Last update: February 2, 2019 - The trojan skull.
You will find below information related to the Silk Road websites and forums.
Since the original work, some of the hyperlinks have gone dead because the original Silk Road forum was shut down. However, the screenshots are still valid and should hopefully provide enough understanding of the context and accurate information.
01/03/2011 - Silk Road Marketplace thread created on bitcointalk.org by silkroad advertising www.silkroadmarket.org and Silk Road Hidden Service http://ianxz6zefk72ulzz.onion. M
XX/06/2011 - HSI Chicago started monitoring unusual drug seizures from the Mail Branch related to the Silk Road. CHI
05/06/2011 - Two U.S. senators, Sens. Charles Schumer of New York and Joe Manchin of West Virginia, asked the Justice Department and Drug Enforcement Administration to shut down and investigate Silk Road. M
07/06/2011 - Hector Xavier Monsegur aka Sabu is silently arrested by federal agents and agrees to become an informant for the FBI. M
13/10/2011 - Homeland Security Agent Jared Der-Yeghiayan starts investigating Silk Road following the seizure of several letters containing drugs at O'Hare Chicago airport. HSI Chicago opened case Operation Dime Store to document the findings of the seizures coming into the mail branch. CHI
XX/11/2011 - Law Enforcement in Baltimore starts investigating Silk Road where agents from US Immigration and Customs Enforcement's Homeland Security Investigations formed the "Marco Polo" task force to target Silk Road and its administrators and will eventually make over 100 individual undercover purchases from Silk Road vendors. M
XX/11/2011 - Agents with Homeland Security Investigation conducted several interviews with a source in Maryland (CS-1). CS-1 had been selling drugs on Silk Road and ultimately turns over his or her seller's account and records of buyers' information. "Agents assumed the online identity of CS-1, including" the user account. Does not specify if limited to only the user account. MI
27/11/2011 - Oldest link of altoid job offer on bitcointalk crawled by the Wayback Machine. Mention of email address (screenshot). M
01/12/2011 - Silk Road .onion address updated to http://silkroadvb5piz3r.onion. F
26/12/2011 - Vendor googleyed1 registered on Silk Road forum. F
29/12/2011 - chatted with VJ again today. Him coming onto the scene has re-inspired me and given me direction on the SR project. DJ
01/01/2012 - I need to get DigitalAlch set up handling the resolutions, and it just seems like Variety Jones gives me broad sweeping tasks on a daily basis. DJ
03/01/2012 - HSI Baltimore SA Gregory Miller opened investigation BA13CR12BA0016 and stated in ROI 001 that on December 29, 2011, their CI began telling them some details about the Silk Road website. MI
09/01/2012 - DPR posted a message titled, "State of the Road Address," in which he announced, among other things, a change to Silk Road’s commission rate. NY
10/01/2012 - Vendor tony76 registers an account on Silk Road forum. F
13/01/2012 - HSI Chicago has over 19 reports, 200 seizures, identified multiple vendors/targets, coordinated POE's and case information with multiple HSI attaché offices, signed up a CI and had met with the AUSA's office to prosecute the case. CHI
01/02/2012 - Meeting between HSI Chicago and Marco Polo Task Force (Baltimore) in order to solve differences about how to proceed with the Silk Road investigation. During that meeting Baltimore said it was shutting down Silk Road soon.
02/02/2012 - Nomad bloodbath, Global Administrator of SR, comes back after almost 2 months of absence. He posts a message on SR forum to apologise. F
03/02/2012 - TrustInJones account registered on the forum. F
05/02/2012 - Account Silk Road changed to Dread Pirate Roberts. F
11/02/2012 - StExo registers an account on the forum. F
13/02/2012 - Digitalink last active on Silk Road forum. F
26/02/2012 - Opening of the Armory Hidden Service at ayjkg6ombrsahbx2.onion. F
05/03/2012 - “Ross Ulbricht” creates the account "frosty" on Stack Overflow allegedly with the email address rossulbricht@gmail.com. (screenshot)
06/03/2012 - Hector Xavier Monsegur is revealed to be Sabu. M
13/03/2012 - Opening of the Vendor Roundtable, a part of the forum accessible only by SR vendors. F
13/03/2012 - Last post of Variety Jones for the next 8 months. F
27/03/2012 - HSI SA Miller informs HSI SA Der-Yeghiayan that he had been pulled from the investigation and the investigation was reassigned to SA McFarland because they needed to transform their case by using a certified undercover agent. MI
27/03/2012 - SA McFarland opens case BA02CR12BA0026 and starts by sending multiple collaterals to other offices to conduct surveillance on multiple targets associated with the account they took over from their former informant (SR vendor Digitalink). McFarland also creates an unofficial task force comprising multiple agencies, including DEA, Postal Inspectors, IRS and Secret Service. MI
30/03/2012 - Limetless registers an account on Silk Road forum. F
xx/04/2012 - Undercover (UC) Agent started communicating with Dread Pirate Roberts (DPR). The UC claimed to be a drug smuggler who specialised in moving large quantities of drugs. MI
xx/04/2012 - Undercover (UC) DEA agent from the Marco Polo Task Force (Baltimore), Carl Mark Force IV (FORCE) starts communicating with Dread Pirate Roberts (DPR). SF
xx/04/2012 - Tony76, a vendor of heroin, stimulants and psychedelics from Canada, scams a lot of users on Silk Road. M
xx/04/2012 - HSI Chicago developed a new informant and informed HSI Baltimore of development. CHI
14/04/2012 - SquidShepard appointed moderator of the forum. (screenshot). F
19/06/2012 - First time DPR signs a message on the Silk Road forum using "GnuPG v1.4.11 (GNU/Linux)". (screenshot) F
28/06/2012 - Federal search warrant executed at Sheldon Kennedy's residence. He waives his Miranda rights, and acknowledges selling drugs/guns on Silk Road; turns over all records, shipping information and his financials. MI
12/07/2012 - User Scout registers an account on the forum. F
13/07/2012 - DigitalAlch is "done traveling the Road", resigns from his administrator position and quits Silk Road to settle down. The new forum admin is Indica|Sativa. F
16/07/2012 - Last connection to Silk Road forum of global moderator DigitalAlch. F
xx/11/2012 - DPR hired an individual who was paid a salary and is referred to as "The Employee". "The employee"'s responsibilities included responding to questions and complaints from buyers and sellers, resolving disputes between buyers and sellers, and investigating possible LE activity on Silk Road. MI
01/11/2012 - Last post of DoctaFeelgood on the forum. F
03/11/2012 - User Flush registers on the SR Forum. F
11/11/2012 - User 0x404243 posts a message on SR forum containing the alleged hashed password of a user. He is threatening to leak Silk Road DB if DPR doesn't contact him at h0x404243@tormail.org with the corresponding username. (screenshot). F
12/11/2012 - chronicpain's last post on the forum (screenshot). F
12/11/2012 - DPR returns from 24 hours completely silent and explains the site is experiencing technical issues and he is the only one able to fix the problem. DPR wants to be sure there aren't any security breaches before bringing the site back up. Several updates of the situation follow (screenshot). F
12/11/2012 - UC DEA agent from the Marco Polo Task Force (Baltimore), Carl Mark Force IV (FORCE), obtains information from Homeland Security Investigations (HSI) about an individual (named "AA") being considered as a possible suspect for DPR. ("AA" stands for Anand Athavale). SF
14/11/2012 - Inigo says he is joining SR Support. F
15/11/2012 - Silk Road is down again and there are people claiming responsibility for the downtime and making threats (update 2254 UTC 11/15/2012). F
17/11/2012 - Some "OLD hats" complain about how the Silk Road downtime incident was handled and do not trust the "NEW DPR" (screenshot). F
19/11/2012 - Several users complain DPR's PGP signature keeps failing upon verification (screenshot). F
20/11/2012 - astor registers an account on the forum. F
27/11/2012 - DoctaFeelgood last active on the forum. F
07/12/2012 - Undercover agent complains about Silk Road buyers wanting "very small amount" and "it really isn't worth it for him to do below 10kg". MI
07/12/2012 - DPR mandates "The employee" to solicit the top sellers on SR susceptible to move large quantities of drugs from UC. MI
08/12/2012 - DPR replies to the UC "Hey, I think we have a buyer for you. One of my staff is sending the details". MI
09/12/2012 - The Employee (using the support account SR Support) contacts the undercover agents saying he found a buyer who could purchase substantial quantities of drugs from the UC. The buyer is already established as a big seller on SR and plans to resell the drugs on SR. MI
17/12/2012 - The SR buyer ("The Vendor") negotiates w/ Undercover Agent. MI
19/12/2012 - StExo’s last post on the forum for close to 5 months. (He also deletes all public posts from this date and prior. Next post is in public keys on May 7, 2013). F
19/12/2012 - Silk Road is hacked. Someone changed product images and added bitcoin addresses to the listings (screenshot). F
19/12/2012 - Some vendors complain about the lack of information after the incident and suggest taking the site down (screenshot). F
14/01/2013 - Undercover Agent tells DPR he won't ship through US Post. MI
15/01/2013 - Undercover Agent tells DPR "I'm sending my goons instead, ok?" MI
17/01/2013 - Feds acting as couriers deliver 1kg of coke to "The Employee". MI
17/01/2013 - Upon receiving confirmation of the delivery "The Vendor" sends Undercover Agent ~$27,000 worth of BTC. MI
17/01/2013 - Arrest of Curtis Clark Green for cocaine possession. M
17/01/2013 - Curtis Green turns over his Silk Road administrator account "flush" to members of the Baltimore Silk Road Task Force authorizing them to use and assume the "Flush" identity. SF
17/01/2013 - Force logs into the “Flush” account and changes the login password in order to secure the account for undercover purposes. NY
20/01/2013 - Concerned about flush's whereabouts DPR at some point cut off the "Flush" account's access, but through communications with DPR, Curtis Green is able to regain access to the account and pass that information onto the Baltimore Silk Road Task Force. SF
23/01/2013 - Vendor modziw is looking to buy wholesale/bulk cocaine. Some users mention a vendor going by the name "nob" has a kilo of cocaine listed (screenshot). F
23/01/2013 - Undercover DEA agent Carl M. FORCE IV transfers 60 bitcoins into a DEA-controlled account known as "TrustUsJones." SF
23/01/2013 - FORCE emails another member of the Baltimore Silk Road Task Force, US Secret Service agent Shaun BRIDGES, requesting that BRIDGES deposit bitcoins to replenish the "TrustUsJones" account. SF
23/01/2013 - 60 bitcoin transferred from Silk Road buyer account "Number13" into "TrustUsJones". SF
25/01/2013 - According to BRIDGES' report of the interview, Curtis Green debriefed by FORCE, BRIDGES, and other members of the Baltimore Silk Road Task Force, shows them Silk Road administrative functions. SF
25/01/2013 - US Secret Service agent BRIDGES leaves the proffer session. SF
25/01/2013 - The account "Number13", previously an ordinary buyer account on Silk Road, is given vendor privileges. SF
25/01/2013 - The "Flush" account makes a transfer of approximately 900 bitcoins into the account "Number13". SF
25/01/2013 - Bitcoins start being stolen from Silk Road and Silk Road vendors and deposited into Bitcoin address 127B3qwztPyA67uq63LG8G5izwhFcJ7j4A. The first transaction into that Bitcoin address was a deposit by account "Number13". "The thefts were accomplished through a series of vendor password and pin resets, something that could be accomplished with the administrator access that C.G. had given to the Baltimore Silk Road Task Force." A total of 20,073 bitcoins is believed to have been stolen. SF
26/01/2013 - A co-conspirator employee ("CC-1") informs Dread Pirate Roberts that he had determined "The Employee" had stolen the Bitcoins from various vendor accounts. CC-1 says to DPR "you always have me at your disposal if you locate him and need someone to go handle it". NY
26/01/2013 - Dread Pirate Roberts tells Undercover Agent "The Employee got busted! Also, he stole funds from Silk Road users. Beat him and get the money back, kthxbai". MI
26/01/2013 - DPR communicates to Nob (FORCE) that Silk Road had suffered thefts and that those thefts were associated with Curtis Green "Flush" account. Law enforcement questions Curtis Green about the theft, and Curtis Green denies that he had committed any theft. SF
26/01/2013 - Flush, Global Moderator last active connection on SR forum. F
26/01/2013 - Inigo informs DPR that he has successfully stopped the theft of Bitcoins by resetting Flush’s password, thereby locking "Flush" out of his account. NY
27/01/2013 - Dread Pirate Roberts informs another co-conspirator (“CC-2”) regarding the Bitcoin theft and says he has a copy of "The Employee"'s driving licence. Both discuss the possibility to "terminate The Employee". NY
27/01/2013 - Vendor googleyed1 says his account has been hacked and accuses one of the Silk Road staff of having stolen all his coins and changed his password. According to googleyed1 the same incident happened to several "Top Vendors" (screenshot). F
27/01/2013 - Number13 complains to DPR that Bitcoin were stolen from his account. SF
27/01/2013 - Dread Pirate Roberts is afraid the employee will give up info as he was on the inside for a while; he knows too much. DPR asks the Undercover agent to kill the employee. MI
29/01/2013 - DPR agrees to pay $80,000. "Half down now and half after the job is done". MI
30/01/2013 - googleyed1 account is restored and "everything is smooth again, panic over" (screenshot). F
31/01/2013 - DPR asks for a status update and if the assassins can handle it. He's been told to send the $40,000. MI
04/02/2013 - DPR, via anonymous Technocash transfer, sends $40,000. MI
05/02/2013 - DPR says "pics or it didn't happen!" also "he knows waaay too much". MI
05/02/2013 - DPR tells "CC-2" that "nob" had captured "The Employee" and that they were interrogating him. Several hours later, DPR tells CC-2 that "Nob" had confirmed that the Employee had been executed. NY
06/02/2013 - User Silk Road deletes most of the content on the Silk Road Wiki (screenshot). F
07/02/2013 - Users scout and samesamebutdifferent are the only moderators left (screenshot). F
08/02/2013 - The UC states the assassins are in place, ready to torture him and get the money, but are now waiting for the Employee to be alone because the Employee lives with his daughter and wife. MI
11/02/2013 - Last connection from SR Forum moderator chronicpain. F
11/02/2013 - TrustInJones last active on the forum. F
12/02/2013 - Undercover Agent tells DPR the "Employee is still alive but being tortured". MI
12/02/2013 - Googleyed1 posts an enigmatic message on the forum warning other vendors about a seller (screenshot). F
12/02/2013 - US Secret Service Agent BRIDGES registers a personal limited liability company called "Quantum International Investments, LLC," (Quantum). SF
16/02/2013 - Undercover Agent sends staged photographs of The Employee being tortured. MI
19/02/2013 - Undercover Agent tells DPR that the Employee died during the weekend but that he is waiting for an update. MI
21/02/2013 - Undercover Agent tells DPR that The employee "died of asphyxiation/heart rupture" while being tortured and sends DPR a fake pic. MI
22/02/2013 - USSS Agent BRIDGES opened an account at Fidelity Investments (Fidelity) in the name of Quantum. SF
23/02/2013 - DPR tells "CC-1" he had successfully arranged the capture and execution of the Employee. NY
28/02/2013 - Undercover Agent tells DPR the Employee's body was completely destroyed to eliminate evidence and asked to make sure the second $40,000 was sent. MI
28/02/2013 - FBI has a lead on the possible location of the Silk Road server (193.107.84.4) and sends an official request for assistance to Icelandic authorities to obtain subscriber information, collect routing information for communications sent to and from the server and image the content of the server (screenshot). NY
01/03/2013 - Dread Pirate Roberts sends $40k via anonymous Technocash transfer. MI
06/03/2013 - BRIDGES' Quantum Fidelity account in the United States receives nine wire transfers from Mt. Gox totaling approximately $820,000. SF
13/03/2013 - Silk Road vendor FriendlyChemist began sending threats to DPR through Silk Road's private message system. FriendlyChemist stated he had a list of real names and addresses of Silk Road vendors and customers. FriendlyChemist threatened to publish the information on the Internet unless DPR gave him $500.000, which FriendlyChemist indicated he needed to pay off his narcotics suppliers. NY
14/03/2013 - FriendlyChemist further threatens to leak vendors and customers info. NY
15/03/2013 - FriendlyChemist provides DPR a sample of usernames, addresses and order information he wants to leak. He also sends DPR the username/password of a vendor he claimed to have hacked and obtained the data from. NY
16/03/2013 - RealLucyDrop says he is the "real" Lucydrop and warned vendors not to buy from the Lucydrop accounts. The "real" lucydrop has apparently spent some time in prison (between 2 and 7 months) and was fucked over by his partner who left with his work computer (screenshot). F
25/03/2013 - ddosd. someone knew the real IP. discovered the IP via a leak. migrated to a new server. DJ
25/03/2013 - redandwhite contacts DPR and introduces himself as one of the people FriendlyChemist owes money to. NY
26/03/2013 - A Reddit user claims to have discovered Silk Road's real IP address while the site was under maintenance. M
26/03/2013 - DPR responds, "I don’t owe FriendlyChemist any money" and proposes that redandwhite become a vendor on Silk Road. NY
26/03/2013 - Redandwhite hints at future lucrative business. NY
27/03/2013 - The Reddit user's claims about the IP address leak are confirmed to be false. M
27/03/2013 - DPR offers up FriendlyChemist's dox and mentions a possible execution. NY
28/03/2013 - being blackmailed with user info. talking with large distributor (hell's angels). DJ
29/03/2013 - FriendlyChemist (quiet 9 days after 3 days of threats?) delivers 72hr ultimatum before releasing the info, "5000 users details and about 2 dozens vendors identities". NY
29/03/2013 - DPR contacts redandwhite offering a bounty for FriendlyChemist. NY
29/03/2013 - commissioned hit on blackmailer with angels. DJ
30/03/2013 - redandwhite asks how he can help. NY
30/03/2013 - DPR asks for pricing and availability. NY
30/03/2013 - redandwhite pitches high "$150k - $300k". NY
31/03/2013 - DPR haggles over pricing "Don't want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80K". NY
xx/04/2013 - Stack Overflow email changed to "frosty@frosty.org". NY
01/04/2013 - Last posts of Nomad Bloodbath on the public forum. F
01/04/2013 - redandwhite states "Your problem has been taken care of... Rest easy though, because he won't be blackmailing anyone again. Ever". NY
01/04/2013 - got word that blackmailer was executed. DJ
01/04/2013 - UC FORCE creates a fictitious persona on the Silk Road website named "DeathFromAbove" that he will use to solicit a $250,000 payment from DPR and to provide DPR with the AA name and personal identifying details. SF
02/04/2013 - got death threat from someone (DeathFromAbove). DJ
03/04/2013 - DPR informs CC-2 that he had been blackmailed by "tony76" and paid a member of the Hell's Angel's "to hunt down the blackmailer". NY
03/04/2013 - got pidgin chat working with inigo and mg. DJ
04/04/2013 - Stack Overflow question updated from: "http://kpvz7ki2v5agwt35.onion" (Hidden Wiki) to "http://jhiwjjlqpyawmpjx.onion" (Tor Mail) (screenshot). M
04/04/2013 - At DPR's request redandwhite sent DPR a picture of the victim after the job was done, with a random number that DPR had supplied written on a piece of paper next to the victim. NY
04/04/2013 - received visual confirmation of blackmailers execution. DJ
05/04/2013 - a distributor of googleyed is publishing buyer info. DJ
05/04/2013 - gave angels access to chat server. DJ
05/04/2013 - DPR wrote redandwhite "I've received the picture and deleted it. Thank you again for your swift action". NY
05/04/2013 - redandwhite informs DPR that Tony76 worked with FriendlyChemist to blackmail him. NY
05/04/2013 - DPR says he "would like to go after Tony76" to question him and recover lost assets. NY
06/04/2013 - redandwhite tells DPR Tony76 is a drug dealer from the Surrey area in British Columbia, Canada, who "works/lives with 3 other people and they all sell product together". NY
06/04/2013 - DeathFromAbove writes to DPR, "It's not that easy [AA]. I'm legit. Green Beret. Friend of [C.G.]. I have access to TS/SCI files that FBI, DEA, AFP, SOCA would kill for. In fact, that is what I do ... kill. The only thing that I do . . . Don't worry DoD has no interest in you and your little website. North Korea and Iran are a lot more important. In fact, as far as the Army and Navy are concerned you are a nobody. Petty drug dealer. But, [C.G.] was somebody." SF
06/04/2013 - DPR orders a hit on Tony76 only. NY
06/04/2013 - gave angels go ahead to find tony76. DJ
08/04/2013 - redandwhite prefers to hit all 4 at the same time for a total amount of $500k, and split the recovered assets 50/50 with DPR.
08/04/2013 - DPR pays (3,000 @ $166/btc) $500K to a Bitcoin address designated by redandwhite. NY
08/04/2013 - sent payment to angels for hit on tony76 and his 3 associates. DJ
09/04/2013 - ssbd considering joining my staff. DJ
10/04/2013 - "DeathFromAbove" (FORCE) writes to DPR again, this time giving DPR details concerning AA including full name, date of birth, citizenship, address, and other personal identifying details. "Is that enough to get your attention? After watching you, there is no way you could have killed [C. G.]. But I think you had something to do with it. So, $250,000 in U.S. cash/bank transfer and I won't give your identity to law enforcement. Consider it punitive damages. Death From Above." SF
11/04/2013 - guy blackmailing saying he has my id is bogus. DJ
11/04/2013 - cimon told me of a possible ddos attack through tor and how to mitigate against it. DJ
12/04/2013 - Payment of 2,555 BTC to redandwhite Bitcoin address. This payment is not linked to any Silk Road event at the moment. BC
15/04/2013 - redandwhite informs DPR that "That problem was dealt with". NY
25/04/2013 - Nomad bloodbath posts on the vendor forum that he is taking a vacation break, but first he is offering to ship his skull artwork to vendors before opening the sale to the rest of the community. F
25/04/2013 - Nomad bloodbath creates a new PGP key. F
28/04/2013 - Silk Road site and forum victim of a DDOS attack (screenshot). F
2X/04/2013 - market and forums under severe DoS attack. Gave 10k btc ransom but attack continued. DJ
30/04/2013 - Gave smed server access. Switched to nginx on web/db server, added nginx reverse proxy running tor hs. reconfiged everything and eventually was able to absorb attack. DJ
30/04/2013 - Inlightof becomes Administrator of the SR Forum. F
30/04/2013 - Reddit users post vendors' email addresses on Reddit as Silk Road is down. The post will eventually be removed. A backup is posted on Silk Road forum (screenshot). F
01/05/2013 - Dread Pirate Roberts indicted in the district of Maryland under the placeholder name John Doe. The charges include "conspiracy to distribute a controlled substance", "attempted witness murder", "use of interstate facilities in commission of murder-for-hire". MI
01/05/2013 - Symm starts working support today. Scout takes over forum support. DJ
XX/05/2013 - FBI receives the server data requested in February 2013 from the Icelandic authorities. However, little activity is observed to/from the server indicating that it is no longer hosting a website. (As a result, the FBI did not request that Icelandic authorities proceed with imaging the server). NY
XX/05/2013 - Chicago HSI agent Jared Der-Yeghiayan issued a subpoena to Dwolla, a payments system company, for information regarding Karpeles and his holding company, Mutum Sigillum, LLC. CHI
01/05/2013 - LE agents in Baltimore and New York start working together on the Silk Road investigation. "Everyone had that little piece of the puzzle, then it was time to sit at the table and put it together". M
02/05/2013 - Attack continues. No word from attacker. Site is open, but occasionally tor crashes and has to be restarted. DJ
02/05/2013 - Libertas registers an account on the forum and becomes Global Administrator. F
03/05/2013 - Silk Road IP address is once again reported to have leaked on Reddit /r/silkroad. M
03/05/2013 - helping smed fight off attacker. site is mostly down. I'm sick. Leaked IP of webserver to public and had to redeploy/shred. promoted gramgreen to mod, now named libertas. DJ
04/05/2013 - End of the DDOS attack - "The site is back up. I'm not going to say we are out of the woods yet, but unless something unexpected happens, we should remain up for the foreseeable future" (screenshot). F
04/05/2013 - attacker agreed to stop if I give him the first $100k of revenue and $50k per week thereafter. He stopped, but there appears to be another DoS attack still persisting. DJ
05/05/2013 - Attack is fully stopped. regrouping and prioritizing next actions. DJ
06/05/2013 - working with smed to put up more defenses against attack. DJ
07/05/2013 - paid $100k to attacker. DJ
07/05/2013 - StExo’s first public post in close to 5 months; He posts two new PGP public keys. He has visibly edited as "< removed >" 37 prior pages of posts. F
08/05/2013 - Curtis Clark Green case filed in Salt Lake County (screenshot). M
09/05/2013 - US Secret Service Agent BRIDGES serves as the affiant on a multi-million dollar seizure warrant for Mt. Gox and its owner's bank accounts. SF
14/05/2013 - The Department of Homeland Security and U.S. District Court for the District of Maryland issued a Seizure Warrant for the funds associated with a Dwolla account belonging to Mt.Gox. M
18/05/2013 - Undercover HSI agent "mr.wonderful" creates an account on the forum. F
26/05/2013 - tried moving forum to multi .onion config, but leaked ip twice. Had to change servers, forum was down for a couple of days. DJ
29/05/2013 - StExo announces his “scraping the Road” project, hosted on FreedomHosting, explains this is an archive of all vendor pages so that buyers can still access vendors in the event of emergency. F
29/05/2013 - Chicago HSI Agent Jared Der-Yeghiayan, sought a search warrant for Karpeles’s e-mail account, swearing in a draft affidavit that he suspected Karpeles of being the Dread Pirate Roberts. CHI
29/05/2013 - paid attacker $50k weekly ransom. DJ
29/05/2013 - $2M was stolen from my mtgox account by DEA. DJ
29/05/2013 - added smed to payroll. DJ
30/05/2013 - Last post of grahamgreene on the forum. F
30/05/2013 - spoke to nob about getting a cutout in Dominican Republic. said he knew a general that could help. DJ
XX/06/2013 - DPR pays 400 bitcoins ($40,000) for fraudulent identification documents that Nob was supposed to provide to DPR. SF
XX/06/2013 - tried to get a fake passport from nob, but gave fake pic and fucked the whole thing up. nob got spooked and is barely communicating. said his informant isn't communicating with him either. DJ
01/06/2013 - someone claiming to be LE trying to infiltrate forum mods. DJ
01/06/2013 - DPR requests chat with redandwhite. NY
01/06/2013 - IRS Agent Gary Alford found a post by "altoid" who asked for some programming help and gave his email address: rossulbricht@gmail.com. Alford took his findings to his supervisors and failed to generate any interest. M
02/06/2013 - loaning $500k to r&w to start vending on SR. DJ
03/06/2013 - put cimon in charge of LE counter intel. DJ
03/06/2013 - "Someone" logged into a server used to administer the Silk Road website from an Internet Cafe located near Ulbricht's residence. NY
05/06/2013 - DPR asks redandwhite for update on "dummy IDs". NY
05/06/2013 - Arrest of Casey Jones/truckin/Hughes a Silk Road buyer and seller. M
05/06/2013 - DPR tells SSBD in a private message "I’m going to move you back to being the primary mod on the forums. I’m going to keep paying you $1k/wk though....How does that sound? Be my forum mod?". NY
06/06/2013 - Icelandic authorities image the server 193.107.84.4. NY
06/06/2013 - German hosting provider Hetzner reports an unusually sophisticated attack on their system which resulted in their client database compromised. M
10/06/2013 - User account "shefoundme" sends a message on the Silk Road messaging system to Silk Road vendor KingOfClubs requesting high quality IDs. shefoundme will eventually order $1,650 of fake documents. NY
11/06/2013 - FBI New York Field Office discovers an apparent misconfiguration of the Silk Road hidden service user login interface revealing the IP address, 193.107.86.49, of the server (access logs supposedly showing law enforcement access to the .49 server from a non-Tor IP address). NY
12/06/2013 - The FBI issues a request to Iceland for Icelandic authorities to take investigative measures with respect to the recently discovered (leaked IP) alleged Silk Road server 193.107.86.49 (screenshot). NY
14/06/2013 - User Inigo removes administrative rights on the Wiki from Flush and Chronicpain (screenshot). F
19/06/2013 - Joint Search Warrant conducted by HSI Chicago (SA Der-Yeghiayan) and HSI Baltimore (SA McFarland) based on a new target developed by HSI Chicago. CHI
21/06/2013 - Last known vendors pages backup taken from Silk Road before the server migration (archive available in the download section). F
05/07/2013 - "KingOfClubs" confirms to shefoundme that he sent the fraudulent documents. NY
08/07/2013 - DPR tells another Silk Road user that he "needed fake ID" that he intended to use to "rent servers" explaining that he was "building up [his] stock of servers". NY
10/07/2013 - U.S. Customs and Border Protection intercepted a package from Canada as part of a routine border search. The package contained nine counterfeit identification documents, all with different names but with the photograph of the same person, Ross Ulbricht. NY
11/07/2013 - Cirrus registers an account on the forum and becomes global moderator. F
12/07/2013 - Coordination meeting with HSI Chicago, HSI Baltimore, FBI New York and multiple Department of Justice attorneys and CCSIP attorneys. At that coordination meeting, HSI Chicago mentioned Karpeles as their main target. CHI
18/07/2013 - KingofClubs provided shefoundme with the USPS tracking number as the package had not arrived yet. The check on USPS website indicated that the package was “inbound out of customs on the 10th,” the date on which the counterfeit identification documents were seized by CBP. NY
22/07/2013 - French hosting provider OVH is victim of an "advanced" security incident which allowed the attacker(s) to access their European customers database. M
22/07/2013 - DPR is approached on the SR forum by a user using the alias "notwonderful", who allegedly offered DPR information about the current LE investigation into Silk Road. M
23/07/2013 - Silk Road Server, 193.107.86.49, forensically imaged by Law Enforcement. NY
25/07/2013 - StExo archives Silk Road vendor pages. F
26/07/2013 - Homeland Security Investigations interview Ross Ulbricht about the intercepted package containing fake IDs. NY
29/07/2013 - The Reykjavik Metropolitan Police (RMP) shares the results of the Silk Road server image with the FBI. NY
29/07/2013 - French hosting provider OVH changes its TOS and bans the use of anonymity tools like Tor on their dedicated servers due to an increase of legal requisitions including but not limited to child pornography. M
29/07/2013 - US authorities issued an extradition warrant for Eric Eoin Marques. He is charged with distributing, conspiring to distribute, and advertising child pornography. M
01/08/2013 - Arrest of Eric Eoin Marques, alleged administrator of Freedom Hosting. M
01/08/2013 - "Nob" as DEA agent (FORCE) memorialized "Kevin", a corrupt Department of Justice case agent on the government's Silk Road investigation and simultaneously on Nob's payroll, as a cover story in a DEA-6. SF
01/08/2013 - Dread Pirate Roberts discussed a payment to "Nob" (FORCE) of 525 bitcoin, worth approximately $50,000 at the time, in exchange for "Kevin's" law enforcement information. SF
04/08/2013 - Freedom Hosting Hidden Service shut down. M
04/08/2013 - DPR pays "Nob" (FORCE) the 525 bitcoin for "Kevin's" inside law enforcement information. SF
05/08/2013 - ~shabang~ last active on Silk Road forum. F
14/08/2013 - Someone provides Dread Pirate Roberts with a copy of their ID. The name is however redacted so we can't see who provided it. NY
15/08/2013 - Last communication between DPR and "notwonderful" on Silk Road forum private messaging system. M
16/08/2013 - DPR grants administrative rights over the Wiki to Cirrus. CHI
22/08/2013 - DPR seems to have changed PGP software as the version doesn't appear anymore. F
26/08/2013 - "French Maid" (FORCE) writes to DPR: "I have received important information that you need to know asap. Please provide me with your public key for PGP. Carl". A few hours later, "French Maid" writes to DPR: "I am sorry about that. My name is Carla Sophia and I have many boyfriends and girlfriends on the market place. DPR will want to hear what I have to say ;) xoxoxo". SF
27/08/2013 - Vendor SuperTrips arrested at the Miami International Airport where he arrived on a flight from Europe. M
09/09/2013 - FBI obtains 2 warrants to search the content of servers maintained on behalf of JTAN.com by Windstream Communications Conshohocken Data Center (Pennsylvania). The search and seizure warrants are issued by the Eastern District of Pennsylvania, to search the content of servers assigned IP addresses 207.106.6.25 and 207.106.6.X. The IP addresses appear to belong to a Silk Road backup server, which was discovered following the forensic analysis of the Silk Road image taken in July 2013. NY
10/09/2013 - HSI Agent Jared Der-Yeghiayan is told the name Ross Ulbricht for the first time, by Internal Revenue Service agent Gary Alford, as a suspect in the Silk Road investigation. CHI
12/09/2013 - Plea agreement between the prosecutor and Curtis Clark Green. M
12/09/2013 - Got a tip from oldamsterdam that supertrips has been busted. contacted alpacino to confirm. DJ
13/09/2013 - The FBI admits being behind the malicious JavaScript code that was served on Freedom Hosting and having taken over the servers. M
13/09/2013 - french maid claims that mark karpeles had given my name to DHLS. I offered him $100K for the name. DJ
13/09/2013 - PGP encrypted message between DPR and "French Maid" (FORCE) including the subject line "Hope you like." SF
15/09/2013 - DPR makes a payment of 770 bitcoin to "French Maid" (FORCE), worth approximately $98,000. SF
16/09/2013 - Curtis Clark Green case is terminated and flagged as CLOSED (screenshot). M
1X/09/2013 - FBI applied and obtained an Order directing Comcast to install a trap and trace device and a pen register to determine the destination IP addresses of any communication originating from several IP addresses allegedly used by Ross Ulbricht, as well as the date, time, duration and port of transmission of such communications. NY
19/09/2013 - red pinged me and asked for meeting tomorrow. DJ
19/09/2013 - red got in a jam and needed $500k to get out. ultimately he convinced me to give it to him, but I got his ID first and had cimon send harry, his new soldier of fortune, to vancouver to get $800k in cash to cover it. red has been mainly out of communication, but i haven't lost hope. DJ
20/09/2013 - Atlantis shut down. DJ
25/09/2013 - was messaged by one of their team who said they shut down because of an FBI doc leaked to them detailing vulnerabilities in Tor. DJ
27/09/2013 - FORCE learns that DPR is about to be apprehended as part of the separate New York investigation into the Silk Road. In response to learning this information, FORCE wrote to the prosecutor with whom he was working inquiring as to the true name and identifying information of DPR. FORCE is not provided with that information in response to his inquiry. SF
27/09/2013 - Nob (FORCE) deposits the 525 bitcoins paid by DPR for "Kevin's" inside law enforcement information to his own personal account at CampBX. SF
30/09/2013 - HSI agent Der-Yeghiayan arrives in San Francisco in preparation of Ross Ulbricht arrest. CHI
XX/10/2013 - Contents of the server housing the private key used to control the Silk Road .onion address (62.75.246.20, the document contains a typo) are imaged by the Republic of France pursuant to a Mutual Legal Assistance Treaty request. NY
02/10/2013 - Screenshot of Cirrus computer taken by LE while chatting with DPR. NY
02/10/2013 - FORCE attempts to create an account with Bitstamp using identification documents in the name of his DEA-issued undercover identity (Nob). Bitstamp's verification process rejected these documents as not genuine. FORCE thereafter provided Bitstamp with his own personal identification documents. SF
03/10/2013 - Bitcoin talk is hacked again, apparently because of a backdoor from the 2011 hack (screenshot). M
04/12/2013 - In a narcotics related case, the US federal government applied for a search warrant to obtain the contents of emails and other details from a user account hosted by Microsoft. NY
20/12/2013 - Alleged girlfriend of a moderator/administrator of Silk Road posted a message on Reddit saying her boyfriend just got arrested. M
20/12/2013 - A post from Dread Pirate Roberts on the "journalist" subforum of Silk Road reveals that Inigo, Libertas and samesamebutdifferent (SSBD) provided their real identities at the request of the original DPR before taking their administrator positions. The post also seems to confirm SSBD was also a Silk Road 2 administrator under the name Synergy. F
20/12/2013 - DPR says to his staff that he has "no reason to be offline for any period greater than 24 hours" and that "If such time elapses (24 hours)" where he doesn't appear online everything associated with him should be considered compromised. F
21/12/2013 - Following the recent arrests, Silk Road moderator Sarge is quitting as he doesn't "wish to be a person of interest any longer" (screenshot). F
23/12/2013 - Silk Road marketplace closes for the Christmas period a few hours after the expected time (screenshot). F
28/12/2013 - Forum member Tang joins the moderators team as "Newbie Guide" and a long time forum member joins the Silk Road staff under the alias Stealth. F
28/12/2013 - Silk Road marketplace reopens after the Christmas break. F
21/01/2014 - In a criminal complaint against Sean Roberson, the FBI admits having "obtained a copy of a computer server located in France via a Mutual Legal Assistance Treaty request to France, which contained data and information from the Tormail email server, including the content of Tormail e-mail accounts". M
09/03/2014 - Mt.Gox CEO Mark Karpeles’ blog is defaced and an anonymised data dump of Mt.Gox's customers transactions, transfer and balance is uploaded. M
01/04/2014 - Ulbricht's Defense lawyer Joshua Dratel asked the court to dismiss all four charges in Ulbricht’s New York indictment, including a money laundering charge that he says doesn’t apply because the currency used for the alleged crime — Bitcoin — does not qualify as a “money instrument” under the law. M
24/04/2014 - Bitcoin exchange Bitstamp inquires why FORCE accessed his account through TOR, and FORCE responds via the support ticket: "I utilize TOR for privacy. Don't particularly want NSA looking over my shoulder :)", resulting in FORCE's account being frozen. SF
29/04/2014 - Bitstamp's General Counsel advises BRIDGES by telephone that Bitstamp suspects FORCE of wrongdoing. SF
01/05/2014 - Bitstamp formally brings to the attention of law enforcement via a Bank Secrecy Act filing its suspicion of FORCE activity. SF
02/05/2014 - FORCE emailed Bitstamp to request that they delete all transaction history associated with his account. SF
02/05/2014 - The U.S. Attorney's Office for the Northern District of California opens an official investigation into FORCE concerning his activities with his Bitstamp account and bitcoin holdings. SF
04/05/2014 - Carl Mark FORCE IV resigns from DEA. SF
08/05/2014 - FTI Consulting appoints former FBI Special Agent Christopher W. Tarbell managing director and member of the Global Risk & Investigations Practice (GRIP) in the Forensic & Litigation Consulting segment. M
29/06/2014 - Oracle, presenting himself/herself as a former Silk Road consultant/friend, publishes its "memoirs". M
01/08/2014 - Ross Ulbricht's lawyers filed a pre-trial motion to dismiss all charges in the case based on Ulbricht’s fourth amendment protections against warrantless searches of his digital property. Ulbricht argues that law enforcement violated his constitutional right to privacy. M
22/08/2014 - In a new indictment against Ross Ulbricht, US prosecutors add new charges of narcotics trafficking, distribution of narcotics by means of the internet, and conspiracy to traffic in fraudulent identification documents. M
05/09/2014 - Jacob Theodore George IV a/k/a Digitalink gets 6 years prison. M
05/09/2014 - Former FBI Agent Christopher Tarbell describes how he and another FBI agent located the Silk Road server in June 2013. NY
01/10/2014 - Ross Ulbricht's defense attorney produced a "Forensic Analysis" of the image of the Silk Road web server provided by the FBI, refuting the leaky captcha theory given by FBI Agent Christopher Tarbell as the way the FBI located the server. NY
15/10/2014 - Ulbricht trial moved from Nov. 10, 2014 to Jan. 5th, 2015. NY
05/11/2014 - The apartment of Blake "Defcon" Benthall, alleged administrator of Silk Road 2.0, is raided by the FBI. Law enforcement found $100,000 cash in the apartment and an unencrypted PC. M
07/11/2014 - Complaint filed in the Southern District of New York against "Any and all assets of the following darknet market": Silk Road 2.0, Alpaca, Black Market, Blue Sky, Bungee54, Cannabis UK, Cloud Nine, Cstore, Dedope, Executive outcomes, Fake ID, Fake Real Plastic, Farmer1, Fast Cash!, Hackintosh, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards Team, REPAAA's Hidden Empire, Smokeables, SOL's unified USD conterfeit's, Super Notes Counter, The Green Machine, Tor Bazaar, Zero Squad. NY
01/12/2014 - Federal prosecutors in New York notify Ross Ulbricht's defense of the investigation of former Baltimore SA Force. NY
12/12/2014 - Federal prosecutors in New York seek to use evidence of the "murder-for-hire" plots against Ulbricht, despite Ulbricht not being formally charged with them in the government’s indictment. NY
04/02/2015 - After three hours of deliberation, the jury found Ross Ulbricht guilty on all seven felony charges he faced, including drug trafficking, continuing a criminal enterprise, hacking, money laundering, and fraud with identification documents. M
04/02/2015 - Sealed Document as to John Doe signed by Magistrate Judge Ronald L. Ellis filed in Blake Benthall case related to Silk Road 2. NY
18/03/2015 - Shaun Bridges resigns from his position at the Secret Service's Electronic Crimes Task Force. SF
25/03/2015 - Criminal complaint filed in San Francisco against two feds who investigated Silk Road, DEA agent Carl Mark Force IV and US Secret Service agent Shaun Bridges. They are charged with wire fraud and money laundering. Force is also charged with stealing government property and "conflict of interest". SF
25/03/2015 - DEA agent Carl Mark Force IV is revealed to be the undercover agent who operated the account "nob" involved in Curtis Green's arrest and fake assassination. Under the alias "Death From Above", Force allegedly extorted DPR and under the alias "French Maid" he allegedly worked as an informant providing DPR with DEA intel. M
25/03/2015 - U.S. Secret Service Agent Shaun Bridges is accused of stealing money from Silk Road vendors using the account "Number13". SF
21/04/2015 - Sealed complaint filed against Roger Thomas Clark a/k/a "Variety Jones" a/k/a "VJ" a/k/a "Cimon" a/k/a "Plural of Mongoose". NY
04/05/2015 - US Embassy in Thailand requests the provisional arrest, for the purpose of extradition, of Roger Thomas Clark from Thailand. Clark is believed to be currently residing on Koh Chang Island, Thailand.
29/05/2015 - Ross Ulbricht sentenced to life in prison. M
16/06/2015 - Criminal information filed against Shaun Bridges a/k/a "Number13". SF
22/06/2015 - Criminal information filed against Carl M. Force IV a/k/a "French Maid". SF
01/07/2015 - Former Silk Road Task Force Agent, Carl M Force IV, pleads guilty to a three-count information charging him with money laundering related to his theft of over $700,000 in digital currency while acting as an undercover agent on the Task Force. SF
31/08/2015 - Former Silk Road Task Force Agent, Shaun BRIDGES, pleads guilty to money laundering and obstruction, admitting stealing $820,000 worth of Bitcoin. SF
29/09/2015 - After years of silence, Roger Thomas Clark a/k/a "Plural of Mongoose" starts a series of posts on the cannabis enthusiast board MyPlanetGanja, claiming that a rogue FBI agent approached him under an online pseudonym and provided inside information on federal investigations before they were made public. M
03/12/2015 - Roger Thomas Clark, a 54-year-old Canadian, is arrested in Thailand through a joint operation of the FBI, the Department of Homeland Security, the Drug Enforcement Administration and local Thai police. NY
04/12/2015 - US Justice Department unsealed a criminal complaint against Roger Thomas Clark a/k/a "Variety Jones" a/k/a "VJ" a/k/a "Cimon" a/k/a "Plural of Mongoose". NY
07/12/2015 - Former Secret Service agent Shaun Bridges a/k/a Number13 was sentenced to 71 months in prison after he stole money from Silk Road dealers while investigating the site. M
17/12/2015 - New criminal complaint against Roger Thomas Clark a/k/a "Variety Jones" a/k/a "VJ" a/k/a "Cimon" a/k/a "Plural of Mongoose" amended with extra charges. NY
12/01/2016 - Ross Ulbricht's defense filed a Brief on Appeal for a new trial describing misconducts and abuses in Ulbricht’s investigation and trial. M
22/02/2016 - In a response to Bridges's motion to unseal the search warrant used in his most recent arrest, prosecutors refused, claiming it would aid Bridges and "his co-conspirators (still at large) in covering up the full extent of their crimes [...] that took place both before and after the date of the entry of his guilty pleas". M
22/06/2016 - The International Business Times reported that the suspect regarding the December 4th, 2013, US warrant for Microsoft email stored in Dublin, Ireland is alleged Silk Road Administrator Gary Davis a/k/a Libertas. M
02/08/2016 - The defense team for Ross Ulbricht has filed a new reply brief in the 2nd Circuit Court of Appeals in their appeal of his conviction and sentence. Ulbricht's lawyer argues that abundant evidence of corruption in the investigation of Ulbricht that was not properly considered by the trial judge leads to his conclusion that Ulbricht's "convictions should be reversed, and a new trial ordered, and/or that certain evidence be suppressed, and/or that the case be remanded for re-sentencing before a different district judge." NY
12/08/2016 - Irish High Court ordered the extradition to the United States of alleged Silk Road administrator Gary Davis a/k/a Libertas. M
29/11/2016 - Ross Ulbricht defense team filed a letter with the US attorney’s office in Maryland saying it had found evidence that a still-unidentified rogue government agent using the alias "alpacino" a/k/a "notwonderful" may have sold information about the Silk Road investigation to DPR and may have later deleted evidence of the arrangement. M
28/02/2017 - Gary Davis' appeal against extradition to the US is refused by the Irish Court of Appeal and he has been put into custody ahead of his extradition to the United States. M
31/05/2017 - A Second Circuit appellate court rejected the appeal of Ross Ulbricht. M
Based on the Silk Road Maryland indictment, in April 2012 an Undercover (UC) Agent started communicating with Dread Pirate Roberts (DPR). The UC claimed to be a drug smuggler who specialised in moving large quantities of drugs.
During the following weeks DPR and the UC stay in touch.
On the 7th of December 2012, the UC complained about Silk Road buyers wanting "very small amount" and that "it really isn't worth it for him to do below 10kg".
DPR offers to look around to find a buyer for a large quantity of drugs.
He tasks someone known as "The employee" in the indictment with soliciting Silk Road's top sellers to find someone who could move large quantities of drugs from the UC. According to the indictment, the employee seems to have been hired sometime in November 2012 and is paid to respond to questions and complaints from buyers and sellers, resolve disputes between buyers and sellers, and investigate possible law enforcement activity on Silk Road.
In May 2012, the following users have high privileges on the Silk Road forum and are able to carry out administrative tasks:
DigitalAlch - Administrator.
Chronicpain - Global Moderator and Wiki administrator
Nomad bloodbath - Global Moderator.
Limetless - Global Moderator.
squidShephar - Global Administrator.
DigitalAlch will eventually "resign" on the 16th of July 2012, leaving the forum administrator position vacant.
It is not clear at this point whether someone else inherited the position.
If seniority and knowledge of Silk Road were to be taken into account, chronicpain would be a candidate of choice, as his is one of the oldest accounts and he is already administrator of the Wiki.
However, we haven't found anything suggesting that any of the other global moderators (or anyone else) replaced DigitalAlch as Administrator.
On the 3rd of November 2012 a user, flush, registers an account on the forum and a few days later starts to be active in what looks like a Silk Road support role.
I haven't found an official statement about flush's role, but his various posts (screenshot 1 and screenshot 2) on the forum strongly suggest that he has advanced privileges on the forum as well as on the Silk Road site:
He is helping users with technical issues
Has access to the Silk Road support mailbox
Has access to transaction numbers
He can reset user's PIN
Flush's last connection to the forum is dated 26/01/2013, which is also the date DPR informs the UC agent that "The employee" got busted.
Based on the information from the Maryland indictment, flush looks like a good pick for the "Employee" role in the assassination plot:
Hired in November 2012.
High privileges on Silk Road site and forum.
Support role, responding to questions and complaints, resolving disputes between buyers and sellers.
Last connection on the forum the day "the Employee" got arrested.
It is not really clear how flush got into that position after only a few days active on the forum.
It looks like his account was created on purpose for his support role. Maybe an active user created a new account for the support role only, in order not to mix it with his current account? Who knows...
Assuming Flush is "the employee" mentioned in the Maryland indictment, who could be the undercover agent? We don't know much about him except that he plays the big dog by introducing himself as "a drug smuggler who specialised in moving large quantity of drugs", a minimum-10kg type of guy. Suppliers selling in bulk or high quantity don't seem to be that common on Silk Road, so people have a tendency to remember them. One guy who seems to have attracted (screenshot) a lot (screenshot) of attention (screenshot) and questions (screenshot) for his listing of kilos (screenshot 1 and screenshot 2) goes by the name of "nob".
Some users on the forum even think the law enforcement scam (screenshot) is too big to be true (screenshot). In light of what will follow, the latter assumption might be relevant.
On the 12th of February 2012, a vendor going by the name googleyed1 posts an enigmatic message on the Vendor forum warning other vendors and DPR to not deal with nob:
"So I'm not going to say much but I feel some people should be warned, this seller has cost me 6 months work. It is very dangerous to deal with him and my honest advice is to avoid at all costs. DPR... I am just doing this to protect the other sellers, please understand this. I would not want even my worst enemy to go through what I have with this guy".
(screenshot).
Unfortunately, we do not have access to the vendor forum and the previous message was taken from a quote posted on one of the numerous threads related to nob. Access to the thread on the vendor forum that the quote was taken from would probably clear up some of the mystery. If anyone with access to the vendor forum roundtable could get the information it would be really useful. Backups of the vendor roundtable seem to be floating around; if you manage to get your hands on them, please consider sharing.
Updated 08/11/2013: Access to the thread on the vendor roundtable mentioned previously confirms googleyed1 warned other vendors not to deal with Nob. Most of them took the piss somehow, arguing it was so obvious Nob was LE that googleyed1 deserved to lose money. In an interesting comment googleyed1 stated Nob had the full backing of DPR. However, it seems googleyed1 didn't get asked by DPR directly but by "one of the MODS" who said DPR asked him to look around for a big vendor with an interest in working with a big vendor. As noticed by another vendor, in theory it could have been the "MOD" who took the initiative to back Nob; however, in another enigmatic message googleyed1 doesn't rule out this possibility and says "yes this is true, but there have been some other things I don't want to talk about" (screenshot 1 and screenshot 2).
This nob guy could be a good pick to play the part of the undercover agent (would you say it passes the duck test?).
Deals large quantities of drugs (or pretends to).
Prefers dead drop instead of recommended use of mail for delivery.
Doesn't have much positive feedback and no one ever claimed to have bought anything from him (maybe once in very small quantity).
The only user to have dealt with nob to some extent recommended that other vendors stay away from him at all costs.
Publicly says he wants to get in with DPR.
Suspected law enforcement.
A few days after the arrest of DPR, a thread starts on the forum where users speculate on the identity of the "Employee", the "Vendor" and the "Undercover agent".
A vendor, googleyed1 (remember the one sending the warning on the Vendor forum about Nob), replied to the thread in order to "clear some things up" (screenshot) and makes the following statements:
Googleyed1 is "The Vendor".
The guy who got busted was chronicpain former Silk Road administrator and "friend" of DPR.
Nob was indeed and without much surprise an undercover agent and Googleyed1 knew about it but for some reason DPR backed nob up and recommended him to Googleyed1.
Chronicpain offered to be a re-shipper for Googleyed1 and got the drug delivered at his place.
Chronicpain offered to be a re-shipper for a cut on the product which was destined to the Silk Road market (screenshot).
The drug was delivered via USPS and it wasn't a drop (screenshot).
DPR wasn't involved in the transaction and didn't participate in it; he only backed nob (screenshot).
Googleyed1 being based in the UK, it is possible nob didn't want to ship to Europe. As chronicpain was involved from the beginning, googleyed1 probably asked him to act as his re-shipper, offering him a cut on the delivery.
Chronicpain would then have shipped the whole product to the UK for googleyed1 or sold it through the US on behalf of googleyed1. In any case it looked like Googleyed1 was quite confident the deal would go through and started advertising his new product on the forum (screenshot).
It might be surprising to have chronicpain involved in this deal as flush ticked all the boxes to be "The Employee". However, looking at the timeline and other particularities of both accounts, one could extrapolate that the same person managed both handles :)
On the 12th of November 2012, a few days after flush registered on the forum, chronicpain writes his last post in a style really close to that of someone having some support responsibilities (screenshot). Some of his latest posts also have a similar "tone".
On the 26th of January 2013, last connection from flush on the forum. The exact same day "The employee" is reported by DPR to have been busted.
On the 12th of February 2013, last connection from chronicpain on the forum. The following day the UC sends a message to DPR telling him "Employee is still alive but being tortured".
As suggested previously, it would have made sense for chronicpain to be "promoted" to SR Support staff since he was one of the longest-serving forum moderators and administrator of the wiki.
A "Flush" is also a poker hand such as Q♣ 10♣ 7♣ 6♣ 4♣, where all five cards are of the same suit, but not in sequence.
We don't want to mention the overuse of ellipsis (...) in both writing styles but we have to... since it is noticeable.
Googleyed1 is 100% confident chronicpain was the "Employee" who got busted. It could be explained by the fact that chronicpain was using his "chronicpain" handle to communicate with googleyed1 and his "flush" handle to communicate with UC/nob.
The assassination plot seems partially solved according to this theory. However some questions remain unclear:
Why did DPR get involved with nob, when many users seem to have seen the scam from miles away? Googleyed1 suggested DPR got sweet-talked and saw the commission (understand money $$$ here) from a big seller.
Why did Googleyed1, apparently suspicious of nob from the beginning (like everyone else), agree to deal with him, even if he was backed by DPR?
Did chronicpain/flush really turn rogue before the bust and steal the alleged Bitcoins from several top vendors?
Why is googleyed1 bragging about being the "Vendor"? It is a bold move to admit having been part of a drug deal mentioned in a court indictment involving the prime suspect of a high profile drug market place while at the same time the police are arresting buyers and sellers worldwide. Keeping a low profile would be a smarter tactic, considering the other two persons involved are behind bars. Unless...
Ross Ulbricht, who was arrested on 2/10/2013 and is allegedly Dread Pirate Roberts, seems to have made some obvious mistakes online regarding his real identity which helped law enforcement to identify him and arrest him. Plenty has been said about his bad "opsec" and there isn't much to add about it for the moment.
However, there are still some really interesting "characters" in this story. "The Employee" is one of them, and he has not received much attention despite the fact he played an important part in the "first act" of the DPR investigation. In the following lines we will try to find out a bit more about him and whether the theory of chronicpain/flush being "the Employee", as already discussed in "The Employee assassination plot" above, holds. What follows is not a parallel construction and the observations are based on a timeline following our findings.
The only information we've got about "The employee" can be found in the Maryland indictment. Following our theory of chronicpain/flush and the Employee being the same person, another set of information we can rely on is the posts from chronicpain and flush on the Silk Road forum [1]. We've compiled below a list of "quotes" and "facts" extracted from various posts of chronicpain [2] (the posts from flush being minimalist).
"I am in charge of a web site that sells products and takes credit cards every day. I do go thru authorize.net"
"I am very opiate tolerant"
"Opana is not oxycontin, It's much much stronger"
"Opana is Oxymorphone not hydrocodone"
"Most of you know that Im all about harm reduction"
"Im not a smoker"
"I was a paramedic for 20 years and went through nursing school. Like I said in another thread, I couldn't finish due to an accident."
"Experience with Drupal? I have made my last 2 sites with it and absolutely love it...Easy to manage, change things, etc.."
"That's exactly what happened to my wife. It took a 3 month stint in jail to get her sober. She has been clean and awesome for over 10 years."
"There are a lot of other forums, like poppies.org, opiophile, bluelight, etc that is in clearnet (they talk about much more and with much more detail than here) I have never heard anyone get into trouble."
"My daughter (who just got married) had her mail returned because she used her married name instead of her maiden."
"In fact when I was getting adderall, when they first went generic on the ER"
"Technically, an 80mg oxycontin is equal to 40mg of opana ER. TAKEN ORALLY!! Now, if you snort them, 40mg of opana is 2 or 3 times the strength vs a snorted 80mg oxy. IV its about 3-4 times the strength. Would you consider getting an oxycontin 80mg for 15 or 20 bucks? thats basically what you are paying if you buy an opana 40mg ER for around 60 bucks."
"I could barely make a profit with my lost luggage delivery service. I would get paid between 20-100 bucks a bag, depending on where it had to be delivered. with only one airline, I had about 10 vehicles and there was no way I could go more than a couple hundred miles away from the airport. I eventually had to give it up because I was losing too much money. I guess you could get a taxi network going. Have one taxi hand it off to another taxi, etc. but the costs are going to be so high, it just wouldnt be worth it. Plus, with usps/fedex/ups how can you compete with their prices and delivery times?"
"For those under 45 years old"
"Luckily I got a position with my dads company"
"Used to be in the movie business. I couldn't stand when the actors had to use the clove cigarettes."
"Used to live in the costa del sol.... Gotta love Malaga, Motril, Jaen, Granada.... I liked Sevilla as well, but Cadiz, and Malaga were my favorites....... (the summer is very hot) but the winters are mild and the spring and fall are just superb......"
"When i used to be a manager at high very popular cell phone chain"
"Are you getting the the OP 80s or the old school 80's"
"I usually get Mallincrodt brand roxies."
"I have gotten this message a few times. I never say ok. but it does come up every once in a while. Its not silk road either, I just tried to send an email with hushmail and got the same message not 2 minutes ago.."
"Never say " I have ten pounds of such an such, How do I iv it?" instead, you would say "I've heard that you can do such and such with this, is this correct? any advice?" That way you aren't implicating yourself in anything. there are a lot of other forums, like poppies.org, opiophile, bluelight, etc that is in clearnet (they talk about much more and with much more detail than here) I have never heard anyone get into trouble. (not saying that nobody has) just don't implicate yourself or others. Never mention any specif items that could identify you or others in any way. It's not that hard."
"I will get a touchpad for sure, ill just keep looking, dont want to pay more than 200 bucks for one.. the one I found was 250"
"I am a semi-pro poker player. I used to be a full on pro poker player. Since I can't play online in the states anymore its made it much more difficult."
"I have cashed in 2 WSOP events and many other events".
"I have started to gamble a bit in sports.. If you know what your doing and have control, you can make a lot of money..."
It isn't much, but we can already draw a low-hanging-fruit profile of the dude (assuming whatever he says is true).
He is in his 40s (probably late 40s), has a wife and a daughter who is married.
He seems to be very knowledgeable about pharmaceutical drugs with a keen interest in and need for everything related to opioids (Oxymorphone, oxycontin, opana etc.) and benzos.
His nickname could imply that he might be suffering himself from chronic pain (thus the pharmaceutical drug knowledge and use).
He campaigns on drugs harm reduction.
He likely spends some time on other boards and forums like poppies.org, opiophile and bluelight.
He is a drug user as well as a seller on Silk Road.
He is quite technology aware (GPG, Drupal, Touchpad, etc.)
He is a "semi-pro" poker player and used to be a "professional player". He cashed in two World Series of Poker events.
He used to be a paramedic for 20 years before an accident.
He used to be a manager for a cell phone chain.
He used to be in the movie business.
He used to have his own transportation business.
He used to live in Spain.
He is a keen gambler.
A quick Google search on his nickname does not help much, as it returns far too many results on chronic pain symptoms, management, treatment and relief. We need to narrow the search scope.
Using specific combined keywords.
Limiting the search scope.
The boards and forums mentioned previously look like a good start to limit the scope of the search. Searching for the nickname "chronicpain" has the annoying effect of returning large numbers of unrelated results on chronic pain treatment and relief. "Flush" also has that really frustrating habit of returning all sorts of things that can be flushed somewhere.
We need to focus on the content of the posts which could help us match the profile of chronicpain rather than an unlikely look-a-like nickname.
The method we followed here is:
Search keywords unrelated to the forum's main interest/topic in order to hit posts engaging in personal discussion related to the person we know something about ("costa del sol", "poker", "wife", "daughter", "silk road", "paramedic", "transportation service" for example).
Quote exactly full or part of messages posted on Silk Road within the scope of the forum, in this case drug related ("Im all about harm reduction", "I am very opiate tolerant", etc.).
Within the results returned, go through the different posts and extract the poster nickname which could fit a potential candidate.
Run the two previous search types against the posts of the candidate.
Extend searches of potential candidate attributes (email address, nickname, habits etc.) to search engines.
Start again.
We're not going to go through the long and boring process of the combined searches but it was possible to isolate an interesting profile named pokergooch.
One of the early forums pokergooch subscribed to is bluelight.ru, in 2006. A few years later, in 2009, he became an active member of another drug related board, opiophile.org. They are both quite famous drug related forums which have also been mentioned several times by chronicpain (screenshots) on Silk Road.
From his different posts on both forums we can see a quite deep knowledge of and interest in pharmaceutical drugs and how to use them for pain relief (preferably without using the intravenous method), characteristics also shared with chronicpain. Like chronicpain, pokergooch has a wife and a daughter whom he likes talking about. Pokergooch's first post on opiophile.org (screenshot) is actually about his wife and how she is drug tested on a weekly basis and tested positive for methamphetamines. Through several posts we also learn that both pokergooch's daughter and chronicpain's daughter are on Adderall (screenshot).
Digging further, other interesting similarities between chronicpain and pokergooch can be highlighted [3]. They both:
Recommend the use of a combination of clonidine, loperamide and benzos (Xanax) against opiate withdrawal. This combination doesn't seem to be the only one and others might recommend something different. (screenshots).
Have very bad headaches as a side effect of the absorption of Neurontin. (screenshots).
Need testosterone due to low sex drive caused by the large amount of opiate consumed. (screenshots).
Are very cautious about the use of fentanyl. (screenshot).
Registered on Silk Road and its forum within a few days of each other. (screenshots).
Seem to like to tell that anecdote, which happened 10 years ago, about that Canadian scammer who disappeared with quite a lot of cash. (screenshots).
Lived in Spain. We can find on Picasa an account belonging to "pokergooch" geotagged in Spain where the picture of a dog is posted (sasha.jpg). (screenshots).
We certainly don't have enough to assert pokergooch and chronicpain are the same person, but it looks like we are on a good path.
Pokergooch, as his nickname implies, is also a keen poker player who, by his own account, makes most of his income playing poker at a pro/semi-pro level (screenshot). Interestingly enough, it is another particularity he shares with chronicpain (screenshots). Extending the search of "pokergooch" on different search engines returns extremely interesting results:
A post on a poker forum from a user named "gooch" provides us an MSN username and an email address. You'll note a certain irony in the choice of the email address (screenshot).
The same email address has been used as email contact for a website named "anytimeairportshuttle.com" registered in Spanish Fork, Utah. Pokergooch also seems to be from Utah (screenshot 1 and screenshot 2).
For some reason the Curtis Green listed on the Hendon Mob website player profile is marked as coming from Itasca, Illinois. It is probably a mistake since the official WSOP website for the 2010 WSOP event in Las Vegas lists him as coming from Spanish Fork, Utah (screenshot).
If you Google image search "Curtis Green Utah" there's a pic of the Silk Road logo which leads to the Twitter account of a certain Curtis Green (@ilovepoker). For some reason there isn't any trace of this picture on his Twitter account. The image must have been indexed and cached by Google before it was deleted from the Twitter account (screenshot). (h/t @FranBerkman)
On what looks like Curtis Green's Facebook page he "Likes", among other things, clandestine chemistry (as do 199 other people) and the World Series of Poker, and mentions a WSOP cash-in in 2010, Bitcoins and TouchPads, which we know both chronicpain and pokergooch were fans of (screenshot). Credit: YaHtZeEarmadillo
If you still have doubts about the correlation between chronicpain, pokergooch, the "Employee" and Curtis Green, what comes next should finish convincing you:
On January 17th 2013 at 14:16 Curtis Clark Green is arrested in Spanish Fork, Utah, for possession of cocaine by the Utah County Major Crimes task force (UCMC). Does the date sound familiar? Going back to the Silk Road timeline and the Maryland indictment, on January 17th 2013 "undercover federal agent delivered one kilogram of a mixture or substance containing a detectable amount of cocaine to The Employee".
The 18th of January 2013, Curtis Clark Green is released on bail.
From this moment, there isn't much traceable activity (we didn't look much further yet) from either chronicpain/flush or pokergooch. We haven't been able to access potential court documents or indictments on Curtis Clark Green, if any exist, so it is difficult to say what the real charges against him are and whether he cooperated with law enforcement.
Updated 07/11/2013: Curtis Green's case was filed in Salt Lake County the 08/05/2013, 4 months after his arrest, terminated the 16/09/2013 and is now flagged as CLOSED. No other documents have been made available so far. We've searched Utah's inmate registry, where he doesn't seem to have been incarcerated.
What follows is speculation and food for thought:
A few days after having been released, we know The Employee was accused of having stolen bitcoins from some top Silk Road vendors, which could easily be explained by vengeance or anger after having been busted and a need for cash.
Did the Employee cooperate with law enforcement to somehow help the identification of DPR?
Assuming The Employee knew DPR's identity, or enough to locate him, it could explain why DPR tried to have him killed.
Why did chronicpain accept to get a kilo of cocaine delivered at his address when he showed very little interest, if any at all, in cocaine? His business is narcotic opioids, which seems to work well enough since he has some kind of unlimited supply due to his condition and a friendly doctor. It doesn't make much sense.
Is it possible he cooperated with law enforcement before the bust? We managed to link Curtis Clark Green to chronicpain, and with the large footprint he has on the Internet we're surely not the only ones.
He may well still be around, cooperating with LE and running several accounts on other drug marketplaces and forums...
It is a good story so far, but we've decided to keep what we consider the best part of it for the end. The final chapter of this act. It is at the end for the simple reason that we missed it while investigating the relationship between chronicpain and pokergooch. While reviewing some of the notes and links to complete this part of the story we found an amazing post on opiophile.org that for some reason we've missed before. I'm still not sure how we missed that but it is definitely a must read. The original post can be found here: "Plea and abayance is over! My brush with LE" (screenshot). Yes, you are reading the title correctly.
TL;DR
Curtis Green and his wife got busted back in 2006 for some weird insurance fraud involving what appears to be a misunderstanding and a dodgy doctor in Las Vegas easily giving scripts away. The FBI got involved and pressured Green and his wife to implicate the Vegas doctor. Green's wife turned CI in Vegas as part of the deal to get the doctor arrested. This news article covers part of the story, from a different angle.
On 07/11/2013, Curtis Clark Green pleaded guilty to a drug charge in Baltimore, Maryland. The following article from the Baltimore Sun seems to confirm the theories discussed previously. We still don't know the extent of Curtis Green's LE cooperation, if any, since according to Ian Duncan, who covered the hearing for The Baltimore Sun, Green's court records are currently sealed. Duncan also reported that the hearing wasn't scheduled in advance.
However the plea agreement reveals that CCG agreed the following facts are true:
He didn't know the real identity of DPR.
He worked for Silk Road and DPR under the aliases Chronicpain and Flush.
He was paid a salary to write weekly reports about support issues, fraud and LE activity.
He could see messages Silk Road users sent to each other, the details of transactions, and the Bitcoin accounts of Silk Road users, administrators and Ross Ulbricht.
The drug deal as told by the Maryland indictment and above.
He agreed to act as a "middle-man" for the vendor (googleyed1) without the knowledge of Ulbricht or the UC agent.
An important element from the plea agreement is that Curtis Green confirmed his exact role and privileges as a Silk Road employee. It is probably safe to assume LE has had access to the exact same information for an unknown period of time starting on or about 17/01/2013. Assuming DPR closed "The Employee" account on the day he was made aware of the arrest, when he contacted the UC agent on 26/01/2013, LE still had ~9 days to use Curtis' account and access a lot of information, which includes but might not be limited to:
Silk Road users internal messages.
Details of vendor and buyers transactions.
Bitcoin accounts/addresses of Silk Road users and administrators.
Bitcoin accounts controlled by Dread Pirate Roberts.
Most of the questions asked in the previous paragraphs are still unanswered but the identity of "The Employee" along with the context of the arrest have now been clarified.
Curtis Green will be sentenced in February 2014, facing up to 40 years in prison.
A lot has already been said about Tony76, one of the biggest scammers on Silk Road. You can read about him in @EileenOrmsby's post "the great 420 scam", @chobopeon's "ballad of Tony76" and the excellent page of @gwern, Silk Road Theory & Practice. In the following lines we will also go through Tony76's Silk Road Adventures for archiving purposes and maybe add a couple of elements which might happen to be useful for another tale.
Tony76 registered an account on Silk Road on 10/01/2012 and an account on the forum on the same day (screenshot). As a Canadian wannabe vendor he advertises the products he will be selling, which happen to be heroin (his flagship product, allegedly the best heroin on Silk Road) and MDMA. As a good salesman he doesn't miss the opportunity to fish for potential interest in Ketamine and Meth, which he can get fairly easily if needed. Apparently short on Bitcoin, he asks for the help of a fellow vendor to pay for his vendor account. The business angel will be rewarded with a "special locked in price of 200/g of H and 50/g of MDMA for life". That's how he rolls, Tony (screenshot).
The lucky winner of the life long H&M deal is a vendor named foxymeow (screenshot).
To celebrate his new success Tony decides to treat his customers: sales, discounts, Tony's special (screenshot). The prices are incredible, Tony is "pretty much giving away his product for free". However, in order to do this favour to the community, Tony will require his customers to finalise early (screenshot), which is always a risk for the buyers, but it's OK, it's Tony, and Tony is a trusted vendor now (screenshot). The life of Tony is now made of praise and love from happy fans all over North America. "Tony is the best", and so much love and attention mean a lot to Tony (screenshot).
As always the faithful bless the yet to arrive ostie (screenshot) and the unbelievers complain about late packages or moan about the quality (screenshot). Tony seems to be busy and less involved than usual. Things are different, and even the most pious of them are slowly but surely questioning their faith (screenshot). What happened to Tony? Where is Tony? No, Tony wouldn't do that to us, we made him King.
Yes, he would. Tony is gone and took with him his crown and all the bitcoins of his "whoreshippers" (screenshot).
This was the story of one of the biggest known scams on Silk Road. As already explained by different people, the scam is quite elaborate in the sense that it was run over a period of a few months (assuming the idea was to scam from the beginning) but really efficient and simple at the same time, mainly relying on a well known weakness of the system, early finalisation (or FE, Finalise Early). For various reasons vendors can require or offer the option for buyers to release their funds in "escrow" before the goods are delivered. The advantage for the vendor is obvious, as it keeps cash flow going by ensuring an early payment whatever happens. For the buyers it is always a bad idea to enter early finalisation, but one can see an advantage in accessing goods which wouldn't be available otherwise. Vendors quickly learnt how to take advantage of FE:
The buyers live in a country where the vendor doesn't usually ship so the vendor requires FE for exceptions.
Non domestic shipping is quite expensive for the vendor so he requires buyers to FE in case something happens.
The buyer is unknown to the vendor or has a really low level of successful transactions so the vendor requires FE.
The price of a product is really low and the vendor is taking a risk if packages are lost or intercepted, so he requires FE.
The vendor wants to keep the money and not ship anything.
In Tony's case it didn't seem to bother many buyers to FE and it allowed the scam to be successful, at least money wise, because a lot of other bits and pieces helped secure the sting (that being said, if FE hadn't been accepted by buyers, the scam wouldn't have happened at such a level).
The scam clearly happened in four different steps:
Offer a good product at attractive prices to attract customers.
Ensure good feedback by providing good customer support and shipping times.
Evaluate the level of trust and precondition buyers for the next events.
Scam everyone and fuck off.
The third point is really interesting as it is a behind the scenes type of job: there isn't anything to notice just yet as there isn't any reason to expect anything special to happen. However, it allows some type of conditioning to happen which will help maximise profits and prepare the exit.
In March 2012, Tony76 lobbied to have the stats feature (screenshot) of the forum removed (screenshot), for good reasons, as it allows close observers to estimate the amount of time a logged in user spends on the forum. When enabled, this feature can also be used to guess the timezone a user is living in, or allow an observer to correlate information about multiple users and their time of presence on the forum, which wouldn't be a good thing if one wants to preserve multiple identities, for example (screenshot).
On 03/04/2012, a few days before disappearing from the forum, Tony76 asks other vendors if they are considering a 0 refund policy because of "a surge of suspicious 'no package' claims?". Nothing out of the ordinary seems to have been noticed by the other vendors except a few complaints from buyers trying to get freebies. Strangely enough, Tony asks the question but doesn't follow up with any other comments, as if he wasn't really interested anyway. However, it is good preconditioning for future complaints which might occur at a later stage. In case complaints happen, vendors or SR staff will probably delay their suspicion and blame the delay accusations on scammers trying to get a refund.
The 30/04/2012, when everyone else seems to have accepted that good old Tony scammed them badly, another vendor posts a sarcastic and angry reply showing some understanding of Tony's reasoning behind the request (screenshot).
When listing his products for the 4/20 sales, Tony accepts international shipping for the first time (screenshot). It is pretty obvious he did it to attract new customers and get as many orders as possible. However, it is also interesting to wonder why he wasn't shipping outside North America in the first place. At first glance, shipping internationally might be more subject to lost and delayed deliveries, which directly affect the reputation of the vendor, and this is probably a parameter Tony took into account, but not the only one. By restricting shipping to some parts of the world he also creates a need among those buyers, who will eventually see great reviews of his products daily and be more inclined to buy directly when he opens his listings. It would have been interesting to see the percentage of international buyers during the 4/20 sales.
Starting around March 2012, Tony changes tone with his customers in a very distinctive way. Whereas before this date he was full of "Thanks Brother", "Love" and other marks of reassurance, his behaviour and writing style change and become much more direct and unfriendly, as if he was acknowledging that his reputation is now solid enough (screenshot). From this time onward there will also be many more arguments about shipping delays, scammers and other nonsense, which until then were reduced to a bare minimum. Another interesting phenomenon marking this change is the almost identical and systematic reaction of Tony's fan base to any negative comments, valid or not, towards Tony. It is like they were all there to protect him from malicious outsiders (screenshot). Tony's bots. They have been well trained.
A good example of the preconditioning we mentioned earlier is the reaction of a user called lvlbrained, who is questioning the legitimacy of people complaining about missing packages in the following terms: "so is this the smear campaign? alot of real low post people suddenly showing up with missing packages. obviously no proof they have any actual orders unless Tony confirms. i guess have to wait to see what Tony says" (screenshot). That user, and he is not the only one, has obviously followed the thread where Tony is warning everyone that a smear campaign will be organised against him, so his customers must expect "a bunch of bullshit to be posted" to discredit him (screenshot). Be ready soldiers, they're coming.
To add to the general confusion, Tony has sold (with hindsight we can safely assume on purpose) "weak" batches of products, creating more and more arguments between pro-Tony users and unbelievers (screenshot).
Everything is becoming so chaotic that a group of users decide to put a poll out to get statistics about who received their shipment from Tony. 87% of the 123 voters didn't receive their packages. The 5 dudes who received their shipment are likely Tony's accounts and/or trolls; all the others have been scammed for over a month without even realising it. There is a bizarre denial of reality floating around (screenshot).
Another part of the sting which helped Tony to increase trust from buyers and disguise the scam is the T-Mart or Tony's market. On or about April 2012, Tony sent a private message to "his loyal" and "best customers" to inform them they were invited to a "secret" and "exclusive marketplace" where one would buy Tony's products at a cheaper price, since SR fees didn't apply (screenshot). Tony explicitly asked people who received the message not to discuss anything related to this secret market place. It is another great move from Tony. Most of the buyers who received the invitation must have felt so special having Tony trusting them to keep his secret that there was no reason to question Tony's trust and betray him by disclosing their little secret. It also surely played a role to support Tony's effort to ensure the vigilantes will fight the soon to come anti-Tony propaganda.
As on SR, Tony76 requested early finalization on his shop, with the same effects and consequences, as no buyer will receive products ordered through Tony's marketplace. T-mart seemed to have operated in a simple way compared to Silk Road and listed only Tony's products available for shipping. Unfortunately we didn't manage to access Tony's shop as the hidden service (http://fvemnf53ie7iwd5c.onion) was shut down around the 02/05/2012 (screenshot).
By having his own market place Tony also had to manage his own wallet, which a Silk Road user, DaMan, attempted to trace. It might have been Tony's only "mistake" so far. We are not Bitcoin tracing experts but it is an interesting exercise which should have been pushed further and with more transparency (screenshot).
Another obvious trick Tony76 relied on to achieve his goal is the use of fake accounts. One episode which gathered a lot of attention from Tony's customers is the alleged scam attempt by a vendor going by the name ObamaGirl (screenshot). ObamaGirl apparently posted bad reviews of Tony's product under fake names to discredit him and sent several private messages to Tony to try to extort him. Tony76 posted on the forum different messages from ObamaGirl which made him appear as a victim but also as a great scammer hunter protecting the community. Tony's fans are always really supportive (screenshot).
A particular message from ObamaGirl is really intriguing in the way it somehow seems to provide a quite accurate description of the scam yet to come, and, even if targeted at Tony, with hindsight one could also interpret the message as a premonitory post, which would be absolutely genius, and we do want to believe the message was posted by Tony76 (screenshot). It is quite difficult to identify with certainty the different accounts Tony76 used to support his plan but ObamaGirl was definitely not the only one. We believe several throwaway accounts and aliases were used by Tony76 to bless his products and create confusion when needed. It is also safe to assume some other accounts were used in a rightful way in the hope of pulling other scams using what would look like a legitimate vendor which has been around for a while, with good statistics and a clean sheet. Mostly for entertainment purposes, and because we wish those troll accounts were operated by the real Tony76, you can follow threads with messages by tigger and Antonio76 (screenshot).
As we tried to demonstrate, Tony76 put together a simple scam mainly relying on the infamous early finalization. However in order to achieve his goal and succeed in his operation, a lot of sophisticated "behind the scene work" has taken place for months to ensure maximum profit and success. It has been said Tony76 disappeared with over $100.000.
A few months after the whole Tony scandal, Silk Road was once again victim of an infamous scammer, Lucydrop. Lucydrop's scam followed a similar pattern to Tony76's and some even suggested they were the same person. We're not going to go through the whole timeline of the scam but only highlight similarities and see if the suggestion of Lucydrop and Tony76 being the same person is plausible. @chobopeon has written about the Lucydrop scam and we are not pretending to add breaking news here. The following is more of a contextualisation exercise for archiving purposes and our own understanding. If you haven't done so yet, you might want to have a look at Tony76 Silk Road Adventures before continuing your journey.
Lucydrop started on Silk Road offering LSD as a flagship product (screenshot). In a similar way to Tony76, shipping is restricted to certain countries. In Lucydrop's case, the restriction applies to the US. The "official reason" given for this restriction is to avoid "end up with a life sentence" (screenshot). It seems a bizarre choice for a vendor located in Canada, as the US is probably one of the easiest "international" locations to ship to from Canada and LSD is odourless and fairly easy to hide. We assume that, for a similar reason to Tony76's, it is to create a need among US buyers when opening the market for "the grand finale" scam.
Lucydrop followed the same "tactic" as Tony76 to attract customers, advertising a relatively cheap and good quality product, special offers from time to time (screenshot) and not hesitating to provide freebies when necessary (screenshot 1 and screenshot 2). The reason behind it is obviously to have as many customers as possible providing good feedback. A particularity of the LSD market on Silk Road, compared with other products, was the presence of the LSD Avengers, who were sending vendors' LSD to labs for quality testing and posting the reviews on the forum for the Silk Road community. More than buyers' feedback, having the LSD Avengers vouching for your product is definitely an edge on the market. Lucydrop got a good review (screenshot) from the LSD Avengers (allegedly one of the highest quality reviewed by the Avengers at the time (screenshot)) and even had a member of the LSD Avengers as an admirer (screenshot) to back up the quality of his LSD. As expected after the LSD Avengers review, orders started kicking in and more and more buyers praised Lucydrop's LSD and posted great feedback and reviews on the forum (screenshots).
A quality product at a fair price and good customer service are the ingredients to build a solid customer base, and Lucydrop's customer support had little to envy Tony76's. Lucydrop was always prompt to reply to worried customers, solve issues (screenshot), be polite even with "rude" customers (screenshot) or provide information about his product to ensure a good reputation. Lucydrop's customers loved him and, like Tony, he made sure to give some love back (screenshot).
Besides the financial aspect, the advantage of having a strong customer base is that it also brings the usual fans who will blindly support and defend the vendor against winds and tides. Tony76 understood it in his time and the recipe seems to work for Lucydrop too. As the scam kicked in and more and more users complained about weak products [4] being shipped (screenshots), Lucydrop's army was at work defending him (screenshot).
Another interesting comparison between Tony76 and Lucydrop is that they both seem to have a poor knowledge of LSD. Tony started selling LSD a few weeks before disappearing from Silk Road but didn't know much about it. In a slightly different way, Lucydrop, for whom LSD was the main product, contrary to Tony, made rookie mistakes when promoting the product. It might look like a minor misunderstanding, but the terminology confusion didn't seem to impress the buyers much and the excuse of having a different lingo with his mate didn't make it more legit either (screenshots).
Like Tony76, Lucydrop lobbied to have the possibility for vendors to provide feedback on buyers, a feature which didn't exist on Silk Road. In several threads he tried to push for a proper feedback system which would not only be to the advantage of the buyers. With a certain irony, the system is supposed to prevent vendors from getting scammed repeatedly (screenshots). In one post, he also pretends to have been a vendor on SR for 8 months, which is likely a lie since in his first post on the forum, exactly 2 months before, he says he just started as a vendor (screenshot). Bold, but like Tony76, Lucydrop relies on a pseudo-seniority so that vendors can vouch for him and therefore establish his reputation.
From a writing style point of view, as others have already highlighted, there are some more similarities:
The capitalization of the word "I" at the beginning of a sentence, but never if it appears mid-sentence. (This is a very interesting observation from OP which happened to be true most of the time in Tony76 and Lucydrop messages).
Last but not least, both vendors shipped from Canada. Several people told us they were both from British Columbia, but without much evidence other than what they remembered from various "sources". We only found a "public record" of this claim on a Reddit thread, which is also a statement without backup. We can't confirm the information; however, British Columbia being a well known hub for drug production and distribution, it wouldn't be surprising.
As much as we would like to see Lucydrop be Tony76, the similarities provided are too thin as evidence. There are definitely some common patterns and likeness in both stories but nothing that would put the final nail in the coffin and show that Lucydrop and Tony76 are the same person. Nonetheless, Lucydrop and Tony76 might still be linked, as we will see next.
A month after having tried to get Curtis Green killed, Dread Pirate Roberts engaged in another bizarre murder for hire plot targeting an alleged Silk Road vendor named FriendlyChemist (FC). This episode has been one of the most commented on and discussed events following Ross Ulbricht's arrest. As with the "Employee" assassination plot, the attempted murder resulted in a fake murder, letting DPR believe the ordered hit had been successful. To add to the confusion, no one on Silk Road seems to remember FriendlyChemist, either as a vendor/buyer or as a user of the forum, which adds mystery and interest to this episode. We will share some tinfoil ideas and theories hereafter on this murder-for-hire event.
The original description of the events appear in the New York criminal complaint of the alleged DPR, Ross Ulbricht.
On or about the 13/03/2013, an alleged Silk Road vendor, FriendlyChemist, contacted DPR through Silk Road's private message system stating he had a list of names and addresses of Silk Road vendors and customers. He threatened to leak the valuable information on the Internet unless DPR paid him $500.000. FriendlyChemist justified the blackmail by explaining he needed to pay off his narcotics suppliers. DPR and a FriendlyChemist supplier, going by the name redandwhite (R&W), got in touch, and DPR put a bounty on FC's head and provided FriendlyChemist's contact details to the hitman. The suppliers allegedly killed FriendlyChemist and got paid 51670 BTC for the killing by DPR. However, the FBI investigation showed that no one going by the name provided by DPR existed in the area and, even more disturbing, no body was found in the area where the murder is supposed to have happened.
Following the release of the complaint, several theories have been discussed about the identity of and the role played by FriendlyChemist and redandwhite. The main ones being:
A law enforcement (FC and R&W) operation targeting DPR.
Silk Road vendors (FC and R&W) ripping off DPR in an elaborate scam.
The involvement of law enforcement (LE) seems really unlikely to us; however, it has been one of the most discussed theories. We do not know if this is because of some confusion with the first murder-for-hire, already discussed in "The Employee staged assassination", which did implicate LE, or because redandwhite is also suspected of having later provided fake IDs which were luckily intercepted and confiscated by U.S. Customs and Border Protection, which tightened the trap around DPR and eventually partially led to his arrest.
In any case, we are more inclined to believe DPR was the victim of an elaborate scam run by Silk Road vendors. The main argument to back up this statement is the fact that Ross Ulbricht hasn't been charged with attempted murder in the NY complaint.
The complaint mentions the blackmail episode which led to the fake murder of FriendlyChemist only to provide solid evidence that DPR is willing to use violence to protect his interests in Silk Road. We find it extremely difficult to believe the FBI would miss the opportunity to charge DPR with attempted murder, as was the case in the Maryland indictment, if they had undercover agents or privileged witnesses in the front-row seats ready to confirm DPR hired a hitman to kill someone. One could argue the alleged DPR, Ross Ulbricht, is already charged with attempted murder in Maryland, which could be "enough" for the prosecution, to which we would reply there are not enough charges for a high profile target like DPR. Moreover, the FBI wouldn't conceal evidence of an attempted murder if they had been "hired" by the suspect to carry out the hit. Once again, it is important to keep in mind that Ross Ulbricht is not charged with any murder attempt in the NY complaint.
Now that we have the law enforcement theory out of the way, let's have a look at the other one, where Silk Road vendors might have colluded to extort DPR. You probably want to wear your tin foil socks and gloves at this point as the hat might not be enough. Also, to avoid misunderstanding, we do not claim what follows is how the events occurred; we're only sharing some of our thoughts about the context of the murder-for-hire and the pseudo-identities of the different players.
While reading about the Lucydrop scam, we couldn't help noticing how some late events of the scam fit conveniently into the FriendlyChemist and Redandwhite timeline.
The first contact between FriendlyChemist and DPR occurred a week after Lucydrop was last active on the forum. On this occasion FriendlyChemist began threatening to leak customer data he had fraudulently acquired by allegedly hacking a vendor's computer unless DPR paid him the sum of $500.000. The threats continued for the next couple of days, a period during which FriendlyChemist provided DPR with samples of customers' names, addresses and order information as well as the username and password of the vendor he claimed to have "hacked". The threats stopped on 15/03/2013. The complaint does not specify whether DPR replied to any of FriendlyChemist's messages up to that point, so we will assume he didn't. The first reply from DPR to FriendlyChemist only came 5 days later, on 20/03/2013.
Meanwhile, with very convenient timing, the Lucydrop scam took an interesting twist.
On 15/03/2013, the same day FriendlyChemist's threats stopped, a user, RealLucyDrop, registered an account on the SR forum and posted a message claiming to be the "real" Lucydrop and that his account had been taken over a few months earlier by his partner (screenshot 1 and screenshot 2). In this message, RealLucyDrop explained how his partner took advantage of the fact he was in prison to operate his Silk Road account, ship weak/fake products, steal his work computer and disappear with customers' money. As a result, RealLucyDrop was now trying to get in touch with DPR to have his "legitimate" Lucydrop "account shut down immediately and freeze all the funds in the account".
On 17/03/2013, RealLucyDrop said he had finally made contact with DPR and seemed confident that DPR would be able to confirm his identity and the alleged account takeover (screenshot). As far as we know, there isn't any public record of DPR confirming any of RealLucyDrop's claims. Nevertheless, a couple of days after RealLucyDrop got in touch with DPR, on 20/03/2013, DPR, this time initiating the communication, contacted FriendlyChemist and asked him to tell his suppliers to contact him "so he can work out something with them".
If we put aside Lucydrop's scam and take the point of view of the extortion timeline, we have the following succession of events:
13/03/2013 - Silk Road vendor FriendlyChemist began sending threats to DPR through Silk Road's private message system. FriendlyChemist stated he had a list of real names and addresses of Silk Road vendors and customers. FriendlyChemist threatened to publish the information on the Internet unless DPR gave him $500.000, which FriendlyChemist indicated he needed to pay off his narcotics suppliers. NY
14/03/2013 - FriendlyChemist makes further threats to leak vendors' and customers' info. NY
15/03/2013 - FriendlyChemist provides DPR a sample of usernames, addresses and order information he wants to leak. He also sends DPR the username/password of a vendor he claimed to have hacked and obtained the data from. NY
16/03/2013 - RealLucyDrop says he is the "real" Lucydrop and warned vendors not to buy from the Lucydrop accounts. The "real" lucydrop has apparently spent some time in prison (between 2 and 7 months) and was fucked over by his partner who scammed his customers and disappeared with his work computer (screenshot). F
17/03/2013 - RealLucyDrop said he made contact with DPR about the issue, and DPR should be able to confirm who he really is. (screenshot). F
20/03/2013 - Dread Pirate Roberts asks for FriendlyChemist's suppliers to contact him "so he can work out something with them". NY
25/03/2013 - redandwhite contacts DPR and introduces himself as one of the people FriendlyChemist owes money to. NY
The timing and succession of events are really interesting here, as just after FriendlyChemist provided DPR with samples of the "hacked" customer data, RealLucyDrop appeared and explained how his "partner" took over his Silk Road account. With this context in mind one can easily imagine that when RealLucyDrop contacted DPR to have his legitimate account closed and the funds frozen, RealLucyDrop told the full story with more details: how the friend of the family fucked him over, scammed his customers, eventually stole the "work" computer (screenshot) and by extension got access to all his customers' data. At this point DPR must have paid attention.
This sudden and unexpected appearance of RealLucyDrop definitely lends credibility to the vendor hack claimed by FriendlyChemist and must have put DPR in an uncomfortable situation, as he is now dealing with a wild dog, over whom neither RealLucyDrop nor DPR seems to have control, threatening to leak a lot of customer data and putting the whole of Silk Road at risk.
Yes, we think FriendlyChemist is Lucydrop's "partner".
Let's rewind a bit, speculate about what might have happened and streamline the succession of events:
DPR is being threatened by FriendlyChemist (Lucydrop's "partner") claiming to have hacked a vendor (Lucydrop) and accessed customer data.
The hacked vendor (RealLucyDrop) makes a sudden appearance on the forum and explains his account had been hijacked by his partner. RealLucyDrop wants his real account Lucydrop closed and all transactions frozen, and gives "proofs" to DPR that he is the legitimate vendor. At the same time it provides credibility to FriendlyChemist's claims and extortion attempt.
DPR eventually believes RealLucyDrop's "proofs" and thus asks FriendlyChemist to have his suppliers contact him to arrange a solution.
Supplier (redandwhite) contacts DPR.
Unfortunately, we don't have any solid evidence (should we say no evidence at all?) to back up our theory, but the timing of the blackmail, the "arrival" of RealLucyDrop and the story of the rogue partner look like more than simple coincidences.
Now, what about the role of Lucydrop, who came back under the name "RealLucyDrop"? Is it a genuine call for help and was his account really hijacked by his partner? As briefly mentioned earlier, we believe the only purpose of the RealLucyDrop account was to have DPR buy the FriendlyChemist story and provide credibility to it. From the timeline, it appears it took a few days for DPR to reply to FriendlyChemist and we don't really know if there were exchanges between them other than FC's threats. Considering DPR's lack of reaction, it was maybe decided to bring RealLucyDrop into the game. It might have been obvious to a majority of people, but with hindsight we now know that DPR lacked a bit of perspicacity in some situations, to say the least. Another element makes us believe RealLucyDrop is part of the scam: the fake FriendlyChemist dox.
After DPR got in touch with redandwhite he provided him with a name and a place where FriendlyChemist apparently lived in White Rock, British Columbia. Given that no one on Silk Road (site and forum) seems to remember or know FriendlyChemist, neither as a buyer nor as a vendor, we wondered how DPR had his address and knew he was living with a wife and 3 kids.
He could have got the address and name from a genuine and honest vendor who shipped to FriendlyChemist (minus the marital situation, maybe). To contact and identify a vendor he would just have to search for past transactions on Silk Road, if any, between vendors and FriendlyChemist.
He could have had a privileged relationship with FriendlyChemist, with enough trust to share personal details such as marital situation, real identity and address.
DPR accessed FriendlyChemist's private messages on SR which for some reason would contain his name, his address and his marital situation.
A third party provided him with the information.
We know from the New York complaint that, however DPR got FriendlyChemist's dox, it was incorrect information, as Canadian law enforcement "have no record of there being any Canadian resident with the name DPR passed to redandwhite as the target of the solicited murder-for-hire. Nor do they have any record of a homicide occurring in White Rock, British Columbia". The important point here is that the provided name was inaccurate.
If the information was obtained from a genuine and honest SR vendor it is likely at least the name and address would match and exist, simply for shipping purposes. Also, DPR didn't provide a complete address and asked redandwhite "if it would be helpful to have his (FC) full address", as if he didn't have the complete information but could get it if necessary. Surely if the information was coming from a vendor who shipped to FriendlyChemist, he would have provided the full address (street, postcode) at once.
The privileged relationship and the private message snooping are only there to complete the list of options and are very unlikely (I hear someone saying "like the rest of the nonsense I'm reading...", yes maybe).
It leaves us with the possibility of a third party, whoever it might be (friend, family, business partner etc.), who knows FriendlyChemist well enough or has a special relationship with him. The only person on our radar who fits the profile and could have the required information, or put differently, be legitimate enough to pretend to have correct and accurate information about FriendlyChemist, is once again the "real" Lucydrop. We are inclined to believe personal details about FriendlyChemist were provided when RealLucyDrop contacted DPR the first time, on 17/03/2013, about his rogue partner and/or during the following days. If the "real" Lucydrop had really been scammed as he pretended on the forum, FriendlyChemist's dox would have been at least partially correct, considering FriendlyChemist is a friend and family friend (screenshot). However, in this case fake contact details were provided, which makes us think Lucydrop is part of the scam as well.
What about redandwhite...? He is presented as the supplier FriendlyChemist owes money to and the one DPR commissioned for the murder of FriendlyChemist. His nickname implies he is part of a well known organisation, the Hells Angels Motorcycle Club, and it seems to be what DPR thought as well, as DPR mentioned in his "diary" (wtf?), "talking with large distributor (hell's angels)". It is probably another attempt from the Canadian Scammer Crew to give credibility to the whole scam, hook DPR and somehow make him feel impressed that he is dealing with a high profile organisation. Is redandwhite really part of the Hells Angels? Probably not; we don't imagine the Hells Angels would use a nickname with such a strong connotation for real, moreover in an online scam, but it is difficult to say. However, would "someone" who is obviously aware of the strong involvement of the Hells Angels in the drug trade in Canada risk impersonating the Hells Angels? It could be a risky bet, especially if that person is also based in British Columbia and also strongly involved in drug dealing, as seems to be the case. The Hells Angels are known not to appreciate people invoking their name when there is no formal association with the bikers (if you are interested in the Hells Angels and other British Columbia gangs you might want to read more on Gangsters Out and its associated blog. This particular page compiles a comprehensive list of "known" gang members in Surrey and the Metro Vancouver Area. You never know...).
Whatever the truth is about redandwhite's pseudo-identity and affiliation, the scam worked like a charm and it is fairly obvious he is part of the swindle, as shown by the murder-for-hire of FriendlyChemist, where he sent a fake dead body picture to convince DPR the job was done.
To summarize at this point:
Dread Pirate Roberts was the victim of a Silk Road vendor scam.
FriendlyChemist is possibly Lucydrop's partner.
Lucydrop and RealLucyDrop are part of the scam.
FriendlyChemist, Lucydrop and RealLucyDrop might be the same person/entity.
Redandwhite is part of the scam.
FriendlyChemist, Lucydrop, RealLucyDrop, redandwhite might be the same person/entity.
Following FriendlyChemist's fake murder, redandwhite told DPR that before killing FriendlyChemist they questioned him and he "spilled everything he knew" and "had identified another individual located in Surrey, British Columbia, who had been working together with FriendlyChemist on this scheme to blackmail" DPR, "and who had been running scams on Silk Road". Redandwhite said "the users went by the username tony76 on Silk Road", and provided a purported true name for the individual.
Tony76 back in business. It is a nice and sexy twist in the story but only half a surprise. From the look of it, and assuming we are even partially right that the whole extortion and murder-for-hire plot is a scam, there is no doubt the alleged revelations of FriendlyChemist to redandwhite involving Tony76 are 100% false. Not that Tony76 is not part of the blackmail scheme, but the information about Tony76's involvement has certainly not been retrieved from a dying FriendlyChemist. The choice of accusing Tony76 of being part of the plot is deliberate and intended to trigger a reaction from DPR. It didn't fail, as DPR paid another 3000 BTC (approximately $500K at the time) for the assassination of Tony76 and his 3 mates. With Tony76's history on Silk Road it was pretty sure it would hook DPR a second time. Redandwhite (or whoever came up with the idea) was obviously aware of tony76's previous scams.
Was Tony76 involved in the scam? If we consider a possible link between Tony76 and Lucydrop then it is highly probable, but like most of what we've discussed so far it will need more evidence. If somehow Tony76's involvement in this scam could be confirmed it would be an absolute killer and pure genius.
Looking at the Bitcoin address 1MwvS1idEevZ5gd428TjL3hB2kHaBH9WTL used by redandwhite to receive payment from DPR, there is one particular transaction which makes us think there is maybe more to be revealed in that story and we could expect more "revelations".
On 31/03/2013 DPR paid 1670 BTC to have FriendlyChemist killed.
On 08/04/2013 DPR paid 3000 BTC to have Tony76 and his three partners killed.
On 12/04/2013, 4 days after the previous DPR payment, redandwhite received another payment of 2555 BTC.
It is not clear yet which event this payment is tied to, but another Silk Road drama wouldn't really be a surprise.
Redandwhite's Bitcoin address also provides solid evidence that law enforcement was not involved in the murder-for-hire operation. As highlighted by Nicholas Weaver on Twitter, if redandwhite was a law enforcement officer or confidential informant, the coins would not have been sold/transferred by mid-August but kept as evidence until the case was closed, whereas here the coins are going through multiple addresses with a clear will to "wash" them.
We've tried to describe as best we can some of the ideas and theories we have on the FriendlyChemist and redandwhite business, trying to come up with a story which could make sense and explain some of the events of the timeline, but we have to admit it is not an easy task with the available information, and as of today it might sound like the musings of a slightly confused person. Hopefully time will tell... If you want to discuss this story further you can do so on the following Reddit thread.
Timeline of events surrounding the investigation and arrest of individuals involved in large scale importation of Methylone from China. An archive of the relevant court documents discussed below can be downloaded here.
District of Maryland (Marco Polo Task Force):
GEORGE, HANDEL, KENNEDY
Eastern District of Virginia:
BROWN, SCROGGINS, HADDOCK, BAKER, MOORE, WALSH, TAYLOR, JONES, TUTWILER
Middle District of Florida, Orlando Division:
SALZMANN, MAYELL
Western District of New York:
BUERMAN, VIERA, YOUNG
District of Alaska:
GATTIS
District court in and for Payne County, State of Oklahoma:
JOHNSON
06/07/2011 - Digitalink received a letter from USPS (United States Postal Service), regarding a package confiscated because of white powder leaking from it. Digitalink confirms it is Methylone and that he is expecting some more. F
XX/11/2011 - Agents with Homeland Security Investigation conducted several interviews with a source in Maryland (CS-1). CS-1 had been selling drugs on Silk Road and ultimately turns over his or her seller's account and records of buyers' information. "Agents assumed the online identity of CS-1, including" the user account. Does not specify if limited to only the user account. KENNEDY
05/01/2012 - Fairfax County Police Department (FCPD) executed a search warrant at the residence of Patrick UN and seized 3 ounces of Methylone. BAKER
06/01/2012 - Customs and Border Protection (CBP) in San Francisco, using information from CS-1, identified a package shipped from China to Sheldon Kennedy. The package contained 55 grams of 4-FA. Disposition of the package is not stated in the document. KENNEDY
02/02/2012 - Portsmouth Police Department's Special Investigations Unit (SIU) organises a controlled purchase of suspected 3,4-methylenedioxymethamphetamine (MDMA) from an individual identified as Michael Casey Brown. The SIU detectives relayed information that Brown was suspected to be importing the MDMA from an unknown source in China. Brown gives up his email account, AOL account/password, information on his China source, named "ALICE", and his ordering information, which is stored in his email folders. An associate, McClennan, is similarly cooperative and says that only Brown and one other person within 500 miles have methylone, the other being in Northern Virginia, because no one else can "get the stuff from China." BROWN
06/02/2012 - Robin Gattis has a parcel of methylone from China intercepted by CBP at Anchorage Port of Entry (POE) and opened. The package is tested positive for Methylone. A controlled delivery is organised by state and federal agents, after which Gattis is arrested on state drug charges. BUERMAN | GATTIS
07/02/2012 - A package arrived at the CBP POE, Anchorage, Alaska, from Shanghai Yidai Cosmetic Co. Ltd, Shanghai, China. The package was addressed to Brad Vannater. BUERMAN
10/02/2012 - United States Postal Inspection Service (USPIS) notified law enforcement (LE) of multiple packets originating from Nanjing, China destined to an address on Sampson Place, Portsmouth, Virginia, addressed to Michael Haddock. The packages are identical to packages which had been identified in online purchases of Methylone from another investigation. HADDOCK
13/02/2012 - Digitalink last active on Silk Road forum. F
15/02/2012 - USPIS seized a package destined to Sampson Place originating from Nanjing, China. HADDOCK
XX/02/2012 - Special Agent (SA) Lewis starts investigating an organisation involved in large scale importation of synthetic drugs from laboratories in China in the Eastern District of Virginia and Middle District of Florida thanks to a cooperating defendant (CD-1). Through this investigation Justin Steven Scroggins a/k/a "Woot", a/k/a "Dirk McDiggler" is identified as involved in the operation. SCROGGINS
28/02/2012 - Gattis, upon his release from jail emailed the supplier in China and said that "The last package you sent was intercepted by homeland security and I was arrested.... Is there any way I can have it resent to a different name and address or something if I found one?" GATTIS
xx/03/2012 - HSI agents conduct various checks on Kennedy, financial and utility checks. KENNEDY
14/03/2012 - Affidavit in support of application for issuance of arrest warrant against Brown filed. BROWN
14/03/2012 - Judge Stillman issues a search warrant for the email account alicechoica@gmail.com, which resulted in the access of "thousands email communications going to and from the Target Account". From this date LE has all correspondence to and from alicechoica@gmail.com. BUERMAN
16/03/2012 - Special Agent (SA) Lewis started to observe Scroggins discussing, through recorded telephone conversation, internet chats, and video teleconference, his use, importation and distribution of various controlled substances. SCROGGINS
29/03/2012 - CBP POE Cincinnati seizes 504 gm methylone from Shanghai Yidai Cosmetic Co. Ltd in an UNKNOWN case. BUERMAN
05/04/2012 - Scroggins, Haddock (referred to as CD#1) and an individual using the username "reidtang" conducted a three-way video-conference using Skype to discuss importing several synthetic drugs from reidtang's laboratory in China into the US via Haddock (CD#1). SCROGGINS
05/04/2012 - Undercover agent (UC) buys 1g of cocaine via SR from edgarnumbers for 21.28 BTC. KENNEDY
07/04/2012 - LE intercepts a package of US currency being shipped from Scroggins, at the Broad Street post office in Portsmouth, VA, to Michael Haddock (referred to as CD#1 in the affidavit). SCROGGINS
10/04/2012 - Scroggins is arrested following a controlled delivery. SCROGGINS
12/04/2012 - Parcel addressed to Eric Andrews seized by CBP officers co-located at the San Francisco, California International Mail Facility. A search of the parcel resulted in the discovery of 2,047 grams of a white powdery substance which, upon analysis by CBP, tested positive for Methylone. BUERMAN
xx/05/2012 - DEA Starts investigating David Lawrence Handel. HANDEL
xx/05/2012 - Hosting provider hostgator.com, received a citizen complaint regarding a website (www.fantasiesworldwide.com) selling several chemicals (2-FMA, 4-MEC, 4-FA, A-PVP and MXE). BUERMAN
xx/05/2012 - HSI agents received subpoena information from Google providing information about Kennedy's gmail account and other info on files. KENNEDY
07/05/2012 - HSI agents monitored Kennedy taking packages at the post office. KENNEDY
07/05/2012 - HSI and USPS intercept one of the two packages posted by Kennedy, addressed to a location in England. The package revealed to contain 110 grams of DMT. KENNEDY
01/06/2012 - LE conducted a "knock and talk" at Taylor's house and found controlled substances. Taylor admitted importing Methylone from China. Taylor will become a cooperating defendant (CD) and explain he began to wholesale the imported Methylone to David Lee Jones. TAYLOR
01/06/2012 - Last post of edgarnumbers on Silk Road forum. F
28/06/2012 - Federal search warrant executed at Sheldon Kennedy's residence. He waives his Miranda rights, and acknowledges selling drugs/guns on Silk Road; turns over all records and his financials information. KENNEDY
30/06/2012 - Methylone shipped from China to Chad Cameron (EMS tracking number EE019965832CN). GATTIS
xx/07/2012 - HSI SA Alpers (Agent investigating Vannater and Buerman in a case in Michigan) learned that HSI SA Brian Lewis of Norfolk, Virginia (EDVA) was also investigating a Chinese source of supply of illicit chemicals using the email address alicechoica@gmail.com. BUERMAN
03/07/2012 - The package shipped from China to Chad Cameron is intercepted by U.S. Customs in Chicago. The package will never be delivered to Alaska (EMS tracking number EE019965832CN). GATTIS
12/07/2012 - Taylor, acting as CD, phones Jones and tells him he has 3kg of Methylone from China. Jones receives the packages and is arrested by Portsmouth Police. JONES
17/07/2012 - Gattis orders more methylone from Alice to self and friends’ addresses, which is intercepted in June and July. Controlled delivery in July. GATTIS
24/07/2012 - CBP officers at the USPS facility in San Francisco, seized 1KG of Methylone from China addressed to Stephen Kimbrell. GATTIS
27/07/2012 - As a result of the seizure, the parcel is placed under GPS tracker. GATTIS
30/07/2012 - Controlled Delivery of the parcel to Stephen Kimbrell. GATTIS
28/08/2012 - CBP in San Francisco intercepted a package from China containing 1037g of Methylone to be delivered to Brian William Johnson on the Oklahoma State University campus. JOHNSON
30/08/2012 - LE made arrangements with the Postal Inspector to organise a controlled delivery, upon which Johnson is arrested after having collected the package from the post office. JOHNSON
XX/09/2012 - Second search warrant authorized on the Target Account alicechoica@gmail.com. BUERMAN
07/10/2012 - Brett Walsh (referred to as CD#1) and his roommate (?) are stopped with four ounces of Methylone and two firearms in North Carolina. Walsh's roommate takes the blame, saying Walsh wasn't aware of the arms and drugs. Walsh is released. MOORE | WALSH
09/10/2012 - Walsh voluntarily travelled to the Portsmouth police station to admit he was involved in the drug deal and said he bought the Methylone from Moore. Walsh also stated Moore began buying Methylone from a laboratory in China. The same evening LE organised a controlled purchase of Methylone from Timothy Moore. MOORE | WALSH
11/10/2012 - LE obtains a search warrant on Moore's residence based on the information provided by Walsh and the controlled purchase. Aware of a new Methylone delivery, LE waited for the United States Postal Inspection Service (USPIS) to intercept the package before executing the search warrant. MOORE
24/10/2012 - United States Postal Inspection Service (USPIS) informed HSI that two packages originating from China were delivered to an Augustine Circle address in Portsmouth. This address had been previously identified as receiving packages of Methylone from an identified synthetic drug laboratory based in China. This address was used as a shipping destination for two separate email accounts (mirandabailey@hushmail.com and rogerrabbit7777@gmail.com). Further investigation concluded that the resident of this address was connected to Moore via an acquaintance of Moore. MOORE
24/10/2012 - LE officers executed the search warrant on Moore's residence and the Augustine Circle address. Moore said he got the email address of the laboratory in China from a friend. MOORE
16/11/2012 - A Confidential Source (CS#1, the friend?) provides information about Moore's girlfriend Taylor, saying she approached CS#1 to wire money to China to order Methylone back in December 2011. MOORE
12/12/2012 - Orleans County Major Felony Crime Task Force (MFCTF) obtained a search warrant covering his person, his residence (11395 Martin Road, Shelby, New York), and the car he drove, a 2005 Acura, which authorized a search for, among other items, various narcotics and related paraphernalia. YOUNG
13/12/2012 - Allen Young escaped from attempted arrest by LE. YOUNG
12/03/2013 - CBP stationed at the JFK International Mail Facility in New York interdicted a mail parcel EE730675867CN destined to A Bosch, Palmyra Road, Fairport, New York 14450. The SA in charge requested that local postal inspectors make it appear as though the package was subsequently misrouted to Albany, New York. BUERMAN
19/03/2013 - A confidential source (CS-1) from Palm Beach identified Sebastian Salzmann as a Methylone distributor and informed DEA Agent that a package containing methylone was being sent from China to an individual in Oviedo, Florida. This individual (Mark W.?) will also become a confidential source (CS-2). MAYELL
20/03/2013 - DEA intercepts the package shipped to CS-2 and questions him/her. CS-2 said that an individual named Nathan Mayell paid $6500 for 500 grams of Methylone. CS-2 (Mark W.?) would pay Salzmann $4750 who would then place the order from China. MAYELL
20/03/2013 - 502 grams of Methylone from China delivered to a CS (Mark W.?) and seized by DEA. SALZMANN
20/03/2013 - CS-2 contacts Nathan Mayell saying the package was stolen and he would order another one at a later date. MAYELL
01/04/2013 - CS (Mark W.?) placed a recorded phone call to Salzmann to buy 1Kg of methylone. SALZMANN
09/04/2013 - CS (Mark W.?) received a tracking number from Salzmann (#EE839399428CN) for a package to be delivered to Jordy Godinez, with CS as final recipient. SALZMANN
10/04/2013 - Jordy Godinez is arrested while on his way to deliver the package to CS (Mark WAKLER?) on behalf of Salzmann. SALZMANN
15/04/2013 - Sebastian Salzmann arrested. SALZMANN
XX/05/2013 - Third search warrant authorized on the Target Account alicechoica@gmail.com. BUERMAN
03/05/2013 - Arrest of Nathan Mayell and Emily Wencelblat. MAYELL
29/05/2013 - US Postal inspector contacted HSI and advised they intercepted a package from China to Matthew Peterson, NY. VIERA
30/05/2013 - Federal search warrant was applied and received to search the package. The package is tested positive to MDMA. The package is resealed for possible Control Delivery. VIERA
30/05/2013 - USPS received a phone call requesting delivery of the package. VIERA
31/05/2013 - USPS contacted the phone number provided the day before registered to an individual named Dean Goodmote and informed the individual that the package was available for pick-up. The same day HSI and USPS arrange for controlled delivery of the package. VIERA
31/05/2013 - Goodmote comes to pick up the package at the post office and is arrested. He told the agents the package was intended for an individual named Peter VIERA, for whom he distributes narcotics. Viera is arrested the same day and advised he was ordering the Methylone online from China with an individual named Allen Young. VIERA
13/06/2013 - Sealed indictment filed against David Lawrence Handel and arrest warrant issued. HANDEL
22/06/2013 - Buerman placed an order with alicechoica@gmail.com for 3 kilograms of methylene to be sent to Brandon Edwards at 6000 West Osceola Pkwy, Kissimmi, Florida 34746. The order also involves an individual named joshua paww a/k/a Parnell. BUERMAN
03/07/2013 - Taylor and Taylor sentenced. Keith Allen Taylor receives more than 11 years in federal prison for importing more than 74 pounds. Caroline Taylor, who is not related to Keith Taylor, received 8 years for importing more than 13 pounds. M
12/07/2013 - A judge authorises a 30-day interception of electronic communications occurring over the electronic mail account alicechoica@gmail.com. BUERMAN
23/07/2013 - Start of the interception of all electronic communication to and from the electronic mail account alicechoica@gmail.com authorized by the Hon. Frank P. Geraci, United States District Court, Western District of New York. BUERMAN
24/07/2013 - Criminal complaint filed against Young. YOUNG
29/07/2013 - A border search warrant is conducted on an international United States Postal Package sent from Nanjing, China. The content of the package was field tested and indicated positive result for the presence of Methylone. LE organised a controlled delivery of the package and arrested an individual named Tutwiler. The Methylone had been bought with several other individuals for distribution in the Eastern District of Virginia. TUTWILER
05/08/2013 - Nathan MAYELL pleaded guilty. M
07/08/2013 - 3 packages addressed to Rita LEVY-PANZICA and Michele Hess (x2) are intercepted at JFK airport following information observed within the emails. BUERMAN
08/08/2013 - Controlled delivery attempted by Law enforcement agents to HESS and LEVY-PANZICA. BUERMAN
22/08/2013 - End of the interception of all electronic communication to and from the electronic mail account alicechoica@gmail.com. BUERMAN
24/09/2013 - Arrest of David Lawrence Handel. HANDEL
02/10/2013 - Motion and Order to Unseal Indictment as to David Lawrence Handel. HANDEL
02/10/2013 - Silk Road shut down and arrest of Ross Ulbricht the alleged Dread Pirate Roberts. M
11/10/2013 - David Handel released on bail. HANDEL
22/10/2013 - Criminal complaint filed against Tutwiler. TUTWILER
31/01/2014 - Sealed complaint filed against Kennedy. KENNEDY
19/02/2014 - Arrest of Kennedy in Miami. KENNEDY
20/02/2014 - Complaint against Kennedy unsealed. KENNEDY
Over the past few months we've been looking at different sides of the Silk Road fallout. We first got interested in the identity of "The Employee", mentioned in Ross Ulbricht's Maryland indictment, then in Tony76's scam and his potential involvement alongside FriendlyChemist and redandwhite in the Dread Pirate Roberts murder-for-hire episode partially described in the New York complaint. Our goal was, and still is, to provide meaningful and contextual information surrounding the Silk Road investigation leading to Dread Pirate Roberts' arrest. With the same goal in mind, we've spent the past few weeks looking at a different side of the story, focusing on law enforcement's (LE) investigation and arrest of individuals involved in large-scale importation of Methylone from China. For readers not familiar with Research Chemicals (RCs), we would recommend, for once, reading the Daily Mail article "The Chinese laboratories where scientists are already at work on the new 'meow meow'", which should provide a bit of context for what follows.
Before going into the Silk Road specifics, let's go back to February 2012, when Portsmouth Police Department's Special Investigations Unit (SIU) contacted Homeland Security Investigations (HSI) following a controlled purchase of suspected 3,4-methylenedioxymethamphetamine (MDMA) from an individual identified as Michael Casey Brown. Brown was suspected of importing MDMA from China. Upon his arrest, Brown waived his Miranda rights and stated "that during spring 2011, he received an email address from an acquaintance for a laboratory in China that could supply him with synthetic drugs. After verifying the email address on various internet forums designed to assert the legitimacy of synthetic drug wholesalers, Brown made contact with a particular laboratory, later identified as Kangshuo Biotech in Suzhou City, Jiangsu Province, China" from which he eventually received packages of Methylone in heavy duty plastic-type bags labelled as "Tungsten". Brown provided LE with all electronic communications he had with his contact at the lab, named "Alice".
The modus operandi for placing an order was quite straightforward and common to most similar cases:
customer makes email contact with "Alice" to confirm pricing and availability;
customer places an order for Methylone via email to "Alice";
customer or sidekick completes wire transfer to "Alice" for payment using Western Union/MoneyGram/other;
customer contacts "Alice" via email to ensure "Alice" has received the funds;
the package is, in general, delivered within five business days to the address provided upon order.
Brown will eventually be sentenced in October 2012 to 121 months in prison.
This somewhat "classic" police work was likely one of the starting points of investigations leading to many more arrests in the following months.
A few days after the search warrant at Brown's residence, "on February 15 2012, the United States Postal Inspection Service (USPIS) notified Hampton Roads Border Enforcement Security Task Force (HR-BEST) of multiple packages originating from Nanjing, China destined for an address on Sampson Place, Portsmouth, Virginia. These packages were identical to packages which had been identified in online purchases of Methylone and other controlled substances from another investigation". Those packages were shipped to an individual named Michael Haddock. The court documents don't provide much information about the Chinese labs the packages originated from, apart from the fact that the parcel contained a sealed Mylar bag containing approximately 1kg of Methylone. On their arrival at Haddock's residence, law enforcement were authorised to search the house and recovered "996.7 grams of Butylone, an analogue of 3,4-Methylenedioxy-N-methylcathinone (Methylone); 653 tablets of Diazepam (which were not the FDA approved, prescribed medication); a total of 13.525 grams of 3,4-Methylenedioxy-N-methylcathinone (Methylone), a Schedule I controlled substance, and 0.840 gram of 4-Methylethcathinone, commonly known as 4-MEC, an analogue of Methcathinone, a Schedule I controlled substance".
A couple of months later, on the 19th of April 2012, a message was posted on the research chemical board Euphoric Knowledge (EK) announcing the arrest of an administrator, w00t, and inviting the members to leave the ship. Ten days earlier, on the 9th of April 2012, an affidavit was filed against Justin Steven Scroggins a/k/a "W00t", a/k/a "Dirk McDiggler" in the Eastern District of Virginia for conspiracy to Import an Analogue Controlled Substance. Scroggins was "initially identified by a Cooperating Defendant (CD#1) in this investigation". "On almost daily basis since March 16, 2012, Scroggins has been observed discussing his use, importation and distribution of various controlled substances to include but not limited to: Cocaine, Marijuana, and various synthetic drugs". On April 5th, 2012, LE monitored a recorded three-way video conference on Skype between Scroggins, CD#1, and an individual using the Skype name "reidtang", discussing importing several synthetic drugs from reidtang's laboratory in China. The drugs would be ordered by CD#1, from reidtang's laboratory, on behalf of Scroggins. Scroggins agreed to send the money to CD#1 so he could place the order. On April 7th, Special Agent (SA) Brian R. Lewis intercepted a "package of U.S Currency being shipped to #CD1 from Scroggins at the Broad Street Post Office in Portsmouth, Virginia" with the tracking number "EI250466728US". Scroggins was arrested on the 10th of April 2012, and word of the arrest spread within the community a few days later, eventually leading to EK's shutdown.
Let's have a short review of the previous events before going further.
Brown, et al. seem to have been nailed due to a controlled purchase. A controlled purchase, as the name implies, is a buy controlled by the LE officers. Depending on the context, LE or an informant, under supervision of LE, will buy the controlled substances from the target and from there secure a search/arrest warrant. There isn't much information about the context of the purchase but we know it involves a Source of Information (SOI) or, put simply, an informant. The Scroggins affidavit is much more explicit, directly mentioning a Cooperating Defendant (CD). There isn't any doubt the CD in this case is Michael Haddock, as the package sent by Scroggins to the CD was signed by M. Haddock. We might never know for sure but, to Haddock's misfortune, he seems to have been collateral damage of the Brown investigation. Indeed, Haddock's statement of facts says that the packages intercepted by the United States Postal Inspection Service (USPIS) were seized as they were "identical to packages which had been identified in online purchases of Methylone and other controlled substances from another investigation". Looking at this map, and given that both Brown and Haddock likely received packages at the same post office, it wouldn't be surprising.
Fast forward to another arrest and a criminal complaint filed in September 2013 against Joshua Buerman for possession with intent to distribute, and distribution of a detectable amount of Methylene, a Schedule I controlled substance, and a mixture and substance containing 4-Methyl-n-ethylcathinone, a/k/a "4-MEC", an analogue of Methcathinone, a Schedule I controlled substance, if intended for human consumption. Buerman first came under the radar of LE in the state of Michigan, in May 2012, when federal agents started investigating a website owned by Buerman, named "fantasiesworldwide.com", selling all sorts of research chemicals using the email address fantasiesworldwide@hushmail.com (screenshot) and described as a "profitable business of importing and distributing illegal controlled substances and controlled substance analogs", some of which was obtained, again, from China. Unlike other court documents, this one provides interesting information about the Chinese source of supply.
"On or about July 12, 2013, the Honorable Frank P. Geraci, Jr, United States District Judge, Western District of New York, issued an order pursuant to Section 2518 of Title 18, United States Code, authorizing the 30 day interception of electronic communications occurring over the electronic mail facility assigned to the address alicechoica@gmail.com (hereafter, "Target Account") an electronic mail (email) account that was created on or about June 2, 2007, under the Registered Account Holder name of Alice Choica. The Account Holder is believed to be living on mainland China. Those contacting this email address generally refer to the user as Alice. Electronic communications were intercepted between approximately 20:37 (GMT) on July 23rd, 2013 through August 22, 2013".
It is not clearly specified how the investigation on Buerman identified Alice as being Buerman's source of Methylone but alicechoica@gmail.com had already been under surveillance for a while. Indeed the criminal complaint mentions that "HSI SA Brian Lewis of Norfolk, Virginia (EDVA) was also investigating a Chinese source of supply of illicit chemicals using the email address alicechoica@gmail.com" and that as early as the 14th March 2012 "a federal search warrant was issued for the Target Account in the Eastern District of Virginia by United States Magistrate Judge F. Bradford Stillman. That warrant resulted in the production of several thousand email communications going to and from the Target Account, all of which clearly demonstrated that the individual utilizing the Target email address was actively distributing controlled substances and analogue substances throughout the United States". Careful readers may have noticed a few important details:
HSI SA Brian Lewis is the same federal agent who investigated Brown, Haddock and Scroggins in the Eastern District of Virginia.
Brown's contact at the Chinese lab was named Alice.
Judge F. Bradford Stillman, who issued the search warrant for the target email alicechoica@gmail.com, is the same judge who signed Brown's affidavit.
Brown's affidavit was filed the same day, 14th March 2012, that the search warrant for the target email alicechoica@gmail.com was issued.
HSI possibly identified the email address alicechoica@gmail.com as a Chinese source of supply of Methylone while investigating Brown and searching through Brown's emails. From there they requested a search warrant for the email address alicechoica@gmail.com.
In total, at least three search warrants and one live interception of emails, in at least two distinct investigations, were issued for the "Target Account" alicechoica@gmail.com between March 2012 and July 2013:
14th March 2012, Eastern District of Virginia issued a search warrant on the Target Account.
September 2012, Unspecified district issued a search warrant on the Target Account.
May 2013, Unspecified district issued a search warrant on the Target Account.
23rd July 2013, Western District of New York authorized a 30 day interception period on Target Account. "Electronic communications were intercepted between approximately 20:37 (GMT) on July 23rd, 2013 through August 22, 2013".
For the latest known period of interception, from July 2013 to August 2013, in "the Western District of New York local agents were responsible for disseminating all investigative leads to the appropriate law enforcement agencies in each affected jurisdiction. In other words because the Target Account routinely provided Tracking Numbers for shipped parcels, Customs and USPS officials were in many cases able to identify a particular mail parcel that was entering the United States thereby giving law enforcement a better opportunity to interdict the package" and coordinate nationwide interceptions and arrests. The tapping of the email address obviously facilitated live interception of packages (using USPS/EMS tracking numbers) and controlled deliveries. The search warrants on alicechoica@gmail.com were just as important for collecting Alice's customer information such as email addresses, shipping addresses, aliases, estimates of the quantity of imported substance, etc.
We will note that two versions of Buerman's affidavit have been published: a complete version, filed the 13th September 2013, and a redacted version, 10 days later, the 25th September 2012. The redacted version is now the "only" version available on PACER. The redacted version of the affidavit is stripped of all information helping identification of the source of supply. DEA agents clearly fucked up here and published much more information than intended, or didn't think of the consequences for other "on-going" investigations, as some people are, as of today, still doing business with this supplier.
What about the Chinese labs?
Kangshuo Biotech - Brown's affidavit mentions a laboratory "later identified as Kangshuo Biotech in Suzhou City, Jiangsu Province, China" as the source of importation. The "Contact Us" page, available on the website, contains a slight discrepancy regarding the laboratory address as two different addresses are listed.
Zhongshan Road, Nanjing City, Jiangsu Province, China
Laodong Road, Suzhou City, Jiangsu Province, China
The electronic contact details being similar and the same website being used, it might also be because Kangshuo Biotech has two laboratories in different locations. We will notice that the contact person is listed as Alicia, while Brown's affidavit mentions ongoing correspondence with Alice. This, and the fact that others link Kangshuo Biotech with alicechoica@gmail.com, should convince us that one of the points of contact for this lab is alicechoica@gmail.com.
In another case involving the importation of Methylone from China (also investigated by SA Brian R. Lewis in the Eastern District of Virginia between August 2012 and October 2012), United States of America v. Moore, Taylor, Walke, the affidavit says that in "a subsequent search of Taylor's vehicle, pursuant to the search warrant, several envelopes containing bank statements were retrieved. In reviewing these records, two wire transfers to Kangshuo Biotech's account at the Shenzhen Development Bank in China were discovered. Kangshuo Biotech is the laboratory that was contacted by Moore and Taylor, and the same laboratory responsible for shipping packages of Methylone to Moore from China. A review of the traffic between mirandabailey@hushmail.com and Kangshuo Biotech shows that the bank wires correspond to orders of Methylone placed by Moore and Taylor". Kangshuo Biotech is mentioned again as the Chinese source of Methylone.
KaiKai Technology - Buerman's court documents don't clearly specify the name of the laboratory used as wholesaler; however, the operator of alicechoica@gmail.com instructs Buerman to do a Western Union transfer matching the address of a lab named KaiKai Technology. The contact page of Nanjing KaiKai Technology, as of today, displays a different address, but older references to the address, as mentioned in Buerman's affidavit, can be found here, here or there. You will also notice that two different contact persons are associated with the lab: Kevin Peng (kevin.pengchem@gmail.com, kevinpengchem@hotmail.com) and Alice Choi (which we can safely assume is the account holder of alicechoica@gmail.com).
Jiangyin Abigale Chemical - The recorded Skype conversation from the Scroggins affidavit involved, at least, MrMike, w00t and an individual going by the name reidtang (some say another Euphoric Knowledge administrator known as WipedOut might have been part of it). Reidtang is easily associated with Jiangyin Abigale Chemical Company, Jiangsu Province, China. The lab is linked to the email address reidsales@hotmail.com and lists reidtang as Skype contact. We also know, thanks to the lovely "Tips tricks and tidbits from your husband: Mr. Mike", that Haddock was using at least 3 different suppliers. It shouldn't come as a surprise that one of the other labs Haddock ordered from at some point in the past is associated with good old alicechoica@gmail.com. Indeed MrMike reviewed alicechoica@gmail.com several times between May and December 2011. Unsurprisingly, w00t was also alicechoica@gmail.com's customer, as shown by this comment from November 2011.
Shanghai Yidai Cosmetic - Shanghai Yidai Cosmetic is mentioned in Buerman's court documents in relation to two other cases. It is not really clear if it is a laboratory or just a company name used on the label of the packages. Robin Gattis' superseding indictment refers to suppliers suggesting to "add a fake company name", which would suggest it is common practice. In any case, "about February 7, 2012, a package arrived at the CBP Port of Entry (POE), Anchorage, Alaska, from SHANGHAI YIDAI COSMETIC CO LTD, Shanghai, China. The package was addressed to Brad Vannater", Buerman's partner at FWW, in Michigan. "The package was manifested as containing matt hardener and had a listed weight of one (1) kilogram. The package cleared CBP and was not seized". One day earlier, that is February 6, 2012, "another package manifested as 'matt hardener' was shipped from the same Chinese company, SHANGHAI YIDAI COSMETIC CO.LTD. through the POE, Anchorage, Alaska. This particular package was being shipped to Robin Gattis, Wasilla, Alaska. Unlike the package sent to VANNATTER, the package shipped to Gattis was actually seized and searched by CBP, pursuant to their border search authority. According to HSI Special Agent Ty Bishop (Anchorage, Alaska) the 'matt hardener' tested positive for Methylone". The package seizure was followed by a controlled delivery and arrest of Gattis. Court documents show that Gattis' Chinese source was using the email address rcsupplier0526@gmail.com. This email address has also been associated with a lab named defchem and other websites like http://www.ur144.net. Buerman's affidavit only mentions alicechoica@gmail.com as the source of importation of methylone. Does it mean Shanghai Yidai Cosmetic is also related to Alice, or that Buerman was using multiple labs? The latter would have our preference, but it doesn't exclude the other possibility. MrMike and w00t were also linked to rcsupplier0526@gmail.com as shown here and there.
Buerman's affidavit also says that "additional research conducted by CBP Officer Witt revealed that on March 29, 2012, CBP, POE Cincinnati, Ohio seized 504 grams of Methylene that was sent from the SHANGHAI YIDAI COSMETIC CO to a recipient unrelated to the investigation into Fantasy Worldwide. The shipment was also manifested as 'matt hardener'". Unfortunately we didn't manage to locate a case referring to this interception.
Anyway, looking at the labs in a bit more detail, it appears that email addresses like alicechoica@gmail.com, rcsupplier0526@gmail.com and others act as "brokers" or "middle-man/woman" between the customers and the labs and are not necessarily associated with one single laboratory. It is also obvious that the previously mentioned middle men/women were (still are?) extremely popular over the years and have been used on a regular basis as the main source of supply by multiple RC vendors. For example, the different email addresses and contact details of Alice, KaiKai Technology or Kevin Peng have a total of more than 300 ratings and reviews on specialised websites. Last but not least, the labs are all located quite close to each other and seem to be clustered around specific areas in China, which greatly helps package identification by law enforcement.
We started with that Daily Mail article and the self-proclaimed King of the RC industry, Eric Zhang, so we might as well close that chapter with him. If you wondered if Eric Zhang made it to Eric-99, you will be interested to know that he was apparently arrested, back in December 2012, in China and is still wanted in the US after having been indicted in June 2012. A winner.
Now, how is everything we discussed so far related to Silk Road? To be honest we don't really know, but we thought it would be interesting to look at other cases involving the importation of Methylone from China since the known Silk Road vendors investigated by the Marco Polo Task Force and indicted in Maryland, namely Jacob Theodore George, David Lawrence Handel, and Sheldon Kennedy, share the common characteristic of having imported Methylone on a large scale from China and sold it on the Road.
Jacob Theodore George IV a/k/a "Digitalink" is allegedly the first Silk Road vendor to have been arrested by the Marco Polo Task Force, sometime in January 2012 (or maybe November 2011, depending on how much you trust what is being thrown around). One sure thing is Digitalink already had a past history with law enforcement. After his latest offence in 2009 he was sentenced to 3 years of jail, in May 2010, which was suspended for some reason, the court only ordering him to "abstain from Heroin and illegal drugs".
Digitalink registered on the Silk Road forum in June 2011. A month later, in July 2011, he received a "love letter" for a package containing Methylone seized by USPS. Despite the advice from other forum members not to claim the package and to forget about it, Digitalink claimed ownership and got it re-delivered (original thread available here). Eventually, on the 19th January 2012, after repeated recent arguments with customers, he decided to close down his shop. You can read about Digitalink's Silk Road "history" on Reddit or here if interested in more details.
Kennedy's indictment mentions a Confidential Source (CS) in Maryland who started cooperating with Homeland Security Investigation in November 2011. "Starting in November 2011, agents with Homeland Security Investigation conducted several interviews with a source in Maryland (CS-1). CS-1 had been selling illegal drugs on Silk Road. CS-1 explained how Silk Road worked to the agents, and voluntarily provided access to CS-1's Silk Road accounts, email accounts, and Bitcoin account that documented CS-1's own involvement in Silk Road. CS-1's computer was also found to contain CS-1's "customer records", including names and addresses of hundreds of individuals (in the United States and other countries) that receive drug shipments from CS-1. Agents assumed the online identity of CS-1, including CS-1's Silk Road user account". The timeline, the fact that Jacob Theodore George IV is from the Baltimore area and the fact that he was described by ICE HSI Special Agent in Charge William Winter as "the first vendor on Silk Road selling illegal drugs to be arrested" would point toward Digitalink as being the CS. As much as we genuinely think the CS mentioned in the document is Digitalink, some things are just not right in the way it is presented in the court document.
Indeed, going through Digitalink's forum posts in November 2011, December 2011 and part of January 2012, it seems to be business as usual: giving away samples, putting up new listings, getting good feedback from customers, and no obvious complaints. It doesn't really fit the profile of a law enforcement managed account. Surely if he was taking orders and not shipping the product, buyers would have complained, as actually happened at the end of January 2012 around the time Digitalink was arrested (18th January 2012, according to the indictment, thus a day prior to announcing he was closing his shop on Silk Road).
Also, as shown in other indictments and affidavits, law enforcement doesn't hesitate to go back as far as possible in time to get the maximum charges when they have the opportunity to do so (the Buerman and Taylor cases being perfect examples). Digitalink was an early vendor on Silk Road, and started vending around July 2011, so why would he be charged only from November 2011, as is the case in the indictment? We first thought it was because Methylone was still legal in Maryland before November 2011, but that wouldn't work out well since the "Federal Analog Act" passed in 1986 and Digitalink would definitely not get away with "I was selling/buying methylone for plants, trust me mister officer it is not for human consumption". LE might just have ignored the July - November period as Digitalink cooperated during the investigation.
A footnote in Kennedy's affidavit says that "CS-1 was initially not truthful about being a drug dealer on Silk Road. CS-1 was also arrested because he continued to use illegal drugs after his first interview with agents. However, the information provided by CS-1 relied upon in this affidavit has been corroborated by agents' review of the CS-1's Silk Road and email accounts, and files contained on CS-1's computer", which we understand as follows: the CS must have had interviews with HSI agents sometime in November 2011 for an offence not immediately correlated with Silk Road (maybe related to the July seized package or another package intercepted) or simply unrelated to Silk Road (probation violation), walked free pending further investigation, but continued vending on Silk Road until his arrest in January 2012. Jacob George's plea agreement seems to support this hypothesis as "In January 2012, the defendant voluntarily admitted to federal agents with Homeland Security Investigations that he acquired and sold drugs as described above" and "The records corroborated his statement that he had received three shipments of methylone from China since November 2011, with a combined quantity totalling more than 570 grams".
Digitalink received three shipments of Methylone from China between November 2011 and January 2012. He refers to the "re-stock" openly in his vendor thread on the 19th November 2011, the 20th December 2011 and around the 30th of December. The fourth shipment doesn't seem to have made it to its final destination and Digitalink suspected his package had been seized after it stayed a few days in customs. Five days later he would be arrested by HSI Baltimore, or what became the Marco Polo Task Force. If you've made it so far and peeked at some of the affidavits and complaints from other cases you should have an idea of what might have happened (the search warrants and analysis are provided below as examples and are NOT related to the Digitalink case):
CBP officers (or United States Postal Inspector) intercepted a suspicious package from China.
A federal search warrant was applied for and received to search the content of the package.
The seized parcel was opened and examined by CBP officers (or United States Postal Inspector).
An "unknown" white powder was found and a CBP Laboratory Analyst conducted a preliminary on-site screening analysis, which indicated the unknown white powder contains Methylone (4methylenedioxymethcathinone), a Schedule I Controlled Substance (An emergency ban was put into place by the DEA on 21 October 2011).
The suspected drugs were seized and replaced with another substance.
An order authorizing the installation and monitoring of an electronic alerting device and global positioning system (GPS) tracker was obtained from a magistrate.
Law enforcement officers executed a controlled delivery of the suspect parcel (from the post office, or directly at the address indicated on the package).
Upon opening of the package, law enforcement arrested the suspect(s).
Another possibility that could explain the bizarre timing and how Digitalink potentially became a CS is his background in the "P2P scene". One of the first messages of Digitalink on the Silk Road forum was about him being the "leader" of the EP1C/T0XiC-iNK movie release group. In July 2011, to add insult to injury, Digitalink posted a message with a PGP key associated with the email address digital.ink@live.com, which can easily be linked to his P2P activities under the name iNK. In a nutshell, Digitalink was part of different release groups under the multiple nicks KoOlWaReZ, EP1C, T0XiC-iNK, iNK or DiGiTALiNK. Back in 2011 he got accused of having snitched on several other members of the scene, the highlight being the arrest of former partners, the iMAGiNE release group, in September 2011 when an "ICE joint operation got them" according to Digitalink. You can read about Digitalink's background in the P2P scene here (screenshot) and will notice he was already kind of infamous back then. Not sure which way around it worked out, and it is kind of irrelevant, but the iMAGiNE bust would have been a good enough reason to pay a visit to Digitalink due to his past relations with iMAGiNE, regardless of whether he cooperated with law enforcement before September 2011 or not. To be honest it is quite difficult to find out how much of this story is true, but we found the information worth mentioning regardless.
Digitalink's forum account was active until the 26th of January 2012, almost 10 days after his arrest, which would confirm what is being said in Kennedy's affidavit: that "Agents assumed the online identity of CS-1, including CS-1's Silk Road user account".
Another individual reported arrested by the Marco Polo Task Force is David Handel. Kennedy's affidavit explains that "other individuals charged in the District of Maryland in connection with the Marco Polo task force include Jacob Theodore George IV (CCB-13-0593), Curtis Clark Green (CCB-13-0592), and David Lawrence Handel (CCB-13-0313)". A particularity of Handel's court documents, contrary to George's or Kennedy's for example, is that there is neither a reference made to Handel being a Silk Road vendor nor a nickname associated with his identity. The only element linking him to Silk Road is the Marco Polo Task Force, which, as far as we understand its role, was/is dedicating resources to investigating the drug trade surrounding the hidden service. Handel seems to have been arrested around the 22nd of August 2012 and was charged with distribution and possession of research chemicals, namely Methylone, 2C-E and 2C-B. Another charge includes "use and carry a firearm, that is a Glock 26, Serial Number SRP018, during and in relation to a drug trafficking crime" (the terms "use and carry a firearm" are different than "brandishing and discharging a firearm", see Bailey v. United States for more information, as the terms "use a firearm" seem open to lengthy discussions and interpretations). This second count in the indictment would suggest Handel was actively retrieving (or selling) the drug while carrying a firearm, on him or in his car, rather than chilling at home waiting for a disguised postman carrying a controlled delivery.
Going through the old Silk Road forum, we found an interesting vendor profile who shares similarities with what is known of Handel from his indictment and could be his Silk Road alter ego a/k/a davidd:
davidd was a big and reputable vendor selling research chemicals. By February 2012 he was "ranked #31 out of 298 sellers with 99.6% positive feedback from more than 500 transactions".
His last post on the forum is around the 6th of August 2012, three weeks before Handel's arrest.
On the 30th of September 2012, limetless, at the time still forum moderator, posted a message he received from an acquaintance of davidd saying that davidd had been arrested "Aug 21-22 when he went to pick up at LEAST a kilo of 2c-e. I believe his suppliers were busted as many Chinese labs have been busted recently as a product of Operation Log Jam".
Like the profile pages of Digitalink and edgarnumbers, who we know were arrested by the Marco Polo Task Force, davidd's vendor page was apparently modified to sell a kilo of methylone. Unfortunately we couldn't find davidd's kilo of methylone with a picture, but we are inclined to believe it was probably very similar to the edgarnumbers and digitalink "featured listings" picture with a transparent ziploc bag on a DEA/FBI/HSI evidence table, right? Edgarnumbers' and digitalink's vendor pages were backed up by Stexo on the 21st of June 2013 and we can notice that both vendors were "seen" the same day for digitalink and a day before for edgarnumbers, strongly suggesting both accounts were still active (we will discuss the edgarnumbers timeline briefly below, for the nerds out there who spotted an inconsistency). We don't have the information for davidd, but a different conclusion would be surprising.
Law enforcement obviously tried to make the most of the accounts they took over after an arrest, by listing bulk, which increases the chances of catching a reseller, and by contacting other Silk Road users to secure deals privately, the goal in both cases being to get a delivery address to work with. Almost a month after davidd's arrest, limetless was contacted by what he thought was davidd for some MDMA business (full thread). The operator of davidd's account was slightly pushing to get limetless to send him a delivery address so he could send a sample of the product. Limetless almost fell for it, but luckily for him, a post on the "rumour mill" forum saved his ass (full thread).
Last but not least, Sheldon Kennedy a/k/a edgarnumbers was also investigated by the Marco Polo Task Force and indicted in the District of Maryland. As with Digitalink's indictment, we would also define this one as "bizarre" from a timeline point of view. LE apparently got edgarnumbers' shipping address and name using information provided by a confidential source (CS-1 likely being Digitalink, as already discussed), implying that CS-1 sold drugs to Kennedy and thus had his dox, which was probably found on CS-1's computer. From there LE agents went through background and records checks on Kennedy, revealing for example that a package originating from China and addressed to Kennedy had been intercepted on January 6th 2012, along with other information about Kennedy's online footprint found through online searches (social media and Gmail accounts). The indictment also reveals buys made by LE from edgarnumbers, including drugs and weapons, part of the "100 individual undercover purchases of controlled substances from Silk Road vendors" made by law enforcement agents between November 2011 and September 2013.
The problem with the affidavit version is that we know the package intercepted on January 6th 2012 and mentioned in the affidavit originated from China and was shipped by one of the friendly Chinese labs discussed in The 中文 Connection and under close monitoring from LE starting in March 2012 (it could possibly be earlier). It is not stated in the court document what happened to the seized package, but Kennedy received a love letter a month after the interception, on the 3rd of February 2012. The way the affidavit is put together would make one think the interception resulted from the information provided by CS-1, which is probably not the case, as Digitalink (if he is CS-1) was likely not cooperating yet at the time. Agents in Maryland learnt about that interception from CBP during a background check on Kennedy's name and address at a later point in time; sometime in March 2012 would be an educated guess. This tells us that by February 2012 the Marco Polo Task Force probably knew neither that Kennedy was vending on Silk Road nor that he was using the alias edgarnumbers. Otherwise the interception of the package would probably have resulted in a controlled delivery and made him, on the same occasion, the first Silk Road vendor arrested, in early January 2012, an occasion not to be missed.
Another element which raises questions about the accuracy of the affidavit is the execution of the search warrant at Kennedy's residence, which supposedly happened on the 28th of June 2013, more than a year and a half after the package was intercepted by CBP in San Francisco and a year after edgarnumbers was allegedly seen "taking packages to the Post Office", packages which were again intercepted by HSI and a USPS inspector on the 7th of May 2012. It doesn't make sense to spend time on surveillance, background and record checks through the first half of 2012 and execute a search warrant almost a year after, which would have been plenty of time for the suspect to clean up evidence. In our opinion, the search warrant was executed much earlier. It is possible that it is an error/typo from the agent who wrote the affidavit and the search warrant was in fact executed on the 28th of June 2012. Moreover, you would expect LE to want an informant and/or a vendor account to work with as early as possible in the investigation rather than later.
We've also searched for the Bitcoin transactions mentioned in the affidavit as it is said that "on or about April 5, 2012, and undercover HSI agent purchased a gram of cocaine from Kennedy, for 21.28 Bitcoin" and "on or around May 24, 2012" another "agent paid 151.08 Bitcoins" for a Glock 26. However, none of the transactions could be located on the blockchain. We've also looked at other close enough dates around the time frame without success (if you have more luck, feel free to contact us).
A few final, random thoughts to wrap up:
In real-life investigations (as opposed to online ones), the DEA mostly builds cases through informants. It seems that the recipe for online investigations is very similar and didn't require much change of habits. Orders (buy/walk), informants, account takeovers (undercover), sample addresses (package interception) and controlled deliveries are the main tools available and used.
In most of the cases we reviewed, the suspect targeted by the investigation waived his Miranda rights and cooperated with LE in one way or another after the first interview. Gentle reminder that it is in your own interest that you Don't talk to the police whatever happens. At least be prepared not to, even when caught red-handed. If a collaboration is an option or could help, let your lawyer play the game.
Affidavits and other criminal complaints only contain information sufficient to establish probable cause of a crime so a judge will provide a search/arrest warrant.
Affidavits are written in such a way that one can believe an action A is the result of B where in reality both are unrelated. Don't trust them, read between the lines when possible and remember the DEA operates parallel construction.
Looking for other Silk Road vendor profiles selling Methylone in bulk from the US, with that ziploc bag on a white-ish table, would probably show other Silk Road vendors who have been arrested/compromised by the Marco Polo Task Force → Search for this if you have a backup of vendor pages.
Offering samples is an easy way for LE to source delivery addresses.
Using the same alias as vendor and buyer must obviously not be done but it is our opinion that using the same shipping address is risky. Assuming a buyer address is found by LE after a vendor is arrested, LE will likely run a background check (CBP for example) on the name and address, with the possibility it shows up as well in other intercepted communication (Chinese lab for example) or increase the risk of package seizure in general. To be avoided.
Encryption of all communication is mandatory and should never be seen as optional, as LE wiretaps communications and backlogs to add charges through email searches etc.
There is no such thing as avoiding ownership of a package by not signing for it. If the package is accepted and opened, it is yours and you'll have to deal with the mess; don't be fooled into thinking one is safe by not signing when accepting a delivery. Grugq's Hacker OPSEC site also has tips and tricks worth reading on packaging.
Don't keep your stash where you get your packages delivered, or make sure it is clean upon delivery.
LE will add charges if firearms are found near drugs (in the same room for example). They call it the "weapon enhancement" and will try to connect the weapon with the drug offence, as it is well decided that a handgun, as opposed to a rifle or other long gun, is a drug dealer's weapon of choice due to its ability to be concealed and its deadly force if needed.
Reality shows that no one will go to jail for you. You may as well put all the chances on your side so if a partner or someone you've made business with is busted it will affect your liability as little as possible.
Ordering research chemicals from Chinese laboratories in the Shanghai/Jiangsu area likely increases the chances of seizure/interception by CBP.
As always, everything found on this page should be taken with a pinch of salt, you have been warned.
09/10/2012 - CaptainMal starts a BTC Exchange Service on Silk Road as a vendor. F
17/10/2012 - User Inigo registers an account on SR forum. F
03/11/2012 - User Flush registers on the SR Forum. F
19/12/2012 - StExo’s last post on the forum for close to 5 months. (He also deletes all public posts from this date and prior. Next post is in public keys on May 7, 2013). F
07/05/2013 - StExo’s first public post in close to 5 months; He posts two new PGP public keys. He has visibly edited as "< removed >" 37 prior pages of posts. F
29/05/2013 - StExo announces his “scraping the Road” project, hosted on FreedomHosting, explains this is an archive of all vendor pages so that buyers can still access vendors in the event of emergency. F
07/10/2013 - A meeting is held between StExo, Astor, moderators from the original Silk Road (Libertas, SSBD, Cirrus) and others (described as contracted devs) to discuss a Silk Road replacement (Note that Inigo was apparently AWOL and thus not present). F
07/10/2013 - A meeting between an infiltrated Homeland Security Investigations undercover agent (HSI-UC), DPR2, and others is held on a new Tor based discussion forum concerning the potential creation of a Silk Road 1.0 replacement (screenshot p13). NY
07/10/2013 - New Silk Road 2.0 forum opens and DPR2 posts a message to the SR2 Forum inviting prior vendors to participate. F
08/10/2013 - The account V is created on the Silk Road 2 forum 6. F
08/10/2013 - The account Libertas (Global Moderator) is created on the Silk Road 2 forum. F
08/10/2013 - The HSI-UC is given moderator privileges on the new forum (screenshot p13). NY
08/10/2013 - DPR2 posts a message about "security consideration" on Silk Road 2 forum but signs the message as StExo9Inigo. F
09/10/2013 - The account Cirrus (Global Moderator) is created on the Silk Road 2 forum. F
09/10/2013 - The account Sarge (Global Moderator) is created on the Silk Road 2 forum 7. F
09/10/2013 - The account ChemCat is created on the Silk Road 2 forum. F
09/10/2013 - Message from DPR2 listing the current moderators and administrators "Libertas, Cirrus and Sarge are all global moderators. Dread Pirate Roberts and Inigo are administrators." F
10/10/2013 - The account DoctorClu is created on the Silk Road 2 forum 8. F
13/11/2013 - Account Defcon created on the Silk Road forum. F
13/11/2013 - HSI-UC observes an individual using the alias Defcon being promoted as administrator on the SR2 Forum (screenshot p14). NY
13/11/2013 - Defcon posts first message to SR2 forum to "check in". F
20/11/2013 - Blake Benthall sends to himself an email containing links to private messages viewable only by members of the SR2 forum. NY
XX/12/2013 - Defcon became involved in owning and operating an underground website, "Silk Road 2.0" (screenshot p18). NY
01/12/2013 - Start-up close.co is searching for a Senior Engineer with experience with software development and Ruby on Rails. M
06/12/2013 - DPR2 updates the list of mods: Administrators: Dread Pirate Roberts Defcon; Global Moderators: Libertas Synergy Cirrus Inigo Sarge; Newbie Guide: ChemCat. F
12/12/2013 - SR2 member DoctorClu starts launching a "denial-of-service" attack on Tor Market, a competitor of Silk Road 2. F
13/12/2013 - Defcon and DPR2 discuss administrative issues, such as an alternate onion address to be made available while the site experiences heavy traffic. Defcon asks DPR2 to sign the message with his PGP key. NY
19/12/2013 - Alleged girlfriend of a moderator/administrator of Silk Road posted a message on Reddit saying her boyfriend just got arrested. M
19/12/2013 - SR vendor posts a message from another allegedly arrested vendor hinting at the fact Silk Road was infiltrated by LE. F
20/12/2013 - A post from Dread Pirate Roberts on the "journalist" subforum of Silk Road reveals Inigo, Libertas and samesamebutdifferent (SSBD) have provided their real identity upon request of the original DPR before taking their administrator positions. The post also seems to confirm SSBD was also a Silk Road 2 administrator under the name Synergy. F
20/12/2013 - DPR says to his staff that he has "no reason to be offline for any period greater than 24 hours" and that "If such time elapses (24 hours)" where he doesn't appear online everything associated with him should be considered compromised. F
22/12/2013 - Cirrus posts the Vendor Portal url (http://vx3w763ohd256iyh.onion/login) on the forum, following Libertas, ssbd and Inigo's arrest. F
23/12/2013 - V and DoctorClu are appointed global moderators of the forum. F
23/12/2013 - DoctorClu joins the SR2 staff with a starting salary of $750 per week (the weekly salary later climbed to about $1,750). WA
28/12/2013 - Defcon posts to the SR2 forum announcing that he has taken control of the marketplace but didn't receive from DPR2 the key of the cold escrow storage wallet. F
28/12/2013 - Forum member Tang joins the moderators team as "Newbie Guide" and a long time forum member joins the Silk Road staff under the alias Stealth. F
XX/01/2014 - An FBI NY Source of Information (SOI) starts providing Law Enforcement with reliable IP addresses for Tor and hidden services such as SR2, which included its main marketplace URL (silkroad6ownfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). WA
02/01/2014 - Defcon posts a message in the Vendor only forum that Minnesota based vendors should destroy evidence and temporarily stop vending due to the FBI preparing a large darknet-related operation based on intelligence received from two informants. F
05/01/2014 - Defcon informs the community DPR2 has returned the key of the "majority of the cold escrow storage wallet". F
05/01/2014 - Defcon posts a message in the vendor only forum bragging that Silk Road 2.0 was the largest black market while also urging buyers to encrypt their addresses for all purchases. F
10/01/2014 - Defcon posts a message in the vendor only forum announcing a "priority list" in administering Silk Road 2.0. The top priority was the need to conceal the servers and protect them from seizure by law enforcement. F
14/01/2014 - Defcon posts to SR2 forum that he is in control of the commission rates. F
23/01/2014 - HSI-UC starts receiving regular payments from Defcon for work done supporting the site (screenshot p18). NY
28/01/2014 - Defcon and DPR2 chat about "btcking" arrest, compensation for DPR2 for time spent running the site, and access to private keys and accounts of DPR2 (screenshot p22). NY
XX/01/2014 - Benthall purchases a $127,000 Tesla Model S including $70,000 of payment in BTC (screenshot p26). NY
18/02/2014 - Researchers at CERT (part of the Software Engineering Institute at Carnegie Mellon University) submit a presentation proposal to Black Hat, proposing to discuss a new identification attack on Tor. M
19/02/2014 - Defcon announces commission rate will be five percent. F
16/03/2014 - Defcon posts to the support staff section of the SR2 forum asking for the staff to analyze other black-market sites to identify "bulk vendors and high-volume vendors" who could be recruited to Silk Road 2.0 (screenshot p19). NY
17/03/2014 - Defcon posts to the support staff section of the Silk Road 2.0 forums asking staff to brainstorm ways to grow the vendor userbase. One moderator (Moderator-1) responds that they should focus on certain types of narcotics vendors, such as heroin, prescription pills, cocaine, and bulk cannabis. Another moderator (Moderator-2) suggested focusing on vendors who previously sold the products mentioned by Moderator-1 on Silk Road 1.0 but had not become vendors on Silk Road 2.0 (screenshot p19). NY
06/04/2014 - HSI-UC observes Defcon login to the Silk Road customer support interface using a specific version of the Google Chrome web browser and OS X. Further records provided by Exchanger-1 show Benthall logging into Bitcoin Account-1 using the same Chrome and OS X versions (screenshot p27). NY
22/04/2014 - Defcon accesses account invoices for SRv2 server at hosting provider from Las Vegas Hotel ("Hotel-2"). Based on hotel records, Benthall was a guest at "Hotel-2" and used Email blake@benthall.net to register. NY
XX/05/2014 - The FBI identifies a server they believe to be hosting Silk Road 2.0 (screenshot p21). NY
08/05/2014 - Defcon announces further efforts to expand the Bitcoin infrastructure's ability to process more cash deposits per minute while preserving anonymity. Defcon sends a private message to the staff describing updates made to the infrastructure, which includes protecting sensitive information from being recovered if the servers were seized by LE. F
30/05/2014 - SR 2.0 server imaged by foreign (Dutch?) law enforcement (screenshot p21). NY
30/05/2014 - Benthall was sent 24 notifications noting that the server was offline. Following the alerts Benthall submitted a customer support message from an IP address ending with ".116" (IP Address-1) saying the server srv2.close.co hasn't been responding for several hours. Benthall requests that the provider does not reboot the machine. This may indicate critical programs being stored only in RAM (screenshot p23). NY
30/05/2014 - IP logs obtained from Google for Benthall Email Account-1 indicate that the user logged into the account from IP Address-1 (screenshot p24). NY
XX/06/2014 - Black Hat accepts the presentation and posts an abstract of the research, referencing the vulnerability and saying the researchers had carried out the attack in the wild. M
10/06/2014 - Benthall sends support request to hosting provider from IP address ending in ".6" (IP Address-2) which belonged to a hotel in South Lake Tahoe, California ("Hotel-1") (screenshot p26). NY
10/06/2014 - Review of Benthall Email account-1 showed he was a guest at Hotel-1 (screenshot p26). NY
29/06/2014 - Oracle, presenting himself/herself as a former Silk Road consultant/friend, publishes its "memoirs". M
04/07/2014 - Tor Project discovers the ongoing attack, ejects the attacking relays from the Tor network, and starts developing a software fix to prevent the attack. The discovery was aided by some hints that the Tor team was able to extract from the CMU/CERT researchers. M
21/07/2014 - Blackhat talk by CMU/CERT researchers about Tor Deanonymization removed from schedule at request of SEI/CMU lawyers. M
30/07/2014 - Tor Project announces a recently discovered vulnerability. M
30/07/2014 - Defcon posts in admin area of SR2 forums that he is arranging to change the server hosting due to the recently announced vulnerability in Tor. The website goes temporarily offline during the migration to the new server (screenshot p15). NY
30/07/2014 - Homeland Security Investigations (HSI) Seattle receives information that a user associated with IP address 67.182.142.24 accessed the vendor portal of SR2. Records reveal the IP address was associated with a Comcast internet account registered to Steve Phelps at 4238 163rd Avenue SE - Bellevue, WA 98006. WA
XX/07/2014 - Emails in Benthall inbox Account-1 show that since November 2013, Benthall sought to sell $45,000 worth of Bitcoins (screenshot p26). NY
XX/07/2014 - The NY FBI Source of Information "stops" providing IP addresses related to the SR2 investigation. The SOI’s information ultimately led to the identification of the SR2 servers, which led to the identification of at least seventeen black markets on TOR. The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. WA
13/08/2014 - HSI agents initiate surveillance activities at the Bellevue residence. WA
10/09/2014 - Defcon tells support staff that a computer hacker had stolen all of the Bitcoins from the marketplace server and explains that the stolen funds were held on the server to cover user balances available for withdrawal (screenshot p17). NY
10/09/2014 - Defcon provides his support staff with the Bitcoin address to which he believes the hacker transferred the stolen funds. Possible BTC address is 1rundZJCMJhUiWQNFS5uT3BvisBuLxkAp (screenshot p17). NY
11/09/2014 - reddit user sraccount1234 speculates that SR2 has been "hacked" again. M
11/09/2014 - Defcon talks to HSI-UC about reopening Silk Road 2.0 (screenshot p17). NY
11/09/2014 - Defcon tells HSI-UC that the site needs to recoup 2,900 Bitcoins to cover the loss and he would donate 1,000 of his own Bitcoins to provide liquidity. Defcon acknowledges the site has ~ 150,000 monthly active users and estimates that it will take 3 months of commission payments to recover 1,900 Bitcoins of the theft (screenshot p17). NY
12/09/2014 - Pursuant to a judicial order issued the previous day, FBI starts collecting pen register data for Blake's residence IP address (screenshot p29). NY
14/09/2014 - End of the pen register data collection and surveillance. NY
10/10/2014 - Defcon posts to support staff section of SR2 forum that the site had recouped 1,000 Bitcoins (screenshot p18). NY
XX/10/2014 - HSI-UC observes communications by Defcon that indicate Silk Road 2.0 was generating at least $8m in monthly sales and $400,000 in commission. NY
28/10/2014 - To date, Benthall has received a total of 575.58 Bitcoins into Bitcoin Account-1 and converted 543.63 into USD. (screenshot p26). NY
29/10/2014 - Sealed complaint against Blake Benthall filed on PACER. NY
05/11/2014 - Benthall's apartment is raided by the FBI. Law enforcement found $100,000 cash in the apartment and an unencrypted PC. M
07/11/2014 - Complaint filed in the Southern District of New York against "Any and all assets of the following darknet market": Silk Road 2.0, Alpaca, Black Market, Blue Sky, Bungee54, Cannabis UK, Cloud Nine, Cstore, Dedope, Executive outcomes, Fake ID, Fake Real Plastic, Farmer1, Fast Cash!, Hackintosh, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards Team, REPAAA's Hidden Empire, Smokeables, SOL's unified USD conterfeit's, Super Notes Counter, The Green Machine, Tor Bazaar, Zero Squad. NY
07/11/2014 - Bulgaria’s State Agency for National Security (SANS) shuts down 129 "hidden websites" as part of Operation Onymous. M
09/11/2014 - Bulgarian hosting provider VPSBG denies contact with Bulgarian State Agency for National Security as part of the Operation Onymous which shut down 129 online hidden services hosted in Bulgaria.
10/12/2014 - HSI agents, assisted by a US Postal Inspector, visit several US Post Offices near the Bellevue residence and show the postal employees pictures of Phelps and Farrell. WA
20/12/2014 - Farrell is stopped at Chicago O'Hare International airport and interviewed by US Customs and Border Protection Officers and Homeland Security Investigations Special Agents. Farrell was found to be in possession of many digital devices. Farrell's computers, phones, and digital media were detained for further review and forwarded to HSI-Seattle. WA
22/12/2014 - Law Enforcement approaches Phelps and Farrell at the Bellevue Residence for questioning. Farrell said he was familiar with Silk Road but denied ever buying or selling drugs on Silk Road. According to Phelps, Farrell receives packages on a daily basis from UPS, FedEx and USPS. On at least one occasion Phelps kept such a package. WA
23/12/2014 - Phelps voluntarily surrenders a package containing 107 Xanax pills to law enforcement. WA
02/01/2015 - Agents execute a search warrant at the Bellevue residence. During the course of the search, agents seized various computer media, various prescription medications, drug paraphernalia, silver bullion bars valued at $3,900 and approximately $35,000 US currency. After maintaining he didn't know much about SR2, Farrell stated "You're not going to find much of a bigger fish than me, my moniker on Silk Road is 'DoctorClu'" and said he was the support manager and worked as "Defcon's" right hand man. WA
04/02/2015 - Sealed Document as to John Doe signed by Magistrate Judge Ronald L. Ellis filed in Blake Benthall case related to Silk Road 2. NY
12/10/2015 - Government provided Farrell's defense counsel a letter indicating that "Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0”. WA
11/11/2015 - Tor project accuses the FBI of having paid Carnegie Mellon University (CMU) researchers to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. M
24/02/2016 - The judge in the criminal case against Brian Farrell (a/k/a DoctorClu) confirms that Carnegie Mellon University attacked Tor and was subsequently subpoenaed by the FBI for the IP addresses it obtained during its research. M
After the arrest of Dread Pirate Roberts (DPR), the administrator of the online black market Silk Road (SR), and the chaos that followed, former Silk Road vendors and moderators, despite warnings and doubts about the legitimacy of the whole endeavour, decided to regroup on what would become the Silk Road 2 Forums to organise the rise of Silk Road 2.0. A new Dread Pirate Roberts, who was quickly dubbed DPR2 and who many whispered was the well known SR user StExo, emerged to captain the old SR crew and sail the replacement site to calmer waters. SR2 would successfully open on the 6th of November 2013 and operate without many troubles until the 19th of December 2013. On this date, three former SR administrators and moderators, Inigo, Libertas and SSBD, were arrested in an organised law enforcement (LE) operation which should have shut down Silk Road 2.0 for good. Much to the surprise of many observers, the arrest didn't affect the trust of the vendors and buyers in the marketplace, and shortly after a new administrator, going by the username Defcon, took over the "management" of the site with a new team of moderators. However, from there it was all downhill with myriad scams, thefts, hacks and other drama. Eventually LE seized both the Silk Road 2.0 marketplace and the forum with the arrest of alleged administrator Blake "Defcon" Benthall. Upon release of the complaint against Blake Benthall, additional information was published regarding the role of a Homeland Security Investigations Undercover agent (HSI-UC) who infiltrated the administration staff of Silk Road 2.0 and aided in the investigation leading to Blake's arrest.
While there existed several individuals working in an undercover capacity to aid various government agencies seeking to shut down the original Silk Road, one undercover agent played a central role in the arrest of Ross Ulbricht. In order to confirm that Ross was at least someone who could assume the DPR1 moniker, the FBI organised an undercover agent to initiate an online chat with DPR1 at the same time that they planned to arrest Ross. While many have speculated about the identity of this undercover agent, it remained an open question as to whether they were a member of the SR1 crew or not. As the past year progressed it became clearer that this undercover agent was in fact a member of the SR1 crew and that they were the same UC who was heavily involved in the take down of SR2. The first trail of breadcrumbs broke off in the complaint against Benthall where we learned that:
"On or about October 7, 2013, [The HSI-UC] was invited to join a newly created discussion forum on the Tor network, concerning the potential creation of a replacement for the Silk Road 1.0 website. The next day, on or about October 8, 2013, the persons operating the forum gave the HSI-UC moderator privileges, enabling the HSI-UC to access area of the forum available only to forum staff. The forum would later become the discussion forum associated with the Silk Road 2.0 website (The "SR2 Forum")."
Indeed, the above discussion forum, which was later to become the SR2 Forum, was created on the 7th of October 2013. It would be a reasonable assumption to believe that only very trusted and vetted members, especially those trusted enough to be provided with moderator privileges, were initially invited as suggested in the complaint. Beyond the now obvious fact that SR2 was infiltrated by LE from day 1 (we could even say day 0 since the UC was instrumental in the planning), it is very likely the account operated by the HSI-UC was involved in the original iteration of Silk Road.
When SR1 was seized on the 2nd of October, 2013, five users had administrator and/or moderator privileges on the market place and/or forum: DPR1, Libertas, Inigo, samesamebutdifferent, and Cirrus. A couple of days after "opening" the SR2 forums, on the 9th of October, 2013, DPR2 posted on the forum a list of the current Silk Road staff: "Libertas, Cirrus and Sarge are all global moderators. Dread Pirate Roberts and Inigo are administrators." It wasn't until a few weeks later that the list was updated throwing three new usernames into the mix "Administrators: Dread Pirate Roberts Defcon; Global Moderators: Libertas Synergy Cirrus Inigo Sarge; Newbie Guide: ChemCat".
Since the HSI-UC was given global moderator privileges on October 8, 2013 according to the Benthall complaint, the undercover agent must have operated at least one of the previously mentioned accounts.
Reddit Cannonball
Fast forward to the 20th of December, 2013. Everything seemed to be sailing smoothly on "the Road" but a reddit post was about to disrupt the pleasant calm. The post, titled "SR admin and mod just got arrested....my boyfriend" and written by a user claiming to be the girlfriend of an administrator/moderator, warned the subreddit that her boyfriend had just been arrested: "I'm not sure what his login name was, all i know is that apparently he was an admin and then a mod and that he also ran the book club". Of course, given the constant trolling the Silk Road subreddit was subject to, many users were skeptical. Doubts persisted until she posted a partially redacted search warrant as well as a card belonging to the indefatigable Special Agent Christopher Tarbell, infamous amongst the computer underground for his arrest of computer hacker "Sabu" and the earlier take down of SR1. The information was later confirmed in an FBI press release announcing the arrest of three individuals in the U.S.A, Ireland, and Australia, for their roles in running the Silk Road website. These individuals were later identified as the original SR moderators: Inigo, Libertas, and SSBD. Following the arrest of the three moderators/administrators, DPR2 handed over the market to Defcon and disappeared. At the same time, another moderator, Sarge, quit his position as he didn't "wish to be a person of interest any longer", leaving Cirrus and Chemcat as the remaining moderators.
As the damage from the attack on SR2 was being assessed, a Tormarket forum post was slowly drawing increased attention by the community. In it, a user, purporting to be an SR2 vendor, quotes a post made to the SR2 vendor roundtable (a restricted forum area for vendors only) by another SR2 vendor to alert vendors that they had been arrested. The arrested vendor further explained that while being interviewed by LE they were shown numerous Bitcoin (BTC) transfers and private conversations undertaken on the site that pointed towards LE having administration access to the SR2 marketplace and/or moderator access to the SR2 forum.
Mutiny
Given the realisation that LE were staying one port ahead of the Silk Road crew, many people started turning their attention to members of the crew and evaluating which captain they truly served. Eventually though, after the Defcon arrest, few doubts remained that the UC was Cirrus:
the only former Silk Road 1.0 moderator/administrator not arrested.
promoted from forum moderator to staff with market access after the arrest of Libertas, SSBD and Inigo.
Soon after, the Daily Dot obtained a list of evidence the prosecutors planned to present during Ross Ulbricht's trial. Among the pieces are:
screenshots of Cirrus' computer while chatting with DPR.
screenshots of chat window on Cirrus' computer approx 2 hours after arrest.
screenshots of chat window on Cirrus' computer approx 5 hours after arrest.
photograph depicting chat with Cirrus on Ulbricht laptop.
This evidence shows that, while chatting with DPR1, either Cirrus took screenshots of the discussion for law enforcement or LE had taken over Cirrus' account in order to take the screenshots themselves. Either way, any doubts that lingered were lifted and the UC was unmasked: it was Cirrus all along.
The route taken on the Silk Road Journey
A question that remains from both Silk Road investigations is whether the UC was the result of a long and successful infiltration of Silk Road by law enforcement or of a silent arrest of Cirrus, who was persuaded to act in an undercover capacity or had their account taken over. In order to find out we will have to dig up the Silk Road archives and try to learn more about Cirrus.
The Cirrus account was created on the Silk Road forum on the 11th of July, 2013. That same day, DPR1 made an announcement on the forum to introduce the "new" full-time moderator. It should be obvious that Cirrus must have had another identity before being promoted to moderator and that the introduction of a new username was meant to separate Cirrus from their previous username. Luckily, the previous username of Cirrus was an open secret and it was "known" they were previously Scout. There are various theories behind Scout's username change to Cirrus but most of them agree that some type of disagreement/argument happened with DPR1, which resulted in Scout being temporarily stripped of their moderator privileges before being reintroduced as Cirrus upon the request of the other moderators/administrators who were in need of additional help. Those interested in an account of the events can read about it here or here.
The Scout account was created on the Silk Road forum on the 12th of July, 2012; however, Scout's first post on the forum would only happen almost exactly 6 months later, on January 13, 2013. At this point, Scout apparently already had moderator privileges on the forum as they were able to move a topic from one place in the forum to another. Furthermore, that very same day, Scout was introduced as a "new" member of staff by Nomad Bloodbath. Luckily, we know Scout had a vendor account on Silk Road before changing to the Scout account and must have been using another username as a vendor.
The swashbuckler
We have to say that we're guilty of having overlooked some of the notes that we took when investigating the original "Employee" story involving chronicpain/flush. At the time the previous nym of Scout had been recorded as "moderator", but since it wasn't directly relevant to the murder-for-hire story it wasn't added to the SR1 timeline until months later.
Anyway, before being promoted as moderator, Scout was operating a bitcoin exchange service under the name CaptainMal. Identifying CaptainMal is a little bit tricky since the account was deleted soon after Scout was announced as a moderator. Luckily, multiple quotes of CaptainMal survived the account deletion and provide enough context to document the role CaptainMal played on the marketplace and forum. Further study of the timeline and similarities between CaptainMal and Scout are left as an exercise for the reader.
It's likely CaptainMal started as a vendor offering a Bitcoin exchange service in October 2012, providing a way for Silk Road buyers to obtain bitcoins through different payment methods: Moneygram, Western Union, Moneypak, bank transfer (Bank of America, Wells Fargo) and even cash in mail. They helped other vendors cash out by buying their bitcoins and sending them cash through their method of choice, including Western Union or directly in the mail. The contribution CaptainMal made to the community was not limited to Bitcoin exchange either: they were also an active participant on the SR1 forum, providing guidance on the different methods available to buy and sell bitcoins as well as helpful advice for new members on how to best use SR1. This led to CaptainMal quickly becoming a respected member of the Silk Road community.
As reported by several users on the Silk Road forum, CaptainMal was active from October 2012 until January 2013, when they were promoted to moderator. Following the promotion, CaptainMal remained active for a very short period of time before switching accounts to Scout and eventually deleting the CaptainMal account. The deletion is referenced by Scout in an effort to uphold the name and reputation of CaptainMal after a scammer tried to capitalise on CaptainMal's good reputation by creating an almost identical account following the deletion of the original one from the forum.
From the payment methods accepted it wouldn't be surprising if CaptainMal became a low-hanging fruit arrest target of law enforcement, as the use of Western Union, bank transfer and cash in mail for illicit activities is difficult to scale (i.e., achieve in increasingly larger amounts) while at the same time keeping tight operational security (OPSEC) practices. Furthermore, all those payment methods are traceable transactions leaving long "paper trails". At the time, some BTC exchange "vendors" operated under the wrong impression that buying and selling bitcoins facilitating drug trafficking was a totally legit business as long as they remained wilfully ignorant of the origin of the funds. Unfortunately, as learnt the hard way by Charlie Shrem and Robert M. Faiella (a/k/a BTCKing), this isn't the case, and operating a BTC exchange knowingly facilitating the purchase of bitcoins for drug trafficking isn't as safe as they might have thought (genuinely or not).
The criminal complaint against BTCKing shows that undercover agents, posing as SR1 buyers, had been buying bitcoins from Silk Road's BTC exchange service vendors on a regular basis. They then issued search warrants to ascertain email accounts associated with the payment method used, owners of bank accounts used for bank transfer, Money Transfer Control Number (MTCN) information for Western Union transfers, and any records held at third party Bitcoin exchanges used by the vendors. Also, since on or about August 2013, LE were in possession of the Tormail email server, a Tor Hidden Service (Tor HS) that was the preferred email provider of many miscreants involved in cybercrime. Tormail was also the email service associated with CaptainMal's email addresses, where they operated both the 'captainmal@tormail.org' and 'captmal@tormail.org' accounts.
Following the information remaining in quotes of CaptainMal's posts on the Silk Road forum, we noticed multiple references to bitcointalk.org (which isn't surprising considering it is the main Bitcoin forum available), so we thought it could be a good place to start finding an alter ego for CaptainMal, since other open source searches on the nym CaptainMal didn't provide interesting results. To narrow down the search we looked at accounts active on the Bitcointalk forum from October 2012 to January 2013, which coincided with CaptainMal's presence on SR1. To cut a long story short, we eventually identified an interesting profile using the nym c0dex (screenshot).
There are several reasons why we decided to look closer at this profile, reasons which may seem obscure but nonetheless proved helpful:
The c0dex account, on bitcointalk.org, was created during the same time period we believe CaptainMal was created on the Silk Road forum, around October 2012. Both accounts discussed similar topics on bitcointalk.org and the SR1 forum relating to BitInstant, Blockchain.info, fastCash4Bitcoins, and other payment methods.
There are a number of writing style similarities between CaptainMal, c0dex, and Scout. For example, all three of them often use UPPER-CASE for emphasis of a word, and they use dash/hyphen signs as punctuation in sentences with the occasional use of an ellipsis. They also all share the common motto "Bitcoin is 100% legal", which we discuss below.
On a humorous note, CaptainMal, c0dex and Scout also enjoy South Park quotes and references as shown here, here or there.
A short while after c0dex joined bitcointalk.org they were cheated in a BTC for PPUSD scam (archive). In mid-November 2012, c0dex tried to sell ~$555 worth of Bitcoins via PayPal but later posted that they were cheated by someone who, ironically, may have wanted BTC "to go buy drugs on Silk Road for "festival enhancement"". Unfortunately, some posts in the thread have been heavily edited, while others have been deleted completely. It's not clear how the BTC transaction was organised since we weren't able to find any posts by c0dex at the time advertising Bitcoin exchange, but that shouldn't discount the possibility they were using another account. On top of this, the thread shows that c0dex was at least aware of SR1 at this time. For the next few weeks, c0dex will try to get her money back by chasing after the scammer with the help of a group of like-minded "Bitcoin avengers." Towards the end of the month, PayPal notifies her that they will dispute the chargeback that the buyer had initiated and c0dex promises to keep the thread updated with her progress recovering her money. Almost a month later, on the 27th of December, 2012, c0dex returns to post that the buyer won the dispute and that they were effectively robbed of $580. Meanwhile, on the 10th of December, while c0dex was in the process of waiting for the chargeback decision to be made, CaptainMal over on the SR1 forum mentions that one time they tried to sell Bitcoin for PayPal and that they were STILL trying to make up the money they lost from it. In the same post, CaptainMal warns a user they are replying to that no BTC exchange in its right mind would accept PayPal payment for BTC on Silk Road. The same advice will be given by Scout the following month.
On November 9th, 2012, two threads, respectively on bitcointalk.org (screenshot) and the Silk Road forum, discuss BitInstant being down and transactions not going through. This particular succession of messages shows, in our opinion and with a very high probability, another link between CaptainMal and c0dex. The quotes are listed in chronological order (you might want to have a look at the complete threads linked above).
03:00 AM - c0dex: i made the stupid mistake of making two deposits tonight. one went through immediately but the second one, sent at exactly the same time, isn't even showing up on blockchain.info ... Sad it's been about 3+ hours B
03:29 AM - CaptainMal: i didn't have any problem accessing the site through Firefox .... however, one of my two payments to bitinstant for ~$500 has not shown up in my blockchain wallet and it has been 4+ hours. also can't get a hold of support through email, phone, or PM on bitcointalk.org ..... so i'm out ~$500 and i really have no idea whether or not i'll ever see that money again. :( F
04:39 AM - Yankee (BitInstant) replies invoking their fraud filter as a cause of the problem. B
05:09 AM - c0dex: I understand about the fraud filter, however I only received one of the two transactions. B
05:10 AM - Yankee (BitInstant) tells c0dex he replied to his PM. B
06:09 AM - CaptainMal: so frustrating. try sending them a PM on bitcointalk.org .... apparently when you send 2 transactions, they say the fraud filter catches it and may not release it. i don't quite understand b/c i've done multiple transactions with them before and never had an issue ... but whatever. finally, after 5+ hours and multiple emails, they did send my second transaction through manually. you may need to harass them until they do the same for you. from the looks of it, another person at bitcointalk had the EXACT same problem tonight. ugh. F
Reviewing other topics shows that BitInstant's fraud filter issue is discussed only three or four times in the whole bitcointalk.org forum in the BitInstant context. On Silk Road, BitInstant's fraud filter will be discussed in 11 different threads, and 9 times out of 11 "fraud filter" is mentioned by either CaptainMal or Scout. Yet here it affected two users from two different forums, on the same day, at the same time, with each user complaining on their respective forum (attentive readers will also notice that "X+ hours" is written in a similar fashion by both CaptainMal and c0dex). CaptainMal further stated that "another person at bitcointalk had the EXACT same problem tonight". It is not only "another" user but the only one, who will prove to be CaptainMal himself. c0dex's posts in the BitInstant thread will eventually be stripped of their content and replaced by a single dot on February 15, 2014. An afterthought?
We see simultaneous posts again by c0dex and CaptainMal (now working under the username Scout) on February 6th, as blockchain.info (screenshot) had issues affecting login capabilities. Within an interval of less than 30 minutes, both CaptainMal (now Scout) and c0dex (screenshot) highlighted on their respective forum the 3-hour downtime they experienced.
Moving forward and searching for c0dex on other Bitcoin related websites, we found on bitcoin-otc.com another profile with the same nym c0dex, registered on October 10, 2012 (screenshot), the same day the c0dex profile was created on bitcointalk.org (screenshot). Even if the c0dex account hasn't been used for trading on bitcoin-otc.com, the operator took the time to create a PGP key (screenshot) associated with the email address c0dex@tormail.org (screenshot). Another bitcoin-otc profile, packt (screenshot), created the following day, is quickly found to be associated with the same email address (screenshot), however using a different nym and PGP key (screenshot). Contrary to the c0dex account, packt has several transactions associated with the profile and traded cash to btc, btc to paypal, coffee or moneybookers. Unlike Silk Road, where transactions are meant to be anonymous, bitcoin-otc relies on a web-of-trust network with pseudo-anonymity where people conduct over-the-counter trading, so it isn't uncommon to rely on one's real identity to facilitate the transaction, as well as on the rating received from previous transactions. This is one of the reasons trading BTC for PayPal, for example, is "safer" there than on Silk Road. The link between c0dex and packt being the same person is also confirmed by the user elevateddownfall in c0dex's PayPal scam thread, addressing c0dex as "Yo packt" for an "opportunity to make few coins" (screenshot).
Packt being at the time an active user on bitcoin-otc, some IRC logs are still available, revealing interesting information. We didn't mention this point of commonality between CaptainMal, Scout and c0dex earlier as we wanted to introduce packt first in order to not be too confusing, but all of them are using the same motto: "Buying / selling Bitcoins is legal" or "Bitcoins aren't illegal" depending on the situation. We will also find in the logs the mandatory South Park reference, packt's marital situation and hints at being a cat lover. Packt leaked their location a couple of times and is likely from Texas, as shown by the IP addresses used when authenticating on #bitcoin-otc (ExoneraTor will show none of the IP addresses used were part of the Tor network on those particular dates). Furthermore, packt mentioned on October 23, 2012 that he "went to a godspeed concert recently". Indeed, the band happened to have played in Austin and Dallas a couple of weeks before, suggesting again that packt was Texas based.
A shipwreck in the mist
Using the previously discovered pieces of information and a bit of social engineering we managed to get packt's email address and name associated with a "Verified PayPal Account".
Name: Tracy O.
Email: shpwrckd@[REDACTED DOMAIN]
Open source searches on the username shpwrckd show the identity information linked with the PayPal account to be likely accurate, as a similar name is being used on different online profiles associated with the alias shpwrckd. A lot of the search results (screenshot) are related to websites vending "artists" photos, prints, canvases and other types of crafts, on which the website takes a cut upon selling the "art". Most of those profiles seem to belong to the same Tracy O. identified previously. Apart from the artwork shop accounts you'll find very few social network accounts of interest associated with the username shpwrckd, or the previously existing ones have been deleted. There is a flickr account (screenshot; the account was initially active but was deleted after we tried to contact the owner, and the profile now redirects to an error page indicating that the member is no longer active on Flickr), a shady twitter account (screenshot; the account was initially active but was deleted after we tried to get in touch with the operator on December 28, 2014) and a travel website (screenshot) with an account shpwrckd, from Dallas, Texas, but that's about it. However, we suspect a clean up was done and shpwrckd profiles on several websites were deleted. The artwork websites (screenshot) selling shpwrckd's pictures are taking so much space and seem to be so unrelated to the relations we are trying to establish that it is a bit confusing at first. Going through the flickr account we do find some matches with the packt profile, like kitten and dog pictures (screenshot) or pics from gigs in Austin (screenshots) and Dallas (screenshots), but nothing remotely related to a BTC exchange service operator and Silk Road moderator.
One particular account initially discarded was shpwrckd from the website North American Motoring, but it will happen to be very useful. If you've looked through the flickr account you would have noticed a couple of albums with Sport Utility Vehicle (SUV) pictures (screenshot). At first glance the posts of shpwrckd on the North American Motoring forum aren't providing much information of interest, as some of the posts have, again, been removed or edited (screenshot) and the others don't seem to match the previously discussed profiles. Well, that was until we looked closer at these particular posts (screenshots) and the attached pictures (screenshot). On one of them we clearly see an SUV (referred to as a 4runner by shpwrckd in the post) parked behind an Austin mini in front of a building (screenshot). The 4runner has a Texas licence plate and looks very similar to the SUV on the flickr picture (screenshots). A closer look at the picture by analysing the exif data will provide GPS coordinates (screenshot) and the associated address [redacted], Dallas, Texas. Further research on the address reveals a company named CRYPTOCURRENT LLC registered on December 7, 2012, [redacted], Dallas, TX and managed by a Theresa O. (screenshot).
CRYPTOCURRENT LLC was an anonymous (read: no questions asked) bitcoin currency exchange which "had been operating since August 2012 informally, with its first publicity occurring on March 11, 2013. The service closed in May, 2013" according to bitcoin.it. Multiple references to the service and its operator JonSnow (screenshot) can be found on bitcointalk.org. Cryptocurrent will also be promoted and praised multiple times on Silk Road by what appear to be only happy customers. Even Scout posted to set the record straight about Cryptocurrent in order to avoid confusion and keep the business reputation. Cryptocurrent seems to have operated in the background for a while, as the first mention of the service pre-dates the official Cryptocurrent thread on bitcointalk.org in March 2013 (screenshot). An early reference to Cryptocurrent can be found on Silk Road in February 2013, advertised as a BTC seller accepting Cash in Mail, Bank of America and Wells Fargo cash deposit and bank wire. Cryptocurrent will eventually stop operating sometime in May 2013 with an official announcement posted on the Cryptocurrent twitter account.
The sunken bitcoins
Before wrapping up, we're going to have a look at some bitcoin transactions that should hopefully further link shpwrckd a/k/a c0dex a/k/a JonSnow with CaptainMal a/k/a Scout a/k/a Cirrus. Back in November 2012, FuckingAce (a/k/a "Ace"), from the ScurveyCrew, asked on the Silk Road forum for a BTC loan in order for them to open shop and get a vendor account on the marketplace. CaptainMal will eventually offer to fulfil the loan and transfer 13 BTC to an address provided by Ace. We can actually verify the transaction occurred on November 28, 2012, a few minutes after Ace provided the BTC address. The sender, CaptainMal, transferred the funds from the address 1CUQkPVFY33ubCoibB8xX8JQdo8oP1dVwL, which is part of the wallet [04c5687390]. Looking at other BTC transactions associated with the wallet [04c5687390], it is obvious the owner of the account is using Silk Road on a regular basis, which is consistent with CaptainMal's operations.
On April 3rd, 2013, JonSnow is expecting a large 20K transaction from her "Bitcoin supplier", but the amount was sent to an expired "one-time address", requiring the help of blockchain.info support to push the coins to her wallet. If you look at the transaction on the blockchain you'll notice the bitcoin supplier has wallet [00991efbe2] and is sending 150 BTC to the shared coin address 16SpPDDeTVzeqLQ6W4un8Qn2EoQkTopFFz. The interesting part here is the address 1LDq7K5S3pqVFCEwvPiNNd5PdXisxfZH7G used to send the BTC to JonSnow. This address appears on a regular basis on the blockchain as sending "round numbers" of BTC to the wallet [04c5687390], which was previously established as belonging to CaptainMal.
Looking at the incoming transactions of wallet [00991efbe2], one can see most of them are coming from Silk Road, then later on from the Silk Road 2 and Agora marketplaces, heavily suggesting that particular wallet belongs to a vendor (another wallet of interest sending BTC to CaptainMal's wallet is [f7401fb791]).
Finally, the last transaction from CaptainMal's wallet, [04c5687390], which follows a series of transactions with BitcoinFog, is sent to the address 1AQb7RsfMsXpdErHUKvuFEDFiDS43pNzPA, which belongs to c0dex/JonSnow's wallet [05725b9fef]. Considering the really small amount of the transaction, we can assume that it was a simple way to get rid of the leftover coins and empty the wallet.
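The bracketed wallet identifiers above group many addresses under one presumed owner, but the article does not say how they were derived. As an added example (not the authors' tooling), the code below applies the common-input-ownership heuristic that public block explorers commonly use for this kind of grouping, assumed here to be the method, to a constructed ledger whose address labels and amounts are invented.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per bitcoin

# Constructed ledger: every label and amount is invented for illustration and
# does not correspond to the addresses or transactions named in the article.
TXS = [
    {"inputs": ["mal_1", "mal_2"], "outputs": [("ace_1", 13 * SAT), ("mal_chg", 37_000_000)]},
    {"inputs": ["mal_2", "mal_chg"], "outputs": [("fog_1", 5 * SAT)]},
    {"inputs": ["sup_1"], "outputs": [("mal_1", 50 * SAT), ("sup_2", 123_456_789)]},
    {"inputs": ["sup_1", "sup_2"], "outputs": [("mal_2", 100 * SAT)]},
    {"inputs": ["mal_chg"], "outputs": [("snow_1", 210_000)]},
    {"inputs": ["snow_1", "snow_2"], "outputs": [("other_1", 2 * SAT)]},
]


class DisjointSet:
    """Union-find in which each set's root is its smallest member."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        root = item
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[item] != root:  # path compression
            self.parent[item], item = root, self.parent[item]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)


def cluster_addresses(txs):
    """Map each address to a wallet label (smallest address in its cluster)."""
    ds = DisjointSet()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"]:
            ds.union(first, addr)  # heuristic: co-spent inputs share an owner
        for addr, _value in tx["outputs"]:
            ds.find(addr)  # register outputs without linking them
    return {addr: ds.find(addr) for addr in list(ds.parent)}


def wallet_flows(txs, wallet_of):
    """List amounts moved between distinct wallets; change to self is skipped."""
    flows = defaultdict(list)
    for tx in txs:
        src = wallet_of[tx["inputs"][0]]
        for addr, value in tx["outputs"]:
            dst = wallet_of[addr]
            if dst != src:
                flows[(src, dst)].append(value)
    return dict(flows)


def whole_btc_payments(flows, src, dst):
    """Return the 'round number' payments (whole BTC) from src to dst."""
    return [v // SAT for v in flows.get((src, dst), []) if v % SAT == 0]


if __name__ == "__main__":
    wallets = cluster_addresses(TXS)
    flows = wallet_flows(TXS, wallets)
    for (src, dst), values in sorted(flows.items()):
        print(f"{src} -> {dst}: {[v / SAT for v in values]} BTC")
    print("round payments sup_1 -> mal_1:", whole_btc_payments(flows, "sup_1", "mal_1"))
```

Mixing and CoinJoin-style transactions, such as the shared-coin transfer mentioned above, deliberately co-spend inputs from different owners, so a cluster produced this way is a lead to corroborate rather than proof of common ownership.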
Letter of marque and reprisal
As discussed at the beginning of this post, it is highly possible that Scout came onto law enforcement's radar due to her bitcoin exchange service activity, at first under the CaptainMal nym then via Cryptocurrent, since it was clearly used by Silk Road buyers/vendors to buy and sell bitcoins. When CaptainMal was promoted to moderator under the nym Scout, she became a de facto target of interest. There are several accounts of Dread Pirate Roberts requesting 100% commitment to Silk Road from his staff, and not tolerating other side activities, which could explain (other than the obvious OPSEC reason) why CaptainMal stopped her BTC exchange service on Silk Road, or at least pretended to.
We haven't really answered the original question asked at the beginning of this post: "is the undercover agent the result of a long and successful infiltration of Silk Road by law enforcement or a silent arrest of Scout (or Cirrus) which resulted in an account take over?" Based on the information we found, we would be more inclined to believe the latter, where CaptainMal a/k/a Scout a/k/a Cirrus was silently arrested and the account taken over by an HSI-UC agent (or maybe Scout/Cirrus acted as a Cooperating Witness for a while and was still operating the account herself). It is also very difficult to say when the arrest occurred. We didn't notice a clear shift of behaviour in Scout/Cirrus' posting on Silk Road, and while we know Cirrus was in good company when Ross Ulbricht was arrested (the different screenshots of her chatting with Dread Pirate Roberts during and after Ross Ulbricht's arrest), it doesn't provide a time frame for the arrest. However, it is very likely that law enforcement planned to arrest Dread Pirate Roberts while logged in on his laptop, so they might have arranged for Cirrus to engage in a discussion with DPR. This scenario would have required Cirrus to be flipped beforehand. The "emailgate" mentioned previously is definitely an event of interest, but it is also difficult to separate the truth from the forgery. An FBI agent contacting Scout via email to offer her money to infiltrate Silk Road doesn't really sound plausible and looks more like a desperate move. It could also have been a way for the FBI, assuming Scout had already been arrested, to try to reinforce trust in their newly acquired moderator account by reporting a "fake" law enforcement attempt to approach a moderator. The plot might not have worked out as expected, with DPR demoting Scout, and the FBI eventually got lucky to get re-integrated within the staff. Not having any way to verify the accuracy of the story, that's only speculation from us.
The coming days and Ross Ulbricht's trial will likely cast some light on it.
One sure thing is the Cryptocurrent Twitter operator had some flair on the day Silk Road 2.0 was seized. Can it just be a simple coincidence?
I've always been a powerful figure in the scene, but the last 11 days have made me realize just how much power I wield. It is quite a burden, but I bear it with pride. However, some day, and that day would come, I would start to see that power as a right, and not as the result of honesty, integrity, and hard work. And I'd start to silence those that disagreed with me. And I would become all that I hate.
Plural of Mongoose
Ross Ulbricht's trial revealed, through a set of chat logs found on his laptop, the existence of an individual going under the name "Variety Jones a/k/a cimon". Dread Pirate Roberts' journal shows that Variety Jones and his alter ego cimon became "a real mentor" for Ulbricht in the early months following the creation of Silk Road in 2011. After reporting a major security vulnerability in bitcoind to a then hesitant Silk Road administrator, Variety Jones provided guidance on other technical matters like server configuration and security review, but also advised on how to improve the communication with the community and interact with customers. Variety Jones' influence "behind the scene" got bigger as the marketplace grew in size and popularity, slowly empowering his newly named Dread Pirate Roberts to start his own legend. But who is Variety Jones?
Variety Jones registered an account on the Silk Road forum on June 27, 2011. From the information available on his vendor page he was selling exclusively cannabis seeds, shipping from the UK, and according to the website "Down the silk rabbit hole", as of November 03, 2011, Variety Jones had the highest number of items listed on Silk Road, 231. Outside of Silk Road, open Internet searches on the alias "Variety Jones" don't immediately produce results. There is an account Variety Jones, with only 8 posts, dating from 2002, on the forum uk420.com, which looks relevant but doesn't provide much information.
More interestingly, a reference to a Variety Jones can be traced back to February 2006 and an individual using the alias Plural of Mongoose. Plural of Mongoose presented himself as a respected member of the legendary cannabis grow site overgrow.com (OG), but was also involved on a larger scale in the cannabis seeds community through various online shops selling cannabis seeds for breeders, most prominently seedsdirect.co.uk. However, before getting into the specifics we need to take a trip down memory lane, stopping first at OG.
Overgrow was originally created by a group of cannabis activists from the weedbase forum in April 1999 (screenshot). Soon after, the troop was joined by what will become the technical backbone of overgrow, the Vancouver based coder and administrator, the mighty ~shabang~ a/k/a overgrow (screenshot 1 and screenshot 2). Along the way, another Canadian using the nym Richard Calrisian a/k/a RC got involved by paying for the cost of running the forum and promoting his own seed bank, Heaven's Stairway. ~shabang~ stayed the main administrator and developer of the forum until 2004, when RC copied the site and redirected the domain overgrow.com from ~shabang~'s Vancouver based server to a server located in Montreal and owned by RC. The change of ownership created a split within the community and raised the question of who had the legitimacy to run the site. Overgrow will eventually shut down in 2006 after it was revealed that RC, whose real name was revealed as Richard Baghdadlian, had been busted by the Royal Canadian Mounted Police (RCMP), leaving its members in doubt and somewhat fearful of more arrests and seizures (screenshot).
It is in this context that Plural of Mongoose (a/k/a PoM) will appear. Through a series of posts on the now defunct planetganja.com, PoM will go into the behind-the-scenes events which led to the shutdown of overgrow.com. While apparently revealing an insider and informed view on the situation, PoM created complex intrigues with wild accusations involving several vendors, breeders and members of overgrow, revealing their respective connections to each other (screenshot).
In one particular post of the series, dated February 21, 2006, PoM describes a visit to a good friend of his, Variety Jones.
Plural of Mongoose: In early 2004, a few weeks after leaving Seeds Direct, I left England to spend some time with a good friend of mine, Variety Jones. VJ was my editor for about two years, but so much more than just that in all the time I've known him. I met VJ when I was just a pup, and he had always been my counsel. If I started getting too big for my britches, I could always count on him to take me to task. There is nothing I knew that I didn't share with him, and he was a sounding board and confidante like no other. His beautiful house lay in a tranquil country setting, a perfect location to meet people and get to know them. My favorite memory of such events has to be an evening at VJ's house with Kif Richards and his lovely wife. You couldn't ask for a nicer group of people.
While there, I flew ~S in to spend 24 hours with VJ and myself, and have a little meeting, face-to-face. First off, let me say ~Shabang~ was a joy to spend time with - we were all sorry it had to be such a short meeting, but needs must, eh. I hope that someday the three of us can get together and share another spliff. But enough of that sentimental crap.
From the quote above, we can see that Plural of Mongoose has a very high opinion of Variety Jones, portraying him, with admiration, as a "counsel" and a friend he can count on. This description of Variety Jones somehow echoes the words in Ross Ulbricht's journal in an interesting way.
The extract also hints at PoM, Variety Jones and ~shabang~ (or ~S) knowing each other, not only from their online ventures at overgrow.com, but also "in real life". PoM goes further into their relationship, explaining how, a few years before the fall of overgrow.com, he bought the 50% share of overgrow that ~shabang~ owned, adding "I trust ~S with my life".
~shabang~ was the main coder and administrator of OG, and also the developer of the karma reputation system for vbulletin. He built the foundation of what would become one of the biggest vbulletin boards at the time, 100 000 members strong when the RCMP pulled the plug. Since then, he became a legend, some sort of Keyser Söze of the cannabis boards, appearing on and off in between shabaticals, as he liked to call his periods of absence from the scene. Every marijuana forum worthy of the name created after the demise of OG had the shadow of ~shabang~ hanging around, and their administrators were called out as ~shabang~ at some point.
It will be half a surprise to learn that ~shabang~ was also a member of Silk Road. He registered an account on June 27, 2011, the same day as Variety Jones. His account was last active August 05, 2013. There are very few posts of ~shabang~ on SR considering he was "active" for over two years (27 under this nym). Despite the low post count, we can form a quick idea of his profile as being tech-savvy, security and privacy minded, which would certainly fit the ~shabang~, administrator of OG. Variety Jones will eventually wonder if the person operating the ~shabang~ alias on Silk Road also happens to be his old pal from the OG time. Silk Road moderator Nomad Bloodbath, in what is likely a positive answer, confirmed to Variety Jones that it is the same ~shabang~. A couple of months later Variety Jones will acknowledge their past affiliation with overgrow.com.
In December 2011, Ross Ulbricht, known then as "Silk Road", changed the hidden service URL to the vanity onion address "silkroadvb5piz3r.onion" but didn't let the previous URL point to the marketplace, creating some confusion on the forum. A technical discussion with Variety Jones will follow to find a solution to configure multiple .onion addresses to point to the same site. The exchange shows the technical limitations of Ross Ulbricht on the topic as well as a more advanced knowledge from Variety Jones. ~shabang~ also chimes in to the conversation a few minutes later to provide advice on hidden service configuration and to criticize Silk Road's poor choices. Acknowledging his lack of technical ability in the field, Ross Ulbricht will send ~shabang~ a private message to learn more about the recommended setup. ~shabang~ will eventually delete his post, which we can only read thanks to the "Silk Road" reply quoting ~shabang~'s message. This is somewhat bizarre since ~shabang~'s post doesn't seem to contain particularly sensitive information. We believe this exchange might have been one of the early ones which eventually led to further collaboration between Ross Ulbricht, Variety Jones and ~shabang~.
In April 2012, according to the early feedback on his vendor page, ~shabang~ was selling Yubikey devices, for two-factor authentication, intended to improve the security of the buyers' and sellers' accounts on the marketplace. The listing describes the Yubikeys as being currently beta-tested on Silk Road, which is consistent with a post from ~shabang~ where he explains that he is an "alpha tester" of the solution and that "Silk Road is currently beta testing their own Yubikey authentication server". Also in April 2012, the Silk Road expense spreadsheet, found on Ross Ulbricht's laptop by the FBI, lists a purchase of $37,000 of Yubikeys. In the same period, in May 2012, Smedley, who seems to be the main developer of the marketplace, also mentions the Yubikey project during a chat with DPR, in what we think is not a coincidence and shows Dread Pirate Roberts' will to develop a Silk Road branded Yubikey solution (GX-231C).
Smedley started contracting as a developer toward the end of January 2012, as one can deduce from the chat log between DPR and Variety Jones (GX-226I). From the same excerpt, it looks like Variety Jones introduced Smedley to DPR or at least played the intermediary between the two. A few days later, on February 2nd, 2012, the Silk Road expense spreadsheet shows a first payment of $15,000 labelled "payroll (sr2.0)". Seven similar payments, also labelled "payroll (sr2.0)", will occur over the course of the next six months for a total of $185,090. In May 2012, DPR and Smedley will have a catch-up discussion about the development process and the progress made so far (GX-231C). Eventually, on July 22, 2012, Dread Pirate Roberts announces a new version of Silk Road, which we think was the internally named "Silk Road 2.0" since the associated payments labelled "payroll (sr2.0)" will stop shortly after. Unfortunately, the two-factor authentication solution was not released despite the investments and efforts from the development team and ~shabang~ to promote the technology.
The Silk Road Sales Data exhibit (GX-940), which summarizes the transactions that were in the SR databases at the time the servers were seized by the FBI, lists 23 transactions of Yubikeys for a total of $1,728 (฿222.75) and a total commission of $114 (฿16.06). It clearly shows the project didn't succeed as initially planned but also indicates that the $37,000 on DPR's expense spreadsheet were likely used as funding for ~shabang~ to promote the Yubikey devices rather than a purchase from a Silk Road vendor. Considering the $37,000 Yubikey investment from Dread Pirate Roberts, ~shabang~'s Yubikey business, his technical background and his close ties with Variety Jones, it sounds reasonable to speculate that he might have been involved not only by reselling and beta testing the Yubikey devices but also by working closely with Smedley on the development side to implement this new feature. Additionally, for the reckless tin foil lovers amongst us, it is possible that ~shabang~ may even have been operating the Smedley account.
Coming back to the intriguing posts from Plural of Mongoose, it became more and more apparent, as the story unfolded, that the main reason for PoM's posts was not directly related to the overgrow busts but was a means to pursue a vendetta against another interesting character named Glyndwr Foster a/k/a Gypsy Nirvana. Gypsy Nirvana, who borrowed his name from his ex-girlfriend's tattoo parlour, has been part of the online cannabis scene for what seems to be forever, selling seeds through several ventures, the most notable one being Gypsy Nirvana Ltd, owner of seedsdirect.to and International Cannagraphic Magazine at icmag.com. In the 80s, before getting into the seed trade, Gypsy Nirvana had a mildly interesting acting career in Hong Kong, giving birth to movies like Bionic Ninja. Anyway, Plural of Mongoose and Gypsy Nirvana used to be business partners in the UK and the Netherlands based seed shop seedsdirect.to. Plural of Mongoose was eventually fired by Gypsy Nirvana after he and Gypsy's ex were accused of data-mining/harvesting customer and breeder information and sending it to a third party in Canada. The relationship between Gypsy Nirvana and Plural of Mongoose got worse and, according to Plural of Mongoose's posts, eventually reached physical assault, death threats and Gypsy Nirvana allegedly contracting a Calgary based hitman to get Plural of Mongoose killed, "Crazy shit, murder and international intrigue, going on in real-time!" as PoM will describe the situation when posting the story.
Along the way, Plural of Mongoose, with the help of Nicky, Gypsy Nirvana's ex-girlfriend and co-owner of Gypsy Nirvana Ltd, took over "Gypsy Nirvana ltd" and its affiliated cannabis forum and magazine www.icmag.com (screenshot). The love birds modified the status of the company by appointing Plural of Mongoose as Director and an interesting "Mr Jones" as Secretary. After a complaint through the UK Companies House, Gypsy Nirvana will eventually get his company back, under his own name and control. The legal procedure resulted in the identity of Plural of Mongoose being revealed as Thomas Clark, a Canadian citizen, born in 1961 and living in Surrey, UK.
What about Variety Jones? Well, we got hold of the documents associated with the company "Gypsy Nirvana ltd" showing that the Mr Jones registered as the company Secretary is an English citizen going under the name "Peter Robert Jones". Assuming that person even exists and used his real name, it could be an interesting lead. However, we could not find anything linking a Peter Robert Jones with the breeder community and even less with Silk Road. Is Variety Jones from Silk Road Peter Robert Jones? Probably not.
Another theory, which has become a favorite of ours, involves Plural of Mongoose in the role of Variety Jones. It is obviously difficult to say with certitude, and we suspect a twist might spice up this story, but there are definitely some parallels between PoM and Variety Jones from Silk Road as we will try to show below.
In one of the posts made during the "Plural of Mongoose - Gypsy Nirvana drama" following the Overgrow bust, Plural of Mongoose published a statement (thread) which appears to be intended for law enforcement and sums up the threats from Gypsy Nirvana he was allegedly subject to. At the very beginning of the statement he claims to suffer from Motor Neuron Disease as well as having been diagnosed with multiple sclerosis (MS).
Statement of Thomas Clark, Tuesday, 26 April, 2004
To help put this situation in perspective, I think it's important to have a little background first. I weigh under 10 stone, and have Familial Motor Neuron Disease. This means the motor signals don't travel correctly to my muscles, which leaves me with inefficient muscle control, and constantly weak. I was also recently diagnosed with MS as well, which adds to general weakness of my extremities. In short, any 7 year old kid in a playground could beat the heck out of me, without having to put down their ice cream. The two men, Mr. Foster and Mr. Edwards, who tried to kill me, are well aware of this fact.
Going through Variety Jones' threads on the Silk Road forum we find a couple of posts mentioning the use of cannabis for pain relief (screenshot 1 and screenshot 2). Furthermore, in a chat with Dread Pirate Roberts, Variety Jones tells him that he "had zero sleep last night due to leg/muscle cramps" and seemed to be quite pleased to have just received 1oz of weed from ~S (~shabang~) as a good pain relief (GX-226I). The main symptoms of motor neuron disease include "muscles wasting away, muscle cramps, spasms or twitching" and usually occur first in the arms or legs. We can safely assume in that particular case the leg/muscle cramps are not from running a marathon.
In another post Variety Jones makes a direct reference to multiple sclerosis. The quotes can't be assigned directly to Variety Jones as he seems to be only giving examples of reasons to grow cannabis but, with the hindsight of his condition, the quotes might not just be random examples.
On a lighter note, Plural of Mongoose and Variety Jones have a certain lyricism when talking about marijuana. In a post on the Silk Road forum titled Flavoured Marijuana, Variety Jones starts by comparing wine and cannabis before going with passion into the different "flavours and aromas" of his favourite cannabis strains. The vocabulary used for the description is not dissimilar to some of Plural of Mongoose's reviews in overgrow's strain guide. In the excerpt quoted earlier, relating his meeting with Variety Jones and ~shabang~, PoM says that Variety Jones used to be his editor. His mundane strain descriptions and his imaginative Silk Road story "A tale of Darren Jones, vendor on the Road in the year 2450" would certainly fall within the skills of a word-smith.
Surprisingly for someone being in the marijuana seed business for so long, Variety Jones seems to exclusively get weed from other vendors. He makes multiple references to his buys on the Silk Road forum but we couldn't find a single reference of him discussing selling weed or even growing his own seeds, corroborating Gypsy Nirvana's idea of a Plural of Mongoose never having grown a seed crop in his life and matching the description of one of PoM's previous nyms, "NotAGrower" (screenshot).
In 2008, Plural of Mongoose and a Seeds Direct associate, Gene Barker, travelled to Thailand and the island of Koh Chang. They took back with them to the west a marijuana strain which happens to be only available on this island and was named after it. Seeds Direct used the Koh Chang seeds as freebies for customers and an associated thread was created on PG to discuss PoM and Gene's trip to Thailand as featured by a local blogger. In a chat with DPR (GX-226I), Variety Jones hints at being familiar with Thailand and having travelled over there, "I love thailand for the weather, the people, and the weed ain't bad either" he says.
Then we have the chat logs and screenshots presented as exhibits at Ross Ulbricht's trial. Most of the chat logs were private messages extracted from the Silk Road servers or TorChat log files recovered from Ross Ulbricht's laptop, like those with Variety Jones (and cimon). Exhibit GX-215 for example shows a snapshot of the TorChat log files when the FBI seized Ross' laptop. The files tv32wkhirljvcb4f.log and u7y2e2c3rbfqzjfe.log contain respectively DPR's conversations with Variety Jones and cimon. We can learn from that same exhibit that DPR last chatted on TorChat with Variety Jones on July 16, 2012 and cimon April 4, 2013. The chat log with cimon is also the last file modified in the .torchat folder, suggesting the use of a different platform of communication after this date, as we know DPR and cimon continued communicating after April 2013. Cimon installing the chat client pidgin, the mention "we are all on a more secure chat channel" by DPR to Cirrus along with the instruction file explaining how to configure a new XMPP account and add the user Dread, as well as the multiple screenshots of DPR's use of Pidgin, confirm the hypothesis of TorChat being dropped in favour of an XMPP hidden service. One of the screenshots, published by the US government as exhibit GX-201G, shows Dread Pirate Roberts' buddies on Pidgin. His contact list contains the usual and known crowd, "Libertas", "Inigo", "smed", "nod" but interestingly neither Variety Jones nor cimon. Of the "unknown" contacts, two individuals have their original Jabber identifiers and one user was renamed with the alias "mg". The same "mg" also appears on a screenshot, sent by Ross Ulbricht, of a Pidgin window (GX-317), and was online and chatting with DPR when Ross Ulbricht was arrested in the library (GX-201H). In our opinion "mg" is a shortened alias for "mongoose", which would then explain the absence of the VJ and cimon aliases from DPR's contact list.
Another possibility is that "mg" is the nym used by "Ace" of the Scurvy Crew, who noted in an interview with Vice that they were chatting with DPR when he was arrested. It is possible, though, that "Ace" and DPR were not communicating through XMPP but via PM on the SR forum and marketplace.
Last but not least, in one particular chat log between Dread Pirate Roberts and cimon (a/k/a Variety Jones) cimon tells Dread Pirate Roberts that his real identity could easily be found if only DPR spent a bit of time searching for... "Plural of Mongoose" (GX-227H).
Cimon: You know - I post up, and give you shitloads of info that could if you tried just a bit (fuck, Plural of Mongoose alone should do it!) that you could determine exactly who I am. I did that to make you feel comfortable.
This confession is a pretty good give-away and seems consistent with our independent findings and the links we think exist between Plural of Mongoose and Variety Jones.
In an article from High Times magazine dated July 2006, the journalist Chris Bennett, who covered at the time the overgrow arrests, gives an interesting description of the "megabyte megalomaniac" Plural of Mongoose:
PoM was like a puppet master, and it was eerily intriguing watching him pull the strings on the forums that made people dance in the real world: Business transactions fell apart, people retired nicknames and dropped from view, court dates came and went - but when the chance arose to interview PoM, I decided to pass. By that time, I had it from a reliable source that PoM deposited things on people's PCs via e-mail that gave him access to their personal desktops and files. Frankly, PoM scared me, and I didn't consider him a reliable source of information anyway. So why feed his fire?
In February 2008, Gypsy Nirvana recovered his company "Gypsy Nirvana Ltd" in the High Court of London and was also cleared of the assault charges and what seem to have been fake accusations from Plural of Mongoose, giving weight and credit to Bennett's view of PoM (screenshot).
Gypsy Nirvana: [They] even conspired to get me into criminal court on fake assault charges....one I was found not guilty of and the other one (after 2 years) [PoM] dropped the charges due to the fact that he lied so much in his witness statements that he would have been found guilty of perjury if he took the stand.
It was later revealed, among other bizarre intrigues, that PoM blackmailed Gypsy Nirvana and his staff at icmag.com, threatening to turn over breeders' addresses to law enforcement (LE) if he wasn't given administrative access to icmag.com, addresses he probably gathered while working for seedsdirect. It is difficult to verify the claims of Gypsy Nirvana and his minions and they may also be rewriting history to their advantage. However it could also show that, once again, Plural of Mongoose is living by the maxim he used as signature at planetganja.com, "The last fucking thing you want is my undivided attention...™ ".
Considering the LE investigation and arrests surrounding overgrow.com and the online breeder community, and the extensive Silk Road investigation, we find it difficult to believe an attention seeker like Plural of Mongoose managed to fly under LE radar while being part of the scene for so long. If PoM's allegation that he gave Dread Pirate Roberts a lot of information about himself during their endless chats is true, as the Plural of Mongoose nym freebie would tend to show, the 1400 pages of chat logs must have provided LE with more than enough information to locate him wherever he is, especially since he was doxed back in 2008.
According to some rumours, PoM left Canada in the early 2000s after the police found a grow room of his in the remains of a building that caught fire. The incident led to a court case which didn't look too good for PoM and he felt that leaving Canada would be a safer option. He asked his then online friend from Overgrow, Gypsy Nirvana, if he could come to the UK and lay low for a while. Gypsy Nirvana agreed and PoM eventually ran to the UK where he started, among other things, working as Gypsy Nirvana's IT kind of guy and helped run the seedsdirect website, until their fall. A similar story is being told with PoM leaving the US for Amsterdam and then working for Gypsy Nirvana. The word being that PoM "is on the run forever from Uncle Sam" or the Canadian authorities, depending on which version of the story is to be believed.
PoM's best enemy, Gypsy Nirvana, was arrested in August 2013 in the Philippines where he is awaiting extradition to the US on drug trafficking charges for allegedly manufacturing, exporting, and importing marijuana, and money laundering "after several informants, who were Nirvana's former associates, tipped off US authorities about his activities". While part of the community seems to agree on an individual named Rezdog as being one of the informants, since he fully cooperated with law enforcement, others also see PoM's spirit as being involved in the arrest of Gypsy Nirvana. However, like the obscure story of the grow room in flames, it is close to impossible to verify (screenshot 1 and screenshot 2).
The same characters have been crossing paths over the past 15 years on various cannabis boards and in real life to eventually reappear on Silk Road after years unheard of. The Variety Jones and ~shabang~ accounts were registered on the Silk Road forum the same day, on June 27, 2011, within a 30-minute interval. With hindsight and understanding of their past relation with Plural of Mongoose it does sound like a very lucky coincidence to say the least. The old guard back in the saddle with Variety Jones the "counsel" and "confidante like no other", and ~shabang~ whom PoM would "trust with his life". Even if it is difficult to know with a high level of certainty who operated the account Variety Jones on Silk Road, the evidence presented above and common sense would tend to lead to Plural of Mongoose rather than to a copycat version who would have disseminated hints of being PoM, over the course of a couple of years, to a Dread Pirate Roberts, along with anyone else around, who would have never heard of Plural of Mongoose before anyway. We don't have much information on the erstwhile Variety Jones since most of the boards where he is said to have been active under this nym are now gone. We know that he was a cannabis breeder and seems to have been a different person than PoM but that's about it. His reincarnation lived in the UK, sold cannabis seeds on Silk Road, has an IT background, a gifted silver tongue and Plural of Mongoose paw prints all over.
Then we have ~shabang~, who also has both the technical background and a deep knowledge of the scene to be a hand in the shadow driving the operations, but who hadn't been seen in recent years, at least under this nym. Interestingly ~shabang~ also worked for seedsdirect.to around 2000, Gypsy Nirvana's seed bank that PoM also worked for. Indeed, ~shabang~ created an early version of seedsdirect.to as shown by the footer and the source code of the site, further establishing the long, interlaced and very confusing connection between PoM, ~S and Gypsy Nirvana. In one post on the Silk Road forum Variety Jones, after a long period of time without posting, comes back and says that he "just returned from an 8 month sabattical, and SR sure is wicked fast today!". As anyone who has been around OG will know, having a "sabbatical" is heavily associated with ~shabang~, who sometimes calls it a "shabatical", and seems to have been a hobby of his at OG. The difficulty here is to establish if the ~shabang~ account was also operated by PoM or not. Shared handles are common practice within the cannabis community and it isn't unheard of that a single account is used by several people or that a "known and respected" moniker is registered by someone else, creating interesting trolling opportunities. In any case, as we suggested earlier, the Yubikey project heavily hints at ~shabang~ being involved much more than his public posts would let one imagine at first glance.
The events surrounding the demise of overgrow.com and its associated characters seem to have been pillars of the shadow history of Silk Road, establishing at the same time the beginnings of a Canada-UK connection which almost ten years later saw the emergence of shady and intriguing characters who wrote some of the darkest moments of the Silk Road marketplace. It is clear that, unlike Ross Ulbricht, the likes of Richard Baghdadlian, Gypsy Nirvana, ~shabang~, Plural of Mongoose, and so on and so forth, knew the ins and outs of the game far better than Ross ever did. Having been part of the cannabis scene for a very long time, they all have been through the blackmailing, busts, scams, undercover operations, snitching, sock puppet trolling and fake assassination drama before, nothing new but history being replayed with Dread Pirate Roberts this time singing lead vocals. While Ross Ulbricht's idea of creating Silk Road wasn't even yet an embryo of a concept, Plural of Mongoose was publishing a series of articles on how to protect one's privacy online, warning 56K modem users about the length of the page, another era.
We tried to put together pieces of the puzzle surrounding the mysterious Variety Jones, but it does involve quite a complex web of underlying identities and history difficult to untangle, as the original forums (OG and PG) where all those guys were active have been wiped from the Internet and seem to be available only through private backups. There is however one person that should be able to shed light on the incestuous relations of Variety Jones, Plural of Mongoose and ~shabang~ but he has been sitting in a cell in Manila since the end of August 2013.
On May 29th, 2015, after 13 short days of trial, Ross Ulbricht a/k/a Dread Pirate Roberts (DPR) is sentenced to life in prison without the possibility of parole for his role in creating and running the online black market, Silk Road (SR). At trial, the U.S. government's key witness was Homeland Security Investigations (HSI) Special Agent Jared Der-Yeghiayan (JDY). JDY infiltrated the Silk Road staff by taking over the Silk Road moderator account Cirrus. This undercover account will eventually be used to collect evidence against DPR and ensure he would be online when arrested. JDY was asked several times about the circumstances in which he took over the Cirrus account. When first asked by the government when he started operating the Cirrus account JDY vaguely replied "July 2013".
TURNER: And what was the name of your support staff account that you eventually took over?
JDY: The name was Cirrus.
TURNER: When did you take that account over?
JDY: It was July 2013.
Later on, again during direct examination, JDY is asked another time when he took over the Cirrus account and this time he gave a slightly more precise answer, "Late July 2013".
TURNER: What was the username associated with the support staff account that you took over?
JDY: It was cirrus.
TURNER: How do you spell that?
JDY: C-I-R-R-U-S.
TURNER: And approximately, when did you take over the cirrus account?
JDY: It was late July 2013.
A few minutes later, JDY is asked again, by Judge Katherine Forrest, when he first took over the Cirrus account and this time he provided a time frame.
THE COURT: What was the approximate date when you took over the account, sir?
JDY: Approximately July 26, 27th of 2013.
JDY confirmed that he took over Cirrus account on or about July 26, 27th of 2013, implying that he had by then full access to the account. During cross-examination this time, Joshua Dratel, Ross Ulbricht's attorney, presses further along the same line of questioning about when the Cirrus account was taken over.
THE COURT: That's all right. That's okay. I didn't know if I needed to look at it. I have the witness'. Let me take a quick look. All right. As of August 2, 2013, were you cirrus?
JDY: August 2, I was; yes.
THE COURT: All right. And how about July 23?
JDY: I was not.
THE COURT: You were not cirrus on July 23rd?
JDY: No.
As some of the readers might know, the date of July 23, 2013 is an important date in the Silk Road timeline, as it is the date the Silk Road Server 193.107.86.49, in Iceland, was forensically imaged by the FBI. Unsurprisingly, JDY was also cross-examined by Dratel about the support he provided to the FBI to successfully image the Silk Road server.
DRATEL: Did you tell the FBI a specific time that would be a good time to take down the servers?
JDY: I did.
DRATEL: And that was because you said there wouldn't be a lot of administrative work on the site and so that -- is that right, there wouldn't be admins?
JDY: There wouldn't be administrative action on the site, yes.
DRATEL: That was because you wanted it to be done in a way that nobody could notice, right, if possible?
JDY: I would think, yes.
It looks pretty clear from the excerpt above that JDY was in a privileged position, or at least a "good enough" position by July 23, 2013, to provide guidance to the FBI New York about when would be a good time to image the Silk Road server. According to law enforcement briefs and news reports, the different agencies investigating Silk Road had from time to time an unhealthy cooperation and inter-agency information sharing didn't seem to be the norm. As context often matters, one might wonder why the FBI NY would rely on information provided by an HSI Special Agent based in Chicago, as was clearly the case according to JDY's testimony, if he wasn't operating a privileged account. Any agent part of the FBI/HSI Silk Road task forces would have been able to pick a date if it was just a matter of choosing "a right moment" to image the server from a "normal" user point of view, but that's not what happened. The FBI specifically requested JDY's opinion as to when it would be the "right" moment to image the server because he knew "there wouldn't be administrative action on the site", minimizing the risk of the work to clone the server being noticed by Silk Road staff.
There is however a small and rather interesting discrepancy in JDY's explanation, because JDY previously testified that at the time the server was imaged, on July 23, 2013, he was not operating the Cirrus account. If he wasn't operating the Cirrus account, how did he find himself in a position to pick a date to image the server "knowing" there wouldn't be administrative action on the site at this period?
In order to find out we need to take a step back and get things in context. In a previous story, Trawling the flotsam of the Silk Road Shpwrck, we speculated that Scout had been raided due to her Bitcoin services activity or that she gave up her account voluntarily to the HSI undercover agent "mr.wonderful", but things might have played out a bit differently.
Following Ross Ulbricht's arrest, investigators found on his laptop a file, "LE_counterintel.txt", containing information that appeared to have been based on insider knowledge of the federal investigation into Silk Road. One of the sources of information, identified by the alias East India Traitor (EIT), contacted Dread Pirate Roberts via the Silk Road forum to provide him with intelligence that he allegedly gathered from being interviewed by law enforcement agents after doing 6 months federal time in a DRAP program for SR related crimes. Interestingly, Ross Ulbricht's defense says that they have determined the identity of EIT, without revealing it, but that it could also have been the rogue DEA agent Carl Force IV. It is difficult to assess the veracity and accuracy of the information provided by EIT; however, we might be able to shed some light on EIT's background.
EIT created an account on the Silk Road forum on July 27, 2013, followed by a somewhat cryptic "Welcome to the show fuckers" post about Silk Road security. Based on his 44 archived posts and the information he privately shared with Dread Pirate Roberts, EIT appears to have a good understanding and knowledge of Silk Road. However, despite his operational security pro-tips he managed to leak enough info to link his East India Traitor account to what we believe to have been his main account since Silk Road's inception.
Through his forum posts and private discussion with DPR, EIT disseminated a few pieces of personal information. We learn for example that he is a graphic designer and that his favorite strain of weed is the "Pre98-Bubba Kush". In DPR's "LE_counterintel.txt" file, he is quoted comparing Silk Road to a "revolution" and a "pseudo-revolution". Another interesting bit of information we learn from EIT is that he has knowledge of the "old timers" from the Open Vendor Database (OVDB) days. Researching the Silk Road forum archives for users with those characteristics, and drawing on our own informed understanding of the Silk Road ecosystem and users, one single profile stands out: the former Silk Road moderator Nomad Bloodbath.
Nomad Bloodbath joined Silk Road in the early days after having heard of the marketplace on 4chan in December 2010. A few months later, around June 28, 2011, he is offered a moderator position after he, and other members, decided to create an FAQ thread on the Silk Road forum for the newcomers. With over 4000 posts Nomad Bloodbath was one of the most respected members of Silk Road, bringing heart and soul to his moderator job and contributing to the Silk Road revolution. The story goes that Nomad felt undervalued by Dread Pirate Roberts for all the work he achieved to maintain the forum in good shape and over time a toxic relationship grew between Nomad Bloodbath and DPR, resulting in Nomad allegedly quitting his moderator position sometime in late 2012, early 2013 (a conservative date being around January 2013 but no formal post was ever made about Nomad quitting).
Reading through the thousands of posts of Nomad Bloodbath one can notice similarities with East India Traitor. Nomad's "all time favorite" cannabis strain also happens to be Pre98 Bubba Kush. Like EIT, Nomad often referred to the "Silk Road revolution", even dubbing himself "Silk Road Revolutionary" on his forum profile. Having been on Silk Road since the beginning, Nomad was also familiar with the Open Vendor Database (OVDB) and some of its vendors, like Envious and Enelysion, whom, like EIT, Nomad misspells "Eneylsion". As for the graphic designer, it was no secret that Nomad was Silk Road's artistic touch, selling designer and custom designed artwork in the form of collectible toys on his vendor page.
Nomad's last post on the public forum is dated April 1, 2013 but he will eventually come back and post on the vendor restricted area of the forum, the vendor roundtable, two months later, on May 24, 2013, announcing a vacation break. "Currently my IRL time is filled with much more important personal things and frankly my politics simply do not align with Silk Road's pseudo-agenda" ("pseudo-revolution" anyone?). However, before leaving for good he offered Silk Road vendors his famous chalkboard skulls for 50% off and free shipping. On that same day he also decided to get rid of his two-year-old PGP key and silently replace it on his vendor page with a new one. How do we know? The last PGP key available on his vendor page was also created May 24, 2013 as shown by the metadata:
To summarize, we have one of the most trusted members of the Silk Road community and ex-moderator, Nomad Bloodbath, who comes back, after months without posting, to announce he is about to take a "vacation break" from Silk Road. After two and a half years using the same PGP key he decides to "silently" change key to sell... toys and chalkboard skulls. It does look like the perfect plan for law enforcement to gather vendors' and moderators' addresses upon delivering one of those harmless toys. And yes, we believe that at this point the Nomad Bloodbath account was compromised and controlled by law enforcement.
One of Nomad Bloodbath lucky customer who ordered and seem to have received a skull following Nomad's announcement is forum moderator samesamebutdifferent (SSBD). On June 20, 2013, more or less a month after Nomad's "vacation break" post, SSBD posted that he had "one [skull] in transit". If Nomad's account was indeed compromised, it could explain why, when the indictment against the Silk Road moderators and administrators, Inigo, Libertas and SSBD, was unsealed on December 20, 2013, SSBD was the only one who had his other aliases listed, as "samesamebutdifferent" a/k/a "Batman73" a/k/a "Symmetry" a/k/a "Anonymousasshit". Inigo and Libertas had also been known and obviously used other aliases, however none of those other aliases appeared in the indictment hinting at SSBD's background having been further investigated. We do not know, if SSBD provided his personal address or a drop, however it surely provided LE with his buyer account(s) and a geographic location to organise surveillance.
Another interesting document, which re-enforces our theory about Nomad having been compromised and SSBD's identity early uncovered and seems to have been overlooked, is Exhibit 7, part of a Reply Memorandum of Law submitted on behalf of defendant Ross Ulbricht in support of his motions for a new trial. It's a copy of an email exchanged between JDY and one of his HSI colleague discussing their investigation and how not to look like "complete fools" due to the "HSI Baltimore Gang" behaviour.
The email is dated September 20, 2013 (emphasis added):
Baltimore can have a few vendors of our choosing - as well as the ability to say they "helped" ID some of the admins by "allowing" NY to use OUR UC account to identify some of the lower admins, and they can have sloppy seconds on DPR for their murder for hire. They can also have some info on other bitcoin companies that MK might name is shady after we get done with him.
That's the best that can be given and they should consider themselves lucky for getting anything close to that. Or we can just stall, and Baltimore gets nothing and we contributed to the other two admins getting away [redacted]. We'll get no HSI banner on the site, and will probably get no cooperation from NY with any information related to MK. If DPR names MK in the interview and we didn't help them get the other admins when we had the chance - NY will leave us out of it and tie him into their conspiracy. We will then be left dealing with HSI Baltimore's tears and them then trying to take [redacted].
At the time of this exchange between HSI Agent JDY and his colleague, the known Silk Road administrators/moderators (both terms being used loosely here) were Inigo, Libertas, SSBD, and the undercover account Cirrus, operated by Special Agent Jared Der-Yeghiayan. The wording of the first redacted sentence seems to imply that, prior to the arrest of Ross Ulbricht and the discovery of the staff IDs on Ross's laptop, only two staff members were still not clearly identified. The use of "the other two admins" in the sentence also hints at JDY including all members of staff under the "admin" umbrella, since only Libertas and Inigo were administrators on the market. We believe that by September 2013, when the email exchange occurred, at least one other staff member had previously been identified (we're not including Flush and Scout for the obvious reason that we know both had already been raided). For the reasons explained above, it is highly likely that SSBD had already been identified by law enforcement prior to DPR's arrest, leaving only the identity of "the other two admins", Libertas and Inigo, to be determined.
The main LE investigation teams working on the Silk Road case were based in Baltimore (DEA/HSI), Chicago (HSI) and New York (FBI). Can we speculate on which team took over Nomad Bloodbath's account? It seems that JDY, again during Ross's trial, might have provided part of the answer when Dratel questioned him about the circumstances in which he took over Scout's account (emphasis added).
DRATEL: One of your challenges in getting Scout to relinquish her account and give you access to Scout, and then ultimately to Cirrus, was how to convince Scout that you were law enforcement and that DPR was tricking her -- him you thought at the time but her and that her better option, or Scout's better option was to go with the law enforcement, you had to do that online in a way that didn't impair the investigation, correct?
MR. TURNER: Objection to form.
THE COURT: If you understand the question, you can answer it.
DRATEL: I --
DRATEL: I will break it down.
JDY: I guess the response is that I wasn't -- I didn't portray myself as law enforcement to Scout. That was another agent that did that. I had another account at that time that I was utilizing to talk to Scout that they did not know -- I wasn't portrayed as law enforcement.
DRATEL: But that was a challenge for the investigation, correct, as a whole?
JDY: A challenge, I'm sorry, to?
DRATEL: To convince Scout, whether it was you or a colleague of yours, to convince Scout that DPR was tricking Scout and that Scout's better option was to essentially align with law enforcement?
JDY: That was another agent's goal with another account that they were utilizing. My particular goal with the account that I was utilizing was to try to get Scout to buy something from me which would then result in exchanging their name and address.
DRATEL: Right. That is ultimately what happened, right?
JDY: That is what happened.
DRATEL: I'm saying, the other agent's challenge was this other aspect of trying to do something online that would convince Scout to essentially relinquish her account to law enforcement?
JDY: Correct.
Here we go. We learn from JDY's cross-examination that he was using an undercover account, not portrayed as law enforcement, to talk to Scout, trying to convince her to buy "something" that would result in obtaining Scout's name and address. We believe that it eventually happened and led to Scout being raided at some point in June/July 2013. We previously thought that Scout had been identified due to the Bitcoin exchange she was running on Silk Road under the alias CaptainMal; however, we didn't find at the time any confirmation that she kept her Bitcoin exchange running on Silk Road after she was promoted to forum moderator.
With the new theory discussed above, we are now more inclined to believe that Scout's arrest was the result of her providing her name and address to JDY operating Nomad Bloodbath's account, the same way SSBD did. Scout was appointed forum moderator after Nomad Bloodbath requested some help to moderate the forum, and it is easy to imagine that a certain degree of "trust" grew between them while working together on the forum.
Unfortunately, we can only speculate as to what happened, as we didn't find any reference to Scout ordering a skull or other toys from Nomad. However, Nomad being arrested and his account taken over by JDY to reach the other Silk Road moderators (Scout, SSBD) fits the investigation timeline nicely.
Last, but maybe not least supporting this theory, the PGP keys.
We mentioned earlier Nomad Bloodbath's sudden change of PGP key in late May 2013. We found another PGP key that could also be associated with Nomad Bloodbath, or someone trying to impersonate Nomad Bloodbath, which was created a couple of weeks later, on June 12, 2013. Analysis of that key yields an interesting result. RFC 4880 defines the constants of the OpenPGP format, such as the identifiers for public-key, symmetric-key, compression and hash algorithms, among other parameters, to be used by PGP implementations. It is then more or less up to each implementation to decide which algorithms it implements and uses by default. In a nutshell, depending on the PGP software used, its version and the underlying operating system, a given set of parameters will be used by default when creating a PGP key, regardless of the key size.
For example, Nomad Bloodbath's key created in May 2013 has the following preferences and characteristics:
The public key was likely created using a Windows operating system, as suggested by the version header, MingW32, which is consistent with Nomad Bloodbath's 2011 public key as well as his use and recommendation of GNU Privacy Assistant (GPA) on Windows.
We can also note that the key has no expiry date.
In comparison, the Nomad Bloodbath PGP key generated a few weeks later, on June 12, 2013, has the following preferences and characteristics, strongly indicating that it was generated using different software, a different version of PGP and/or a different operating system.
:signature packet: algo 1, keyid 30D1715931717798
version 4, created 1371038457, md5len 0, sigclass 0x13
digest algo 10, begin of digest 7a 83
hashed subpkt 2 len 4 (sig created 2013-06-12)
hashed subpkt 27 len 1 (key flags: 2F)
hashed subpkt 9 len 4 (key expires after 4y1d0h0m)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 30D1715931717798)
Key flags: 2F, means that the key may be used to certify other keys, the key may be used to sign data,
Preferred symmetric algorithms: AES with 256-bit key (sym 9), AES with 192-bit key (sym 8), AES with 128-bit key (sym 7), CAST5 (sym 3)
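The comparison of key-generation defaults described above can be done mechanically from this kind of packet listing. The following Python script is an added example, not part of the original page: it parses the June 12, 2013 self-signature listing quoted above, decodes the identifiers using the RFC 4880 tables, and reports which generator-dependent fields differ from a second listing that is constructed here purely for contrast (it is not the May 2013 key, whose listing the page does not reproduce).

```python
import re
from datetime import datetime, timezone

# Identifier tables from RFC 4880 (sections 9.2, 9.3, 9.4 and 5.2.3.21).
SYM = {0: "Plaintext", 1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
       7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
        10: "SHA512", 11: "SHA224"}
ZIP = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}
KEY_FLAGS = [(0x01, "certify"), (0x02, "sign"), (0x04, "encrypt-communications"),
             (0x08, "encrypt-storage"), (0x10, "split-key"),
             (0x20, "authenticate"), (0x80, "group-key")]

# Listing quoted on this page (self-signature of the June 12, 2013 key).
JUNE_2013_LISTING = """\
:signature packet: algo 1, keyid 30D1715931717798
version 4, created 1371038457, md5len 0, sigclass 0x13
digest algo 10, begin of digest 7a 83
hashed subpkt 2 len 4 (sig created 2013-06-12)
hashed subpkt 27 len 1 (key flags: 2F)
hashed subpkt 9 len 4 (key expires after 4y1d0h0m)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 30D1715931717798)
"""

# CONSTRUCTED listing for contrast only: placeholder key ID, no expiry subpacket.
CONSTRUCTED_LISTING = """\
:signature packet: algo 1, keyid 0000000000000000
version 4, created 1300000000, md5len 0, sigclass 0x13
digest algo 2, begin of digest 00 00
hashed subpkt 2 len 4 (sig created 2011-03-13)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 0000000000000000)
"""

SUBPKT = re.compile(r"subpkt (\d+) len \d+ \((.*)\)\s*$")
LIST_FIELDS = {11: "pref_sym", 21: "pref_hash", 22: "pref_zip"}
HEX_FIELDS = {27: "key_flags", 30: "features", 23: "ks_prefs"}


def parse_self_sig(listing):
    """Extract the generator-dependent fields from one signature packet listing."""
    fp = {"created": None, "digest_algo": None, "key_flags": None, "expires": None,
          "pref_sym": (), "pref_hash": (), "pref_zip": (),
          "features": None, "ks_prefs": None}
    for raw in listing.splitlines():
        line = raw.strip()  # real gpg output indents these lines with tabs
        if line.startswith("version"):
            m = re.search(r"created (\d+)", line)
            if m:
                ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
                fp["created"] = ts.strftime("%Y-%m-%d %H:%M:%S UTC")
        elif line.startswith("digest algo"):
            fp["digest_algo"] = int(line.split()[2].rstrip(","))
        m = SUBPKT.search(line)
        if not m:
            continue
        kind, text = int(m.group(1)), m.group(2)
        value = text.split(":", 1)[-1].strip()
        if kind in LIST_FIELDS:        # ordered preference lists
            fp[LIST_FIELDS[kind]] = tuple(int(x) for x in value.split())
        elif kind in HEX_FIELDS:       # single-octet bit fields, printed in hex
            fp[HEX_FIELDS[kind]] = int(value, 16)
        elif kind == 9:                # key expiration time
            fp["expires"] = text.rsplit(" ", 1)[-1]
    return fp


def decode_flags(value):
    """Expand the key-flags octet into the capabilities it grants."""
    return [name for bit, name in KEY_FLAGS if value & bit]


def describe(fp):
    """Human-readable view of a parsed listing."""
    def names(ids, table):
        return [table.get(i, "unknown(%d)" % i) for i in ids]
    return {"created": fp["created"],
            "self-sig digest": HASH.get(fp["digest_algo"], "unknown"),
            "key flags": decode_flags(fp["key_flags"] or 0),
            "expires after": fp["expires"] or "never",
            "symmetric prefs": names(fp["pref_sym"], SYM),
            "hash prefs": names(fp["pref_hash"], HASH),
            "compression prefs": names(fp["pref_zip"], ZIP)}


def differing_fields(a, b):
    """Fields (creation time excluded) on which two parsed listings disagree."""
    return sorted(k for k in a if k != "created" and a[k] != b[k])


if __name__ == "__main__":
    june = parse_self_sig(JUNE_2013_LISTING)
    other = parse_self_sig(CONSTRUCTED_LISTING)
    for field, value in describe(june).items():
        print("%-18s %s" % (field, value))
    print("differs from constructed sample on:", differing_fields(june, other))
```

Matching defaults indicate the same software lineage and configuration, not the same person; the result is one attribution signal to weigh with the others.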
Although the version header is not present, further research on a set of Silk Road users' public keys tends to show that public keys with the preferences and characteristics above seem common to keys generated by MacGPG2 for Mac OS X users. From the several screenshots disclosed during Ross's trial we know that JDY was also using MacGPG2 for Mac OS X and, in what might not be a coincidence, the other known JDY undercover account, Cirrus, used a PGP key with very similar metadata and key properties to Nomad Bloodbath's June 2013 PGP key.
The metadata below being common to both.
We believe this further links JDY to both the Nomad Bloodbath and Cirrus undercover accounts.
What about July 23, 2013, the date the server was imaged? How did JDY know when it would be a good time to image the Silk Road server if he wasn't controlling the Cirrus account? He might have gotten the information from Nomad, but it seems very unlikely that Nomad would still be familiar with the admin team rota months after leaving. Scout? JDY testified he wasn't in control of the account until after the Silk Road server was imaged. However, this doesn't mean LE hadn't raided scout yet. Going undercover and infiltrating the biggest darknet market of the time with a moderator account requires a bit of preparation. The BBC documentary "Silk Road: Drugs, Death and the Dark Web" provides us with a bit of context about how the account takeover took place.
JDY explains that after scout was raided he spent three or four days with her for a complete debriefing, learning how to communicate as scout, how the moderators operated and other intel. Having access to cirrus's personal messages and the restricted area of the Silk Road forum surely provided the FBI with useful information, including when it would be a good time to image the server as "there wouldn't be administrative action on the site".
Does it mean that JDY "lied" about the date of the account takeover by pretending it happened at a later date? Not necessarily; our best theory is that the discrepancy might be the result of administrative delays before the account "officially" became a registered HSI undercover account handled by JDY. The arrest of scout was certainly a big achievement and other agencies probably tried to claim the account for themselves as well, delaying the whole process. We have very little information about when scout was raided and her account eventually taken over. A potential date could be June 19, 2013, logged in the HSI investigation timeline as the day HSI Chicago and the HSI Baltimore "gang" conducted a joint search warrant based on a new target developed by HSI Chicago.
-On June 19, 2013, During a joint SW conducted by HSI Chicago and HSI Baltimore based on a new target developed by HSI Chicago SA McFarland spoke with SA Der-Yeghiayan about the Target A and SA McFarland stated that he had complete control over AUSA Kay and he was the one to decide whether or not Target A would be interviewed. SA McFarland stated that he would honor SA Der-Yeghiayan's request to not pursue or interview Target A.
This would fit the timeline nicely, as Scout's last connection to the Silk Road forum is June 18, 2013, which would have been a day before the raid. However, due to what is sometimes referred to as "emailgate" or the operation "mr. wonderful", it is almost certain that by June 19, 2013 scout had already lost control of her account to DPR and Cimon, which complicates the timeline even more.
During the period of interest, between May 2013 and July 2013, multiple interlinked events happened more or less simultaneously, making the timeline very confusing. Probably also confused by all the shenanigans, DPR didn't log his weekly criminal activity in his journal for the period that interests us. We know now that JDY was actively using Nomad Bloodbath's identity, approaching vendors and moderators trying to sell his skulls; that an undercover LE agent was approaching moderators using the account "mr.wonderful", which eventually resulted in scout being demoted and locked out of her account by DPR; and that a rogue LE agent, under the alias "alpacino", was providing DPR with alleged internal knowledge of the LE investigation (we will keep this one for another time).
The speculative and annotated timeline below tries to streamline the series of events discussed above.
18/05/2013 - Undercover HSI agent "mr.wonderful" creates an account on the forum. F
We have a few accounts of "mr.wonderful" being operated by an HSI agent, with hints of the DEA playing a role in the background.
JDY: "Mr. Wonderful was operated by another HSI agent."
alpacino: "initially it was a DHS (HSI) or CBP gig but the account is no own by someone at DEA (with few cooks in the kitchen)."
East India Traitor: DEA visited/visits me twice a month... asks me shit, then they brag about their shit. Such as the mt gox bullshit a couple months ago, asking if SR members would go for paid informant work, I sent them on wild goose chases just enough to get them to come share with me more than they could get from me. I in no way snitched out anyone, they are currently trying to get into your staff forum mods esp .. .i suggest they change usernames every month start posts counts back at zero. I suggest you relocate outside usa ... if not already, they are foaming at the mouth which branch of the LE gets credit for your arrest.
Clearly, the "mr.wonderful" operation was an HSI Baltimore business. The description Nomad Bloodbath gives of the DEA agents visiting him and the questions related to paid informant work matches what we know of the "mr.wonderful" operation. Carl Force IV was probably too busy trying to defraud DPR to be directly involved with this one. If we had to guess who was operating the "mr.wonderful" account we would go for SA McFarland: according to the HSI Investigation timeline, he had been reassigned the HSI Baltimore case in 2012 because they needed a certified undercover agent, which makes him a good candidate.
24/05/2013 - Nomad Bloodbath "VACATION BREAK" offers chalkboard skulls to sell on the vendor roundtable and changes his PGP key. F
At this point Nomad Bloodbath's account was compromised and operated by HSI Chicago according to JDY's testimony.
JDY: That was another agent's goal with another account that they were utilizing. My particular goal with the account that I was utilizing was to try to get Scout to buy something from me which would then result in exchanging their name and address.
Nomad's account would eventually be used to compromise scout and SSBD. It's unknown how Nomad Bloodbath was arrested, but considering he had very poor OPSEC he probably ended up being low-hanging fruit for a controlled delivery. He actually told DPR, using his alias "East India Traitor", that he "did 6 months federal time in a DRAP program for SR related crimes", which led to him meeting the Baltimore gang.
01/06/2013 - someone claiming to be LE trying to infiltrate forum mods. DJ
03/06/2013 - put cimon in charge of LE counter intel. DJ
The "someone" mentioned by DPR is "mr.wonderful". Two weeks after "mr.wonderful" created an account on the SR forum and started approaching the forum moderators, DPR is made aware that an alleged LE agent is trying to infiltrate his staff. This is the premise of "emailgate" and will result in Scout and SSBD being demoted for engaging with "mr.wonderful". DPR will then ask Variety Jones/cimon to investigate.
05/06/2013 - Tried counter intel on DEA's "mr wonderful" but led nowhere. DJ
The quote above appears in DPR's diary but the date is unclear. Between June 5th and September 11th, 2013, DPR did not date his journal precisely. The entry above is the first sentence of a blob of text describing events between June 5th and September 11th. DPR likely backlogged his entries at this point, so the June 5th date should probably not be taken too literally, and one can assume the "counter-intel" operation went on for more than a couple of days, sometime in June 2013.
To "counter intel on DEA's mr.wonderful", DPR took over scout's and ssbd's email and forum accounts, going as far as pretending to be scout online. We can find the credentials of both accounts in DPR's "le_counterintel.txt" file, where he kept information leaked to him related to the LE investigation into Silk Road. He probably read over private messages and engaged with "mr.wonderful" to try and get information. By his own words it was not successful.
scout's tormail where he is talking to mrwonderul:
username: scoutsr
password: b311amOn
Symm's tormail talking to mrwonderful:
symmetry2
bjBTrmPzUBhmN3uH
scout, forum username: scout
pass: nlNlaGKUb1r6sqYY
In a "funny" twist, the "mr.wonderful" operation jeopardised HSI Chicago's own investigation by preventing JDY from accessing scout's forum and email accounts, as an increasingly paranoid and suspicious DPR fired scout and changed her accounts' details, locking JDY out of her accounts. DPR continued posting with scout's forum account so it would seem she was still around. JDY acknowledged at trial that the "mr.wonderful" operation was a challenge for his own investigation.
DRATEL: Did you go back and read posts having to do with Mr. Wonderful?
JDY: I didn't have access to the Scout account to go back to read that. I only had access to the Cirrus account.
05/06/2013 - SSBD moved back to primary moderator, "I'm going to move you back to being the primary mod on the forums. I'm going to keep paying you $1k/wk though... How does that sound? Be my forum mod?" NY
Another side effect of the "mr.wonderful" operation: ssbd, who had just been promoted to admin on the main site, is moved back to the forum by DPR as a precaution against "mr.wonderful"'s approaches to his staff.
11/06/2013 - SA Der-Yeghiayan sends an e-mail noting the difficulty of determining the identities of users on the Silk Road site because multiple people were operating multiple accounts with different user names, leading him to ask, "Sheesh. Who's on first again?" CH
Yeah right? If even JDY finds it difficult to know who is controlling which account, we have little chance. It does however show the general confusion at the time, as highlighted at trial by JDY.
DRATEL: And, in fact, there were times when you thought that DPR might be operating some of the other administrator accounts, right?
JDY: There was, yeah, there was times that we didn't know who was operating what accounts.
JDY: Specifically in this period of time there was multiple things going on with multiple accounts.
DRATEL: And that's June of 2013?
JDY: That was June 2013, yes.
11/06/2013 - Last post of Scout on the Silk Road forum. F
At this point DPR had already confiscated scout's account and it is very likely the latest posts from scout were actually made by DPR. He eventually stopped posting on June 11th. Background activity on the account would however continue until June 18th.
12/06/2013 - PGP key nomad bloodbath created.
As already discussed above, this could be one of the PGP keys used by JDY to impersonate Nomad Bloodbath.
18/06/2013 - Last connection on the forum of user scout. F
19/06/2013 - Joint Search Warrant conducted by HSI Chicago (SA Der-Yeghiayan) and HSI Baltimore (SA McFarland) based on a new target developed by HSI Chicago. CHI
The last connection of "scout" to the forum happened a day before the joint search warrant, on what we believe could be a possible date for scout's raid. However, again, it is very likely that at this point the "scout" account on the forum was controlled by DPR and/or "cimon" trying to counterintel "mr.wonderful". Funnily enough, the "mr.wonderful" operation likely prevented JDY from accessing "scout"'s forum account and associated inbox.
20/06/2013 - monik3r (scout) First post on the forum. F
monik3r is thought to be another alias of scout, which she used on IRC among other places. Weirdly enough, we couldn't find when the account was created and only have access to a few sporadic posts across the forum. Whether the account was operated by "scout" at this point isn't very clear, and it could as well have been used by JDY as a "training" account while debriefing scout.
26/06/2013 - mr.wonderful asks "where is scout ?" on the SR forum. Monik3r replies that "maybe he got a new assignment?" F
As often, things are a bit unclear. We were told that DPR, having found out that it was no secret that "monik3r" and scout were one and the same, also took over the "monik3r" account on the SR forum. It could explain the "surreal" exchange between "mr.wonderful" and "monik3r", where mr.wonderful enquires about scout's whereabouts and receives an answer from "monik3r" invoking a "new assignment". Unless JDY was operating the "monik3r" account at this point? Who responded to "mr.wonderful"? The real scout, DPR or JDY?
26/06/2013 - Last connection of mr.wonderful on the forum. F
11/07/2013 - Cirrus registers an account on the forum and becomes global moderator. F
Following strong lobbying from the moderators/admins (Libertas, Inigo, SSBD) to have scout back in the team, DPR agrees to reinstate scout as global moderator under a new name, Cirrus. Unknowingly, DPR accelerated his downfall by allowing HSI agent Der-Yeghiayan onto his staff.
14/07/2013 - JDY email re: "Cirrus is scout, inlightof might be dread according to scout." (typo corrected). CHI
The quote above, dated July 14th, 2013, seems to show, again, that the scout/cirrus account was taken over before the "official" date, with scout already fully debriefed by JDY and very likely sharing the cirrus account as well as insight on the admin team.
23/07/2013 - Silk Road Server, 193.107.86.49, forensically imaged by Law Enforcement. NY
Using his "privileged" position as forum moderator and the information obtained from scout's debriefing, JDY provides intel to the FBI NY as to when it would be a good time to image the Silk Road server as "there wouldn't be administrative action on the site".
It is pretty clear from the timeline above that scout's account was taken over by LE much earlier than previously discussed at Ross Ulbricht's trial, where the date of July 26-27, 2013 was mentioned by JDY. Scout was fully debriefed by LE prior to the Silk Road server being imaged, and the cirrus account was accessed and used by JDY earlier than previously thought, which explains why JDY was in a "privileged position" to pick a date to image the server "knowing" there wouldn't be administrative action.
First witness, Homeland Security Investigations Special Agent Jared Der-Yeghiayan, said he started investigating Silk Road after intercepting packages at Chicago O'Hare airport. During the course of the investigation he made an account on Silk Road, ultimately making more than 50 undercover purchases from 40 Silk Road dealers in 10 countries. He also operated multiple undercover law enforcement accounts on Silk Road, including the account of a Silk Road staff member, until Ross Ulbricht's arrest.
Week 1 - Day 2 - 14/01/2015 - DHS Agent Jared Der-Yeghiayan examination.
DHS agent Jared Der-Yeghiayan confirmed that he took over the account of Silk Road administrator Cirrus, which helped the FBI trap Ross Ulbricht. The DHS agent engaged in an online discussion with Dread Pirate Roberts in order to ensure he would be logged in as administrator on the Silk Road marketplace at the moment of his arrest.
Week 1 - Day 3 - 15/01/2015 - DHS Agent Jared Der-Yeghiayan examination and cross examination.
DHS Agent Jared Der-Yeghiayan explains how they arrested Ross Ulbricht in the San Francisco public library with his laptop open and connected on Silk Road as Dread Pirate Roberts. Following the arrest law enforcement searched Ulbricht's house and found, in the trash, Silk Road related notes about Silk Road vendors and the site feedback system.
Ross Ulbricht's lawyer Joshua Dratel starts the cross-examination of the witness.
During the course of the cross-examination, the defense managed to get the prosecution's own witness, HSI Agent Jared Der-Yeghiayan, to admit that in 2012 and 2013 he had opened an investigation into Mark Karpeles as the suspected owner and operator of Silk Road, as well as Karpeles' then Mt. Gox associate, Ashley Barr, as the voice of the Dread Pirate Roberts. An affidavit written in 2013 by Der-Yeghiayan allegedly shows evidence of the involvement of Karpeles in Silk Road. He also told other DHS agents by email that he believed they had “built up quite a large list of information to lead” to Karpeles.
Evidence pointing to Mark Karpeles's involvement with Silk Road includes the website www.silkroadmarket.org, registered by Karpeles's company Mutum Sigillum LLC, the enormous amount of Bitcoin held by Karpeles as owner of Mt. Gox, as well as information received from a federal informant working with Karpeles.
The witness also acknowledged, under Joshua Dratel's questioning, that he thought the person operating the Dread Pirate Roberts account had changed in April 2012, despite the same PGP key being used before and after the alleged change of leadership. Der-Yeghiayan shared this thought with other DHS staff in an email. He would eventually be told the name Ross Ulbricht in September 2013 by SA Gary Alford from the Internal Revenue Service.
In parallel with the witness's investigation, another HSI team in Baltimore was also investigating Karpeles for violating laws on US money exchange and money transfers, which led, in May 2013, to the seizure of Mt. Gox subsidiary company Mutum Sigillum LLC. Despite Jared Der-Yeghiayan's protest that it might jeopardise his own investigation, HSI Baltimore met with Karpeles' lawyers. At the meeting Silk Road was brought up and Karpeles offered to give up the person he thought was running Silk Road in exchange for immunity from the other charges pending against him.
Day off - 19/01/2015
Prosecutors filed papers seeking to block, in order not to confuse the jury, the line of questioning started the previous week by Ross Ulbricht's lawyers when they cross-examined Jared Der-Yeghiayan, a special agent for Homeland Security, about the agent's initial belief that Mark Karpeles was a prime suspect in the investigation.
Following the government filing, Ross Ulbricht's lawyers filed their response to the government motion arguing that "Pointing to an alternative perpetrator is a defense that has been endorsed by the Supreme Court" and that they would like to introduce another suspect, whose name was provided to DPR in April 2013 via the Silk Road private message system.
Week 2 - Day 1 - 20/01/2015 - DHS Agent Jared Der-Yeghiayan cross examination
After a five-day break the trial continued with the prosecution and defense arguing about the type of evidence allowed regarding the alternate theories surrounding the identity of Dread Pirate Roberts. The judge ruled that the defense should avoid questioning the witness about his "beliefs" and "suspicions" in order to avoid any "hearsay".
DHS Agent Jared Der-Yeghiayan confirmed Mark Karpeles was once a suspect.
The defense questioned Jared Der-Yeghiayan about his investigation on Karpeles and three other men - alleged Mt. Gox associate Ashley Barr, Canadian Anand Athavale and a man named Richard Bates.
Another Silk Road undercover account operated by LE, "Mr.Wonderful", was also introduced to the court. The defense kept trying to ask about Mr.Wonderful but was met with objections from the prosecution.
Week 2 - Day 2 - 21/01/2015 - Second witness, FBI computer scientist Thomas Kiernan, examination
The prosecution started the day by examining Der-Yeghiayan about the Karpeles link, telling the jury silkroadmarket.org was in fact set up by Ross Ulbricht using fake information found on Ulbricht's laptop. The defense didn't push further on Karpeles but instead asked about another suspect of the investigation team, mises.org forum admin "Liberty Student" a/k/a DixieFlatline. Der-Yeghiayan said this person was a suspect mainly due to similar writing style and political ideas with Dread Pirate Roberts.
FBI computer scientist Thomas Kiernan comes into play, explaining again to the jury how Ross Ulbricht was arrested and, more importantly, that he found logs and journal entries on Ulbricht's laptop, which were presented as evidence.
The prosecution then went through the very large amount of data pulled from Ulbricht's laptop, which includes spreadsheets of Silk Road finances, years of TorChat logs with various people involved in the Silk Road operation, the Silk Road organisation chart, a payroll document, daily logs of staff activities, an old passport and driver's license, and the scanned IDs of Silk Road admins.
Ulbricht's laptop also contained a diary describing how he created Silk Road, and daily logs of activity going from 2011 until his arrest in October 2013. The prosecution read parts of the entries out loud for the jury, which were also shown on a screen in court.
For the first time, it is also revealed, from the journal entries and TorChat logs, that Dread Pirate Roberts had hired "behind the scene" staff (other than the known administrators) to help him with the site development. Two prominent staff members went by the nyms "Variety Jones a/k/a Cimon" and "Smedley".
Richard Bates explained to the jury how in 2010 Ross Ulbricht approached him for programming advice while creating Silk Road. Bates became suspicious of all those questions, thinking Ross wanted to hack a website. Upon Richard Bates's insistence, Ross Ulbricht confessed, in February 2011, just after the launch of Silk Road, that he was its creator.
When Ross Ulbricht was arrested in October 2013, investigators found a long list of Google Chats between Ross Ulbricht and baronSyntax showing Bates had provided coding advice at Silk Road's inception but also afterwards. Richard Bates is testifying against Ulbricht in exchange for a non-prosecution agreement in order to avoid charges for helping Ulbricht to code Silk Road, occasional drug buys on the site and a Bitcoin exchange side project he was building with Ross Ulbricht, which the prosecutor said amounted to money laundering.
By November of 2011, Ross Ulbricht told Bates he had sold the site to someone else; however, the prosecution later produced a TorChat log between DPR and Variety Jones, where DPR says he told 2 people about Silk Road "but they think I sold the site and got out, and they are quite convinced of it."
Week 3 - Day 1 - 26/01/2015 - IRS Special Agent Gary Alford examination
Prosecutors questioned IRS Special Agent Gary Alford on what led the investigation to Ross Ulbricht. Searching Web references of "Silk Road" and ".onion" pre-dating January 31, 2011 led the investigation team to a post by a user named altoid, on the bitcointalk.org forum, linking to the Silk Road Hidden Service and the Silk Road portal silkroad420.wordpress.com. The same user, altoid, also started a thread searching for a "lead developer in a venture backed bitcoin startup company" where he posted the email address rossulbricht at gmail dot com as a contact.
Alford obtained a search warrant for the rossulbricht@gmail.com e-mail account, which contained data matching what was found on Ross Ulbricht's laptop.
Week 3 - Day 2 - 28/01/2015 - IRS Special Agent Gary Alford examination and cross examination | VP of operations at Stack Exchange Alex Miller examination and cross examination | Special Agent with the DHS Dylan Critten examination and cross examination | Silk Road heroin dealer Michael Duch examination
Examination of IRS Special Agent Gary Alford continued, trying to forge ties between Dread Pirate Roberts' activities, as shown in DPR's journal, chat logs and files found on Ulbricht's laptop, and Ross Ulbricht's records from his Gmail and Facebook accounts.
The second witness of the day, Alex Miller, VP of operations at Stack Exchange, drew a timeline of Ross Ulbricht's use of Stack Exchange and explained how the account Frosty is tied to Ross Ulbricht according to his company's records.
The next witness was Dylan Critten from Homeland Security, who testified to intercepting a package containing nine fake driver's licenses intended for Ross Ulbricht. Critten also confirmed he had never heard of Silk Road before and didn't know the IDs had been ordered through the marketplace.
Michael Duch, a heroin vendor on Silk Road under the nym Deezletime, gave his testimony on how he got involved with the marketplace, providing a detailed explanation of what it is like to be a vendor on Silk Road, making $60,000 to $70,000 in monthly income for a total of 3.18 kilograms of heroin sold on the road. Michael Duch insisted that he would never have started selling heroin without Silk Road.
The day was again really tense between the defense and the prosecution, Dratel complaining he was being "blocked from asking questions that aim to call into doubt the authenticity, reliability, and meaning of dozens of pieces of government evidence that suggest Ulbricht is guilty, as well as questions about the multi-agency investigation into his client". Must read.
Week 3 - Day 3 - 29/01/2015 - Silk Road heroin dealer Michael Duch cross-examination | FBI agent Vincent D'Agostino examination and cross-examination | Former FBI agent Ilhwan Yum examination and cross-examination | FBI contractor Brian Shaw examination.
The defense continued Michael Duch's cross-examination, bringing up previous drug charges against the witness and highlighting inconsistencies about how and when he started using and selling drugs.
The next witness, Vincent D'Agostino, explained to the court with a video how he purchased a "Hack Pack" from Silk Road, intended to install malware on targeted computers to steal passwords and give the user remote access to infected computers. According to D'Agostino the software worked as advertised.
The government called former FBI agent Ilhwan Yum, who seized bitcoins from Ross Ulbricht's laptop and the Silk Road servers. Ilhwan Yum explained how he traced 3,760 bitcoin transactions in which bitcoins moved from addresses associated with Silk Road to addresses associated with the bitcoin wallet found on Ulbricht's laptop, direct one-to-one transactions.
The final witness of the day was FBI contractor Brian Shaw, who analysed the Silk Road servers seized by the government. The court basically heard of the bizarre murder-for-hire plot involving FriendlyChemist and redanwhite, which surprisingly (or not) seems to have happened the exact same way we described it in December 2013. We called it Yo!
Week 4 - Day 1 - 02/02/2015 - FBI contractor Brian Shaw examination and cross-examination. Three defense witnesses examination and cross examination
The court heard the end of the murder-for-hire story and factual data analysed by Brian Shaw from the seized servers. Silk Road in numbers: 1.53 million transactions, 3,748 seller accounts, 115,391 buyer accounts, total revenue of 9,912,070 bitcoins, 642,455 bitcoins worth of commission.
Three defense witnesses were on and off the stand with Dratel's associate Lindsay Lewis handling about 30 minutes of examination. All of them were friends of Ross Ulbricht who have known him for over 15 years and described him as peaceful and non-violent. The prosecution argued that despite having known Ross for years, none of them knew he created Silk Road and was living under a fake name.
Two expert witnesses for the defense, bitcoin expert Andreas Antonopoulos and computer and internet security expert Steven Bellovin, were also denied permission to testify by the judge. The reasons given by Judge Forrest included wrong tactical decisions and missteps made by the defense in not complying with Rule 16, which requires the defendant to sufficiently disclose the substance of the expert witness testimony in advance.
The defense case was really short and two witnesses appeared briefly in court, a private investigator and a former roommate of Ross Ulbricht.
The rest of the day was left for the prosecution and defense closing arguments and jury deliberation.
After three hours of deliberation, the jury found Ross Ulbricht guilty on all seven felony charges he faced, including drug trafficking, continuing a criminal enterprise, hacking, money laundering, and fraud with identification documents.
A summary of the pre-trial exhibits list is available here (Thanks to Patrick O'Neill)
Torrent of the archive containing all the evidentiary exhibits introduced during Ross Ulbricht's trial available here (Thanks to gwern and Fran Berkman)
The table below summarizes some of the Government and Defendant Exhibits List in the Ross Ulbricht trial.
GOVERNMENT & DEFENDANT EXHIBITS LIST U.S. v. Ross Ulbricht, 14 Cr. 68 (KBF)
Screenshot: Bitcoin address created for the government to seize all of the bitcoins from Ross Ulbricht's laptop. FBI Address 1FfmbHfnpaZjKFvyi1okTjJJusN455paPH
The screenshot is dated Dec. 27, 2013. At the date of the creation of the account, V didn't have any privileges. He was granted Global Administrator privileges Dec. 23, 2013.
The screenshot is dated Dec. 27, 2013, after Sarge resigned from his position of Global Moderator, so at the time of the account creation the tag Global Moderator should have been next to his username, in place of the current Hero Member.
The screenshot is dated Dec. 27, 2013. At the date of the creation of the account, DoctorClu didn't have any privileges. He was granted Global Administrator privileges Dec. 23, 2013.
The story went that DPR2 "mistakenly" signed a post on the SR2 forum using StExo's PGP key, thereby proving himself to be StExo. The post was edited by DPR2 and the alleged signature removed. However, we never managed to confirm that StExo's PGP key was used, nor even that the message was electronically signed. Lots of people repeated that version of the story without trying to double-check the facts or consider the alternate possibility that the signature was a simple text-based signature.