Silk Road forums

Discussion => Security => Topic started by: talawtam on September 05, 2013, 03:59 pm

Title: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: talawtam on September 05, 2013, 03:59 pm
http://www.forbes.com/sites/andygreenberg/2013/09/05/follow-the-bitcoins-how-we-got-busted-buying-drugs-on-silk-roads-black-market/

Quote
The crypto-currency Bitcoin has become the preferred payment method for much of the online underground, hailed by none other than the administrator of the booming Silk Road black market as the key to making his illicit business possible. But spending Bitcoins to anonymously score drugs online isn’t as simple as it’s often made out to be.

We at Forbes should know: We tried, and we got caught.

To be clear, we weren’t caught by law enforcement–so far at least, our experiment last month in ordering small amounts of marijuana from three different Bitcoin-based online black markets hasn’t resulted in anyone getting arrested. But a few weeks after those purchases, I asked Sarah Meiklejohn, a Bitcoin-focused computer science researcher at the University of California at San Diego, to put the privacy of our black market transactions to the test by tracing the digital breadcrumbs that Bitcoin leaves behind. The result of her analysis: On Silk Road, and possibly on smaller competitor markets, our online drug buys were visible to practically anyone who took the time to look. “There are ways of using Bitcoin privately,” says Meiklejohn. “But if you’re a casual Bitcoin user, you’re probably not hiding your activity very well.”

Bitcoin’s privacy properties are a kind of paradox: Every Bitcoin transaction that occurs in the entire payment network is recorded in the “blockchain,” Bitcoin’s decentralized mechanism for tracking who has what coins when, and preventing fraud and counterfeiting. But the transactions are recorded only as addresses, which aren’t necessarily tied to anyone’s identity–hence Bitcoin’s use for anonymous and often illegal applications.

But Meiklejohn and her colleagues at UCSD and George Mason University have found that a little snooping in the blockchain can often uncover who owns which of those Bitcoin addresses. In a paper they’re presenting at the Internet Measurement Conference in Barcelona next month, they showed that they could use “clustering” methods involving how bitcoins are typically aggregated or split up to identify thousands of addresses based on just a few test transactions they performed. With the data from just 344 of their own transactions, they were able to label the owners of more than a million Bitcoin addresses. And by making just four deposits and seven withdrawals into accounts held on Silk Road, Meiklejohn says the researchers identified 295,435 addresses as belonging to that drug market.

When I asked Meiklejohn to try to trace Forbes’ transactions, I started by giving her the Bitcoin addresses associated with our account on the popular Bitcoin wallet service Coinbase–information that could in theory be obtained by any investigating law enforcement agency that sends Coinbase a subpoena. With just that list of my public addresses, she was able to identify every transaction we had made, including deposits to the Silk Road, to competitor sites Atlantis and Black Market Reloaded, and even a transfer to the personal account of Forbes reporter Kashmir Hill. (Hill had revealed her Bitcoin address during her earlier experiment of living for a week on nothing but Bitcoin.)

To be fair, Meiklejohn had seen my story on our three experimental drug buys, which obviously informed her guesses. But her ability to identify the Silk Road transaction didn’t involve any such cheating. To spend bitcoins on sites like Silk Road, users must first deposit them in their account on the site. Meiklejohn was able to trace Forbes’ deposit to our Silk Road account by tying the deposit address to around 200 other addresses, several of which she had identified as associated with the Silk Road in her clustering analysis. After we sent .3 bitcoins to that Silk Road deposit address, the blockchain showed that our bitcoins and small amounts of bitcoins from all of those other addresses–including the known Silk Road addresses–were aggregated together in a 40 bitcoin account. That proves, Meiklejohn explains, that whoever had control of the deposit address we used also must have had control of Silk Road addresses, which means our earlier transaction could be identified as a Silk Road deposit. (See the diagram below.)

How Meiklejohn traced our Silk Road deposit: When our .3 bitcoins were aggregated into a much larger 40 bitcoin account, she was able to connect the address of our suspected deposit with hundreds of other addresses also making transfers to that account. Matching those addresses with ones she had identified as belonging to Silk Road in an earlier "clustering" analysis revealed that Forbes' deposit address must have belonged to Silk Road, too.

“Because we had such a big aggregation, we had hundreds of opportunities to have seen one of those addresses before,” says Meiklejohn. “If we could tag any of these addresses as belonging to Silk Road, your deposit address must have belonged to Silk Road as well…I had to do one query in the database to identify them as Silk Road.”

Meiklejohn’s identification of the Atlantis and Black Market Reloaded transactions, on the other hand, was based on more manual detective work and probably wouldn’t have been possible without some prior knowledge of what she was looking for. “If you hadn’t mentioned these services, just trying to guess would have been very difficult if not impossible,” she admits. But that’s only because Meiklejohn hadn’t had a chance to perform a prior analysis on Atlantis and Black Market Reloaded as she had from Silk Road, she says. “The manual inspection approach would not work in general, but if I’d had the ability to throw our whole analysis at this…who knows.”

Given how easily she traced the Silk Road transaction, I asked Meiklejohn a harder question: What if I hadn’t given her Forbes’ full list of Coinbase addresses? After all, some investigators might not be able to subpoena that data, as I assumed in our experiment. What if instead she only had the initial address Coinbase created for Forbes, an address that might be shared with anyone sending bitcoin payments to our account. Her answer: Even then, Meiklejohn would have been able to see that we’d transacted with the Silk Road, based on a withdrawal from a known Silk Road address to that single Coinbase address.

Despite what Meiklejohn was able to prove about Bitcoin’s traceability, the experiment also shows the limits of tracing those underground transactions. Once our bitcoins had been mixed up with other users’ bitcoins in the Silk Road’s 40 bitcoin account, it became impossible to track them further. So even though Meiklejohn could show that we had deposited bitcoins into a Silk Road account, she couldn’t see that those bitcoins were later paid to a drug dealer–in this case one who calls himself the “DOPE man” who mailed us a gram of marijuana.

That conclusion holds–at least in part–with the privacy claims of the Dread Pirate Roberts, the pseudonymous administrator of the Silk Road who I interviewed for a story published last month. “We employ an internal tumbler for when vendors withdraw their payments, and a more general mix for all deposits and withdrawals,” he told me when I asked about tracing Silk Road transactions in the blockchain. “This makes it impossible to link your deposits and withdrawals and makes it really hard to even tell that your withdrawals came from Silk Road.”

Though Meiklejohn may have offered evidence contradicting the last part of Roberts’ statement–she easily identified our withdrawal from the Silk Road–the site’s mixing of bitcoins may still offer some superficial protection to users. There may not be anything clearly illegal, after all, about merely storing bitcoins in a Silk Road account–the site does offer plenty of legal products as well as contraband. “Everything that happens internally on the Silk Road is completely opaque, and the coins you withdraw are fairly unrelated to the ones that come out,” she says.

And the final lesson of Meiklejohn’s experiment is that Bitcoin users seeking privacy should be careful about revealing their addresses in public or using a subpoenable Bitcoin service like Coinbase that might connect their Bitcoin addresses and real names. If we had taken the extra consideration of shuffling our bitcoin expenditures through other addresses created with desktop-based wallet software, or gone to the further effort of sending them through a bitcoin “laundry service” such as Bitlaundry, Bitmix or Bitcoinlaundry, tracing them would have become much harder or even impossible.

“There’s this tension between anonymity and usability with Bitcoin,” says Meiklejohn, pointing to desktop Bitcoin clients like MyWallet that are less convenient than Coinbase but offer greater privacy. “If you’re an amateur Bitcoin user and you don’t want to mess with complicated Bitcoin clients and just use an online service, your anonymity is quite a lot less than what you might imagine.”
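
The clustering step the quoted article describes (addresses spent together as inputs of one transaction are treated as one owner, then a few tagged addresses label the whole cluster) can be sketched as follows. This is an added example, not code from the article, the researchers or any poster; every address, transaction and tag in it is constructed, and the "CONFLICT" label is an assumption added to show where the heuristic stops being reliable.

```python
from collections import defaultdict

# Constructed transactions (not real chain data): "inputs" are the addresses
# spent from, "outputs" are the addresses paid to.
TRANSACTIONS = [
    {"txid": "tx_fund", "inputs": ["wallet_a"], "outputs": ["deposit_addr"]},
    {"txid": "tx_old", "inputs": ["sr_known_1", "sr_hot_7"], "outputs": ["sr_hot_9"]},
    {"txid": "tx_sweep",
     "inputs": ["deposit_addr", "sr_hot_7", "sr_hot_8", "sr_known_2"],
     "outputs": ["agg_40btc"]},
    {"txid": "tx_other", "inputs": ["u1", "u2"], "outputs": ["u3"]},
    {"txid": "tx_joint", "inputs": ["u2", "exch_known_1"], "outputs": ["u4"]},
]

# Addresses the analyst tagged beforehand by transacting with each service.
SEED_TAGS = {"sr_known_1": "silk_road", "sr_known_2": "silk_road",
             "exch_known_1": "exchange", "u1": "dice_site"}


class UnionFind:
    """Disjoint sets of addresses; each set is one presumed owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_inputs(transactions):
    """Merge all input addresses of each transaction into one cluster."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)  # register single-input spenders too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    return uf


def label_addresses(uf, seed_tags):
    """Spread each seed tag to its whole cluster; flag clusters with two tags."""
    tags_by_root = defaultdict(set)
    for addr, tag in seed_tags.items():
        tags_by_root[uf.find(addr)].add(tag)
    labels = {}
    for addr in list(uf.parent):
        tags = tags_by_root.get(uf.find(addr))
        if tags:
            # Two different services in one cluster means the co-spend was
            # probably a multi-party transaction, so the label is unreliable.
            labels[addr] = next(iter(tags)) if len(tags) == 1 else "CONFLICT"
    return labels


def payments_to_labelled(transactions, labels):
    """List payments whose destination address now carries a label."""
    return [(tx["txid"], tuple(tx["inputs"]), out, labels[out])
            for tx in transactions for out in tx["outputs"] if out in labels]


def analyse():
    labels = label_addresses(cluster_inputs(TRANSACTIONS), SEED_TAGS)
    return labels, payments_to_labelled(TRANSACTIONS, labels)


if __name__ == "__main__":
    labels, hits = analyse()
    print(labels)
    print(hits)
```

The sender `wallet_a` is never merged into the service cluster, but its payment is still identified as a deposit because the receiving address is.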
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: chil on September 05, 2013, 04:19 pm
So Sr's tumbler is useless ?  :o
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Tessellated on September 05, 2013, 04:23 pm
It is true that bitcoins are not private unless you use some tricks to make them private.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Bazille on September 05, 2013, 04:57 pm
So Sr's tumbler is useless ?  :o

It's useful for concealing whom you paid money to. It's not useful for concealing that you sent money to a Silk Road wallet. But that's already known since 2011 or so, if I remember correctly.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Rastaman Vibration on September 05, 2013, 06:31 pm
This is why you should always try to acquire bitcoin as anonymously as possible. And if your real name can be traced to your bitcoins in any way, then you should be using BitcoinFog
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: SeekEnlighten on September 05, 2013, 07:30 pm
This is why you should always try to acquire bitcoin as anonymously as possible. And if your real name can be traced to your bitcoins in any way, then you should be using BitcoinFog

What about blockchain?
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Kalli on September 05, 2013, 07:48 pm
sub.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Trappy on September 05, 2013, 08:25 pm
So Sr's tumbler is useless ?  :o

It's useful for concealing whom you paid money to. It's not useful for concealing that you sent money to a Silk Road wallet. But that's already known since 2011 or so, if I remember correctly.

This is correct. Plenty of legal, or at least more legal but still not quite items are available on the silk road, often cheaper than you would find in real life.

Such as Moonshine!
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: MrJoshua on September 05, 2013, 08:29 pm
This article makes me sad.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: MadScyentist on September 05, 2013, 09:04 pm
I'm a huge proponent of blockchains shared send and receive wallets.  I think using that alone will cover your ass.

I've also made it a huge common practice to always use a new address for every transaction

My typical scenario goes like this.

1. Convert cash.
2. Create new wallet on blockchain.info
3. Create shared wallet address on blockchain.info. Make sure shared address goes to newly generated wallet.
4. Send BTC from exchange to that shared address
5. Login to SR and generate a new wallet address
6. Once the BTC is in your blockchain.info wallet, select Shared Send
7. Send BTC to your newly generated SR wallet via Shared Send option. *NOTE* ALWAYS PAY THE FEES.
8. Once funds have hit your SR wallet, delete blockchain.info wallet and start from step 1 again for a new transaction.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Rastaman Vibration on September 05, 2013, 09:20 pm
This is why you should always try to acquire bitcoin as anonymously as possible. And if your real name can be traced to your bitcoins in any way, then you should be using BitcoinFog

What about blockchain?

I have read conflicting reports on whether blockchain's shared wallet is traceable or not. I use BitcoinFog for extra security. For a fee of 1%-3% it's really worth the extra peace of mind for me
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: astor on September 05, 2013, 09:31 pm
I'm a huge proponent of blockchains shared send and receive wallets.  I think using that alone will cover your ass.

I haven't used that service in a long time, so it may have changed, but the way blockchain.info used to "anonymize" bitcoins was way too vulnerable to traffic analysis. First, they charged a flat fee of 1.5% (which I believe was reduced to 0.5%), and when you sent the coins to your anonymous address, the fee would be subtracted, and the rest would be deposited to your real bitcoin address in exactly two transactions, within about 10 minutes. So if someone identifies your SR address as belonging to SR and they see the deposit came from another address, which they suspect belongs to blockchain.info, because the coins in that address came from two transactions a few minutes apart, then they merely have to look in the block chain for a transaction that occurred about 10 minutes earlier and involved exactly 1.5% (or 0.5%) more BTC. Now they are on the other side of the mixer and they can follow the transaction chain back to the exchange and your identity.

There are much better mixing services that give you more options for how you deposit and withdraw your coins, along with charging variable rate fees, to defend against that kind of traffic analysis.
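
The amount-and-timing correlation astor describes above, written out from the analyst's side as an added example (not code from any poster or service). The ledger is constructed, the 1.5% and 0.5% rates, the two-part payout and the roughly ten-minute gap come from the post, and the 30-minute search window, the 1000-satoshi tolerance and the reading "payout = deposit minus fee" are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    txid: str
    time: int   # seconds since an arbitrary epoch
    dest: str
    sats: int   # amount in satoshis; integers avoid float rounding


# Constructed ledger slice, not real chain data.
LEDGER = [
    Payment("d0", 900, "mix_in_a", 199_000_000),
    Payment("d1", 1000, "mix_in_b", 200_000_000),
    Payment("d2", 1100, "mix_in_c", 198_000_000),
    Payment("p1", 1500, "dest_addr", 120_000_000),
    Payment("p2", 1680, "dest_addr", 77_000_000),
    Payment("d3", 90_000, "mix_in_d", 200_000_000),
]


def group_payout(ledger, dest, max_gap=600):
    """Sum the burst of payments that reach `dest` within max_gap seconds.

    Returns (total_sats, time_of_first_part, number_of_parts) or None.
    """
    hits = sorted((p for p in ledger if p.dest == dest), key=lambda p: p.time)
    if not hits:
        return None
    first = hits[0].time
    burst = [p for p in hits if p.time - first <= max_gap]
    return sum(p.sats for p in burst), first, len(burst)


def candidate_deposits(ledger, total, payout_time,
                       fee_bps=(150, 50), window=1800, tol=1000):
    """Find earlier payments whose amount minus a known flat fee equals `total`.

    fee_bps: flat fee rates in basis points (150 = 1.5%, 50 = 0.5%).
    window:  how far back, in seconds, to search before the payout (assumed).
    tol:     allowed difference in satoshis for rounding (assumed).
    """
    matches = []
    for p in ledger:
        if not (payout_time - window <= p.time < payout_time):
            continue
        for bps in fee_bps:
            expected = p.sats * (10_000 - bps) // 10_000
            if abs(expected - total) <= tol:
                matches.append((p.txid, bps))
    return matches


def link_payout(ledger, dest):
    """Return the candidate deposits for the payout burst seen at `dest`."""
    payout = group_payout(ledger, dest)
    if payout is None:
        return []
    total, first_time, _parts = payout
    return candidate_deposits(ledger, total, first_time)


if __name__ == "__main__":
    print(group_payout(LEDGER, "dest_addr"))
    print(link_payout(LEDGER, "dest_addr"))
```

A single match means the deposit and the payout are linked across the mixer; more than one match means the amount and timing alone leave the link ambiguous.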
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: MadScyentist on September 05, 2013, 10:22 pm
Well shit astor, now you got me rethinking my procedures.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: NorthernStar on September 05, 2013, 10:24 pm
I hope this doesn't spell trouble, I for instance buy my BTC from a little known site, I can go to any bank and pay in the amount required by the seller, plus a little fee, Any bank anywhere, I'm on camera of course. I then get back home mark my transaction as paid, and the seller releases the BTC... Now when I was there today, the teller gave herself away. She let me know the account was flagged. They are tracing the flow now, and the sooner bigger companies start using BTC as a payment method (amazon accept) then the easier we can explain buying BTC. But this is what they want, to stigmatize the currency, and make us think we are committing an offence. This journo and her experiment can only be a detriment to us, you can guarantee the file has been passed to the feds anyway. And now they are finding more chinks in the armour. It's all very depressing, very depressing indeed.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: unbeknownst on September 06, 2013, 02:28 am
So Sr's tumbler is useless ?  :o

It's useful for concealing whom you paid money to. It's not useful for concealing that you sent money to a Silk Road wallet. But that's already known since 2011 or so, if I remember correctly.

This is correct. Plenty of legal, or at least more legal but still not quite items are available on the silk road, often cheaper than you would find in real life.

Such as Moonshine!

Classic bait-and-switch title, Forbes. Regarding large-scale buyers/vendors, I agree lack of BTC anonymity is cause for concern, but any such people should have already known this for years now and are probably taking appropriate measures. The rest of us casual users, while we should be using some of the methods described above, need not evacuate our bowels into our shorts. Three points I'd like to make:

1. One point I have been arguing over and over is that small time buyers of personal amounts need not really lose sleep over the safety of receiving drugs in the mail (with a few caveats), as we are MUCH more vulnerable on the BTC/tech end of things, e.g. the recent FH hack. Receiving stuff in the mail, even signing for it, doesn't hold up well for a conviction in court minus any evidence of a purchase or intent, as long as there is no self incrimination.  I would be much more worried about recent Snowden revelations that the feds have poured lots of money into breaking commonly used internet cryptography (we must assume that TOR and PGP are included). It may be the NSA chasing terrorists now, but the know-how will eventually filter down to the FBI et al.

2. While it is possible for skilled experts to do traffic analysis on anyone using bitcoin carelessly, LE does not have the resources to do this on hundreds of thousands (eventually millions?) of SR users. They will go for the big fish. Not to mention there is no evidence AT ALL if you buy BTC for CASH and use an anonymous wallet/VPN/email etc! If you're still using an exchange, WTF? Localbitcoins/SR vendors or GTFO.

3. Even if the authorities can prove you sent funds to an SR wallet, what are they going to charge you with? Sending money to a website that among other things sells illegal drugs? They would still need to hack your SR account to obtain the details of your transactions, AND would most likely need to search your house/property for some evidence of said drugs to obtain a conviction (which requires a warrant in most jurisdictions). I'm talking about Western countries here, anywhere else they'll fuck you with any inkling of wrongdoing. But generally speaking, in developed countries the burden of proof is quite high, enough so that busting personal SR buyers is just too costly.

Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: sourman on September 06, 2013, 06:24 am
I don't think this is exactly news. What about users that don't have a semi-permanent wallet address or anything else linked to them?

If, say, someone buys coins from a dealer on localbitcoins and then sends them directly to SR while using tor the entire time, what's the point of finding the originating wallet? If your personal information and IP aren't tied to the account, it's useless to LE. They aren't going to pull surveillance tapes to catch people ordering weed online.

Who knows, they may copy the music industry and try to make an example of a few buyers, but even then their cases would be weak and even diehard conservatives would call it a joke. Getting caught just isn't likely unless there's a major screw up, or you happen to be very, very unlucky and win the fail lotto of "there's-always-that-chance".
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Kalli on September 06, 2013, 06:28 am
So Sr's tumbler is useless ?  :o

It's useful for concealing whom you paid money to. It's not useful for concealing that you sent money to a Silk Road wallet. But that's already known since 2011 or so, if I remember correctly.

This is correct. Plenty of legal, or at least more legal but still not quite items are available on the silk road, often cheaper than you would find in real life.

Such as Moonshine!

Classic bait-and-switch title, Forbes. Regarding large-scale buyers/vendors, I agree lack of BTC anonymity is cause for concern, but any such people should have already known this for years now and are probably taking appropriate measures. The rest of us casual users, while we should be using some of the methods described above, need not evacuate our bowels into our shorts. Three points I'd like to make:

1. One point I have been arguing over and over is that small time buyers of personal amounts need not really lose sleep over the safety of receiving drugs in the mail (with a few caveats), as we are MUCH more vulnerable on the BTC/tech end of things, e.g. the recent FH hack. Receiving stuff in the mail, even signing for it, doesn't hold up well for a conviction in court minus any evidence of a purchase or intent, as long as there is no self incrimination.  I would be much more worried about recent Snowden revelations that the feds have poured lots of money into breaking commonly used internet cryptography (we must assume that TOR and PGP are included). It may be the NSA chasing terrorists now, but the know-how will eventually filter down to the FBI et al.

2. While it is possible for skilled experts to do traffic analysis on anyone using bitcoin carelessly, LE does not have the resources to do this on hundreds of thousands (eventually millions?) of SR users. They will go for the big fish. Not to mention there is no evidence AT ALL if you buy BTC for CASH and use an anonymous wallet/VPN/email etc! If you're still using an exchange, WTF? Localbitcoins/SR vendors or GTFO.

3. Even if the authorities can prove you sent funds to an SR wallet, what are they going to charge you with? Sending money to a website that among other things sells illegal drugs? They would still need to hack your SR account to obtain the details of your transactions, AND would most likely need to search your house/property for some evidence of said drugs to obtain a conviction (which requires a warrant in most jurisdictions). I'm talking about Western countries here, anywhere else they'll fuck you with any inkling of wrongdoing. But generally speaking, in developed countries the burden of proof is quite high, enough so that busting personal SR buyers is just too costly.

Excellent, sensible post +1 karma dude ! (or dudette !!!)
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: fuckmadagascar on September 06, 2013, 07:27 am
In this thread: People demonstrate how you can follow Bitcoins through their transactions thanks to how the blockchain works. Also, no one got "busted."


Nothing in this thread should be new if you're on SR and have some common sense. Except for maybe unbeknownst, giving some reassuring words to an otherwise gloomy thread.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: jagfug on September 06, 2013, 07:45 am
What a bullshit paranoid thread.

The Obama administration is too busy committing war crimes to be concerned with us. In fact they want us drugged, which is why this site continues unabated.

What a bunch of paranoid motherfuckers.

So sad.

Would not want to party with the likes of you.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Baraka on September 06, 2013, 08:25 am
What's wrong with just using the Bitcoin Qt client and running it off your own Tor proxy (Settings->Options->Network)? That's the only way I roll. You do your cash for BTC trade off of Localbitcoins or whatever. Your coins are received in a temporary holding wallet. Right after that you transfer your coins to a newly created address in the Qt client wallet on your own computer. After enough confirmations you then transfer the same coins to your SR address. The transaction is done through Tor and can't ever be tied back to you.

Don't use those public wallets for SR business. You can keep some coins there to diversify your holdings. That's all. Nothing serious. If you want to transfer them to SR then get them to your own wallet on your own computer first. Remember it's connected by Tor and the wallet is encrypted by a strong passphrase. I recommend Qt because it's the most secure of all the client wallets.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: kybzmsrf on September 06, 2013, 08:59 am
If what the article says was in any way new or an epiphany for you, I'd suggest to RTFM before you use "anonymous" ways of doing something.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: jeanmoulin on September 06, 2013, 10:31 am
Can someone name some good anonymous wallets?

Cheers
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: Baraka on September 07, 2013, 02:46 am
YES. BITCOIN-QT OVER TOR!!!
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: comsec on September 07, 2013, 03:28 am
Just read the bitcoin wiki on anonymity.

Summarized:

-don't mix inputs. always generate new addresses when receiving coins.
-use coincontrol https://bitcointalk.org/index.php?topic=144331.0
-move your coins around with a mixing service, tho technically SR escrow is a mixing service.
-don't use exchanges, cloud wallets, or other bullshit that wants ID scans. use localbitcoins or IRC p2p trade

Researcher would've just seen a bunch of coins moving around meaningless addresses if Forbes hadn't explicitly told her they deposited to SR.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: beefy on September 07, 2013, 06:10 pm
Great thread. Lots of valuable info.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: MarcelKetman on September 07, 2013, 11:22 pm
The only thing new here is that it appears so easy to uncover wallet address associated with SR. This hardly has me quaking in my boots though.
Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: zcabw58 on September 08, 2013, 08:22 am
I think it's the clustering that needs to be rethought out.
A way of tumbling without linking addresses together.

The underlying paper was discussed in this topic
http://dkn255hz262ypmii.onion/index.php?topic=208162.msg1499209#msg1499209

Title: Re: Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market
Post by: anontoker on September 08, 2013, 11:29 am
What a bullshit paranoid thread.

The Obama administration is too busy committing war crimes to be concerned with us. In fact they want us drugged, which is why this site continues unabated.

What a bunch of paranoid motherfuckers.

So sad.

Would not want to party with the likes of you.

Agreed. +1, they are after bigger fish. My area's LE is understaffed, lazy, fat, and into easy busts. Teens with grams of weed, and they consider that busting criminals. Some protection doesn't hurt but if you are that paranoid the dope must be good.