On 2 October, the Silk Road website, well known for illegal drug selling, was shut down by the FBI and Ross William Ulbricht, 29, was arrested on suspicion of creating and running the site, earning $80 million from it in less than three years.
Exisiting in the shadows of the 'dark web', and using the anonymous Bitcoin currency, Silk Road was thought to exist beyond the law, but as a 33-page document written by FBI special agent Christopher Tarbell shows, a number of apparent slip-ups and a routine border control check of post shipped from Canada led to the website being closed down.
Creation of Silk Road
On 23 January, 2011, Ulbricht registed the website silkroad420.wordpress.com on the free Wordpress blogging platform, and four days later he is believed to have created a user account named 'altoid' on the shroomery.org website - a site claiming to "demystifty" magic mushrooms. altoid's first post on the site promoted the new Silk Road website, posing as a curious potential user.
"I came across this website called Silk Road," altoid wrote, "It's a Tor hidden service that claims to allow you to buy and sell anything online anonymously. I'm thinking of buying off it, but wanted to see if anyone here had heard of it and could recommend it...let me know what you think."
The Tor web browser is used to access websites that cannot be viewed through regular browsers like Chrome and Firefox, and do not appear in search results from engines like Google and Bing. Accessing websites through Tor is anonymous and user browsing history cannot be easily traced.
Two days later, the FBI says Ulbricht created another 'altoid' user account on the Bitcointalk forum dedicated to the anonymous, virtual currency used to buy and sell goods on his Silk Road website, again looking to promote Silk Road, posing as an interested user.
Special Agent Tarbell, who was also involved in the arrest of LulzSec member Sabu, aka Hector Xavier Monsegur, describes these messages as "attempts to generate interest in the site...a common online marketing tactic for new websites."
Altoid was last seen on the Shroomery website on 7 February 2011 and it wasn't until 11 October that year when he reappeared, posting a job offer on the Bitcoin forums, looking for "the best and brightest IT pro in the bitcoin community [to] be the lead developer in a venture-backed bitcoin startup company."
The user asked potential candidates to contact him at email@example.com.
During the investigation leading to Ulbricht's arrest, an unidentified FBI operative simply known as 'Agent-1' linked the email to accounts on the Google+ social network and YouTube.
A YouTube account in Ulbricht's name was used to post a video of him trying to sell a pickup truck - leaving his now-disconnected phone number in the video description - and 'favourited' several clips from the Ludwig von Mises Institute, a renowned Austrian school of economics.
Claimed Silk Road owner Dread Pirate Roberts (DPR) would later make references to the Institute and its work.
On 9 April, 2012, Ulbricht posted on Google+, asking: "anybody know someone that works for UPS, FedEX, or DHL?" but received no replies.
During 2012 and 2013 an account was created on Stack Overflow, a question-and-answer website for programmers - where a user named Frosty asked questions about code that would later be used for Silk Road. Frosty's first post was initially posted under the name of Ross Ulbricht, before being changed less than a minute later.
Extortion and execution
On 13 March, 2013 a Silk Road seller called 'FriendlyChemist' contacted DPR, threatening to publish the real names and addresses of many Silk Road vendors and customers unless he received money to pay off a drug supplier who used the name eedandwhite on Silk Road.
DPR was able to sweet talk redandwhite and convinced them to execute FriendlyChemist for the fee of $150,000. DPR told the redandwhite: "In my eyes, FriendlyChemist is a liability and I wouldn't mind if he was executed."
DPR gave redandwhite a name for FriendlyChemist adding that he lived in White Rock, British Columbia, Canada, with "wife + 3 kids".
After again being threatened by FriendlyChemist, now demanding $500,000, DPR contacted redandwhite to say FriendlyChemist is "causing me problems," adding: "I would like to put a bounty on his head...what would be an adequate amount to motivate you to find him? Necessities like this do happen from time to time for a person in my position."
The two agreed on a fee of 1,760 bitcoins - approximately $150,000 at the time - and on 31 March 2013, redandwhite told PDR: "We know where he is. He'll be grabbed tonight. I'll update you."
The next day redandwhite told DPR: "Your problem has been taken care of...rest easy though, because he won't be blackmailing anyone again. Ever."
Tarbell writes: "Although I believe the foregoing exchange demonstrates DPR's intention to solicit a murder-for-hire...Canadian law enforcement authorities...[do not] have any record of a homicide occurring in White Rock, British Columbia on or about March 31, 2013."
A San Francisco internet cafe
Using the firstname.lastname@example.org email address, Tarbell issued a subpoena to Google, which revealed the user's name as Ross Ulbricht and locations where the account had been accessed, including a San Francisco address associated with someone who Tarbell knew to be a friend of Ulbricht "according to a video posted on YouTube in which they both appear and make statements to that effect."
Following "forensic analysis of the Silk Road Web Server," Agent-1 discovered that access was only possible from a particular IP address, via a VPN (virtual private network). The last login to the secure server was through a Comcast IP address. Agent-1 subpoenaed Comcast, which revealed that the IP address used to access Silk Road through the VPN server was an internet cafe less than 500 feet from the friend's house where Ulbricht regularly logged Gmail.
The Gmail account and the secure Silk Road VPN server were accessed several times on 3 June, 2013, Turbell reveals, explaining: "This evidence places the administrator of Silk Road, that is, DPR, in the same approximate geographic location, on the same day, as Ulbricht."
Fake IDs and a routine border control check
Further pinning the two to the same location, Agent-1 found that Ulbricht was sent a package containing multiple counterfeit identification documents at the same time that DPR is known to have been seeking such documents on SIlk Road.
In early July 2013, US Customs and Border Protection intercepted a package from Canada as part of a routine border search. It contained nine counterfeit ID documents, all in a different name, yet all with a photograph of the same person.
On 26 July, agents from Homeland Security Investigations visited the address the documents were sent to, where they encountered Ross William Ulbricht, who matched the photographs on the fake ID documents.
Tarbell concludes his report: "I believe that the owner and operator of Silk Road is Ross William Ulbricht, aka 'Dread Pirate Roberts,' aka 'DPR,' aka 'Silk Road,' the defendant...I respectfully request that an arrest warrant by issued for Ross William Ulbricht...and that he be arrested and imprisoned or bailed, as the case may be."