OpSec on the Silk Road: Learning from Pirates

OpSec on the Silk Road

Learning from Pirates

Stefan Friedli
by Stefan Friedli
time to read: 7 minutes

Only a couple of weeks ago, Dread Pirate Roberts (DPR) was arrested for his extensive involvement in Silk Road, an online platform only reachable via Tor offering more than ten-thousand sales listings for controlled substances. The variety of the products offered was immense: LSD, cocaine, methamphetamine, heroin, ecstasy – if you can name it, it was most likely for sale on Silk Road. You could have considered Silk Road something like eBay for illegal drug trafficking. You could find almost everything and even leave a seller feedback once the transaction was done and over. But not only drugs were sold on Silk Road: Hacked accounts for social networks, weapons, and various services ranging from digital petty theft to more extreme things, contract killers being just one of the more unsettling examples. Ross William Ulbricht, DPR’s real name, allegedly made millions with his website. The actual amount is disputed, but it is to be assumed that it was worth the trouble.

Not the original Dread Pirate Roberts

The Original and much beloved Dread Pirate Roberts

Silk Road’s performance depended massively on the fact that it was hosted anonymously and was only accessible via Tor. Tor is an important tool to provide users with anonymity, leaving it up to them how they use this privilege. People that are threatened and violated by oppressive governments can use Tor to communicate their dissent. Sokwanele for example, is a Zimbabwean website promoting democracy, illustrating the atrocities of the regime under Robert Mugabe. The content, while horrific in its nature, is important and puts the creators at great risk of being in harm’s way for publishing it. Tor is providing an amount of anonymity that makes it easier to stay moderately safe, no matter if this anonymity is required to exercise free speech or to buy drugs on Silk Road. Silk Road was incredibly popular, especially considering the fact that it was never reachable outside of Tor. Contrary to popular opinion, it is not hard to access sites like these, even for less tech-savvy users. Easy installers are readily available, that will allow access to Tor within minutes without any configuration or the need for credentials. TorBrowser, for example, is a standalone, portable installation of Firefox that will automatically redirect all traffic via Tor. It is easier to install than the most recent versions of Microsoft Office.

Easy to Install: Tor Browser

Why are there so many steps!?

The question that the Silk Road bust raised almost instantly is clear: If this website was only accessible via Tor, how was Dread Pirate Roberts caught? Especially considering the fact that leaked documents recently confirmed that intelligence services were trying hard to get a handle on Tor, but were still failing? .

According to available sources, the key to Ulbricht’s downfall was not based on any intelligence agency’s skillful interception of encrypted communication. Tor, as far as we know today, remains a fairly anonymous way to use and offer services, whereas anonymous does not necessarily mean secure. Ulbricht, however, failed where most people do: When it comes to OpSec.

Considering that Ulbricht made a ton of money running a fairly smooth operation that enabled the sale of mostly illegal products and services for a surprisingly long time, the list of mistakes he made, concerning his operational security, that have now surfaced is surprising. For example, Ulbricht was looking for an IT professional for a bitcoin-backed venture in a forum, using his real email address to communicate with potential candidates. In a world where it is hard to determine if anyone you talk to on a computer is really what he claims to be, this seems like a really, really unfortunate idea. A similarly bad idea is the use of social networking to be vocal about ethical and ideological mindsets. That rings true for almost everyone, especially in a world after Snowden, but especially if you are currently building and running an international black market and try to stay somewhat in the shadows to avoid going away for a long, long time.

But it does not stop there. Dread Pirate Roberts also used various drug-related forums outside of the Tor-Protected Internet to market his product and get in touch with customers. He connected to his VPN server after logging into his Gmail account with the same IP address. He used his StackOverflow.com-alias frosty in the public SSH key stored on the Silk Road server. He also used his real name on StackOverflow. The list does not stop there, but it illustrates how many mistakes he made down the road that ultimately led to his arrest.

There are a couple of things that are interesting about all of this. First of all: Most OpSec mistakes seem not too bad as long as you look at them as a trail leading from you to a certain incident. But it is often forgotten that the trail works the other way too. Often, an investigation will start at the scene of the crime, search for the cookie crumbs and then follow them back to the jar they came from. Ulbricht’s post about an anarchistic vision of economic simulation he posted on LinkedIn in early 2012 would most likely not have been suspicious, but once the investigators got him on their list, the statement made a lot more sense in the context of Silk Road. Bold statements on your world-views are risky in this time and age, even if you don’t run an international drug exchange. If you do, you might want to shut down your Facebook account before you do it or at least refrain from posting content related to your activity.

The other conclusion is much more concerning though: What if Dread Pirate Roberts did everything right? What if he did not make these mistakes or if somebody learns from his school-of-hard-knocks lesson on OpSec? If it takes that many mistakes to be taken down, we might just face the next Dread Pirate Roberts very soon.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here