As Silk Road’s Ross Ulbricht (aka Dread Pirate Roberts) heads to trial, prosecutors’ case filings reveal how the FBI determined Silk Road’s server location – and according to prosecutors, they didn’t have to break Tor to find it. According to the FBI, Silk Road’s login page leaked the server’s IP address through a misconfigured anti-abuse CAPTCHA control (many users remember Silk Road’s high-quality CAPTCHA images – obviously not generated locally on the server itself).
As the FBI worked to hack the login page, they noticed an IP address that was not associated with any known Tor nodes. They hand-entered the IP address into a browser connected to the normal Internet, and Silk Road’s CAPTCHA popped up.
The FBI revelation seems pretty convenient given that Ulbricht’s defense seems to rest on the allegation that the FBI used an “illegal search” to gain access to his server. If it’s found that Silk Road’s IP was revealed through a noob admin mistake, a CAPTCHA control that pulled content from the open Internet, this defense might go out the window. This still doesn’t explain the odd traffic spike that occurred on Tor the month before, however. Many believe the NSA bombarded the Tor network with their own nodes specifically to allow collection of Tor data.
Here’s a large snippet of the testimony filed with the United States District Court (New York) that explains in detail how the FBI determined Ulbricht was the operator of Silk Road. It has been slightly edited for clarity (e.g. removed legalese).
As explained in the complaint filed against defendant Ross Ulbricht, the server that hosted the Silk Road website operated on the Tor network. The Tor network is a special network of computers on the Internet, known as Tor “nodes,” designed to conceal the IP addresses of the computers operating on it – including servers hosting websites on Tor, such as Silk Road, known as “hidden services.”
In order for the IP address of a computer to be fully hidden on Tor, however, the applications running on the computer must be properly configured for that purpose. Otherwise, the computer’s IP address may “leak” through the traffic sent from the computer. (“Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor.”). During the course of the FBI’s investigation of the Silk Road website, the SR Server was located by myself and another member of the CY-2 squad of the FBI New York Field Office as a result of such a leak.
The IP address leak we discovered came from the Silk Road user login interface. Any Internet user could access the Silk Road website using free, publicly available “Tor browser” software. Upon typing in the address of the site (known as a “.onion” address) into the browser, the user would be directed to Silk Road’s user login interface, which consisted of a black screen containing a prompt for a username and password, as well as a “CAPTCHA” prompt, requiring the user to type in certain letters and numbers displayed in a distorted manner on the screen, in order to prove that the user was a human and not an automated computer script.
In or about early June 2013, another member of CY-2 and I closely examined the traffic data being sent from the Silk Road website when we entered responses to the prompts contained in the Silk Road login interface. This did not involve accessing any administrative area or “back door” of the site. We simply were interacting with the website’s user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface. When we did so, the website sent back data to the computer we were using – specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the Silk Road Server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor. 
Based on publicly available information, I subsequently learned that the Subject IP Address was assigned to a server housed at an overseas data center operated by a foreign company in Iceland.
Accordingly, on June 12, 2013, an official request was made to Icelandic authorities to: (1) obtain subscriber information associated with the Subject Server; (2) collect routing information for communications sent to and from the Subject Server, including historical routing data from the prior 90 days; and (3) covertly image the contents of the Subject Server.
The June 12 Request was subsequently executed by the Reykjavik Metropolitan Police (the “RMP”). The RMP obtained subscriber information for the Subject Server first, which reflected that the server was leased by the Data Center to a non-U.S.-based webhosting provider. Based on my training and experience, I believed at the time that the Webhosting Provider, in turn, leased the Subject Server to the administrator of Silk Road. After Ulbricht’s arrest, data was subsequently recovered from his computer reflecting that he in fact had leased several servers, including the Subject Server, from the Web Hosting Provider. Notably, the operation of Silk Road on the Subject Server was in violation of the Webhosting Provider’s terms of service, which prohibited the illegal use of its systems and warned that its “systems may be monitored for all lawful purposes, including to ensure that use is authorized.”
After obtaining subscriber information for the Subject Server, the RMP next obtained traffic data (not including content) for the Subject Server, which showed a very large volume of Tor traffic flowing to the server. Based on my training and experience, this traffic strongly evidenced that the Subject Server was being used as a Tor hidden service and corroborated the information we already had indicating that the Subject Server was being used to host Silk Road.
Given this corroboration, we asked the RMP, which coordinated with the FBI on the timing of the search of the Subject Server, to proceed with covertly imaging the server. After obtaining the necessary court order under Icelandic law, the RMP imaged the Subject Server on July 23, 2013. The FBI was not involved in obtaining that court order or ever given a copy of it. Nor was the FBI present for or otherwise involved in the imaging of the server, other than consulting with the RMP as to when the imaging should be done. At no time did the FBI possess any authority to direct or control the RMP’s actions. The RMP decided independently that imaging the Subject Server was feasible and appropriate under Icelandic law and they ultimately decided precisely when and how to do it.
The RMP provided a copy of the image of the Subject Server to the FBI on or about July 29, 2013. Forensic examination of the server by CY-2 was conducted immediately thereafter and fully confirmed that the Subject Server was in fact the server hosting the Silk Road website, i.e., that it was in fact the SR Server. The server contained, among other things, databases reflecting Silk Road vendor postings, records of Silk Road sales, private messages between Silk Road users, and other forms of Silk Road user activity. The server also contained the computer code used to operate the website.
On September 26, 2013, in anticipation of the arrest of Ulbricht and the takedown of the Silk Road website, which occurred on October 1 and 2, 2013, respectively, a supplemental request was issued to Iceland, asking Icelandic authorities to seize the SR Server at a time to be chosen in consultation with the FBI and to re-image its contents, in order to ensure collection of any data added or modified since the initial imaging of the server in July 2013. See Ex. D. The RMP again obtained the necessary judicial process and executed the seizure and re-imaging.
From examining the computer code and other data on the SR Server, I learned of IP addresses of additional servers that appeared to be used in connection with operating the website. (These ancillary servers were unknown to us before reviewing the data from the SR Server.) Based on their IP addresses, some of these servers were determined to be maintained by U.S.-based providers and some by foreign providers. The Government obtained the contents of the former through search warrants and obtained the contents of the latter through official requests to the corresponding foreign countries.
One of the servers discovered in this manner was a server whose IP address was referenced in a computer script on the SR Server, which appeared to be used to back up the contents of the SR Server periodically. The FBI obtained a search warrant for this backup server on September 9, 2013.
A search of the computer code on the Primary Backup Server revealed the IP address of an additional server that appeared to be used to back up the contents of the Primary Backup Server. The FBI obtained a search warrant for the Secondary Backup Server on October 1, 2013, which also authorized a successive search of the Primary Backup Server, in order to ensure collection of any added or modified data since the initial search. By mid-September 2013, Ulbricht was the FBI’s lead suspect as the owner and operator of Silk Road, known on the site as “Dread Pirate Roberts,” or “DPR.”
During the period from September 17 to September 20, 2013, the FBI obtained several judicially authorized pen registers for the purpose of confirming the identity of Ulbricht as “DPR”. The Pen Registers authorized the FBI to collect routing data from the Internet service provider account associated with Ulbricht’s residence, the wireless router associated with that account, and certain hardware devices that were determined to be regularly connecting to the router (based on the results of the former two pen registers). The Pen Registers did not collect the contents of any communications. They collected only routing information, such as the IP addresses being contacted using the account, router, and devices, the ports being accessed, and the MAC addresses of the devices involved.
We used the Pen Registers to track when Ulbricht was connected to the Internet and what IP addresses and ports he was connecting to. By monitoring when Ulbricht appeared to be online, and comparing it to the times when “DPR” appeared to be logged in to Silk Road (as reflected by his activity on the Silk Road discussion forum), additional evidence was collected corroborating that Ulbricht was in fact “DPR.”
Here’s another snippet that reveals Ulbricht had problems with leaky IP addresses in the past (why he didn’t shutter the site after he found the true IP address leaked is unknown).
After Ulbricht’s arrest, evidence was discovered on his computer reflecting that IP address leaks were a recurring problem for him. In a file containing a log Ulbricht kept of his actions in administering the Silk Road website, there are multiple entries discussing various leaks of IP addresses of servers involved in running the Silk Road website and the steps he took to remedy them. For example, a March 25, 2013 entry states that the server had been “ddosd” – i.e., subjected to a distributed denial of service attack, involving flooding the server with traffic – which, Ulbricht concluded, meant “someone knew the real IP.” The entry further notes that it appeared someone had “discovered the IP via a leak” and that Ulbricht “migrated to a new server” as a result. A May 3, 2013 entry similarly states: “Leaked IP of webserver to public and had to redeploy/shred [the server].” Another entry, from May 26, 2013, states that, as a result of changes he made to the Silk Road discussion forum, he “leaked [the] ip [address of the forum server] twice” and had to change servers.
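The leak described in the testimony comes down to the login page's CAPTCHA being served to anyone who connected to the server's real IP address, instead of only through Tor. As an added example (not from the filing or from this article), the Python check below parses `ss -ltnH` output and reports every TCP listener bound beyond loopback; the sample output, the port numbers and the `allowed_ports` parameter are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (Linux); not taken from the case.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511   0.0.0.0:80        0.0.0.0:*
LISTEN 0 4096  127.0.0.1:9050    0.0.0.0:*
LISTEN 0 511   127.0.0.1:8080    0.0.0.0:*
LISTEN 0 128   [::]:22           [::]:*
LISTEN 0 4096  127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128   [::1]:5432        [::]:*
LISTEN 0 511   *:443             *:*
"""

def split_local(local):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    return host, int(port)

def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host in ("*", ""):          # ss prints '*' for a dual-stack wildcard
        return False
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)  # handles ::ffff:127.0.0.1
    return (mapped or addr).is_loopback

def exposed_listeners(ss_output, allowed_ports=frozenset()):
    """Return (host, port) pairs listening beyond loopback, sorted by port.

    allowed_ports is a hypothetical allow-list for services that are meant
    to be reachable directly (for example an admin SSH port).
    """
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if not is_loopback(host) and port not in allowed_ports:
            found.add((host, port))
    return sorted(found, key=lambda hp: (hp[1], hp[0]))

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22}):
        print(f"reachable off-host: {host}:{port}")
```

A web server that backs an onion service should appear only on a loopback address here, with the `HiddenServicePort` line in `torrc` pointing at that same loopback address and port.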