and five years of professional experience, the entire MicroMasters course in cybersecurity costs $1,080.

Writer

Matt Zbrog

Matt Zbrog is a writer and freelancer who has been living abroad since 2016. His nonfiction has been published by Euromaidan Press, Cirrus Gallery, and Our Thursday. Both his writing and his experience abroad are shaped by seeking out alternative lifestyles and counterculture movements, especially in developing nations. You can follow his travels through Eastern Europe and Central Asia on Instagram at @weirdviewmirror. He’s recently finished his second novel, and is in no hurry to publish it.