I helped catch Silk Road boss Ross Ulbricht: Undercover agent tells all
From one little pill to impersonating a cat-owning site admin
“How do you eat an elephant? Nibble at it, nibble at it, a lot of little bites.” That was how Special Agent Jared Der-Yeghiayan infiltrated notorious dark web market the Silk Road and helped unmask site operator Dread Pirate Roberts, aka Ross Ulbricht.
Der-Yeghiayan told an enthralled audience at France's FIC2019 infosec shindig last week how, as a US Department of Homeland Security Investigations agent, he took over the online chat and forum accounts of key players in the Silk Road's infrastructure – and headed off plans by hot-headed US law enforcement to blast the back wall off Ulbricht's San Francisco home and fast-rope from helicopters into his top-floor flat.
The Silk Road was a Tor marketplace, rather like eBay, where anonymous sellers traded drugs, firearms, illegal pornography and more with anyone who cared to pay – in tricky-to-trace cryptocurrency Bitcoin, naturally. It was shut down in 2013 after Ulbricht, who styled himself as Dread Pirate Roberts after the identity-switching "villain" in the 1987 movie The Princess Bride, was arrested in a San Francisco library. He was later convicted and sentenced to life in prison without parole. As well as being accused of ordering six murders-for-hire through the Silk Road (these specific charges were later dismissed), Ulbricht was also linked to six drug overdose deaths where the narcotics had been ordered from his website.
The Silk Road case was one of the highest profile clashes between what criminally minded libertarians saw as the internet's untouchability by real-world regulators and the determination of police forces to extend their writ, once and for all, into cyberspace. Though the events he described took place less than a decade ago, Der-Yeghiayan's account shed light on just how much social engineering was necessary to crack the illegal goods empire that Ulbricht had built.
It all began with a single pill of E
"I was an inspector at Chicago Airport," said Der-Yeghiayan, describing how the Homeland Security Investigations (HSI) case against Silk Road began, "and another inspector found some illegal drugs. He said 'I’ve found some ecstasy!' I said, 'How many thousands of pills do you have?' He said, 'I've got one.' One! Why would I be interested in one pill? He said 'It looks more commercialised, a website or something behind this'."
Further trawling through seized packages revealed amounts of amphetamines, powdered MDMA and LSD. Law enforcement went to the buyers' homes and, in then-trainee Der-Yeghiayan's words, introduced themselves by saying "we just want to talk" and "discuss" where they got the drugs from. This strategy paid off when one customer's flatmate, irked at investigators turning up in the perp's absence, merrily told the novice agent that his pal was ordering "weed, ecstasy, LSD, maybe some heroin" from "a website called Silk Road".
That’s silkroad.com right?
“I said, ‘yeah, we know that’,” recalled Der-Yeghiayan. “We didn’t know that! I played it cool and said ‘that’s silkroad.com right?’ The guy said ‘nah, dot-onion, Tor.’ I said ‘Yeah, I was just testing you!’ My training officer later said ‘good interview’.”
After some Google searches and investigation into the Bitcoin transactions to and from the Silk Road (“there was nothing we could subpoena or get a search warrant on”), HSI went back to basics and started analysing seized packages from their Chicago Airport office, trying to find identifying clues from the senders of the drugs. Seizures went from “10 a week” to more than 200 as investigators broadened their net.
Getting inside the Dread Pirate Roberts' head
While agents did the old-fashioned work of retrieving fingerprints from the reverse of address stickers and asking law enforcement bodies in the senders' countries to run them against local population databases, Der-Yeghiayan started thinking about alternative routes to crack the Silk Road. While reading the site's forums, he noticed that site admin Dread Pirate Roberts (DPR) had started a book club thread.
"He focused on libertarian beliefs that the free market enterprises, the Austrian school of economics, the principles of no government control over everything; that's what the Silk Road was meant to represent," said Der-Yeghiayan. "One of the things we focused on, though, was his signature [block]. We would see he would also put different comments there, things to read. The reading lists he had up there were websites on the regular internet."
Sure enough, on checking the economic philosophy sites that DPR kept referencing over and again, Der-Yeghiayan found people with "the same writing style, same thoughts, same type of discussion". The agent's thinking was simple: "If we knew what inspired [DPR] we could talk to him, even engage him in an undercover capacity. Maybe he might spell something incorrectly, say something more about himself."
Agents knew that the Silk Road had secret inner forums that only privileged, trusted vendors had access to. If they could infiltrate those and convincingly interact with the people using them, they stood a better chance of identifying and arresting the site’s operators.
'If you haven't done a search warrant with the Dutch, I recommend you do'
A breakthrough came when Der-Yeghiayan's colleagues made a test purchase from the Silk Road for small plastic baggies, with the initial intention of tracing the Bitcoins from the purchase to see where they ultimately ended up. Their vendor, unusually conscientiously, posted the baggies in a package that "actually had a tracking number on it. We didn't pay for tracking; we didn't want tracking. The baggies cost 30 cents. This person paid $4.60 for tracking!" marvelled Der-Yeghiayan.
But it was a way in. Tracing back the tracking number to the credit card and terminal used to pay for the tracking label, HSI investigators found a CCTV camera overlooking the terminal. "They mailed 30 other packages the same day," said Der-Yeghiayan, "that's probably our vendor. We did some investigation, we saw him dropping packages, a drug dog alerted on it… and he turned over his account."
While the account was a dead end as far as the forum was concerned, another tracking number from the vendor revealed a buyer in the Netherlands. HSI asked if they could execute a search warrant there and the Dutch police agreed. HSI went along – but things didn't quite go to plan.
"We're looking at the house," said Der-Yeghiayan, describing the scene. "As we're sitting there looking at it the police walked up and they knocked on the door and said, 'open up'. A guy sticks his head out the second floor window and he said something in Dutch. My translator said it meant, 'What do you want?' The police said 'Open the door'. Guy says 'No'. So the police then come back and say, 'Open the door now'. Guy says 'No'. This goes back and forth for a good five minutes… As they're going back and forth, the Dutch [police] say: 'This is your last chance, open the door now' and the guy says 'Just give me one reason why' and they say 'Because we're the police!'. He goes, 'Why didn’t you say so, I'm blind!' True story."
While the blind man wasn't their target, the vendor, who lived in the same house and ran his drug-dealing operation with his girlfriend, turned over his Silk Road vendor account to police – and it was another dead end.