Silk Road allegedly taken down by leaky Captcha

The United States Federal Bureau of Investigation used a leaky Captcha prompt to take down the servers of the Silk Road anonymous marketplace, according to claims in court documents filed late last week.

Former FBI agent Christopher Tarbell has claimed that the agency tracked down the servers of the anonymous online marketplace Silk Road by exploiting an IP address leak caused by a Captcha prompt on the site's login page.

The anonymous online marketplace, popular as a black market trading bazaar, was taken down in October last year, and its owner and operator, the Dread Pirate Roberts, aka Ross William Ulbricht, was arrested at San Francisco airport.

Silk Road relied on the Tor anonymity network to keep its true IP address and web server location secret, but, according to Tarbell's declaration (PDF) in the United States of America v. Ross Ulbricht case before the US District Court for the Southern District of New York, the FBI located the Silk Road server by using the leaky Captcha prompt.

"During the course of the FBI's investigation of the Silk Road website, the SR Server was located by myself and another member of the CY-2 squad of the FBI New York Field Office as a result of such a leak," said Tarbell, who is a former computer forensic examiner with the FBI's global forensic team, and also served as a lead case agent in the Silk Road investigation while part of the FBI's CY-2 cybercrime squad.

"The IP address leak we discovered came from the Silk Road user login interface," said Tarbell in his declaration. "Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the 'Subject IP Address') was the only non-Tor source IP address reflected in the traffic we examined.

"The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.

"When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the Captcha prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was 'leaking' from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor," he said.

Former Washington Post writer Brian Krebs, who posted segments of Tarbell's declaration on his Krebs on Security site over the weekend, said that although Ulbricht's alleged accidental mixing of open internet content with the fabric of the Silk Road site could be considered a "noob mistake", staying anonymous online could be a tricky task, even for "hardened cybercrooks".
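The mix-up Krebs describes, a page served over Tor that pulls a component such as a Captcha from a non-Tor address, is something a hidden-service operator can audit for in the HTML before it goes live. The following script is an added example, not code from the article or the declaration; the onion hostname and the sample login page are constructed, and the check only looks at references in the markup, not at the packet-level leak Tarbell describes.

```python
"""Flag references in an onion service's HTML that would make a visitor's
browser fetch from, or submit to, a host outside Tor (a public hostname or
a raw IP address). Added example; the sample page and hostname are made up."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that cause a fetch or a submission to another host.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "form": ("action",), "object": ("data",),
}


class RefCollector(HTMLParser):
    """Collect every (tag, url) pair from the attributes listed above."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def is_clearnet_ref(url, onion_host):
    """True if following this URL would leave the onion service."""
    parts = urlsplit(url)
    if not parts.netloc:                     # relative URL: same host
        return False
    host = parts.hostname or ""
    if host == onion_host or host.endswith(".onion"):
        return False
    return True                              # public hostname or raw IP


def find_clearnet_refs(html, onion_host):
    """Return the (tag, url) references that point outside Tor."""
    collector = RefCollector()
    collector.feed(html)
    return [(t, u) for t, u in collector.refs if is_clearnet_ref(u, onion_host)]


# Constructed sample: a login page whose Captcha image is served from a
# public IP (documentation range) instead of the onion service itself.
ONION_HOST = "sampleservice1234.onion"
SAMPLE_PAGE = """<html><body>
<form action="/login">
  <img src="http://198.51.100.7/captcha.php">
  <script src="/static/login.js"></script>
  <link rel="stylesheet" href="http://sampleservice1234.onion/style.css">
</form></body></html>"""

if __name__ == "__main__":
    for tag, url in find_clearnet_refs(SAMPLE_PAGE, ONION_HOST):
        print(f"non-Tor reference in <{tag}>: {url}")
```

The same misconfiguration can be confirmed from outside, as Tarbell did, by requesting the candidate address with an ordinary browser; binding the web server only to the loopback interface that Tor forwards to removes that exposure.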

In October last year, after the Silk Road site had been shut down, prosecutors said they seized approximately $3.6 million worth of bitcoins in the largest ever seizure of the digital currency.

"The Silk Road website has served as a sprawling black market bazaar where illegal drugs and other illicit goods and services have been regularly bought and sold by the site's users," said Tarbell in a criminal complaint filed at the time.