Silk Road: How FBI closed in on suspect Ross Ulbricht

  • Published
FBI
Image caption,

A lengthy investigation into internet communications led the FBI to their suspect

US authorities believe that 29-year-old Ross William Ulbricht, arrested on Wednesday, is Dread Pirate Roberts (DPR) - the administrator of the notorious Silk Road online marketplace.

It was an underground website where people from all over the world were able to buy drugs.

In the months leading up to Mr Ulbricht's arrest, investigators undertook a painstaking process of piecing together the suspect's digital footprint, going back years into his history of communicating with others online.

The detail of how the FBI has built its case was outlined in a court complaint document published on Wednesday.

The search started with work from Agent-1, the codename given to the expert cited in the court documents, who undertook an "extensive search of the internet" that sifted through pages dating back to January 2011.

The trail began with a post made on a web forum where users discussed the use of magic mushrooms.

In a post titled "Anonymous market online?", a user nicknamed Altoid started publicising the site.

"I came across this website called Silk Road," Altoid wrote. "Let me know what you think."

The post contained a link to a site hosted by the popular blogging platform Wordpress. This provided another link to the Silk Road's location on the so-called "dark web".

Records obtained by Agent-1 from Wordpress discovered, unsurprisingly, that the blog had been set up by an anonymous user who had hidden their location.

But then Altoid appeared in another place: a discussion site about virtual currency, bitcointalk.org.

Altoid - who the FBI claimed is Mr Ulbricht - was using "common online marketing" tactics. In other words, he was trying to make Silk Road go viral.

Months later, in October, Altoid appeared again - but made a slip-up, granting investigators a major lead.

In a post asking seeking to find an IT expert with knowledge of Bitcoin, he asked people to contact him via rossulbricht@gmail.com.

With a Gmail address to hand, Agent-1 linked this address to accounts on the Google+ social network and YouTube video site. There he discovered some of Mr Ulbricht's interests.

Among them, according to the viewing history, was economics. In particular, Mr Ulbricht's account had "favourited" several clips from the Ludwig von Mises Institute, a renowned Austrian school of economics.

Years later, on the Silk Road discussion forums, Dread Pirate Roberts would make several references to the Mises Institute and its work.

Covering tracks

According to the court complaint document, it was the discovery of the rossulbricht@gmail.com email address that gave investigators a major boost in their search.

Through records "obtained from Google", details of IP addresses - and therefore locations - used to log into Mr Ulbricht's account focused the search on San Francisco, specifically an internet cafe on Laguna Street.

Furthermore, detailed analysis of Silk Road's source code highlighted a function that restricted who was able to log in to control the site, locking it down to just one IP address.

As would be expected, Dread Pirate Roberts was using a VPN - virtual private network - to generate a "false" IP address, designed to cover his tracks.

Image caption,

Mr Ulbricht said to have been running Silk Road from Hickory Street in San Francisco

However, the provider of the VPN was subpoenaed by the FBI.

While efforts had been made by DPR to delete data, the VPN server's records showed a user logged in from an internet cafe just 500 yards from an address on Hickory Street, known to be the home of a close friend of Mr Ulbricht's, and a location that had also been used to log in to the Gmail account.

At this point in the investigation, these clues, investigators concluded, were enough to suggest that Mr Ulbricht and DPR - if not the same person - were at the very least in the same location at the same time.

Fake IDs

The court complaint went into detail about further leads that followed.

In July of this year, by coincidence, a routine border check of a package from Canada discovered forged documents for several fake identities all containing photographs of the same person.

It was headed to San Francisco's 15th Street. Homeland security visited the address, and found the man in the photographs - Mr Ulbricht.

He told officers that the people he lived with knew him simply as Josh - one housemate described him as being "always home in his room on the computer".

Around the same time, investigators working on the Silk Road case later discovered, DPR had been communicating with users privately to ask for advice on obtaining fake IDs - needed in order to purchase more servers.

Further activity attributed to Mr Ulbricht took place on Stack Overflow - a question-and-answer website for programmers - where a user named Frosty asked questions about intricate coding that later became part of the source code of Silk Road.

In another apparent slip-up, one of Frosty's messages initially identified itself as being written by Ross Ulbricht - before being quickly corrected.

"I believe that Ulbricht changed his username to 'frosty' in order to conceal his association with the message he had posted one minute before," lead prosecutor Christopher Tarbell wrote in court documents.

"The posting was accessible to anyone on the internet and implicated him in operating a Tor hidden service."

Follow Dave Lee on Twitter @DaveLeeBBC, external