Former FBI agent Christopher Tarbell has claimed that the agency tracked down the servers of anonymous online marketplace Silk Road by employing an IP leak caused by a Captcha prompt on the site’s login page.
The anonymous online marketplace, popular as a black market trading bazaar, was taken down in October last year, with its owner and operator the Dread Pirate Roberts, aka Ross William Ulbricht, arrested at San Francisco airport.
Silk Road employed the anonymous internet privacy network in order to keep its true IP address and web server location secret, however, according to Tarbell’s declaration (PDF) for the United States of America v. Ross Ulbricht case being heard at the Southern District New York District Court, the FBI tracked down the Silk Road server by allegedly using the leaky Captcha prompt.
During the FBI’s investigation of the Silk Road website, the SR Server was located by Tarbell and another member of the CY-2 squad of the FBI New York Field Office. who is a former computer forensic examiner with the FBI’s global forensic team, and also served as a lead case agent in the Silk Road investigation while part of the FBI’s CY-2 cybercrime squad.
Tarbell says “The IP address leak we discovered came from the Silk Road user login interface. When examining the individual packets of data being sent back from the website, they noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the ‘Subject IP Address’) was the only non-Tor source IP address reflected in the traffic we examined.
“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.
When Tarbell typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the Captcha prompt) appeared. Based on his training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.
After the Silk Road shutdown in October of 2013, 3.6 million bitcoins were seized.