I helped catch Silk Road boss Ross Ulbricht: Undercover agent tells all
From one little pill to impersonating a cat-owning site admin
The trusted seller of small plastic skulls and the cat-owning moderator
US law enforcement made another breakthrough when someone who used the handle Nomad Bloodbath was arrested. When agents got their hands on his Silk Road vendor account, they discovered it did have access to the hidden forums on the site, and Der-Yeghiayan was drafted in to operate the account undercover.
"He sold plastic skulls, toys and trinkets. Everyone loved them," said Der-Yeghiayan. "What they cared about was not the items themselves but they came from Nomad Bloodbath. They wanted to buy anything from him. He would make these skulls at home, there was nothing illegal about them."
Sure enough, by pretending to be flouncing off the Silk Road and liquidating Nomad Bloodbath's stock of skulls, Der-Yeghiayan was able to collect more vendors' real-world names and addresses while the skulls were posted out. A bigger prize came when Der-Yeghiayan realised that the Nomad Bloodbath account came with a verifiable "legend" – convincing social proof that the account's operator was "one of us" among the Silk Road's inner circle.
"If you took a username, or someone [the inner circle] didn't know, they wouldn’t respond. You couldn't get a lot of info. But what I noticed was, using the Nomad account I was getting a lot of info from these admins. In particular, one called Scout."
Nomad Bloodbath, said Der-Yeghiayan, was one of Scout's trusted confidantes. Unaware that she was talking to a law enforcement agent instead of her friend, cat-loving Scout poured out her heart to Nomad Bloodbath – and in return, Der-Yeghiayan offered to send her one of the skulls for free. Having got her home address, he then went along with the raid ("We protected the cat, the cat did not get harmed!") and, in the spy-thriller vernacular, Scout agreed to turn for the HSI: "All Scout had to do was hang around the website, be our eyes and ears."
As one of DPR's trusted lieutenants, Scout already had moderator privileges on the Silk Road's forum. DPR offered to upgrade her to admin status, along with $1,000 per week for her time. That new admin account went straight into Der-Yeghiayan's control, along with an OTR (Off-the-Record) encrypted chat channel directly to DPR himself. The agent was getting closer to his prize.
"What did it take to become this account?" Der-Yeghiayan asked rhetorically. "We had to read through over 3,000 chats. We had to know all the individual chats, communications, who they spoke to, when they spoke to them. We don't have the luxury in the middle of a live chat of saying 'gimme a sec'."
His previous reading on free market economics came into its own. As well as applying the dry academic theory he had had to learn in order to immerse himself in the criminal marketplace, Der-Yeghiayan also had to absorb Scout's "writer's voice, syntax, diction, punctuations, sentence structure, slang, curse words, acronyms". He recalled: "She would capitalise words, 'you will NOT do this'. I did this over and over again; I even found myself telling my supervisor the same things I'm writing, 'I will NOT do this today!'"
Using Scout's admin access, Der-Yeghiayan found the Silk Road's servers and pinpointed them in Iceland. Icelandic police made a copy of the server and sent it to the US. Investigators didn't expect much information about DPR's identity, knowing that his command and control was done through private and secure chat, but "what we did find was that the actual server itself showed the admin was logging into the actual Silk Road from an internet cafe in San Francisco."
Closing the net on DPR
Der-Yeghiayan noticed something else. He used the Pidgin (v2.10.3, now long out of date) unified communications app for the Silk Road's internal secure chat – and noticed that every time he spoke to DPR, the admin's timezone "would change from UTC to Pacific. What happened was something was misconfigured. What it was showing was the timezone on his computer. His local timezone was Pacific Time."
This is the same timezone that covers San Francisco. Investigators were getting closer and closer to the elusive DPR.
Separately, another agent doing some Google searching found old internet forum posts dating back to January 2011 saying "hey have you seen the Silk Road yet?" These were significant because the forum was only launched in February 2011. Agents reckoned that anyone posting about the Silk Road forum before that date had to have inside knowledge of it.
On those posts was an email address belonging to Ross Ulbricht. Further searches on that email address revealed Ulbricht was also asking for help with Bitcoin development – and how to connect to Tor over cURL in PHP. Put together, these were increasingly pointing to DPR and Ulbricht being one and the same.
Even more convincingly, when law enforcement searched for Ulbricht's name on national databases, they discovered that a package containing nine fake ID cards had been intercepted and hand-delivered by police wanting to identify and shut down the source. On being questioned about where he got the cards, Ulbricht himself told the officers he "might have bought them from Silk Road".
Ross Ulbricht also used the handle "frosty" on Stack Overflow, Der-Yeghiayan found. "And the FBI agent I was working with, guy called Chris, falls over in his chair… He said that Frosty name was also the name of the computer logging into the Silk Road server. What's the odds of that?"
On looking at Ulbricht's LinkedIn page, Der-Yeghiayan found "a lot of things similar to DPR", which raised further suspicion:
“We also found him on that same forum where DPR was posting his reading literature. He had an account there,” said Der-Yeghiayan. “We then put a pen register on his Gmail account. We’re watching every time he logged in and logged out. I spent a week undercover mapping online, every time DPR signed in on the forum, the marketplace or staff chat, and DPR would sign onto the forum. Then Chris looking at the Gmail register would say, that’s funny, DPR just signed on the forum. About an hour later DPR just signed off, few mins later, Ulbricht would sign off Gmail.”
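The sign-on/sign-off correlation Der-Yeghiayan describes, written up as an added Python example (not code from the talk or the investigation) over constructed session timelines; the timestamps, the ten-minute tolerance and the "envelope" matching rule are assumptions made for illustration:

```python
from datetime import datetime, timedelta

# Constructed sample timelines (illustrative only, not the investigation's data).
# Each tuple is (sign-on, sign-off) in UTC, formatted "YYYY-MM-DD HH:MM".
DPR_FORUM_SESSIONS = [
    ("2013-09-30 17:05", "2013-09-30 18:02"),
    ("2013-09-30 21:40", "2013-09-30 22:10"),
    ("2013-10-01 16:30", "2013-10-01 17:25"),
    ("2013-10-01 23:00", "2013-10-01 23:20"),  # deliberately has no Gmail counterpart
]
GMAIL_SESSIONS = [
    ("2013-09-30 16:50", "2013-09-30 18:06"),  # on before DPR, off 4 min after him
    ("2013-09-30 21:30", "2013-09-30 22:13"),
    ("2013-10-01 09:00", "2013-10-01 09:45"),  # unrelated morning session
    ("2013-10-01 16:33", "2013-10-01 17:28"),
]

def _parse(span):
    fmt = "%Y-%m-%d %H:%M"
    return datetime.strptime(span[0], fmt), datetime.strptime(span[1], fmt)

def correlate_sessions(target, candidate, tolerance_min=10):
    """Pair each target session with a candidate session that (a) began no later
    than `tolerance_min` after the target signed on (the candidate may already be
    logged in) and (b) ended within `tolerance_min` of the target's sign-off.
    Returns a list of (target_session, matched_candidate_or_None)."""
    tol = timedelta(minutes=tolerance_min)
    pairs = []
    for t in target:
        t_on, t_off = _parse(t)
        match = None
        for c in candidate:
            c_on, c_off = _parse(c)
            if c_on <= t_on + tol and abs(c_off - t_off) <= tol:
                match = c
                break
        pairs.append((t, match))
    return pairs

def correlation_ratio(target, candidate, tolerance_min=10):
    """Fraction of target sessions with a matching candidate session. A high ratio
    over many sessions is corroborating evidence, never proof on its own."""
    pairs = correlate_sessions(target, candidate, tolerance_min)
    return sum(1 for _, m in pairs if m is not None) / len(pairs)

if __name__ == "__main__":
    for t, m in correlate_sessions(DPR_FORUM_SESSIONS, GMAIL_SESSIONS):
        print(t, "->", m)
    print("ratio:", correlation_ratio(DPR_FORUM_SESSIONS, GMAIL_SESSIONS))
```

The same envelope check is what an incident responder applies when tying an anonymous account's activity to an authenticated one in their own logs; the unmatched fourth session shows why the ratio, not a single hit, is what carries weight.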
The decision was made to go in.
Police located Ulbricht's home, a top-floor flat. Der-Yeghiayan recalled: "The FBI is saying, this is a high profile arrest, we're going to use our SWAT team, go in hot and heavy, get the laptop and everything. Chris and me both don't like this. We need the laptop; he's on the upper floor; we don't think you can get there in time. There's this thing called a big metal gate that says no."
If Ulbricht was alerted to a police raid, HSI agents feared he would simply wipe or smash his laptop before they could seize it.
Not to be thwarted, the FBI’s best minds came back with a bonkers alternative plan, which Der-Yeghiayan summarised for the audience’s amusement: "We’re going to get a helicopter, blow out the back wall, ninja roll in, kick the laptop out of Ulbricht’s hands and grab it!"
"It was insane," he laughed. "You guys are insane; no, you’re not going to ninja roll in, you’re going to crash your helicopter and we’re going to lose everything."
Law enforcement agents agreed that they would carry out a direct surveillance operation on Ulbricht in San Francisco. Having flown to the city and set up in the Bello Coffee and Tea cafe, waiting for other agents to tell him Ulbricht was on his way, Der-Yeghiayan was surprised when Chris walked in and said: "Jared, our friend is coming down the street."
Nonplussed, he replied: "I don’t have a friend in San Francisco." Chris looked at him hard. "No. Our. Friend. Is. Coming."
Der-Yeghiayan twigged what he meant and left the cafe with Chris, sitting across the road. Ulbricht himself duly "stood within 10 feet of us, waiting for the light to turn". He crossed and entered the cafe. The agents paused, debating whether to storm in and get their man there and then.
"No, don’t follow him in, there’s no seats!" said Der-Yeghiayan. Sure enough, Ulbricht exited and walked down the road to the Glen Park Branch Library, sitting down "in the sci-fi section" to use the free public Wi-Fi.
"From my point of view," said Der-Yeghiayan, "I’m across the street, me and Chris looking at laptops. As [Ulbricht] signs in, I start a chat and ask [DPR] to go to the [forum's] staff interface and look at flagged messages. He logs in, as we're doing that he asked me another question about Bitcoin exchanges, he says OK which post, he’s online, he’s looking at that admin panel."
Der-Yeghiayan and Chris gave the nod to the arrest team. Acting on the pre-arranged signal, they faked a fight behind Ulbricht as a distraction. When their target turned around, "a surveillance team member comes over, grabs the laptop, pulls out a power cord and plugs it in. How did he know what power cord? We found his Amazon account and found what laptop he had."
As Ulbricht lunged for his laptop, one of the arrest team bear-hugged him from behind and whispered in his ear: "You know what you did, don't fight."
"As soon as we had him secure, we look at the laptop," said Der-Yeghiayan. "Sure enough, the laptop [the arrest team member who seized it] TK had has the matching, corresponding chat. Do not pass go, do not collect $200. The name of the laptop was Frosty."
Ulbricht had 50,000 Bitcoins circulating through the Silk Road’s marketplace. 144,000 Bitcoins were in "cold storage" and 25,000 packages from vendors to customers were in transit.
"On the laptop we found an enormous amount of evidence," said Der-Yeghiayan. "It was hard to decide what to produce at court. Detailed notes and journals of everything he did... Ransoms. Spreadsheets detailing every server, where they were at, admin logins, everything."
And the aftermath
Ulbricht was subsequently proved to be the owner/operator of the Silk Road and was jailed for life without parole. All of his legal appeals so far have been thrown out.
In a Twitter feed operated by proxy through friends outside prison, Ulbricht, once the master of an intercontinental outlaws’ marketplace and holder of $80m in Bitcoin, kingpin of an illegal empire that thought it was above the law, now tells the world about his apple tree seedling and his prison exercise routine while begging people to sign his clemency petition to US president Donald Trump.
Der-Yeghiayan was last seen on El Reg in 2015 when the trial judge halted courtroom questioning of him about his early theory that another dodgy Bitcoin bod, Mark Karpeles, operator of real-cash-to-cryptocurrency exchange Mt. Gox, was in fact the operator of the Silk Road.
In fact what happened, as he acknowledged at the end of his talk in Lille, was that Karpeles' VPN hosting company had acted as a legitimate middleman for Ulbricht and registered some web domains for him. Without the full evidence, Der-Yeghiayan had drawn the wrong conclusion from the limited information he had. "It was just coincidence for him. You follow every little lead you get, sometimes it doesn't pan out." ®