
Search and capture of the owner of Silk Road. FBI Agent Report



Preface to the translation:
On October 2, an article was published on Habr about the arrest of the owner of Silk Road, an online store on the Tor network that allowed various substances prohibited from free circulation to be bought and sold anonymously for bitcoin. The discussion of that article also linked to a scan of the indictment (PDF, 3.3 MB) dated 09/27/2013, 39 pages, in which the atrocities of the owner and administrator of Silk Road are picturesquely set out. Besides the legal and technical description of those atrocities, the document contains an FBI agent's report on how the identity of the owner, Ross William Ulbricht, was established (pages 24–32, paragraphs 33–45). I decided it would be nice to make it more accessible to the Russian-speaking community, so a translation of this part of the indictment is offered for your attention.


Identification of Ross William Ulbricht, known as “Dread Pirate Roberts,” the defendant.

33. As described in detail below, in the course of identifying DPR it was established that this person is ROSS WILLIAM ULBRICHT, the defendant, also known as “Dread Pirate Roberts”, “DPR” and “Silk Road”. According to ULBRICHT's profile on Linkedin.com, a website that serves as a professional social network on which members post information about their professional experience and interests, ULBRICHT, 29 years old, graduated from the University of Texas with a bachelor's degree in physical sciences in 2006. From 2006 to 2010 he attended graduate school at the School of Materials Science and Engineering at the University of Pennsylvania. However, ULBRICHT states on his LinkedIn profile that after graduate school his “goals” subsequently “changed”. ULBRICHT makes it clear that since then he has been concentrating on “creating an economic simulation” designed to “give people a direct experience of what it would be like to live in a world without the systemic use of power by organizations and governments.” Based on the evidence presented below, I believe that the “economic simulation” ULBRICHT refers to is Silk Road.

34. To begin with, I spoke with another agent involved in this investigation (“Agent-1”), who conducted an extensive Internet search to determine how and when the Silk Road website first became known to Internet users. The earliest public mention found by Agent-1 is a message dated January 27, 2011, posted on the online forum at www.shroomery.org, an informational website for fans of “magic mushrooms” (“Shroomery”). The message, entitled “Anonymous online market?”, was created by a user known only by his nickname, “altoid”. The message read as follows:
I came across this website called Silk Road. It's a Tor hidden service that claims to let you buy and sell anything online anonymously. I'm thinking about buying something there, but I'd like to know whether anyone has heard of it and can give some recommendations. I found it on silkroad420.wordpress.com, which, if you have a Tor browser, will redirect you to the real site at tydgccykixpbu6uz.onion. Let me know what you think...

This was the only post by the user altoid on the Shroomery forum, which indicates, as confirmed by my training and experience, that the sole purpose of registering on this forum was to post this message.

35. In the Shroomery post, “altoid” reported that he had “learned” of Silk Road through “silkroad420.wordpress.com”, a page stating that Tor users can be redirected via Tor to Silk Road. The address “silkroad420.wordpress.com” is a blogging account on the service known as WordPress. According to records received from WordPress, the “silkroad420” account was registered on January 23, 2011 - just four days before “altoid” posted on Shroomery. (The account was registered anonymously by a person who, judging by the IP address used, connected to the Internet through Tor.)

36. After the message appeared on Shroomery on 01/27/2011, the next mention of Silk Road on the Internet found by Agent-1 is a post created two days later, on 01/29/2011, on bitcointalk.org, an online discussion forum dedicated to Bitcoin (“Bitcoin Talk”). This post was also made by a person using the alias “altoid”. The message appeared in a long discussion thread started by other Bitcoin Talk users about the possibility of operating a “heroin store” with payment via Bitcoin. In this post, “altoid” writes:

Great discussion! You guys have great ideas. Has anyone seen Silk Road? It's kind of an anonymous amazon.com. They probably don't have heroin, but they sell a lot of other interesting things. They basically use bitcoin and tor together for anonymous transactions. It's here - tydgccykixpbu6uz.onion. If anyone isn't familiar with Tor, they can go to silkroad420.wordpress.com for instructions on how to access the .onion site.

Let me know what you guys think about it.


37. Based on my training and experience, the two messages posted by “altoid” on Shroomery and Bitcoin Talk are attempts to generate interest in the site. The fact that altoid posted two similar messages about this site on two completely different discussion forums, two days apart, indicates that during this time altoid was visiting various discussion forums whose users could potentially be interested in Silk Road, looking for a way to promote the website among forum participants - which, based on my training and experience, is a standard marketing tactic for new websites. Moreover, the fact that “altoid” ends both messages with the phrase “Let me know what you guys think” shows that “altoid” was not only interested in sharing his experience with Silk Road, but also wanted feedback from other users, again consistent with an intention to promote and improve the site.

38. In the course of further study of the Bitcoin Talk forum, Agent-1 discovered another message left by “altoid” on the forum on October 11, 2011, approximately 8 months after the Silk Road announcement. In this later post, made in a separate thread unrelated to the earlier subject, altoid reports that he is looking for an “IT pro in the Bitcoin community” to hire in connection with “a single startup project using Bitcoin”. In the message, interested participants were invited to send their proposals to the address “rossulbricht at gmail dot com” - indicating that “altoid” uses the email address “rossulbricht@gmail.com” (the “Ulbricht Gmail Account”).

39. According to subscriber records obtained from Google, the Ulbricht Gmail Account is registered to Ross Ulbricht. The records indicate that Ulbricht has a Google+ account, a social networking service operated by Google. After examining Ulbricht's publicly available Google+ profile, I found that it contains his picture, which matches the picture in Ross Ulbricht's LinkedIn profile mentioned in paragraph 33.

40. A visit to Ulbricht's Google+ page also showed that it contains links to a specific website that DPR regularly cited in his forum posts. In particular:

a. Ulbricht's Google+ profile contains a list of his favorite YouTube videos, which includes videos from mises.org, the site of an organization called the Mises Institute. According to its website, the “Mises Institute” describes itself as “the world center of the Austrian School of economics.” The website allows visitors to register and create a profile. By examining a publicly available archived version of this site, I discovered on it a user profile for Ross Ulbricht, which contained a user image matching the Ross Ulbricht image on the Google+ and LinkedIn profiles.

b. Based on my familiarity with DPR's messages on the Silk Road forum, I know that DPR's user signature on this forum contains a link to the Mises Institute website (one of two links included in his signature). Moreover, in separate forum posts DPR cites “Austrian economic theory” and the works of Ludwig von Mises and Murray Rothbard - economists closely associated with the Mises Institute - as providing the philosophical justification for Silk Road.

41. The investigation also found confirmation that at the beginning of June 2013, Ulbricht was residing in San Francisco, California, near an Internet cafe from which a connection was made to the server used to administer Silk Road. In particular:

a. I examined records received from Google that log the IP addresses from which the Ulbricht Gmail Account was accessed between January 13, 2013 and June 20, 2013. The IP logs show that during this time the account was regularly accessed from a specific Comcast IP address. According to records received from Comcast, this IP address at the time of those accesses was registered to a specific address on Hickory Street, San Francisco, California. Registered at this address is another person who I know to be Ulbricht's friend in San Francisco (hereinafter the “Friend”), with whom Ulbricht stayed when he arrived in San Francisco around September 2012, as confirmed by a video posted on YouTube in which the two friends are filmed in circumstances consistent with this.

b. Based on my review of DPR's private correspondence recovered from the Silk Road web server, I know that DPR regularly referred to the Pacific time zone when discussing time. For example, in one private message dated 04.18.2013, DPR tells another Silk Road user: “It's approximately 4 pm Pacific Standard time. I need to do some things.” Based on my training and experience, I believe this pattern suggests that DPR is physically located in the Pacific Time Zone, in which, of course, San Francisco, California is located.

c. Further, based on the results of the forensic examination of the Silk Road web server, I know that the server contains code that was once used to restrict administrative access to the server, so that only a user connecting from a specific IP address named in that code could access it. Based on my training and experience, as well as my understanding of how server access is generally configured, I believe that this IP address belongs to a VPN server - in effect, a secure gateway through which DPR could remotely connect to the Silk Road web server from his own computer. The VPN server's IP address belongs to a server hosted by a specific hosting company, which, pursuant to a court order, provided data regarding that VPN server. The records show that the contents of the VPN server were wiped by the user renting it*. However, the records contained the IP address from which the user connected to the VPN server during the last session with the server, on 03.06.2013. This IP address belongs to Comcast, whose records, obtained by court order, indicate the location - an Internet cafe on Laguna Street, San Francisco, California. This cafe is located less than 500 feet from the Friend's address on Hickory Street, from which Ulbricht regularly connected to his Gmail account - including several times on 03.06.2013, according to Google's records.

* The code containing the VPN server's IP address was “commented out” on the Silk Road web server, meaning that it was inactive as of 07.23.2013, when the server image was taken. From my review of DPR's private correspondence recovered from the Silk Road web server, I know that on May 24, 2013, a Silk Road user sent him a private message warning that “some external IP address” had “leaked” from the site, and quoting the IP address of the VPN server. Based on my training and experience, I believe that in response to this message DPR deactivated the code containing the VPN server's IP address, then wiped the contents of the VPN server, and then switched to the method of accessing the Silk Road web server that was in use later.

d. Based on my training and experience, this evidence confirms that the Silk Road administrator, who is DPR, was in approximately the same area where Ulbricht was located, at the same time.

42. The investigation also found that by July 2013, Ulbricht had moved to another address in San Francisco, to which a package containing several forged identity documents was sent to him, at the same time that DPR is known to have been seeking such documents on Silk Road. In particular:

a. From my review of the investigative report received from U.S. Customs and Border Protection (CBP), I learned the following:

i. On or about July 10, 2013, as part of a routine border inspection, CBP intercepted a package arriving from Canada. The package contained 9 fake IDs. All the fake documents were issued in different names, although they all bore a photo of the same person. The package was addressed to a recipient at an address on 15th Street, San Francisco, California (the “15th Street Address”).

ii. On or about 07/26/2013, agents of Homeland Security Investigations (HSI) visited the 15th Street Address for further investigation. In the residence at this address, the agents found ROSS WILLIAM ULBRICHT, also known as “Dread Pirate Roberts”, “DPR” and “Silk Road”, the defendant, the person pictured in the photos on the fake IDs in the package.

iii. The agents showed ULBRICHT a photograph of one of the seized forged documents, a California driver's license bearing a photograph of ULBRICHT and his real date of birth, but another person's name. ULBRICHT refused to answer questions regarding the purchase of this and the other identity cards. At the same time, ULBRICHT volunteered that “hypothetically” anyone could go to the Silk Road website on the Tor network and buy any drugs or fake documents they wanted.

iv. ULBRICHT presented the agents with his genuine Texas driver's license. He explained that he was subletting a room at the 15th Street Address for $1,000 a month in cash. ULBRICHT said that at the time two other people were living in the house with him who knew him by the assumed name “Josh”.

v. The agents also spoke with one of Ulbricht's housemates, who confirmed that Ulbricht, whom he knew as “Josh”, was always at home in his room at the computer.

b. From my review of DPR's private correspondence recovered from the Silk Road web server, I know that in June and July 2013 DPR repeatedly contacted other Silk Road users expressing interest in acquiring fake IDs. For example:

i. In one message exchange dated 07/08/2013, DPR tells another Silk Road user that he “needs a fake ID”, which he intended to use to “rent servers”, explaining that he is busy “creating his own server cluster”. Based on my training and experience, I know that server hosting companies often require clients to verify their identity in one form or another. Accordingly, I believe that DPR was seeking forged documents in order to lease servers under an assumed name.

ii. In another message exchange dated 06/01/2013, DPR and another Silk Road user, “redandwhite” - the same user whom DPR asked to carry out a contract killing, as mentioned above (translator's note: in the untranslated part of the original document) - agreed to talk at a set time in an online chat, with DPR telling redandwhite: “I have something to discuss with you.” Four days later, on 05.06.2013, DPR sent redandwhite a message: “Hello, I wanted to find out where you got to with your offer of a fake ID.” Redandwhite replied: “That's my man, and he's in the process.”

43. Finally, during the investigation, evidence was obtained that Ulbricht was running a Tor hidden service, as well as confirmation of his connection to specific software code and a specific encryption key found on the Silk Road web server. In particular:

a. Based on my training and experience, I know that “stackoverflow.com” (“Stack Overflow”) is a website used by programmers to post questions about programming problems and get suggested solutions from other programmers. According to records received from Stack Overflow:

i. On 03/05/2012 a user registered an account on Stack Overflow under the name “Ross Ulbricht”. Ulbricht provided the Ulbricht Gmail Account as his email address, as part of the information required at registration.

ii. On 03/16/2012 at about 8:39 PM Pacific Time, Ulbricht posted a message on the site entitled “How can I connect to a Tor hidden service using curl in php?”. Based on my training and experience, I know that “PHP” refers to a programming language used for web servers, and “curl” refers to a set of software commands that can be used in this language. In the body of the message, Ulbricht lists 12 lines of code using “curl” commands, which he says he used “to connect to a Tor hidden ... service using php”, but which, as he reports, returned an error. Based on my training and experience, Ulbricht's message indicates that he was writing custom software code intended for a Tor hidden web server, such as Silk Road.

iii. When a user posts a message on Stack Overflow, his name appears next to that message. However, less than one minute after posting the message described in the previous paragraph, Ulbricht changed his user name from “Ross Ulbricht” to “frosty”. Based on my training and experience, I know that criminals often use pseudonyms in an effort to hide their identities online and make themselves difficult to identify. Thus, given the timing, I believe that Ulbricht changed his username to “frosty” in order to hide his connection to the message he had posted a minute earlier, realizing that the message was publicly available to any Internet user and spoke of his involvement with Tor hidden services.

iv. A few weeks later, Ulbricht also changed his registered email address on Stack Overflow to “frosty@frosty.com” in place of the Ulbricht Gmail Account. According to data from centralops.net, a publicly available email address lookup service, frosty@frosty.com is not a valid email address. Again, based on my training and experience, I know that criminals seeking to hide their identity often use fictitious e-mail addresses for online accounts. Thus, I believe that Ulbricht changed his Stack Overflow email address to a fictitious one in order to completely eliminate any link between his real email address and the message indicating that he was using a Tor hidden service.

b. Based on the forensic evidence from the Silk Road web server, I know that the code on the Silk Road web server contains a custom PHP script based on “curl” that is functionally very close to the code described in Ulbricht's Stack Overflow message and contains several lines of code identical to the code given in the message. Based on my training and experience, it appears to me that the code on the Silk Road web server is a modified version of the code described in Ulbricht's message (the same code that Ulbricht was trying to find a way to fix because it generated an error).

c. Further, also based on the forensic evidence from the Silk Road web server, I know the following:

i. As of July 23, 2013, the Silk Road web server was configured to allow the administrator, who was DPR, to connect to the server without having to enter a password, provided that the administrator connected from a computer the server treated as trusted.

ii. In particular, based on my training and experience, I know that this configuration involves the use of encryption keys with an SSH (Secure Shell) connection. To create such a configuration, the administrator must generate two encryption keys - a “public” key, which is stored on the server, and a “private” key, which is stored on the computer from which the connection to the server is made. Once these keys are created, the server can recognize the administrator's computer based on the relationship between the administrator's private key and its corresponding public key stored on the server.

iii. Based on my training and experience, I know that SSH encryption keys consist of long strings of text characters. Different SSH programs generate public keys in various ways, but they all produce public keys in a similar format, with a text string that always ends in the form “[user]@[computer]”. The computer in this substring is the name of the computer that generated the public key, and the user is the name of the user who created it. For example, if someone creates an SSH key pair on a computer named MyComputer while logged in as the user “John”, the resulting public key will end with the substring “John@MyComputer”.

iv. I examined the public SSH key stored on the Silk Road web server, which was used to authenticate the administrator when connecting to the server. The key ends with “frosty@frosty”. Based on my training and experience, this means that the Silk Road administrator uses a computer named “frosty”, which has a user account also named “frosty”, from which he logged into the Silk Road web server.
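The report reads the trailing “[user]@[computer]” text as an identifying trace. The following is an added example (not code from the report or from the Silk Road server) showing how an examiner would pull the three fields out of an OpenSSH public key line found on a seized server, check that the base64 blob is well formed, and compute the key's fingerprint. The comment is free text set at key-generation time (OpenSSH defaults it to user@host but it can be anything), so the fingerprint of the blob, which the comment does not affect, is what actually ties the public key to a private key; the sample key line and its 32 bytes of key material are constructed here, not taken from any real system.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, key_material: bytes, comment: str) -> str:
    """Build a one-line OpenSSH public key: '<type> <base64 blob> <comment>'.
    The comment is whatever ssh-keygen was given (-C) or its default user@host."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


def parse_pubkey_line(line: str) -> dict:
    """Split an OpenSSH public key line into type, blob and comment.
    Also decodes the blob and checks that the algorithm name embedded in it
    matches the leading text field; a mismatch means a corrupted or edited key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # First wire string in the blob is the algorithm name, second is the key material.
    (n,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + n].decode()
    (m,) = struct.unpack(">I", blob[4 + n:8 + n])
    key_material = blob[8 + n:8 + n + m]
    # Split the comment on its last '@' the way the report reads it (user@computer).
    user, _, host = comment.rpartition("@") if "@" in comment else ("", "", "")
    return {
        "type": key_type,
        "blob_type_matches": inner_type == key_type,
        "key_material": key_material,
        "comment": comment,
        "comment_user": user,
        "comment_host": host,
    }


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob. The comment is not hashed."""
    b64 = line.split(None, 2)[1]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample: 32 fixed filler bytes stand in for real Ed25519 key material,
# and the comment mirrors the "[user]@[computer]" pattern discussed in the report.
SAMPLE_KEY_MATERIAL = bytes(range(32))
SAMPLE_LINE = make_pubkey_line("ssh-ed25519", SAMPLE_KEY_MATERIAL, "frosty@frosty")

if __name__ == "__main__":
    info = parse_pubkey_line(SAMPLE_LINE)
    print(info["type"], info["comment_user"], info["comment_host"], info["blob_type_matches"])
    # Same key material, different comment: identical fingerprint, so the comment
    # alone is a lead, while the fingerprint is what matches a private key.
    relabelled = make_pubkey_line("ssh-ed25519", SAMPLE_KEY_MATERIAL, "alice@laptop")
    print(fingerprint(SAMPLE_LINE), fingerprint(SAMPLE_LINE) == fingerprint(relabelled))
```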




Source: https://habr.com/ru/post/196464/

