How Silk Road's Founder Could Have Avoided Getting Busted
​​Jean-Pierre Dalbéra

FYI.

This story is over 5 years old.

Tech

How Silk Road's Founder Could Have Avoided Getting Busted

The trial of Ross Ulbricht has been a lesson in what not to do when building an internet drug market.

Since the downfall of underground online market Silk Road and the subsequent arrest of Ross Ulbricht, the alleged mastermind behind it, new anonymized drug markets have popped up in the site's place. But will they learn from his mistakes?

Ulbricht has already admitted he created the site, but argues he passed it along to other operators after just a few months and was later lured back in to take the fall. In the wake of Silk Road's shutdown, successors like Silk Road 2.0 (which was also busted due to its operator's sloppiness) and Silk Road Reloaded have emerged as alternatives.

Advertisement

The trial is still ongoing and Ulbricht has not been convicted of anything yet. But the case so far has consisted of prosecutors trotting out what looks like a host of missteps, including the use of his personal email to promote the site, storing thousands of chat logs on his personal laptop, keeping millions of dollars in Bitcoin that could be easily traced to Silk Road on his laptop, and sharing his secrets with several people who knew him in real life.

Most of Ulbricht's mistakes seem pretty avoidable

Most of Ulbricht's mistakes seem pretty avoidable, which raises the question: is it possible, with current technology, to build an underground website that the feds couldn't bust? Maybe, but first you'd have to follow these steps.

1. Keep your identities separate.

According to information security consultant Nik Cubrilovic, Ulbricht's arrest all came down to poor compartmentalization, meaning he didn't separate himself sufficiently from the criminal identity.

"If you are going to establish an anonymous handle online, it should be completely isolated from your real identity," Cubrilovic said.

This means using a separate IP address, a completely different computer, and certainly a separate email when operating as the anonymous online handle, which in this case was Dread Pirate Roberts or DPR, the pseudonymous owner of Silk Road.

"Ross didn't separate his alias and real identity at all," he said. "Because he was using the same computer and browser for both, his identities are completely tied. It was only a matter of time before those links started getting exposed."

Advertisement

Not only did Ulbricht use the same computer for both identities, he logged the purchase of the computer he was using at the time of his arrest, a Samsung 700z, in a spreadsheet of Silk Road assets saved to that computer, making the connection hard to deny.

The computer was not Ulbricht's only failure to compartmentalize the two identities. One of the first things used to trace Silk Road to Ross Ulbricht was a simple Google search. In Silk Road's early days, Ulbricht had posted in a Bitcoin forum promoting the site under his real email, rossulbricht@gmail.com.

The Grugq, an information security researcher, said this shows how simply using separate accounts would have been a sufficient way for Ulbricht to cover his tracks.

"The problem isn't that he used Gmail, the problem is that he used his Gmail," The Grugq told Motherboard in an email. "He used a personal account, which meant that there was a link to his real identity as soon as that email was found. If he used Gmail over Tor [the network that anonymizes web browsing] with a dedicated account only for DPR, it would've been fine. Not ideal, but nowhere near as bad as having his real identity linked to his criminal activities."

Nicolas Christin, an assistant research professor in computer engineering at Carnegie Mellon University, said Ulbricht should have used a separate account at the very least, and perhaps used an encrypted email service like riseup.net.

Advertisement

"He probably could have used throw-away email accounts, e.g. in jurisdictions that are not known to be friendly to Western law enforcement agencies," he told Motherboard in an email. "But even things like Tormail have been shown to be problematic, when the server that hosts them gets seized."

Because of this, Cubrilovic said its best to go a step further and use email hosted on a server you control, or not to use email at all.

"If you can avoid email, you should."

"The lesson here is that email is really difficult to secure," he said. "If you can avoid email, you should. Even when using PGP [shorthand for a commonly-used encryption protocol], it only secures the content of the email, but email still leaves a huge trail of metadata."

Cubrilovic said using Extensible Messaging and Presence Protocol (XMPP) chat services would be preferable for that reason. XMPP is an open-source instant messaging protocol that can be adapted for various clients and can be encrypted. Off-the-Record Messaging (OTR) is one such encryption protocol that is supported by most XMPP clients.

Ulbricht did use Pidgin Instant Messenger, an off-the-record XMPP client, but he inexplicably opted to save the history of the chats, the records of which have become central evidence in the case.

2. Know your tech, and if you don't, delegate.

Cubrilovic said Ulbricht's tech ignorance, which has been made apparent throughout the trial, was also a major component of his downfall. A programming question he posted on StackExchange was presented as evidence, and Richard Bates, a college buddy of Ulbricht who had a computer science degree and helped him with the site, testified against him.

The feds' (arguably dubious) explanation for finding Silk Road was that they discovered it through a misconfiguration of the site's CAPTCHA, a program that distinguishes humans accessing a site from bots. The site was also known to frequently have bugs exposing sensitive information. The list of rookie mistakes Ulbricht made is long.

Advertisement

"There was trial and error on his part setting up Silk Road," Cubrilovic said. "You not only have to be a good developer but really good with the security and anonymity concepts. If he had hired someone from the outset with a bit more programming experience, security experience, he would have avoided that StackExchange question, the leaks on the server that lead to his IP address being found."

Nicholas Weaver, a researcher at the International Computer Science Institute, similarly said Ulbricht's lack of expertise was a major issue. He added that Ulbricht should have sold the site earlier, saying "his biggest mistake was not retiring and going to live like a king in Patagonia."

"You can't learn OPSEC [operational security] on the fly," Weaver said, in an email. "Early on, he was going to make mistakes because he was learning on the fly. And that's why not leaving was his biggest one. If he actually did sell and walk away, those mistakes would probably be erased."

So why didn't Ulbricht enlist extra help? Cubrilovic said it's possible he simply underestimated the level of skill required to set up the site. Alternatively he may have overestimated the security of Tor, the anonymizing network users had to use in order to access the site. Tor is a service that obscures the IP addresses and locations of its users by rerouting their traffic through alternative relays in its network, so that a user in Texas might appear to be in China.

Advertisement

"A lot of admins believe if you set up Tor, nothing can go wrong, when actually it only anonymizes the IP address," Cubrilovic said, meaning it only obscures the address of your particular computer. "It's only going to secure your communication, not your server, not the application."

The Google search that led law enforcement to Ross Ulbricht. 

Perhaps with this in mind, Silk Road successor Silk Road Reloaded runs on Invisible Internet Project (I2P), an anonymous peer-to-peer computer network that some argue is more secure than Tor. However, Nicolas Christin, an assistant research professor in computer engineering at Carnegie Mellon University, warned this may not be the case.

"I2P is exotic, and has not been tested as well as Tor has," he said. "It doesn't mean it's more or less secure; the fact is, it so far has less users than Tor, which in turn makes it potentially harder to provide stronger anonymity guarantees."

3. Hide your money trail.

Some of the most damning evidence against Ulbricht presented in the case was the more than $13.4 million in Bitcoin found on his computer that could be traced directly back to Silk Road, showing that the cryptocurrency is not automatically as anonymous as many make it out to be.

"The lesson from the evidence in the case is that if you want to remain anonymous with Bitcoin, you have to use one of the anonymizing services," Cubrilovic said.

Anonymizing services, like Bitcoin Fog, "wash" your bitcoins by withdrawing bitcoin amounts in tiny, less traceable payouts. Services like these were advertised on Silk Road itself before it was busted. "There are services online where you can wash or launder your bitcoins, and he didn't utilize any of that," Cubrilovic said. "He directly transferred the funds so they could obviously be linked back to him."

Advertisement

However, Weaver said the sheer size of Bitcoin transactions would have made it difficult for Ulbricht to hide unless he did it extremely carefully.

"You can obscure stuff from pure public analysis by creating a ton of small transactions and other routines, but that doesn't work against an analyst who has your wallet.dat files, especially in the volumes of Bitcoins we are discussing with Silk Road," he said, referring to the wallet file on Ulbricht's computer where the bitcoins were stored.

4. Trust no one.

Running a drug empire is a solitary career path, but don't give into the loneliness and share your secrets with friends, lovers, or perfect strangers at bars like Ulbricht and his friends did.

 "Everyone knows too much. Dammit."

One journal entry found on Ulbricht's computer showed his struggle to keep the secret from those close to him:

"I then went out with Jessica. Our conversation was somewhat deep. I felt compelled to reveal myself to her. It was terrible. I told her I have secrets. She already knows I work with bitcoin which is also terrible. I'm so stupid. Everyone knows I am working on a bitcoin exchange. I always thought honesty was the best policy and now I didn't know what to do. I should have just told everyone I am a freelance programmer or something, but I had to tell half truths. It felt wrong to lie completely so I tried to tell the truth without revealing the bad part, but now I am in a jam. Everyone knows too much. Dammit."

Advertisement

Richard Bates, a friend of Ulbricht's testified in the case that only he, Ulbricht and two other people knew "to his knowledge," but that he may have drunkenly told someone else at a bar.

Ulbricht's decision to tell Bates came back to bite him in a big way, as Bates chose to testify against him as part of a non-prosecution agreement.

Ulbricht also apparently told his ex-girlfriend Julia about Silk Road, and her friend later wrote about it on his Facebook wall, saying "something along the lines of I'm sure the authorities would be very interested in your drug-running site," according to Bates testimony. Furthermore, Ulbricht trusted someone to be an admin on Silk Road who ultimately turned out to be a cop and played a major role in his arrest.

The moral of the story is that when it comes to running a darknet drug empire, the fewer people who know, the better.

5. Don't keep physical records of anything.

Despite the hiccups with Tor, the traceable Bitcoin blockchains, and the wealth of technological mistakes Ulbricht made personally, the bulk of the evidence being used to indict him are personal details saved to his laptop, which was seized from him while open and unencrypted at the time of his arrest in a public library. Ulbricht's internet footprint was large, but the laptop is key evidence in the case.

"There was enough probable cause without the laptop to identify him as a suspect and issue an arrest warrant, but it is unclear it was enough to win a conviction," Christin said.

Advertisement

The damning evidence found on the computer includes thousands of pages of TorChats, an anonymous instant messaging service that runs on Tor; activity logs; and a diary allegedly detailing day-to-day life for Ulbricht as he ran the site. Cubrilovic said he is baffled that DPR chose to automatically save the TorChat logs.

"TorChat doesn't load by default, for security reasons," he said. "It's actually a bit of a process and it gives you a big warning, so I was really surprised when it turned out he'd been logging all of his TorChat messages."

"It is mind boggling trying to understand what made him keep this journal."

Similarly, The Grugq said the journal is the most significant evidence of all.

"If he didn't keep a detailed journal of everything that he did, he possibly could raise reasonable doubt," The Grugq said. "Instead he has a journal that exactly matches his known real life activities, along with a detailed list of criminal activities. It is mind boggling trying to understand what made him keep this journal."

TL;DR

Keep your criminal identity separate from your real identity and don't keep a diary on your criminal conspiracy.

The Silk Road trial will continue on Monday, when the defense will call its first witness. Motherboard will continue to cover the trial, so check back here for updates.

Lead image by Jean-Pierre Dalbéra/Flickr.