Nearly one year after the FBI took down the largest online black market, known as the Silk Road, privacy activists and security experts are still speculating about how the FBI was able to discover the geographic location of the Silk Road servers. The Silk Road was supposed to be hidden by the Tor anonymity network, but as court documents disclosed last Friday, that was not the case. It appears the Silk Road login page used a CAPTCHA, a technology commonly used to deter spam registrations, and the CAPTCHA leaked the Silk Road's physical location.
Tor is an anonymity network that people around the world use to mask their identity online and evade censorship by bouncing their traffic through a number of Tor nodes, encrypting it at every hop. The Silk Road, like many other digital black markets, relied on a feature of Tor known as “hidden services.” The feature allows anyone to host a website without revealing the site's IP address or other identifying information.
That is the case only if it is done correctly, which means not mixing content from the regular open Internet into hidden websites protected by the Tor network. According to the FBI, Ross William Ulbricht, a.k.a. Dread Pirate Roberts, the 30-year-old man arrested last year for allegedly being the Silk Road's founder and operator, made this very mistake.
As stated in the Tor how-to, for a computer to be fully hidden behind Tor, the applications and other services running on it must also be configured to communicate only through Tor. Otherwise, the IP address or other personally identifiable information may be leaked by traffic being sent from the computer.
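As an added example (not from the article or from Tor's documentation), the following Python audit flags resources in a hidden service's login page that a browser would fetch from hosts outside the .onion network, the kind of mixed open-Internet content the article warns about. The sample login page is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value makes a browser fetch (or submit to) a remote URL.
FETCH_ATTRS = {"src", "href", "action", "data", "poster"}


class _ResourceCollector(HTMLParser):
    """Collects every (tag, url) pair that would trigger a network request."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                self.urls.append((tag, value))


def find_clearnet_references(html):
    """Return (tag, url) pairs that point at hosts outside Tor.

    Relative URLs resolve to the hidden service itself and are fine;
    absolute or protocol-relative URLs to non-.onion hosts are flagged,
    since loading them ties the page to the open Internet.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    leaks = []
    for tag, url in collector.urls:
        parsed = urlparse(url)
        if not parsed.netloc:
            continue  # relative reference, stays inside the .onion site
        host = parsed.hostname or ""
        if not host.endswith(".onion"):
            leaks.append((tag, url))
    return leaks


# Constructed sample: a login form whose CAPTCHA widget and stylesheet
# are pulled from hypothetical clearnet hosts (example.com / example.net).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="/login" method="post">
<img src="/captcha.png" alt="captcha">
<script src="https://captcha.example.com/widget.js"></script>
<link rel="stylesheet" href="//cdn.example.net/style.css">
<a href="http://abcdefghijklmnop.onion/help">Help</a>
</form></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_clearnet_references(SAMPLE_LOGIN_PAGE):
        print(f"clearnet reference in <{tag}>: {url}")
```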
The Federal Bureau of Investigation's own account of how the Silk Road servers were located reads:
“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”
“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”
Security experts are calling the Dread Pirate Roberts’ slip a “noob mistake”, which it may well have been.
To see just how hard it is to be anonymous online, take a look at KrebsonSecurity. Brian Krebs is notorious for exposing cybercriminals online and shows just how hard it is to stay anonymous on the Internet. By joining underground black markets and exposing their operators using information gathered from the sites themselves, Krebs shows that one minor slip-up can be costly.
A copy of the government's statement on how the Silk Road was located and its servers confiscated can be read here.
Dread Pirate Roberts was sunk by a leaky CAPTCHA!