FYI.

This story is over 5 years old.

Tech

Tracking Cirrus: Is This the Silk Road 2.0 Mole?

The second iteration of Silk Road came crashing down just as dramatically as the first, thanks to a mole in the site's inner circle.

The second iteration of Silk Road came crashing down just as dramatically as the first.

Blake Benthall, who admitted to mo​onlighting as the site's administrator, known as Defcon, made a similar mistake to Ross Ulbricht, the alleged owner of the original Silk Road. According to the FBI complaint against Benthall, he registered the black market bazaar's servers with the email address blake@benthall.net. This, among other evidence such as that gathered with physical surveillance, eventually led the FBI to arrest Benthall last month.

Advertisement

But the arrest of the Silk Road 2.0 leader and subsequent seizure of the site was also due to the presence of an undercover US Department of Homeland Security agent, simply referred to using the anonymous identifier "HSI-UC." This agent "successfully infiltrated the support staff involved in running the Silk Road 2.0 website," according to the FBI's complaint. From this position, the agent had access to confidential communications between Defcon and his staff, from day-to-day running of the site to casual chats and plans for the Silk Road's expansion.

Referencing multiple interviews, publicly available information, and parts of the moderator forum shared with me, it appears likely that the suspicions of many involved in Silk Road 2.0 are true: the undercover agent that infiltrated the site was a relatively quiet staff member known as Cirrus.

People were in a state of panic. Silk Road, the first deep web drug market to gather a mass public appeal, had been shut down by the FBI. Vendors had lost whatever currency they had stored in the site; customers were anxious about having any of their personal details found by police; and the staff wondered if they would be the next ones to be arrested.

Regardless of the danger, as headlines rocked around the world in October 2013, a group of Silk Road veterans, and some newer characters, quietly coordinated to bring back the most infamous digital drug bazaar ever made.

Advertisement

Cirrus's Silk Road profile shows it was created in July 2013.

But Silk Road 2.0 was infiltrated before the site even launched.

On October 7, the agent referred to as the HSI-UC was invited to join a forum to discuss the possibility of launching a new version of the marketplace, according to the FBI's complaint. This would soon become the Silk Road 2.0 forum, used by hundreds of thousands of people to communicate, ask for security advice, and trade reviews of drugs and other products they had bought on the site.

Roughly the next day, "on or around" October 8, "the persons operating the forum gave the HSI-UC moderator privileges, enabling the HSI-UC to access areas of the forum available only to forum staff." At this point, the "persons operating the forum" was most likely a user operating under the handle Dread Pirate Roberts, the same mystical pseudonym as the leader of the first site. This user also invited vendors from the original Silk Road to join up and provide their wares once again.

In all, nine users who were staff members, or who would later be promoted, made an account around the start of the Silk Road 2.0 forum. One of those was the HSI-UC, who was given moderator privileges from the beginning, and was embedded in the staff until at least September, according to details in the complaint.

Three people who were staffers of the original Silk Road—known as Inigo, SSBD and Libertas—were given moderator access straight away. We can count them out, however, because in December 2013 the men allegedly behind those accounts were arrested in the United States, Australia and Ireland, respectively.

Advertisement

Sarge quitting. Image: ​Antilop

In the ensuing panic, Sarge, another Silk Road 2.0 moderator, quit. On top of this, the Dread Pirate Roberts handed control of the site over to Defcon, according to information provided by the HSI-UC in the complaint. Neither stuck around the site long enough to be the HSI-UC, while three other moderators—DoctorClu, V, and ChemCat—did not receive moderator privileges until long after the HSI-UC already had access to the sensitive parts of the forum.

There is only one user account that was given moderator access around October 8th, survived the chaos of the December arrests, and remained active until at least September the following year. That user is Cirrus.

It is important to note that this observation does not conclusively prove that the account of the HSI-UC was Cirrus. Perhaps the undercover agent used multiple accounts on the site, switching to another when one of their aliases "quit." But based on all available information, Cirrus is the only user that fits with the series of events detailed in the FBI's complaint, and it is a suspicion held by other Silk Road 2.0 staff, some of whom suggested Cirrus is a woman, although we cannot confirm that detail.

"[She is] the only person who fits the profile in my opinion," Tang, another Silk Road 2.0 moderator who joined the site much later into its lifespan, told me. "[Cirrus wasn't] arrested with the rest of the SR1 staff, [was] involved from the start and [had] access to areas such as the support interface."

Advertisement

Cirrus had been a staff member on the original Silk Road since at least July 2013.

Hoff in a thread about the Silk Road mole.

Jack N Hoff, an established vendor from both the original Silk Road and its successor, raised his own suspicions on a popular deep web forum.

"I highly suspected Cirrus of being an 'undercover agent' ever since the arrests of the SR1 mods a year ago," Hoff, who is using an alias, posted in a forum thread regarding the mole's identity. "I knew Cirrus gave a scanned copy of her ID to DPR along with all of the other admins and mods."

"I liked [Cirrus], I used to speak to [her] quite a bit since our support interface had a Facebook-style chat feature," Tang continued. "There was a time where I went MIA for a couple of days and Cirrus sent me a message on the forum asking if everything was OK—[she] seemed like a nice person." Tang told me he hasn't spoken to Cirrus since Silk Road 2.0 was shut down, and doesn't know anyone else who has.

Cirrus is also suspected by members of the wider dark net community. An user operating under the alias Alfred, who runs The Hub, a sort of central meeting point for anybody interested in the dark net markets, provided me with a partial backup of the Silk Road 2.0 forums to show when each staff member created their account. He was also present around the time of Silk Road 2.0's seizure.

"I was there actively speaking to several of the mods the day that all of this went down," Alfred told me. "Knowing everything I know, it just couldn't be anyone else. Unless law enforcement is trying very hard to make it seem like Cirrus to point the blame away from them. But if that was the case then where is Cirrus? Why [hasn't she] turned up? No one I know has seen or spoken to her since all of this happened."

Advertisement

ChemCat, another of the Silk Road 2.0 staff, declined to be interviewed for this piece.

Despite being around for so long, Cirrus didn't say much on Silk Road 2.0. This is according to a partial archive of the moderator forum shared with me by DoctorClu, one of the Silk Road 2.0 users who was promoted to staff in December 2013.

In the "Staff Syncs," forum threads started by Defcon in order to for staff to voice any concerns, bring up issues, and generally to get everybody on the same page, Cirrus rarely posted.

When she did chime in on other threads, her suggestions were ostensibly helpful. One included a couple of pointers for speeding up efficiency when dealing with customers' inquiries. Another was a selection of detailed ideas on how to attract more vendors to Silk Road 2.0.

The moderators' responsibilities, including that of Cirrus, mainly revolved around customer support: responding to tickets, identifying scam vendor accounts, and dealing with disputes between buyers and sellers. Some staff went beyond this and utilized their various talents, be that hacking, DDoSing, or drafting announcements to be posted on the public forum.

some staff aren't even surprised that an undercover agent was able to infiltrate their ranks

According to Tang, for this work Cirrus would have earned around $1250 a week. The complaint states that the HSI-UC received payment from Defcon "amounting to approximately 83.39 Bitcoins (the equivalent of approximately $32,189 in United States currency based on current exchange rates)" since on or about January 23.

Advertisement

However, tracing these bitcoins is impossible. Referencing to the staff forums, whenever Defcon would pay his staff he would ask for a fresh set of bitcoin wallet addresses to be posted, encrypted, into the forum. This way, no staff member knew the addresses of any other staff, and according to Tang, Defcon would also send random "bonus" payments to staff, further obfuscating any attempt at following the money.

Even with those precautions, conversations on the moderator forums—about everything from staff payment; recruiting more drug vendors; how to deal with (or ignore) journalists; genuine messages of friendship; and even some discussions about law enforcement tactics—were being observed by an undercover agent with the intention of shutting down the site.

This includes private, one-on-one interactions that took place with the HSI-UC. For example, Defcon discussed with the HSI-UC how he planned to recover his customers' funds after a second devastating hack in September, according to the complaint.

But perhaps the thing that stings most after all of this is that some staff aren't even surprised that an undercover agent was able to infiltrate their ranks.

"It was quite worrisome but it didn't really surprise me as much as it should have," Tang said. "I know this is going to sound shitty but when I first joined the SR2 forum my sole intention was to obtain a staff position—not for the money but for the experience. I kept thinking that if I could 'infiltrate' SR2 then anyone could (including law enforcement)."

The FBI declined to comment on this story, because the case is still in the judicial process. Blake Benthall, the self-admitted leader of Silk Road 2.0, has a court appearance on the 22nd December.