Silk Road: suspicions grow that server was hacked ahead of arrests

How do you find a site that's hosted on the Tor system? In theory, you can't - which is why there are questions over how the FBI could image it and take it down last week



    [Image: Silk Road seizure. The Silk Road website now shows a seizure notice from the FBI, IRS and DEA. But how did they manage to find it?]

    There's a new theory about how the FBI and CIA tracked down the physical location of the Silk Road servers, and it has nothing to do with the man accused of being the site's operator, Ross Ulbricht, or queries he might have made on StackExchange.

    Instead, the rumour in hacker circles is that the CIA - with or without the help of the National Security Agency - accessed the server via Tor, and somehow ran an exploit on it which meant that they could locate it over the "normal" internet.

    Having done that, they then got in touch with the company hosting the server itself (which may be in Iceland, as we'll explain) and then managed to take an image of the server. They may also have planted tracking systems on the server which allowed them to trace those who logged in to Silk Road - which would certainly help to explain how the British police last week arrested four men on suspicion of supplying controlled substances through Silk Road.

    That was the suggestion last week from Nicholas Weaver, when the news broke.

    Weaver, who is based at the International Computer Science Institute, commented on a piece about the initial arrest that

    the biggest weakness of the complaint (which is not something that really needs to be answered here, but will need to be answered in court) is how the Silk Road server was discovered.

    I would suspect that, since it was imaged without being noticed that what happened is the FBI (with a warrant) hacked the site sufficient to discover the site's IP by generating a non-Tor phone-home, and then contacted the country of the hosting provider which then got the server imaged.

    Yet since the server imaging didn't involve taking the server down or disrupting service sufficient to spook Mr DPR into taking his bitcoins and running, I suspect that this was some virtual-machine hosting provider.
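    The "non-Tor phone-home" Weaver describes above is the leak a hidden-service operator most needs to catch: an outbound connection that leaves the host without going through the Tor daemon and so carries the server's real IP address. The following is an added example, not from the article and not Weaver's code, of detection logic run over constructed firewall log lines in the format of an iptables LOG rule with --log-uid; the tor uid, the log format and the addresses are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: tor runs as this uid and is the only process allowed to open
# connections to non-local addresses (hypothetical value).
TOR_UID = 106
# Destinations the web app may talk to directly: loopback (tor's SOCKS port)
# and the hosting provider's RFC 1918 LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Key=value fields as written by an iptables LOG target with --log-uid.
FIELD_RE = re.compile(r"\b(DST|DPT|UID)=(\S+)")

@dataclass(frozen=True)
class Leak:
    uid: int
    dst: str
    dpt: int

def find_non_tor_egress(log_lines, tor_uid=TOR_UID):
    """Outbound connections to non-local addresses not opened by the tor
    daemon: each is a potential de-anonymising leak of the host's real IP."""
    leaks = []
    for line in log_lines:
        fields = dict(FIELD_RE.findall(line))
        if not {"DST", "DPT", "UID"}.issubset(fields):
            continue  # not an egress log line carrying owner information
        dst = ipaddress.ip_address(fields["DST"])
        if any(dst in net for net in LOCAL_NETS):
            continue  # e.g. the web app handing a request to tor on 127.0.0.1
        uid = int(fields["UID"])
        if uid != tor_uid:
            leaks.append(Leak(uid, str(dst), int(fields["DPT"])))
    return leaks

# Constructed sample lines; the 198.51.100.0/24 and 203.0.113.0/24
# documentation ranges stand in for public addresses.
SAMPLE_LOG = [
    "EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=127.0.0.1 PROTO=TCP SPT=50122 DPT=9050 UID=33 GID=33",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=43010 DPT=9001 UID=106 GID=106",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=41870 DPT=80 UID=33 GID=33",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=UDP SPT=5353 DPT=53 UID=0 GID=0",
]

if __name__ == "__main__":
    for leak in find_non_tor_egress(SAMPLE_LOG):
        print(f"non-Tor egress: uid={leak.uid} -> {leak.dst}:{leak.dpt}")
```

    The two flagged lines are the web application (uid 33) and root (uid 0) reaching a public address directly; the tor daemon's own connection to a relay and the app's local SOCKS connection are passed over.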

    Now, that's not how it was done according to the affidavit filed last week by FBI agent Christopher Tarbell. That points to Ulbricht's LinkedIn profile, his use of a real photograph in a package of fake IDs (which it is claimed led Homeland Security to Ulbricht's address), his queries on StackExchange under his own name (which he then changed) about connecting to Tor via PHP, his seeking out of courier firms, and paying someone to murder someone else.

    It also describes how agents tracked back to early promotion for the Silk Road site and found messages posted on drug discussion forums and WordPress blogs by a user called "altoid", which was found to be linked to a Gmail address, apparently registered to Ulbricht.

    Ulbricht faces charges of money laundering, narcotics trafficking, computer hacking and soliciting a murder. A lawyer for Ulbricht last week said "We deny all charges".

    But Tarbell's description doesn't contain the chain of evidence that one would expect for an arrest - and a breakthrough - of this magnitude. Putting together the fragments of evidence contained in the affidavits, one doesn't get a picture of someone who is self-evidently the "Dread Pirate Roberts" who operated Silk Road.

    One other matter that isn't widely known: the initial affidavit doesn't have to describe how the FBI actually built its case. It only has to describe how it could have built its case, and persuade a judge to sign an arrest warrant.

    That is why suspicion is growing that the Silk Road servers were actually quietly hacked, and were exploited to reveal details about their users.

    Those suspicions won't have been eased by the comments of the director general of the UK's new National Crime Agency, Keith Bristow, who said of the arrest of the four Britons that "the hidden internet isn't hidden and your anonymous activity isn't anonymous. We know where you are, what you are doing and we will catch you."

    Some internet sleuthing, meanwhile, suggests that the Silk Road server itself may have been hosted in Iceland: Runa Sandvik, who works on the Tor Project, notes that there's an Icelandic server at https://193.107.86.49/ which has a self-signed certificate, and redirects to silkroadvb5piz3r.onion - the Silk Road website.

    But, Sandvik points out, the FBI affidavit says that the server was imaged (ie copied) as part of a Mutual Legal Assistance Treaty request - and Iceland doesn't appear to be a signatory to an MLAT with the US. "That leaves us with Latvia and Romania," Sandvik comments.

    So we're left with uncertainty which might not be resolved until the FBI brings its full charges to the courtroom. Did a US agency use an exploit - perhaps even a zero-day one (ie, not previously notified) - to hack the Silk Road server, and so gain access to details about who was accessing the server, and then follow the trail back to its alleged owner and users? Or was the takedown of Silk Road the result of painstaking piece-by-piece detective work? This is a trial which will be watched with great interest.


    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    http://www.theguardian.com/technology/2013/oct/08/silk-road-hack-suspicion-fbi-server