In October of 2013, an undercover FBI agent watched then-29-year-old Ross Ulbricht log out of the drug market Silk Road's administration tools, walk down the street to the library, and log back in. According to a former FBI agent who worked on cyber crime, the arrest of Ulbricht—now on trial for allegedly being the kingpin of the online black market—was a slam dunk.
"That's about as good as it gets as far as I'm concerned, where someone was watching as he was working on the site," Michael Panico, who worked on cyber cases with the FBI for 10 years, told me.
Panico was not specifically involved in the Silk Road case and is now a private security consultant who recently worked on the hacking movie Blackhat. He says he initially read the complaints and indictments associated with Ulbricht's arrest but has not been paying close attention to his ongoing trial.
Establishing attribution in cyber cases is particularly hard because of anonymity tools such as Tor, encryption that law enforcement cannot crack, and virtual private networks (VPNs), connections that can make a user appear to be in a different geographic location than they actually are. It is one of the reasons there is so much doubt surrounding the Sony hack.
From the FBI's perspective, it was absolutely imperative to "put [Ulbricht] behind the keyboard" before making an arrest. A forum post or an IP address is nice circumstantial evidence, but that sort of evidence is easily explained away in court. In this case, an undercover agent was chatting with Dread Pirate Roberts—the pseudonym of the Silk Road administrator—at the same time Ulbricht was being watched in real life.
The FBI has presented this as an open-and-shut case, and Ulbricht has admitted that he did run Silk Road for a while. But the defense has now suggested that Ulbricht created the site as an "economic experiment" and then passed control of it, along with the Dread Pirate Roberts name, on to someone else. In other words, his defense team said, Ulbricht had no control of the site when it was at its most nefarious, and he is merely a fall guy for the real Dread Pirate Roberts.
Panico says that these sorts of arguments are extremely common in cyber cases, thanks to VPNs, anonymity tools, and the general problem of attribution based strictly on digital evidence.
So, in a lot of ways, cyber investigations have become much more similar to investigating, say, a drug ring or a murder case. Cyber cases are won thanks to insiders and informants, such as former LulzSec hacker Hector "Sabu" Monsegur, who cooperated with the FBI on a number of cases.
"It's not a sexy answer, but it's a true answer—you often have to get someone who knows the [hacking] world and specifically knows the people they're dealing with. That's what the FBI did with Anonymous," Panico said. "You want to be able to 'flip' a coconspirator, just like you do with any criminal enterprise."
That's not exactly what happened in Ulbricht's case—instead, a Homeland Security agent named Jared DerYeghiayan infiltrated Silk Road's staff and regularly worked with Ulbricht as someone named "Cirrus" on the site. DerYeghiayan was paid $1,000 a week in Bitcoin for moderating the site.
DerYeghiayan also monitored Ulbricht in person, which is why agents arrested him while he was allegedly logged in to the site from a San Francisco library. Panico said that this type of arrest, which was specifically done with the hope of confiscating his computer before he could encrypt it, was ideal.
"Even in cyber cases, especially in cyber cases, there's always a physical component. For that reason, my goal is to get you sitting on your computer in your house. I want to conduct a search and take the hard drives, take the things in your physical possession," he said.
"This one case I had, we looked on the [suspect's] desktop, and there was a folder titled 'revenge.' Inside, it had the IP addresses of the victims," he added. "It doesn't get any better than that. In a murder case, you look for a pistol that's the murder weapon. Well, a forensic review of your computer can give you what's known as 'digital evidence in a physical proximity' to the suspect. That's what you want."
There have already been a number of twists and turns in the Silk Road trial, and there are sure to be more. Last week, Ulbricht and his attorney, Joshua Dratel, put the prosecution on its back foot by suggesting that Mark Karpeles, the former CEO of the failed Bitcoin company Mt. Gox, may have been the real Dread Pirate Roberts, leading to a temporary adjournment in the trial.
But what might end up hurting Ulbricht is the fact that the FBI appears to have, as Panico said, physically watched him as he operated the site.
"If that's the case, that's as strong an attribution as you're going to get," he said.