How sloppy digital hygiene led to the downfall of an underground Bitcoin drug market

October 2, 2013
A Gmail address association with Ross Ulbricht's Google+ account was one of the first things that tipped off investigators to his alleged involvement in online drug marketplace Silk Road. (Google+)

Federal prosecutors arrested Ross Ulbricht today, alleging that he was the shady character behind underground online drug marketplace Silk Road. But despite the security precautions taken around the site — like only being accessible through anonymous browsing service Tor — poor digital hygiene was the first thing that tipped off investigators that Ulbricht was involved with the illicit marketplace.

Investigators probing Silk Road's origins discovered two early mentions that looked like attempts at marketing in January 2011. Both came from a user going by the handle "altoid." One was in a posting on a shrooms blog, the other a comment on a forum about Bitcoins. Eight months later, the same "altoid" user posted in an unrelated thread that he was looking for an "IT pro in the Bitcoin community" to hire for "a venture backed Bitcoin startup." That post told interested parties to contact him at rossulbricht@gmail.com — which appears to be his personal e-mail address.

Subscriber details from Google identified that account as tied to a Google+ account featuring photos of Ross. His Google+ page showed him sharing a number of videos from the Web site of the Mises Institute, a libertarian think tank that promotes the Austrian School of Economics. A user that matched the photo on Ulbricht's Google+ also was registered on the Mises Institute site.

And investigators knew that the Silk Road's owner, who went by "Dread Pirate Roberts," cited the Austrian School of economics as the philosophical underpinnings for the Silk Road in forum posts, and included a link to the Mises Institute in his signature.

Another digital trail linked Ulbricht to running a hidden Tor service like the Silk Road: posts to the programmer question-and-answer site Stack Overflow. On March 5, 2012, a user registered as Ross Ulbricht with his Gmail address. On the 16th, that account asked a coding question about connecting to a Tor hidden service using the PHP programming language. Less than a minute after it posted, the user changed his name to "frosty." A few weeks later, the user changed the e-mail associated with the account to a fake e-mail address, "frosty@frosty.com."

When investigators eventually got their hands on a Silk Road server (the complaint doesn't seem to explain how they obtained it), forensic analysis showed that the server had code matching the code Ulbricht asked about on Stack Overflow. And as of July 23, 2013, it used frosty@frosty as the end of a public encryption key used to authenticate administrator access.

Ulbricht had allegedly been logging into the server from a specific virtual private network. Investigators subpoenaed the VPN provider, which gave them another clue to his physical location. While the contents of the VPN server were erased, the records reflected the IP address used for the last login. It was an Internet cafe in San Francisco 500 feet away from where the IP address used to access Ulbricht's Gmail account showed he was living at the time.

Investigators finally caught Ulbricht after U.S. Customs and Border Protection intercepted a package of counterfeit identity documents featuring pictures of Ulbricht. It's not clear how CBP knew to examine that package; some have suggested this might be a case of parallel construction, where intelligence agencies share secret information to build cases in alternative ways.

When Department of Homeland Security agents visited the address, they found Ulbricht, who had recently moved. He produced a driver's license bearing his real name. And while he refused to talk about the fake driver's licenses, he did volunteer that "hypothetically" anyone could go onto the Silk Road using Tor to purchase that kind of document.

And that's how one forum posting identifying Ulbricht's personal e-mail address led to authorities arresting him for running an underground online drug market that made $80 million in commissions.

Correction: This report initially stated the Silk Road made $80 million in a five-month period. However, that figure represented commissions from February 6th, 2011 through July 23rd, 2013. We regret the error. 

Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.