Last week Ross Ulbricht, the founder and main administrator of Silk Road, was finally convicted of setting up and managing the famous illegal online marketplace. Ulbricht, better known as Dread Pirate Roberts for his influential role at Silk Road, never expected this outcome: Silk Road was supposed to make him rich, not put him in prison for a minimum of 30 years. So what went wrong for this master of digital crime?
During the case, a number of weaknesses were discovered in the way that Ulbricht used technology to run Silk Road using Tor hidden services. Technologies that he assumed were keeping him safe by offering him anonymity or protection were, in the end, the things that allowed prosecutors to convince a jury to convict him. So what were these technologies and safeguards, and what does their use in this particular instance teach us about maintaining anonymity on the internet?
The first thing that let Ulbricht down was his trusted Bitcoins. Although the digital currency is supposedly as anonymous as real-world cash, the truth is that Bitcoins are handled via a complex ledger system called the blockchain. The blockchain tracks the digital wallets that Bitcoins pass through, effectively telling a story in numbers of where they have been. During this case, the anonymity of Bitcoins was seriously brought into question, because law enforcement made light work of tracking down the wallets on either side of transactions, allowing them to easily trace the Bitcoins from online wallets to the wallets on Mr Ulbricht’s laptop. Having said that, Tor does offer the added protection of a service called ‘Tumbler’, which passes the Bitcoins through lots of extra intermediary wallets to obfuscate their path. In this case, however, it was either completely ineffective or Ulbricht simply didn’t bother to use the service.
The second technological stumbling block was a trusted method of communication called TorChat. TorChat is encrypted communication software that allows two people to communicate privately via the Tor network. Although it appears that the Tor encryption service did provide an effective way of communicating anonymously, for unknown reasons Ulbricht decided to keep hard copies of his chat logs on his laptop. During the court case the prosecution brought up example after example of these communications between Ulbricht and his fellow Silk Road administrators, in which the laptop user referred to himself time and time again as Dread Pirate Roberts. These communications stopped sharply at the point of Ulbricht’s arrest, and the alias never appeared online again.
Perhaps Ulbricht made this fatal mistake, and kept his chat logs, because he never expected law enforcement to be able to read them on his laptop, which used full-disk encryption. Unfortunately for him, law enforcement knew that Ulbricht would be using encryption, and so also knew that if they were ever going to have a case against him they would need to catch him while he was still logged into his laptop. By this time, law enforcement agents had also managed to figure out that Ulbricht liked to make use of free local WiFi networks (in particular a San Francisco coffee shop) in order to try to keep himself even more anonymous and therefore safe.
On the day of his arrest, Ulbricht was caught logged on to Silk Road with his laptop open, in his local library. In an almost comedic part of this story, it is now known that Ulbricht encouraged other Silk Road operatives to also use public WiFi networks, but had previously warned them about the danger of doing so with their back to the room. If Ulbricht had managed to push his laptop closed, the encryption used on his laptop would have hidden everything from law enforcement, perhaps meaning that prosecutors would have lacked the necessary evidence to convict. As it stands, however, the prosecution got everything they needed: spreadsheets, chat logs and, most importantly, his private encryption keys, opening his entire operation up to scrutiny.
It might not come as a big surprise that even Facebook was used to help law enforcement link Ulbricht to his online persona. At one point he said in messages as Dread Pirate Roberts that he was going on holiday to Thailand, and days later he started uploading images of his holiday to his Ross Ulbricht Facebook page. These details would have been inconsequential had he managed to keep his online persona separate from his real-life identity, but as soon as law enforcement had made the connection between his two identities, they all helped to secure his lengthy prison sentence.
Of course, some evidence in this case was circumstantial, as is the case with the photos of Ulbricht’s holiday in Thailand, and with Ulbricht having called his laptop ‘frosty’ when he used SSH connections to log his laptop on to the Silk Road servers. Ulbricht’s defense lawyer was quick to point out to the jury that anyone could have called their laptop ‘frosty’. As with any good puzzle, however, with enough evidence the picture becomes clear, and in this case all the pieces joined together to form a very clear picture of Ulbricht’s guilt, making it easy for the jury to come to a guilty verdict in just 3 and a half hours.
Technology had a big part to play in allowing this criminal to create a hugely profitable illegal online marketplace, and a big part to play in his downfall. Unfortunately for Ulbricht, he did not properly use the technology available to him to hide himself effectively, and he left a big enough digital footprint to be tracked down and prosecuted.
Ulbricht didn’t use good op-sec. If he had, the technology probably wouldn’t have let him down. Considering the consequences of the illegal activities he was involved in, and the vast sums of illegal money he was accumulating, it would have been wise for him to follow some of his own advice. If he had washed the Bitcoins properly, the blockchain wouldn’t have so easily led law enforcement to him. If he hadn’t kept his private communications on his laptop, the evidence against him, some of which was circumstantial, wouldn’t have been used against him. Finally, if he had kept a watchful eye on the room he was in on the day of his arrest, as he warned others to do, then perhaps he could have simply pushed his laptop closed, encrypting his data and keeping himself safe.
It is for this reason that this case is an outright education in digital privacy. It teaches us that if we don’t manage our data and treat our own privacy as gold, any weaknesses in our habits can and will be used against us. Ulbricht thought he was doing everything he could, but in the end he simply made too many costly mistakes.