
[ARTICLE] [OPSEC] Lessons Taken From The Silk Road Takedown & DPR A.K.A Ross Ulbricht.

by /u/EvZen P · 7 votes · 1 year ago

===============

Introduction

===============

Generally, it appears that Ross Ulbricht was applying his economic and techno-libertarian philosophy to real life. As his project grew, his security posture improved – too late. The most serious mistakes that Ross Ulbricht made were made during the period Jan 2011 - Oct 2011. A full timeline of the events in the indictment is as follows:

=====================================

DPR / SilkRoad Timeline Of Events

=====================================

  • xx / xx / 2010 - LinkedIn “change of goals” post

  • 23 / 01 / 2011 - silkroad420.wordpress.com created

  • 27 / 01 / 2011 - shroomery.org user: “altoid” created. user profile (screenshot)

  • 27 / 01 / 2011 - shroomery.org advertising post, “altoid” shroomery post (screenshot)

  • 29 / 01 / 2011 - bitcointalk user: “altoid” created user profile

  • 29 / 01 / 2011 - bitcointalk advertising post, “altoid” bitcoin post archived

What an awesome thread! You guys have a ton of great ideas. Has anyone seen Silk Road yet? It's kind of like an anonymous amazon.com. I don't think they have heroin on there, but they are selling other stuff. They basically use bitcoin and tor to broker anonymous transactions. It's at [REDACTED ONION V2 URL] Those not familiar with Tor can go to silkroad420.wordpress.com for instructions on how to access the .onion site.

Let me know what you guys think

—Quote from: altoid on January 29, 2011

  • 01 / 07 / 2011 - shroomery.org abandoned by “altoid”

  • 11 / 10 / 2011 - bitcointalk job offering post, “altoid” -> rossulbricht@gmail . com the job offer screenshot

  • 05 / 03 / 2012 - stackoverflow account creation “Ross Ulbricht” -> rossulbricht@gmail . com

  • 13 / 03 / 2013 - start of the bizarre extortion attempt

  • 16 / 03 / 2013 - stackoverflow question “how to curl Tor hidden services w/ PHP?” the question

  • 16 / 03 / 2013 - stackoverflow account name change “frosty”

  • 04 / 04 / 2013 - stackoverflow question updated: “http://kpvz7ki2v5agwt35.onion” (The Hidden Wiki) –> “http://jhiwjjlqpyawmpjx.onion” (TorMail) revisions

  • xx / 04 / 2013 - stackoverflow email change to “frosty@frosty . org”

  • 05 / 04 / 2013 - end of the bizarre extortion episode

  • 01 / 06 / 2013 - DPR requests chat with redandwhite

  • 05 / 06 / 2013 - DPR asks redandwhite for update on “dummy IDs”

  • 08 / 07 / 2013 - DPR asks “someone” for fake ID

  • 10 / 07 / 2013 - CBP interdict forgeries

  • 23 / 07 / 2013 - Silk Road Server forensically imaged

  • 26 / 07 / 2013 - Homeland Security Investigations interview

  • 02 / 10 / 2013 - Arrest of The Dread Pirate Roberts

=====================================

NOTE: This is an abridged version of a longer post pulling out the lessons learned from the Silk Road Complaint/indictment of 27th September 2013. This post will only list the OPSEC errors, rather than explore them in detail.

=====================

The OPSEC Failures

=====================

The fundamental error is poor compartmentation. Ross Ulbricht, the real person and the online persona (Google+, LinkedIn, etc), and the Dread Pirate Roberts persona share ideological views and geographic locations. There is contamination between the two personas. Most of these seem to be due to the organic evolution of the Silk Road venture, where early naive Ulbricht makes mistakes that later smarter DPR wouldn’t. Unfortunately, the later DPR is more ideologically extreme and consequently less savvy about mainstream society. Here are the 4 errors I will be briefly discussing:

1. Poor Compartmentation
2. Profiling
3. Geographic Location
4. Isolation

==========================

Poor Compartmentation

==========================

Contamination: seriously fatal links created between personas

  • Silk Road + altoid: Shroomery, BitcoinTalk forums

  • altoid + rossulbricht@gmail . com: BitcoinTalk

  • Ross Ulbricht + frosty@frosty[.com]: StackOverflow

  • frosty@frosty + Silk Road: Silk Road server admin SSH key

The compartmentation failures are somewhat pervasive, in particular the ideological “Austrian School of Economics” and the mises.org site. However two particular contamination errors stand out:

1. Silk Road –> altoid –> rossulbricht@gmail . com link in 2011
2. Ross Ulbricht –> frosty@frosty . com –> Silk Road server link in 2013

The first of these failures happened because the altoid persona used to promote Silk Road was poorly fleshed out (e.g. no email address). Ross did not put the plumbing in place to backstop his altoid cover. He then joined the BitcoinTalk community using this contaminated cover. His participation and search for social validation left him with his guard down. Consequently, he revealed a great deal of profiling information about his project and beliefs. Many of his posts are about Silk Road infrastructure or his mises.org influenced economic theories. After participating for 10 months he finally made the fatal OPSEC error of posting his personal email address.

The second error was poor compartmentation of his online Ross Ulbricht persona, the tech savvy San Francisco based startup guy, and “frosty” the system admin of the server hosting the Silk Road site. His poor compartmentation, likely using the same computer for both personal and business use, and his limited backstopping of the DPR/altoid/frosty persona meant that any error would be fatal. These two errors combine to link Silk Road with Ross Ulbricht, and Ross Ulbricht with Silk Road.

“What do Ulbricht and DPR share?”

===============

Profiling

===============

>> Profiling: Ross Ulbricht talks and acts like Dread Pirate Roberts

>> LinkedIn profile

>> Timezone leakage: private messages, forum posting times

>> BitcoinTalk altoid posts about: economics (mises.org), security, programming

>> Silk Road Forum Dread Pirate Roberts -> Mises + “Austrian School of Economics”

>> Mises.org Ross Ulbricht account

Ross Ulbricht, the person, was an active participant in the mises.org website and the BitcoinTalk forums. In both cases he was deeply committed to the “Austrian School of Economics”, something the Dread Pirate Roberts was also a huge fan of. The altoid cover alias, linked directly to Ross Ulbricht, frequently talked about bitcoin security and PHP programming. He is, based on his posts, clearly involved in running some sort of PHP-based, bitcoin-using venture that requires high security. Sort of like the Silk Road site.

=====================

Geographic Location

=====================

>> Silk Road web server administered over VPN from a server

>> VPN server IP stored in the Silk Road PHP source code

>> VPN server accessed from a location 15240 cm (500 ft) from a location that accessed the Ross Ulbricht GMail account.

The location of the Dread Pirate Roberts was something of an open secret. It is clear that he was based on the west coast of the US. Ulbricht was located in San Francisco at the same time as DPR, as proved by his large online footprint: Google+, YouTube, GMail.

Continue reading comment below . . .

Kind Regards.

-EvZen
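To make the compartmentation point concrete, here is an added example of my own (not part of the post) that models the post's "Contamination" list as an identity graph and asks how many links had to fail at once before Silk Road and Ross Ulbricht became reachable from each other. The identity labels are the post's; the evidence strings are my paraphrases of its bullets.

```python
from collections import defaultdict
from itertools import combinations

# Identity links reconstructed from the post's "Contamination" list.
# Each tuple is (identity A, identity B, evidence that links them).
# Evidence strings are paraphrased from the post, not quoted from it.
CONTAMINATION_LINKS = [
    ("Silk Road", "altoid", "Shroomery/BitcoinTalk advertising posts"),
    ("altoid", "rossulbricht@gmail", "BitcoinTalk job-offer post (2011)"),
    ("rossulbricht@gmail", "Ross Ulbricht", "real-name Gmail account"),
    ("Ross Ulbricht", "frosty@frosty", "StackOverflow account (2013)"),
    ("frosty@frosty", "Silk Road", "Silk Road server admin SSH key"),
]


def compartments(links):
    """Connected components of the identity graph. Good compartmentation
    means every identity ends up in its own set."""
    graph = defaultdict(set)
    for a, b, _ in links:
        graph[a].add(b)
        graph[b].add(a)
    comps, seen = [], set()
    for start in graph:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:            # iterative DFS over one component
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(graph[node] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def linked(links, a, b):
    """True if identity a can be walked to identity b via the evidence."""
    return any(a in c and b in c for c in compartments(links))


def minimal_cut_sets(links, cover, real):
    """Smallest sets of links whose absence would have kept `cover` and
    `real` apart. Their size is the number of independent evidence chains,
    i.e. how many separate mistakes had to coincide."""
    for k in range(1, len(links) + 1):
        cuts = [frozenset(l[2] for l in combo)
                for combo in combinations(links, k)
                if not linked([l for l in links if l not in combo], cover, real)]
        if cuts:
            return cuts
    return []
```

For the post's five links the graph is one component and every minimal cut has size two: one link from the 2011 altoid chain plus one from the 2013 frosty chain, which is exactly the "two errors combine" observation above.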

Comments (23)
/u/EvZen P OP · 3 votes · 1 year ago (Pinned post) · Link

============

Isolation

============

  • Isolation without relief

  • Rented room under assumed name

  • No “mainstream” social circle to realign with social mores

  • No peers to talk to (generally speaking, aside from his DPR hidden life), only Silk Road forum members and admins

After the altoid persona is retired from BitcoinTalk, Ulbricht migrates his social interaction to his market’s forum community: the Silk Road forums. This appears to have been his “scene”, where he interacted with people and cultivated friends (including an impressive array of undercover law enforcement officials).

The underground life forced on Ulbricht as the Dread Pirate Roberts led to the major problem of isolation. Human beings are social animals. We require social interaction to maintain a healthy mental state. The strict security of DPR required isolation, leaving Ross Ulbricht living his social life on forums with niche ideological views, initially BitcoinTalk (in 2011) and then the Silk Road forums. Isolation from mainstream society in this case led to ideological extremism as members of his niche community self-reinforce their ideological tendencies. Consequently, they are less able to understand mainstream society’s ideas, beliefs and morals. This proved dangerous. This isolation leads him to rationalize hiring online hitmen to preserve the Silk Road community by committing murder.

Apparently the only source of social validation and ego gratification that Ross had was a group of bitcoin libertarians at the time and undercover cops posing under various aliases. This is not a healthy social environment conducive to a balanced state of mental health.

========================

What have we learned?

========================

So, the Dread Pirate Roberts Indictment DOC / Complaint basically tells us nothing that hasn’t already been covered in previous articles inside /d/OpSec. If you haven’t already, spend some time reading the articles inside /post/caca0fb44c86e28bd83b by /u/HeadJanitor. However, there are some lessons learned which can be used to harden OPSEC practices going forward. The main things are still: strong compartmentation; use Tor all the time; avoid leaking profiling information, and it is prudent to regularly migrate to new cover personas.

EDIT: A complete timeline of events related to Silk Road, along with a very interesting investigation on the identity of The Employee DPR paid to have killed can be found here -> https://antilop.cc/sr/

Kind Regards.

-EvZen

/u/Witchman05 P · 2 votes · 1 year ago (Pinned post) · Link

https://antilop.cc/sr/

/u/HeadJanitor Moderator · 1 votes · 1 year ago · Link

Nice timeline. So much to sift through. So little time.

/u/EvZen P OP · 1 votes · 1 year ago · Link

Thanks /u/Witchman05 for pointing this out. I will add it inside the thread also. Much Appreciated!

Kind Regards.

-EvZen

/u/Witchman05 P · 1 votes · 1 year ago · Link

<3

Also, if you find that interesting, there's no shortage on other good sources of information. I particularly like Gwern.net, especially his archives of DNM arrests and takedowns, and the book American Kingpin, by Nick Bilton. The Darkest Web by Eileen Ormsby also has a bit of information, but like her other books, I myself find it a bit too... circlejerky.

/u/HeadJanitor, you got even more to read in even less time now. ;P

/u/EvZen P OP · 1 votes · 1 year ago · Link

They are great reads, especially Gwern.net. His archives are spectacular.

Kind Regards.

-EvZen

/u/HeadJanitor Moderator · 1 votes · 1 year ago · Link

<3<3<3<3<3<3<3<3<3<3<3<3<3<3

/u/HeadJanitor Moderator · 2 votes · 1 year ago · Link

This was the best thing to wake up to. Thank you.

/u/EvZen P OP · 1 votes · 1 year ago · Link

Just trying to do my part :)

Would appreciate if you could also sticky the continued post comment, so it doesn't get lost within new comments!

Kind Regards.

-EvZen

/u/HeadJanitor Moderator · 1 votes · 1 year ago · Link

Will do. I'll have to place in in that Master Collection Post.

/u/EvZen P OP · 2 votes · 1 year ago · Link

Thank you!

P.S - BTW Your work in this sub-dread is amazing, I want to personally say that your continued service here to the community is very much appreciated. We need more like you!

Kind Regards.

-EvZen

/u/HeadJanitor Moderator · 1 votes · 1 year ago · Link

I sincerely thank you!

/u/Cartman22 · 1 votes · 1 year ago · Link

I love reading shit like this thanks bro!

/u/EvZen P OP · 1 votes · 1 year ago · Link

You're welcome bro!

Kind Regards.

-EvZen

/u/0xbeef · 1 votes · 1 year ago · Link

[removed]

/u/0xbeef · 1 votes · 1 year ago · Link

This is a good analysis. I'm thinking that maybe him taunting a US senator caused all kinds of departments to call in favours, leading to a needle in a haystack search + a tip off that allowed parallel reconstruction. He was arrogant and it was pre-Snowden, and there's a limited number of people on bitcointalk, NSA probably knows who most of them are. But it could have been old fashioned police work.

If I were him I would have sold the project to someone outside the US as soon as Snowden's leaks showed that dragnet surveillance was a thing.

/u/ACVLife · 1 votes · 1 year ago · Link

05/04/2012 - Undercover agent (UC) buys 1g of cocaine via SR from edgarnumbers for 21.28 BTC

Fuck man, gone are the days. Can you imagine if we all saved our BTC from SR? Spinners dripping diamonds breh. That is what my Tesla mini van would have.

/u/EvZen P OP · 1 votes · 1 year ago · Link

Bitcoins boost and appreciation in value over the last couple of years was something truly remarkable to witness. ETH too. I believe XMR will also too flourish in the future, we'll have to wait and see.

P.S - Oh, and that 1g of cocaine (transaction) today would be worth over $600K. $625.055.05581 to be exact at the time of this comment. Who would've thought? Definitely not that undercover cop or edgarnumbers for that matter.

Kind Regards.

-EvZen

/u/ACVLife · 1 votes · 1 year ago · Link

My son found a paper with words, allocated to BTC Electrum and voila! Suddenly I can afford a 5 day stay in LV.

Every year I have successfully made $ at EDC Las Vegas. Last year's ROI $5k.

This year?

PSE

We are all out loud camp bass.

/u/EvZen P OP · 1 votes · 1 year ago · Link

Good on you. Don't spend it all in one place.

Kind Regards.

-EvZen

/u/ACVLife · 1 votes · 1 year ago · Link

?, grab two?


/u/EvZen P OP · 2 votes · 1 year ago · Link

"Don't spend it all in one place" is just an expression or saying.

Kind Regards.

-EvZen

/u/ACVLife · 1 votes · 1 year ago · Link

Both.

Tok ToK kaT

<- i typed that so analytic will surface this thread via Google.

Eventually, everything we spray and spam will be on Google search engine.