Last update: February 2, 2019 - The trojan skull.

You will find below information related to the Silk Road websites and forums.
Since the original work was published, some of the hyperlinks have died because the original Silk Road forum was shut down. However, the screenshots are still valid and should hopefully provide enough understanding of the context and accurate information.

Silk Road Timeline

Credit: @thegrugq, who came up with part of the timeline below. His original work is available in two parts: "Dread Pirate Roberts - extortion timeline" and "The Maryland Indictment Timeline".

Timeline of events surrounding Silk Road's rise and fall (work in progress):

Maryland Indictment and Investigation; New-York Complaint and Investigation; Chicago Homeland Security Investigation; San Francisco Criminal Complaint; Silk Road forum; Media; DPR Journal; Blockchain

On "The Employee" staged assassination

22/10/2013

Based on the Silk Road Maryland indictment, in April 2012 an Undercover (UC) Agent started communicating with Dread Pirate Roberts (DPR). The UC claimed to be a drug smuggler who specialised in moving large quantities of drugs. During the following weeks DPR and the UC stay in touch. On the 7th of December 2012, the UC complains about Silk Road buyers wanting "very small amount" and says that "it really isn't worth it for him to do below 10kg". DPR offers to look around to find a buyer for a large quantity of drugs. He tasks someone known as "The employee" in the indictment with soliciting Silk Road's top sellers to find someone who could move large quantities of drugs from the UC. According to the indictment, the employee seems to have been hired sometime in November 2012 and is paid to respond to questions and complaints from buyers and sellers, resolve disputes between buyers and sellers, and investigate possible law enforcement activity on Silk Road.

In May 2012, the following users have high privileges on the Silk Road forum and are able to carry out administrative tasks:

DigitalAlch will eventually "resign" on the 16th of July 2012 and thus leave the forum administrator position vacant. It is not clear at this point whether someone else inherited the position. If seniority and knowledge of Silk Road were taken into account, chronicpain would be a candidate of choice, as he has one of the oldest accounts and is already administrator of the Wiki. However, we haven't found anything suggesting that any of the other global moderators (or anyone else) replaced DigitalAlch as Administrator.

On the 3rd of November 2012 a user, flush, registers an account on the forum and a few days later starts to be active in what looks like a Silk Road support role. I haven't found an official statement about flush's role, but his various posts (screenshot 1 and screenshot 2) on the forum strongly suggest that he has advanced privileges on the forum as well as on the Silk Road site:

Flush's last connection to the forum is dated 26/01/2013, which is also the date DPR informs the UC agent that "The employee" got busted.

Based on the information from the Maryland indictment, flush looks like a good pick for the "Employee" role in the assassination plot:

It is not really clear how flush got into that position after only a few days of activity on the forum. It looks like his account was created on purpose for his support role. Maybe an active user created a new account for the support role only, in order not to mix it with his existing account? Who knows...

Assuming Flush is "the employee" mentioned in the Maryland indictment, who could be the undercover agent? We don't know much about him except that he plays the big dog by introducing himself as "a drug smuggler who specialised in moving large quantity of drugs", a minimum 10kg type of guy. Suppliers selling in bulk or high quantity don't seem to be that common on Silk Road, so people have a tendency to remember them. One guy who seems to have attracted (screenshot) a lot (screenshot) of attention (screenshot) and questions (screenshot) for his listing of kilos (screenshot 1 and screenshot 2) goes by the name of "nob". Some users on the forum even think the law enforcement scam (screenshot) is too big to be true (screenshot). In light of what follows, this last assumption might be relevant.

On the 12th of February 2012, a vendor going by the name googleyed1 posts an enigmatic message on the Vendor forum warning other vendors and DPR not to deal with nob:

Unfortunately, we do not have access to the vendor forum, and the previous message was taken from a quote posted on one of the numerous threads related to nob. Access to the vendor forum thread the quote was taken from would probably clear up some of the mystery. If anyone with access to the vendor forum roundtable could get the information, it would be really useful. Backups of the vendor roundtable seem to be floating around; if you manage to get your hands on them, please consider sharing.

Updated 08/11/2013: Access to the thread on the vendor roundtable mentioned previously confirms googleyed1 warned other vendors not to deal with Nob. Most of them took the piss, arguing it was so obvious Nob was LE that googleyed1 deserved to lose money. In an interesting comment googleyed1 stated Nob had the full backing of DPR. However, it seems googleyed1 wasn't asked by DPR directly but by "one of the MODS", who said DPR asked him to look around for a big vendor with an interest to work with a big vendor. As noticed by another vendor, in theory it could have been the "MOD" who took the initiative to back Nob; however, in another enigmatic message googleyed1 doesn't rule out this possibility and says "yes this is true, but there have been some other things I don't want to talk about" (screenshot 1 and screenshot 2).

This nob guy could be a good pick to play the part of the undercover agent (Would you say it passes the duck test?).

A few days after the arrest of DPR, a thread starts on the forum where users speculate on the identity of the "Employee", the "Vendor" and the "Undercover agent". A vendor, googleyed1 (remember, the one who sent the warning on the Vendor forum about Nob), replies to the thread in order to "clear some things up" (screenshot) and makes the following statements:

Googleyed1 being based in the UK, it is possible nob didn't want to ship to Europe. As chronicpain was involved from the beginning, googleyed1 probably asked him to act as his re-shipper, offering him a cut on the delivery. Chronicpain would then have shipped the whole product to the UK for googleyed1 or sold it through the US on behalf of googleyed1. In any case, it looks like Googleyed1 was quite confident the deal would go through and started advertising his new product on the forum (screenshot).

It might be surprising to have chronicpain involved in this deal, as flush ticked all the boxes to be "The Employee". However, looking at the timeline and other particularities of both accounts, one could extrapolate that the same person managed both handles :)

Googleyed1 is 100% confident chronicpain was the "Employee" who got busted. It could be explained by the fact that chronicpain was using his "chronicpain" handle to communicate with googleyed1 and his "flush" handle to communicate with UC/nob.

The assassination plot seems partially solved according to this theory. However some questions remain unclear:

Opiates, Poker and Cocaine

30/10/2013

Ross Ulbricht, who was arrested on 2/10/2013 and is allegedly Dread Pirate Roberts, seems to have made some obvious mistakes online regarding his real identity, which helped law enforcement identify and arrest him. Plenty has been said about his bad "opsec" and there isn't much to add about it for the moment.

However, there are still some really interesting "characters" in this story. "The Employee" is one of them, and he has not received much attention despite the fact that he played an important part in the "first act" of the DPR investigation. In the following lines we will try to find out a bit more about him and whether the theory of chronicpain/flush being "the Employee", already discussed in "The Employee assassination plot" above, holds. What follows is not a parallel construction, and the observations are based on a timeline following our findings.

The only information we've got about "The employee" can be found in the Maryland indictment. Following our theory that chronicpain/flush and the Employee are the same person, another set of information we can rely on is the posts from chronicpain and flush on the Silk Road forum [1]. We've compiled below a list of "quotes" and "facts" extracted from various posts of chronicpain [2] (the posts from flush being minimalist).

"I am in charge of a web site that sells products and takes credit cards every day. I do go thru authorize.net"
"I am very opiate tolerant"
"Opana is not oxycontin, It's much much stronger"
"Opana is Oxymorphone not hydrocodone"
"Most of you know that Im all about harm reduction"
"Im not a smoker"
"I was a paramedic for 20 years and went through nursing school. Like I said in another thread, I couldn't finish due to an accident."
"Experience with Drupal? I have made my last 2 sites with it and absolutely love it...Easy to manage, change things, etc.."
"That's exactly what happened to my wife. It took a 3 month stint in jail to get her sober. She has been clean and awesome for over 10 years."
"There are a lot of other forums, like poppies.org, opiophile, bluelight, etc that is in clearnet (they talk about much more and with much more detail than here) I have never heard anyone get into trouble."
"My daughter (who just got married) had her mail returned because she used her married name instead of her maiden."
"In fact when I was getting adderall, when they first went generic on the ER"
"Technically, an 80mg oxycontin is equal to 40mg of opana ER. TAKEN ORALLY!! Now, if you snort them, 40mg of opana is 2 or 3 times the strength vs a snorted 80mg oxy. IV its about 3-4 times the strength. Would you consider getting an oxycontin 80mg for 15 or 20 bucks? thats basically what you are paying if you buy an opana 40mg ER for around 60 bucks."
"I could barely make a profit with my lost luggage delivery service. I would get paid between 20-100 bucks a bag, depending on where it had to be delivered. with only one airline, I had about 10 vehicles and there was no way I could go more than a couple hundred miles away from the airport. I eventually had to give it up because I was losing too much money. I guess you could get a taxi network going. Have one taxi hand it off to another taxi, etc. but the costs are going to be so high, it just wouldnt be worth it. Plus, with usps/fedex/ups how can you compete with their prices and delivery times?"
"For those under 45 years old"
"Luckily I got a position with my dads company"
"Used to be in the movie business. I couldn't stand when the actors had to use the clove cigarettes."
"Used to live in the costa del sol.... Gotta love Malaga, Motril, Jaen, Granada.... I liked Sevilla as well, but Cadiz, and Malaga were my favorites....... (the summer is very hot) but the winters are mild and the spring and fall are just superb......"
"When i used to be a manager at high very popular cell phone chain"
"Are you getting the the OP 80s or the old school 80's"
"I usually get Mallincrodt brand roxies."
"I have gotten this message a few times. I never say ok. but it does come up every once in a while. Its not silk road either, I just tried to send an email with hushmail and got the same message not 2 minutes ago.."
"Never say " I have ten pounds of such an such, How do I iv it?" instead, you would say "I've heard that you can do such and such with this, is this correct? any advice?" That way you aren't implicating yourself in anything. there are a lot of other forums, like poppies.org, opiophile, bluelight, etc that is in clearnet (they talk about much more and with much more detail than here) I have never heard anyone get into trouble. (not saying that nobody has) just don't implicate yourself or others. Never mention any specif items that could identify you or others in any way. It's not that hard."
"I will get a touchpad for sure, ill just keep looking, dont want to pay more than 200 bucks for one.. the one I found was 250"
"I am a semi-pro poker player. I used to be a full on pro poker player. Since I can't play online in the states anymore its made it much more difficult."
"I have cashed in 2 WSOP events and many other events".
"I have started to gamble a bit in sports.. If you know what your doing and have control, you can make a lot of money..."
It isn't much but we can already draw a low hanging fruit profile of the dude (assuming whatever he says is true).

A quick Google search on his nickname does not help much, as it returns way too many results on chronic pain symptoms, management, treatment and relief. We need to narrow the search scope.

The boards and forums mentioned previously look like a good start to limit the scope of the search. Searching for the nickname "chronicpain" has the annoying effect of returning large numbers of unrelated results on chronic pain treatment and relief. "Flush" also has that really frustrating habit of returning all sorts of things that can be flushed somewhere.

We need to focus on the content of the posts which could help us match the profile of chronicpain rather than an unlikely look-a-like nickname.

The method we followed here is:

We're not going to go through the long and boring process of the combined searches, but it was possible to isolate an interesting profile named pokergooch.

One of the early forums pokergooch subscribed to is bluelight.ru, in 2006. A few years later, in 2009, he is an active member of another drug-related board, opiophile.org. Both are quite famous drug-related forums which have also been mentioned several times by chronicpain (screenshots) on Silk Road.

From his different posts on both forums we can see a quite deep knowledge of and interest in pharmaceutical drugs and how to use them for pain relief (preferably without using the intravenous method), characteristics also shared with chronicpain. Like chronicpain, pokergooch has a wife and a daughter whom he likes talking about. Pokergooch's first post on opiophile.org (screenshot) is actually about his wife and how she is drug tested on a weekly basis and tested positive for methamphetamines. Through several posts we also learn that both pokergooch's daughter and chronicpain's daughter are on Adderall (screenshot).

Digging further, other interesting similarities between chronicpain and pokergooch can be highlighted [3]. They both:

We certainly don't have enough to assert pokergooch and chronicpain are the same person, but it looks like we are on a good path.

Pokergooch, as his nickname implies, is also a keen poker player who, by his own account, makes most of his income playing poker at a pro/semi-pro level (screenshot). Interestingly enough, it is another particularity he shares with chronicpain (screenshots). Extending the search for "pokergooch" to different search engines returns extremely interesting results:

Now switching focus to that Curtis Green guy, we found out that he is also a poker player and has participated and cashed in two World Series Of Poker (WSOP) events (screenshot). Do you remember when chronicpain was bragging about having "cashed in two WSOP events and many other events" (screenshot)?

For some reason the Curtis Green listed on the Hendon Mob website player profile is marked as coming from Itasca, Illinois. It is probably a mistake since the official WSOP website for the 2010 WSOP event in Las Vegas lists him as coming from Spanish Fork, Utah (screenshot).

If you Google image search "Curtis Green Utah" there's a pic of the Silk Road logo which leads to the Twitter account of a certain Curtis Green (@ilovepoker). For some reason there isn't any trace of this picture on his Twitter account. The image must have been indexed and cached by Google before it was deleted from the Twitter account (screenshot). (h/t @FranBerkman)

On what looks like Curtis Green's Facebook page he "Likes", among other things, clandestine chemistry (as do 199 other people) and the World Series of Poker, and mentions a WSOP cash-in in 2010, Bitcoins and TouchPads, which we know both chronicpain and pokergooch were fans of (screenshot). Credit: YaHtZeEarmadillo

If you still have doubts about the correlation between chronicpain, pokergooch, the "Employee" and Curtis Green, what comes next should finish convincing you:

Curtis Green

On January 17th 2013 at 14:16, Curtis Clark Green is arrested in Spanish Fork, Utah, for possession of cocaine by the Utah County Major Crimes task force (UCMC). Does the date sound familiar? Going back to the Silk Road timeline and the Maryland indictment, on January 17th 2013 an "undercover federal agent delivered one kilogram of a mixture or substance containing a detectable amount of cocaine to The Employee".

On the 18th of January 2013, Curtis Clark Green is released on bail.

From this moment on, there isn't much traceable activity (we haven't looked much further yet) from either chronicpain/flush or pokergooch. We haven't been able to access potential court documents or indictments on Curtis Clark Green, if any exist, so it is difficult to say what the real charges against him are and whether he cooperated with law enforcement.

Updated 07/11/2013: Curtis Green's case was filed in Salt Lake County on 08/05/2013, 4 months after his arrest, terminated on 16/09/2013 and is now flagged as CLOSED. No other documents have been made available so far. We've searched Utah's inmate registry, where he doesn't seem to have been incarcerated.

What follows is speculation and food for thought:

It is a good story so far, but we've decided to keep what we consider the best part of it for the end. The final chapter of this act. It is at the end for the simple reason that we missed it while investigating the relationship between chronicpain and pokergooch. While reviewing some of the notes and links to complete this part of the story we found an amazing post on opiophile.org that for some reason we've missed before. I'm still not sure how we missed that but it is definitely a must read. The original post can be found here: "Plea and abayance is over! My brush with LE" (screenshot). Yes, you are reading the title correctly.

TL;DR
Curtis Green and his wife got busted back in 2006 for some weird insurance fraud involving what appears to be a misunderstanding and a dodgy doctor in Las Vegas who easily gave scripts away. The FBI got involved and pressured Green and his wife to implicate the Vegas doctor. Green's wife turned CI in Vegas as part of the deal to get the doctor arrested. This news article covers part of the story, from a different angle.

Harm reduction

07/11/2013

On 07/11/2013, Curtis Clark Green pleaded guilty to a drug charge in Baltimore, Maryland. The following article from the Baltimore Sun seems to confirm the theories discussed previously. We still don't know the extent of Curtis Green's LE cooperation, if any, as according to Ian Duncan, who covered the hearing for The Baltimore Sun, Green's court records are currently sealed. Duncan also reported that the hearing wasn't scheduled in advance.

However, the plea agreement reveals that CCG agreed the following facts are true:

An important element from the plea agreement is that Curtis Green confirmed his exact role and privileges as a Silk Road employee. It is probably safe to assume LE has had access to the exact same information for an unknown period of time starting on or about 17/01/2013. Assuming DPR closed "The Employee" account on the day he was made aware of the arrest, when he contacted the UC agent on 26/01/2013, LE still had ~9 days to use Curtis' account and access a lot of information, which includes but might not be limited to:

Most of the questions asked in the previous paragraphs are still unanswered, but the identity of "The Employee" along with the context of the arrest have now been clarified.

Curtis Green will be sentenced in February 2014, facing up to 40 years in prison.

Tony76 Silk Road Adventures

22/11/2013

A lot has already been said about Tony76, one of the biggest scammers on Silk Road. You can read about him in @EileenOrmsby's post "the great 420 scam", @chobopeon's "ballad of Tony76" and the excellent page by @gwern, Silk road Theory & Practice. In the following lines we will also go through Tony76's Silk Road Adventures for archiving purposes and maybe add a couple of elements which might happen to be useful for another tale.

Tony76 registered an account on Silk Road on 10/01/2012 and an account on the forum on the same day (screenshot). As a Canadian wannabe vendor he advertises the products he will be selling, which happen to be heroin (his flagship product, allegedly the best heroin on Silk Road) and MDMA. As a good salesman he doesn't miss the opportunity to fish for potential interest in Ketamine and Meth, which he can get fairly easily if needed. Apparently short on Bitcoin, he asks for the help of a fellow vendor to pay for his vendor account. The business angel will be rewarded with a "special locked in price of 200/g of H and 50/g of MDMA for life". That's how he rolls, Tony (screenshot).

The lucky winner of the life long H&M deal is a vendor named foxymeow (screenshot).

Tony's start on the Road is a bit slow; he doesn't seem to know how to get attention and trust from the regulars, but bold statements about the quality of his product, 20 years of experience in the business, great communication skills and attractive prices quickly draw the interest of buyers (screenshot 1 and screenshot 2). Tony now has his own thread on the forum and is ready to ship. "Let's do this baby" (screenshot).

Great customer support for legitimate issues and worried buyers (screenshot), freebies here and there (screenshot), regular new offers (screenshot): Tony is working hard to please his growing customer base, and customer satisfaction is #1 for Tony (screenshot). They know how to return the favour: 5/5 feedback (screenshot). Yes, Tony knows feedback and reputation are life and death for a vendor on the Road (screenshot).

To celebrate his new success Tony decides to treat his customers: sales, discounts, Tony's special (screenshot). The prices are incredible, Tony is "pretty much giving away his product for free". However, in order to do this favour to the community, Tony will require his customers to finalise early (screenshot), which is always a risk for the buyers, but it's OK, it's Tony, and Tony is a trusted vendor now (screenshot). Tony's life is now made of praise and love from happy fans all over North America. "Tony is the best", and so much love and attention mean a lot to Tony (screenshot).

But success also brings jealousy, and soon enough scammers, liars and haters come and try to destroy all the hard work Tony put in (screenshot). It makes Tony really sad and tired that people try to scam and destroy him. Is he really thinking about quitting? NO! Tony can count on his loyal pursuivants in arms to wash his honour and defend him when need be (screenshot). Tony doesn't have anything to prove anyway, his reputation speaks for him (screenshot). Tony is the KING.

The high mass of the 4/20 sales is coming and Tony must show the world he deserves the Silk Road throne. For the first time he opens his listings to international shipping (screenshot); however, as always, he will accept only early finalisation (screenshot). But it's OK, it's Tony, and everyone trusts the King (screenshot). The court is really excited, orders en masse and cannot wait for the kingly goods to arrive (screenshot).

As always the faithful bless the yet to arrive ostie (screenshot) and the unbelievers complain about late packages or moan about the quality (screenshot). Tony seems to be busy and less involved than usual. Things are different, and even the most pious of them are slowly but surely questioning their faith (screenshot). What happened to Tony? Where is Tony? No, Tony wouldn't do that to us, we made him King.

Yes, he would. Tony is gone and took with him his crown and all the bitcoins of his "whoreshippers" (screenshot).

This was the story of one of the biggest known scams on Silk Road. As already explained by different people, the scam is quite elaborate in the sense that it was run over a period of a few months (assuming the idea was to scam from the beginning), but really efficient and simple at the same time, mainly relying on a well-known weakness of the system: early finalisation (or FE, Finalise Early). For various reasons vendors can require or offer the option for buyers to release their funds in "escrow" before the goods are delivered. The advantage for the vendor is obvious, as it helps keep cash flow going by ensuring an early payment whatever happens. For buyers it is always a bad idea to finalise early, but one can see an advantage in accessing goods which wouldn't be available otherwise. Vendors quickly learnt how to take advantage of FE:

In Tony's case FE didn't seem to bother many buyers, and it allowed the scam to be successful, at least money-wise, because a lot of other bits and pieces helped secure the sting (that being said, if FE hadn't been accepted by buyers, the scam wouldn't have happened at such a level).

The scam clearly happened in four different steps:

The third point is really interesting as it is a behind-the-scenes type of job; there isn't anything to notice just yet, as there aren't any reasons to expect anything special to happen. However, it allows some type of conditioning to happen, which will help maximise profits and prepare the exit.

In March 2012, Tony76 lobbied to have the stats feature (screenshot) of the forum removed (screenshot), for good reasons, as it allows close observers to estimate the amount of time a logged-in user spends on the forum. When enabled, this feature can also be used to guess the timezone a user is living in, or allow an observer to correlate information about multiple users and their times of presence on the forum, which wouldn't be a good thing if one wants to preserve multiple identities, for example (screenshot).

On 03/04/2012, a few days before disappearing from the forum, Tony76 asks other vendors if they are considering a 0 refund policy because of "a surge of suspicious 'no package' claims?". Nothing out of the ordinary seems to have been noticed by the other vendors except a few complaints from buyers trying to get freebies. Strangely enough, Tony asks the question but doesn't follow up with any other comments, as if he wasn't really interested anyway. However, it is good preconditioning for future complaints which might occur at a later stage. In case complaints happen, vendors or SR staff will probably delay their suspicion and blame accusations about delays on scammers trying to get a refund. On 30/04/2012, when everyone else seems to have accepted that good old Tony scammed them badly, another vendor posts a sarcastic and angry reply showing some understanding of Tony's reasoning behind the request (screenshot).

When listing his products for the 4/20 sales, Tony accepts international shipping for the first time (screenshot). It is pretty obvious he did it to attract new customers and get as many orders as possible. However, it is also interesting to wonder why he wasn't shipping outside North America in the first place. At first glance, shipping internationally might be more subject to lost and delayed deliveries, which would directly affect the reputation of the vendor, and that is probably a parameter Tony has taken into account, but not the only one. By restricting shipping to some parts of the world he also creates a need among the buyers he doesn't ship to, who will eventually see daily great reviews of his products and be more inclined to buy directly when he opens his listings. It would have been interesting to see the percentage of international buyers during the 4/20 sales.

Starting around March 2012, Tony changes tone with his customers in a very distinctive way. Whereas before this date he was full of "Thanks Brother", "Love" and other marks of reassurance, his behaviour and writing style change and become much more direct and unfriendly, as if he were acknowledging that his reputation is now solid enough (screenshot). From this time onward there will also be many more arguments about shipping delays, scammers and other nonsense, which until then were reduced to a bare minimum. Another interesting phenomenon marking this change is the almost identical and systematic reaction of Tony's fan base to any negative comments, valid or not, towards Tony. It is like they were all there to protect him from malicious outsiders (screenshot). Tony's bot. They have been well trained.

A good example of the preconditioning we mentioned earlier is the reaction of a user called lvlbrained, who questions the legitimacy of people complaining about missing packages in the following terms: "so is this the smear campaign? alot of real low post people suddenly showing up with missing packages. obviously no proof they have any actual orders unless Tony confirms. i guess have to wait to see what Tony says" (screenshot). That user, and he is not the only one, has obviously followed the thread where Tony warns that a smear campaign will be organised against him, so his customers must expect "a bunch of bullshit to be posted" to discredit him (screenshot). Be ready soldiers, they're coming.

Tony achieved his goal, as this is exactly what will happen over and over again for the following few weeks, creating a strange confusion. It is now a mix of denial of reality, trolls, fanboy attacks, gentle reminders to never FE, murder conspiracy, discussions about the internals of the Canadian postal service, law enforcement and karma prayers (screenshot). Divide ut regnes.

To add to the general confusion, Tony has sold (with hindsight we can safely assume on purpose) "weak" batches of products creating more and more arguments between pro Tony and unbelievers (screenshot).

Everything is becoming so chaotic that a group of users decides to put a poll out to get statistics about who received their shipment from Tony. 87% of the 123 voters didn't receive their packages. The 5 dudes who received their shipment are likely Tony's accounts and/or trolls; all the others have been scammed for over a month without even realising it. There is a bizarre denial of reality floating around (screenshot).

Another part of the sting which helped Tony to increase trust from buyers and disguise the scam is the T-Mart or Tony's market. On or about April 2012, Tony sent a private message to "his loyal" and "best customers" to inform them they were invited to a "secret" and "exclusive marketplace" where one would buy Tony's products at a cheaper price, since SR fees didn't apply (screenshot). Tony explicitly asked people who received the message not to discuss anything related to this secret market place. It is another great move from Tony. Most of the buyers who received the invitation must have felt so special having Tony trusting them to keep his secret that there was no reason to question Tony's trust and betray him by disclosing their little secret. It also surely played a role to support Tony's effort to ensure the vigilantes will fight the soon to come anti-Tony propaganda.

As on SR, Tony76 requested early finalization on his shop for the same effects and consequences as no buyers will received products ordered through Tony's marketplace. T-mart seemed to have operated in a simple way compared to Silk Road and listed only Tony's product available for shipping. Unfortunately we didn't managed to access Tony's shop as the hidden service (http://fvemnf53ie7iwd5c.onion) was shutdown around the 02/05/2012 (screenshot).

By having his own marketplace Tony also had to manage his own wallet, which a Silk Road user, DaMan, attempted to trace. It might have been Tony's only "mistake" so far. We are not Bitcoin tracing experts, but it is an interesting exercise which should have been pushed further and with more transparency (screenshot).

Another obvious trick Tony76 relied on to achieve his goal is the use of fake accounts. One episode which gathered a lot of attention from Tony's customers is the alleged scam attempt by a vendor going by the name ObamaGirl (screenshot). ObamaGirl apparently posted bad reviews of Tony's products under fake names to discredit him and sent several private messages to Tony to try to extort him. Tony76 posted on the forum different messages from ObamaGirl which made him appear as a victim but also as a great scammer hunter protecting the community. Tony's fans are always really supportive (screenshot).

A particular message from ObamaGirl is really intriguing in the way it somehow seems to provide a quite accurate description of the yet-to-come scam. Even if it is targeted at Tony, with hindsight one could also interpret the message as a premonitory post, which would be absolutely genius, and we do want to believe the message was posted by Tony76 (screenshot). It is quite difficult to identify with certainty the different accounts Tony76 used to support his plan, but ObamaGirl was definitely not the only one. We believe several throwaway accounts and aliases were used by Tony76 to bless his products and create confusion when needed. It is also safe to assume some other accounts were used in a rightful way in the hope of pulling other scams using what would look like a legitimate vendor which has been around for a while, with good statistics and a clean sheet. Mostly for entertainment purposes, and because we wish those troll accounts were operated by the real Tony76, you can follow threads with messages by tigger and Antonio76 (screenshot).

As we tried to demonstrate, Tony76 put together a simple scam mainly relying on the infamous early finalization. However, in order to achieve his goal and succeed in his operation, a lot of sophisticated "behind the scenes work" took place for months to ensure maximum profit and success. It has been said Tony76 disappeared with over $100.000.

Lucy in the sky with Tony?

05/12/2013

A few months after the whole Tony scandal, Silk Road was once again the victim of an infamous scammer, Lucydrop. The Lucydrop scam followed a similar pattern to Tony76's, and some even suggested they were the same person. We're not going to go through the whole timeline of the scam but only highlight similarities and see if the suggestion of Lucydrop and Tony76 being the same person is plausible. @chobopeon has written about the Lucydrop scam and we are not pretending to add breaking news here. The following is more of a contextualisation exercise for archiving purposes and our own understanding. If you haven't done so yet, you might want to have a look at Tony76 Silk Road Adventures before continuing your journey.

Lucydrop started on Silk Road offering LSD as a flagship product (screenshot). As with Tony76, shipping is restricted to certain countries. In Lucydrop's case, the restriction applies to the US. The "official reason" given for this restriction is the wish not to "end up with a life sentence" (screenshot). It seems a bizarre choice for a vendor located in Canada, as the US is probably one of the easiest "international" locations to ship to from Canada, and LSD is odourless and fairly easy to hide. We assume that, as with Tony76, the reason is to create a need among US buyers for when the market opens for "the grand finale" scam.

Lucydrop followed the same "tactic" as Tony76 to attract customers: advertising a relatively cheap and good quality product, special offers from time to time (screenshot) and not hesitating to provide freebies when necessary (screenshot 1 and screenshot 2). The reason behind it is obviously to have as many customers as possible providing good feedback. A particularity of the LSD market on Silk Road, compared with other products, was the presence of the LSD Avengers, who were sending vendors' LSD to labs for quality testing and posting the reviews on the forum for the Silk Road community. More than buyers' feedback, having the LSD Avengers vouching for your product is definitely an edge on the market. Lucydrop got a good review (screenshot) from the LSD Avengers (allegedly one of the highest quality reviewed by the Avengers at the time (screenshot)) and even a member of the LSD Avengers as an admirer (screenshot) to back up the quality of his LSD. As expected after the LSD Avengers review, orders started kicking in and more and more buyers praised Lucydrop's LSD and posted great feedback and reviews on the forum (screenshots).

Quality product at a fair price and good customer service are the ingredients to build a solid customer base, and Lucydrop's customer support had little to envy Tony76's. Lucydrop was always prompt to reply to worried customers, solve issues (screenshot), be polite even with "rude" customers (screenshot) or provide information about his product to ensure a good reputation. Lucydrop's customers loved him and, like Tony, he made sure to give some love back (screenshot).

Besides the financial aspect, the advantage of having a strong customer base is that it also brings the usual fans who will blindly support and defend the vendor against winds and tides. Tony76 understood it in his time and the recipe seems to work for Lucydrop too. As the scam kicked in and more and more users complained about weak products being shipped (screenshots), Lucydrop's army would be at work defending him (screenshot).

Another interesting comparison between Tony76 and Lucydrop is that they both seem to have a poor knowledge of LSD. Tony started selling LSD a few weeks before disappearing from Silk Road but didn't know much about it. In a slightly different way, Lucydrop, for whom LSD was the main product, contrary to Tony, made rookie mistakes when promoting the product. It might look like a minor misunderstanding, but the terminology confusion didn't seem to impress the buyers much, and the excuse of having a different lingo with his mate didn't make it more legit either (screenshots).

Like Tony76, Lucydrop lobbied for vendors to be able to provide feedback on buyers, a feature which didn't exist on Silk Road. In several threads he tried to push for a proper feedback system which would not only be to the advantage of the buyers. With a certain irony, the system is supposed to prevent vendors from getting scammed repeatedly (screenshots). In one post, he also claims to have been a vendor on SR for 8 months, which is likely a lie since in his first post on the forum, exactly 2 months before, he says he just started as a vendor (screenshot). Bold, but like Tony76, Lucydrop relies on a pseudo-seniority so that vendors can vouch for him and thereby establish his reputation.

From a writing style point of view, as others already highlighted, there are some more similarities:

Last but not least, both vendors shipped from Canada. Several people told us they were both from British Columbia, but without much evidence other than what they remembered from various "sources". We only found a "public record" of this claim on a Reddit thread, which is also a statement without backup. We can't confirm the information; however, British Columbia being a well known hub for drug production and distribution, it wouldn't be surprising.

Like Tony76 before him, Lucydrop will open shipping to a once restricted and order-free country, the U.S.A, before ending his Silk Road Adventures with buyers approximately $100.000 short.

As much as we would like to see Lucydrop be Tony76, the similarities provided are too thin as evidence. There are definitely some common patterns and likenesses in both stories, but nothing that would put the final nail in the coffin and show that Lucydrop and Tony76 are the same person. Nonetheless, Lucydrop and Tony76 might still be linked, as we will see next.

Friendly who? and red and what?

06/12/2013

A month after having tried to get Curtis Green killed, Dread Pirate Roberts engaged in another bizarre murder-for-hire plot targeting an alleged Silk Road vendor named FriendlyChemist (FC). This episode has been one of the most commented and discussed events following Ross Ulbricht's arrest. As with the "Employee" assassination plot, the attempted murder resulted in a fake murder, letting DPR believe the ordered hit had been successful. To add to the confusion, no one on Silk Road seems to remember FriendlyChemist, neither as a vendor/buyer nor as a user of the forum, which adds mystery and interest to this episode. We will share some tin-foil ideas and theories hereafter on this murder-for-hire event.

The original description of the events appears in the New York criminal complaint against the alleged DPR, Ross Ulbricht.

On or about the 13/03/2013, an alleged Silk Road vendor, FriendlyChemist, contacted DPR through Silk Road's private message system stating he had a list of names and addresses of Silk Road vendors and customers. He threatened to leak the valuable information on the Internet unless DPR paid him $500.000. FriendlyChemist justified the blackmail by explaining he needed to pay off his narcotics suppliers. DPR and a FriendlyChemist supplier, going by the name redandwhite (R&W), got in touch, and DPR put a bounty on FC's head and provided FriendlyChemist's contact details to the hitman. The suppliers allegedly killed FriendlyChemist and got paid 1670 BTC for the killing by DPR. However, the FBI investigation showed that no one going by the name provided by DPR existed in the area and, even more disturbing, no body was found in the area where the murder is supposed to have happened.

Following the release of the complaint, several theories have been discussed about the identity and the role played by FriendlyChemist and redandwhite. The main ones being:

The involvement of law enforcement (LE) seems really unlikely to us; however, it has been one of the most discussed theories. We do not know if it is because there is some confusion with the first murder-for-hire, already discussed in "The Employee staged assassination", which indeed implicated LE, or if it is because redandwhite is also suspected of having provided fake IDs later on, which were luckily intercepted and confiscated by U.S. Customs and Border Protection, which tightened the trap around DPR and eventually partially led to his arrest.

In any case, we are more inclined to believe DPR was the victim of an elaborate scam run by Silk Road vendors. The main argument to back up this statement is the fact that Ross Ulbricht hasn't been charged with attempted murder in the NY complaint.

The complaint mentions the blackmail episode which led to the fake murder of FriendlyChemist only to provide solid evidence that DPR is willing to use violence to protect his interests in Silk Road. We find it extremely difficult to believe the FBI would miss the opportunity to charge DPR with attempted murder, as was the case in the Maryland indictment, if they had undercover agents or privileged witnesses in the front-row seats ready to confirm DPR hired a hitman to kill someone. One could argue the alleged DPR, Ross Ulbricht, is already charged with attempted murder in Maryland, which could be "enough" for the prosecution, to which we would reply that there are not enough charges for a high profile target like DPR. Moreover, the FBI wouldn't conceal evidence of an attempted murder if they had been "hired" by the suspect to carry out the hit. Once again, it is important to keep in mind that Ross Ulbricht is not charged with any murder attempt in the NY complaint.

Parallel construction aside, the FBI might only have learnt about the murder attempts after they imaged and analysed a Silk Road server in July 2013, which then allowed them to access DPR's and other users' private messages and find evidence of the plot.

Now that we have the law enforcement theory out of the way, let's have a look at the other one, where Silk Road vendors might have colluded to extort DPR. You probably want to wear your tin foil socks and gloves at this point as the hat might not be enough. Also, to avoid misunderstanding, we do not claim that what follows is how the events occurred; we're only sharing some of our thoughts about the context of the murder-for-hire and the pseudo-identities of the different players.

While reading about the Lucydrop scam, we couldn't help noticing how some late events of the scam fit conveniently into the FriendlyChemist and redandwhite timeline.

The first contact between FriendlyChemist and DPR occurred a week after Lucydrop was last active on the forum. On this occasion FriendlyChemist began threatening DPR to leak customer data he had fraudulently acquired by allegedly hacking a vendor's computer unless DPR paid him the sum of $500.000. The threats will continue for the next couple of days, a period during which FriendlyChemist provides DPR with samples of customers' names, addresses and order information, as well as the username and password of the vendor he claimed to have "hacked". The threats will stop the 15/03/2013. It is not specified in the complaint if DPR ever replied to any of FriendlyChemist's messages so far, so we will assume he didn't. The first reply from DPR to FriendlyChemist will only occur 5 days later, the 20/03/2013.

Meanwhile, with very convenient timing, the Lucydrop scam took an interesting twist.

The 15/03/2013, on the same day FriendlyChemist's threats stopped, a user, RealLucyDrop, registered an account on the SR forum and posted a message claiming to be the "real" Lucydrop and that his account had been taken over a few months earlier by his partner (screenshot 1 and screenshot 2). In this message, RealLucyDrop explained how his partner took advantage of the fact he was in prison to operate his Silk Road account, ship weak/fake products, steal his work computer and disappear with customers' money. As a result, RealLucyDrop is now trying to get in touch with DPR to have his "legitimate" Lucydrop "account shut down immediately and freeze all the funds in the account".

The 17/03/2013, RealLucyDrop says he finally made contact with DPR and seems confident that DPR will be able to confirm his identity and the alleged account takeover (screenshot). As far as we know, there isn't any public record of DPR confirming any of RealLucyDrop's claims. Nevertheless, a couple of days after RealLucyDrop got in touch with DPR, the 20/03/2013, DPR, this time initiating the communication, contacts FriendlyChemist and asks him to tell his suppliers to contact him "so he can work out something with them".

If we put aside Lucydrop's scam and take the point of view of the extortion timeline we have the following succession of events:

The timing and succession of events are really interesting here, as just after FriendlyChemist provided DPR with samples of the "hacked" customer data, RealLucyDrop appears and explains how his "partner" took over his Silk Road account. With this context in mind one can easily imagine that when RealLucyDrop contacted DPR to have his legitimate account closed and the funds frozen, RealLucyDrop told the full story with more details: how the friend of the family fucked him over, scammed his customers, eventually stole the "work" computer (screenshot) and by extension got access to all his customers' data. At this point DPR must have paid attention.

Searching for Lucydrop's posts on the forum we can see that the infamous "partner" is mentioned a few times. As a matter of fact, he seems to have been the one who refused to ship to the USA in the first place as he "was not comfortable" with it, and also the one who agreed "after much discussion" with Lucydrop to open up to the USA (screenshot 1 and screenshot 2). In what could just be a coincidence, Lucydrop called his partner the "chemist" a couple of times here and there (screenshots).

This sudden and unexpected appearance of RealLucyDrop definitely provides credibility to the vendor hack claimed by FriendlyChemist and must have put DPR in an uncomfortable situation, as he is now dealing with a wild dog over whom neither RealLucyDrop nor DPR seems to have control, threatening to leak a lot of customer data and putting the whole of Silk Road at risk.

Yes, we think FriendlyChemist is Lucydrop's "partner".

Let's rewind a bit, speculate about what might have happened and streamline the succession of events

Unfortunately, we don't have any solid evidence (should we say no evidence at all?) to back up our theory, but the timing of the blackmail, the "arrival" of RealLucyDrop and the story of the rogue partner look like more than simple coincidences.

Now, what about the role of Lucydrop, who came back under the name "RealLucyDrop"? Is it a genuine call for help and was his account really hijacked by his partner? As briefly mentioned earlier, we believe the only purpose of the RealLucyDrop account was to have DPR buy the FriendlyChemist story and provide credibility to it. From the timeline, it appears it took a few days for DPR to reply to FriendlyChemist, and we don't really know if there were exchanges between them other than FC's threats. Considering DPR's lack of reaction, it was maybe decided to bring RealLucyDrop into the game. It might have been obvious to a majority of people, but with hindsight we do know now that DPR lacked a bit of perspicacity in some situations, to say the least. Another element makes us believe RealLucyDrop is part of the scam: the fake FriendlyChemist dox.

After DPR got in touch with redandwhite he provided him with a name and a place where FriendlyChemist apparently lived, in White Rock, British Columbia. Given that no one on Silk Road (site and forum) seems to remember or know FriendlyChemist, neither as a buyer nor as a vendor, we wondered how DPR had his address and knew he was living with a wife and 3 kids.

We know from the New York complaint that however DPR got FriendlyChemist's dox, it was incorrect information, as Canadian law enforcement "have no record of there being any Canadian resident with the name DPR passed to redandwhite as the target of the solicited murder-for-hire. Nor do they have any record of a homicide occurring in White Rock, British Columbia". The important point here is that the provided name was inaccurate.

If the information was obtained from a genuine and honest SR vendor, it is likely at least the name and address would match and exist, simply for shipping purposes. Also, DPR doesn't provide a complete address and asks redandwhite "if it would be helpful to have his (FC) full address", as if he didn't have the complete information but could get it if necessary. Surely, if the information was coming from a vendor who shipped to FriendlyChemist, he would have provided the full address (street, postcode) at once.

The privileged relationship and the private message snooping are just there for multiple-choice purposes and are very unlikely (I hear someone saying "like the rest of the nonsense I'm reading...", yes maybe).

It leaves us with the possibility of a third party, whoever it might be (friend, family, business partner etc.), who knows FriendlyChemist well enough or has a special relationship with him. The only person on our radar who fits the profile and could have the required information, or put differently, be legitimate enough to pretend to have correct & accurate information about FriendlyChemist, is once again the "real" Lucydrop. We are inclined to believe personal details about FriendlyChemist were provided when RealLucyDrop contacted DPR the first time, on the 17/03/2013, about his rogue partner and/or during the following days. If the "real" Lucydrop had really been scammed as he claimed on the forum, FriendlyChemist's dox would have been at least partially correct, considering FriendlyChemist is a friend and family friend (screenshot). However, in this case fake contact details were provided, which makes us think Lucydrop is part of the scam as well.

What about redandwhite...? He is presented as the supplier FriendlyChemist owes money to and the one DPR commissioned for the murder of FriendlyChemist. His nickname implies he is part of a well known organisation, the Hells Angels Motorcycle Club, and it seems to be what DPR thought as well, as DPR mentioned in his "diary" (wtf?), "talking with large distributor (hell's angels)". It is probably another attempt from the Canadian Scammer Crew to give credibility to the whole scam, hook DPR and somehow make him feel impressed that he is dealing with a high profile organisation. Is redandwhite really part of the Hells Angels? Probably not; we don't imagine the Hells Angels would use a nickname with such a strong connotation for real, moreover in an online scam, but it is difficult to say. However, would "someone" who is obviously aware of the strong involvement of the Hells Angels in the drug trade in Canada risk impersonating the Hells Angels? It could be a risky bet, especially if that person is also based in British Columbia and also strongly involved in drug dealing, as seems to be the case. The Hells Angels are known not to appreciate people invoking their name when there is no formal association with the bikers (if you are interested in the Hells Angels and other British Columbia gangs you might want to read more on Gangsters Out and its associated blog. This particular page compiles a comprehensive list of "known" gang members in Surrey and the Metro Vancouver Area. We never know...).

Whatever the truth is about redandwhite's pseudo-identity and affiliation, the scam worked like a charm, and it is fairly obvious he is part of the swindle, as shown by the murder-for-hire of FriendlyChemist, where he sent a fake dead body picture to convince DPR the job was done.

To summarize at this point:

On the 21/11/2013, Ross Ulbricht was denied bail. One of the reasons invoked to keep Ross Ulbricht behind bars is the attempted murder of our old friend Tony76 and three other people he sells products with, as described in the U.S. Department of Justice bail response letter.

Following FriendlyChemist's fake murder, redandwhite told DPR that before killing FriendlyChemist they questioned him and he "spilled everything he knew" and "had identified another individual located in Surrey, British Columbia, who had been working together with FriendlyChemist on this scheme to blackmail" DPR, "and who had been running scams on Silk Road". Redandwhite said "the users went by the username tony76 on Silk Road", and provided a purported true name for the individual.

Tony76 back in business. It is a nice and sexy twist in the story but only half a surprise. From the look of it, and assuming we are even partially right on the fact that the whole extortion and murder-for-hire plot is a scam, there is no doubt the alleged revelations of FriendlyChemist to redandwhite involving Tony76 are 100% false. Not that Tony76 is not part of the blackmail scheme, but the information about Tony76's involvement has certainly not been retrieved from a dying FriendlyChemist. The choice of accusing Tony76 of being part of the plot is deliberate and destined to trigger a reaction from DPR. It didn't fail, as DPR paid another 3000 BTC (approximately $500K at the time) for the assassination of Tony76 and his 3 mates. With Tony76's history on Silk Road it was pretty sure it would hook DPR a second time. Redandwhite (or whoever came up with the idea) was obviously aware of Tony76's previous scams.

Was Tony76 involved in the scam? If we consider a possible link between Tony76 and Lucydrop then it is highly probable, but as with most of what we've discussed so far it will need more evidence. If somehow Tony76's involvement in this scam could be confirmed it would be an absolute killer and pure genius.

Looking at the Bitcoin address 1MwvS1idEevZ5gd428TjL3hB2kHaBH9WTL used by redandwhite to receive payment from DPR, there is one particular transaction which makes us think there is maybe more to be revealed in that story and we could expect more "revelations".

It is not clear yet which event this payment is tied to, but another Silk Road drama wouldn't really be a surprise.

Redandwhite's Bitcoin address also provides solid evidence that law enforcement was not involved in the murder-for-hire operation. As highlighted by Nicholas Weaver on Twitter, if redandwhite was a law enforcement officer or confidential informant the coins would not have been sold/transferred by mid-August but kept as evidence until the case was closed, whereas here the coins are going through multiple addresses with a clear will to "wash" them.

We've tried to describe as best we can some of the ideas and theories we have on that FriendlyChemist and redandwhite business, trying to come up with a story which could make sense and explain some of the events of the timeline, but we have to admit it is not an easy task with the available information, and as of today it might sound like the musings of a slightly confused person. Hopefully time will tell... If you want to discuss this story further you can do so on the following Reddit thread.

The 中文 Connection

07/05/2014

Timeline of events surrounding the investigation and arrest of individuals involved in large scale importation of Methylone from China. An archive of the relevant court documents discussed below can be downloaded here

District of Maryland (Marco Polo Task Force): GEORGE HANDEL KENNEDY

Eastern District of Virginia: BROWN SCROGGINS HADDOCK BAKER MOORE WALSH TAYLOR JONES TUTWILER

Middle District of Florida, Orlando Division: SALZMANN MAYELL

Western District of New York: BUERMAN VIERA YOUNG

District of Alaska: GATTIS

District court in and for Payne County, State of Oklahoma: JOHNSON

Misc: Silk Road forum Media Misc court document Blockchain

Over the past few months we've been looking at different sides of the Silk Road fallout. We first got interested in the identity of "The Employee", mentioned in Ross Ulbricht's Maryland indictment, then in Tony76's scam and his potential involvement alongside FriendlyChemist and redandwhite in the Dread Pirate Roberts murder-for-hire episode partially described in the New York complaint. Our goal was, and still is, to provide meaningful and contextual information surrounding the Silk Road investigation leading to Dread Pirate Roberts' arrest. With the same goal in mind, we've been looking in the past few weeks at a different side of the story, focusing on the law enforcement (LE) investigation and arrest of individuals involved in large scale importation of Methylone from China. For readers not familiar with Research Chemicals (RCs), we would recommend, for once, reading that article from the Daily Mail, "The Chinese laboratories where scientists are already at work on the new 'meow meow'", which should provide a bit of context for what will follow.

Before going into the Silk Road specifics, let's go back to February 2012, when Portsmouth Police Department's Special Investigations Unit (SIU) contacted Homeland Security Investigations (HSI) following a controlled purchase of suspected 3,4-methylenedioxymethamphetamine (MDMA) from an individual identified as Michael Casey Brown. Brown was suspected of importing MDMA from China. Upon his arrest, Brown waived his Miranda rights and stated "that during spring 2011, he received an email address from an acquaintance for a laboratory in China that could supply him with synthetic drugs. After verifying the email address on various internet forums designed to assert the legitimacy of synthetic drug wholesalers, Brown made contact with a particular laboratory, later identified as Kangshuo Biotech in Suzhou City, Jiangsu Province, China" from which he eventually received packages of Methylone in heavy duty plastic-type bags labelled as "Tungsten". Brown provided LE with all electronic communications he had with his contact at the lab, named "Alice".

The modus operandi for placing the order was quite straightforward and common to most similar cases:

Brown will eventually be sentenced in October 2012 to 121 months in prison.

This somewhat "classic" police work was likely one of the starting points of investigations leading to many more arrests in the following months.

A few days after the search warrant at Brown's residence, "on February 15 2012, the United States Postal Inspection Service (USPIS) notified Hampton Roads Border Enforcement Security Task Force (HR-BEST) of multiple packages originating from Nanjing, China destined for an address on Sampson Place, Portsmouth, Virginia. These packages were identical to packages which had been identified in online purchases of Methylone and other controlled substances from another investigation". Those packages were shipped to an individual named Michael Haddock. The court documents don't provide much information about the Chinese labs the packages originated from, apart from the fact that the parcel contained a sealed Mylar bag containing approximately 1kg of Methylone. On their arrival at Haddock's residence, law enforcement were authorised to search the house and recovered "996.7 grams of Butylone, an analogue of 3,4-Methylenedioxy-N-methylcathinone (Methylone); 653 tablets of Diazepam (which were not the FDA approved, prescribed medication); a total of 13.525 grams of 3,4-Methylenedioxy-N-methylcathinone (Methylone), a Schedule I controlled substance, and 0.840 gram of 4-Methylethcathinone, commonly known as 4-MEC, an analogue of Methcathinone, a Schedule I controlled substance".

A couple of months later, the 19th April 2012, a message is posted on the research chemical board Euphoric Knowledge (EK) announcing the arrest of an administrator, w00t, and inviting the members to leave the ship. Ten days earlier, on the 9th of April 2012, an affidavit was filed against Justin Steven Scroggins a/k/a "W00t", a/k/a "Dirk McDiggler" in the Eastern District of Virginia for conspiracy to Import an Analogue Controlled Substance. Scroggins was "initially identified by a Cooperating Defendant (CD#1) in this investigation". "On almost daily basis since March 16, 2012, Scroggins has been observed discussing his use, importation and distribution of various controlled substances to include but not limited to: Cocaine, Marijuana, and various synthetic drugs". On April 5th, 2012, LE monitored a recorded three-way video conference on Skype between Scroggins, CD#1, and an individual using the Skype name "reidtang", discussing importing several synthetic drugs from reidtang's laboratory in China. The drug would be ordered by CD#1, from reidtang's laboratory, on behalf of Scroggins. Scroggins agreed to send the money to CD#1 so he could place the order. On April 7th, Special Agent (SA) Brian R. Lewis intercepted a "package of U.S Currency being shipped to #CD1 from Scroggins at the Broad Street Post Office in Portsmouth, Virginia" with the tracking number "EI250466728US". Scroggins will be arrested the 10th of April 2012, and word of the arrest spread within the community a few days later, eventually leading to EK's shutdown.

Let's have a short review of the previous events before going further.

Brown, et al. seem to have been nailed due to a controlled purchase. A controlled purchase, as the name implies, is a buy controlled by the LE officers. Depending on the context, LE or an informant, under the supervision of LE, will buy the controlled substances from the target and from there secure a search/arrest warrant. There isn't much information about the context of the purchase, but we know it involves a Source of Information (SOI) or, put simply, an informant. The Scroggins affidavit is much more explicit, directly mentioning a Cooperating Defendant (CD). There isn't any doubt the CD in this case is Michael Haddock, as the package sent by Scroggins to the CD was signed by M. Haddock. We might never know for sure but, to Haddock's misfortune, he seems to have been collateral damage of the Brown investigation. Indeed, Haddock's statement of facts says that the packages intercepted by the United States Postal Inspection Service (USPIS) were seized as they were "identical to packages which had been identified in online purchases of Methylone and other controlled substances from another investigation". In view of this map and the fact both Brown and Haddock likely received packages at the same post office, it wouldn't be surprising.

Fast forward to another arrest and a criminal complaint filed in September 2013 against Joshua Buerman for possession with intent to distribute, and distribution of a detectable amount of Methylene, a Schedule I controlled substance, and a mixture and substance containing 4-Methyl-n-ethylcathinone, a/k/a "4-MEC", an analogue of Methcathinone, a Schedule I controlled substance, if intended for human consumption. Buerman first came onto the radar of LE in the state of Michigan in May 2012, when federal agents started investigating a website owned by Buerman, named "fantasiesworldwide.com", selling all sorts of research chemicals using the email address fantasiesworldwide@hushmail.com (screenshot) and described as a "profitable business of importing and distributing illegal controlled substances and controlled substance analogs", some of which were obtained, again, from China. Unlike other court documents, this one provides interesting information about the Chinese source of supply.

"On or about July 12, 2013, the Honorable Frank P. Geraci, Jr, United States District Judge, Western District of New York, issued an order pursuant to Section 2518 of Title 18, United States Code, authorizing the 30 day interception of electronic communications occurring over the electronic mail facility assigned to the address alicechoica@gmail.com (hereafter, "Target Account") an electronic mail (email) account that was created on or about June 2, 2007, under the Registered Account Holder name of Alice Choica. The Account Holder is believed to be living on mainland China. Those contacting this email address generally refer to the user as Alice. Electronic communications were intercepted between approximately 20:37 (GMT) on July 23rd, 2013 through August 22, 2013".

It is not clearly specified how the investigation into Buerman identified Alice as being Buerman's source of Methylone, but alicechoica@gmail.com had already been under surveillance for a while. Indeed, the criminal complaint mentions that "HSI SA Brian Lewis of Norfolk, Virginia (EDVA) was also investigating a Chinese source of supply of illicit chemicals using the email address alicechoica@gmail.com" and that as early as the 14th March 2012 "a federal search warrant was issued for the Target Account in the Eastern District of Virginia by United States Magistrate Judge F. Bradford Stillman. That warrant resulted in the production of several thousand email communications going to and from the Target Account, all of which clearly demonstrated that the individual utilizing the Target email address was actively distributing controlled substances and analogue substances throughout the United States". Careful readers may have noticed a few important details:

HSI possibly identified the email address alicechoica@gmail.com as a Chinese source of supply of Methylone while investigating Brown and searching through Brown's emails. From there they requested a search warrant for the email address alicechoica@gmail.com.

In total, at least three search warrants and one live interception of emails, in at least two distinct investigations, were issued for the "Target Account" alicechoica@gmail.com between March 2012 and July 2013:

For the latest known period of interception, from July 2013 to August 2013, in "the Western District of New York local agents were responsible for disseminating all investigative leads to the appropriate law enforcement agencies in each affected jurisdiction. In other words because the Target Account routinely provided Tracking Numbers for shipped parcels, Customs and USPS officials were in many cases able to identify a particular mail parcel that was entering the United States thereby giving law enforcement a better opportunity to interdict the package" and coordinate nationwide interceptions and arrests. The tapping of the email address obviously facilitated live interception of packages (using USPS/EMS tracking numbers) and controlled deliveries. The search warrants on alicechoica@gmail.com were just as important for collecting Alice's customer information, such as email addresses, shipping addresses, aliases, estimates of the quantity of imported substances, etc.

Note that two versions of Buerman's affidavit have been published: a complete version, filed the 13th September 2013, and a redacted version, 10 days later, the 25th September 2012. The redacted version is now the "only" version available on PACER. It is stripped of all information that would help identify the source of supply. DEA agents clearly fucked up here and either published much more information than intended or didn't think of the consequences for other "on-going" investigations, as some people are, as of today, still doing business with this supplier.

What about the Chinese labs?

Kangshuo Biotech - Brown's affidavit mentions a laboratory "later identified as Kangshuo Biotech in Suzhou City, Jiangsu Province, China" as the source of importation. The "Contact Us" page available on the website contains a slight discrepancy regarding the laboratory address, as two different addresses are listed.

Since the electronic contact details are similar and the same website is used, it might simply be that Kangshuo Biotech has two laboratories in different locations. The contact person is listed as Alicia, while Brown's affidavit mentions ongoing correspondence with Alice and others link Kangshuo Biotech with alicechoica@gmail.com; together this should convince us that one of the points of contact for this lab is alicechoica@gmail.com.

In another case involving the importation of Methylone from China (also investigated by SA Brian R. Lewis in the Eastern District of Virginia between August 2012 and October 2012), United States of America v. Moore, Taylor, Walke, the affidavit says that in "a subsequent search of Taylor's vehicle, pursuant to the search warrant, several envelopes containing bank statements were retrieved. In reviewing these records, two wire transfers to Kangshuo Biotech's account at the Shenzhen Development Bank in China were discovered. Kangshuo Biotech is the laboratory that was contacted by Moore and Taylor, and the same laboratory responsible for shipping packages of Methylone to Moore from China. A review of the traffic between mirandabailey@hushmail.com and Kangshuo Biotech shows that the bank wires correspond to orders of Methylone placed by Moore and Taylor". Kangshuo Biotech is mentioned again as the Chinese source of Methylone.

KaiKai Technology - Buerman's court documents don't clearly specify the name of the laboratory used as wholesaler; however, the operator of alicechoica@gmail.com instructs Buerman to do a Western Union transfer whose details match the address of a lab named KaiKai Technology. The contact page of Nanjing KaiKai Technology, as of today, displays a different address, but older references to the address mentioned in Buerman's affidavit can be found here, here or there. You will also notice that two different contact persons are associated with the lab: Kevin Peng (kevin.pengchem@gmail.com, kevinpengchem@hotmail.com) and Alice Choi (who we can safely assume is the account holder of alicechoica@gmail.com).

Jiangyin Abigale Chemical - The recorded Skype conversation from the Scroggins affidavit involved, at least, MrMike, w00t and an individual going by the name reidtang (some say another Euphoric Knowledge administrator, known as WipedOut, might also have taken part). Reidtang is easily associated with Jiangyin Abigale Chemical Company, Jiangsu Province, China. The lab is linked to the email address reidsales@hotmail.com and lists reidtang as its Skype contact. We also know, thanks to the lovely "Tips tricks and tidbits from your husband: Mr. Mike", that Haddock was using at least 3 different suppliers. It shouldn't come as a surprise that one of the other labs Haddock ordered from at some point in the past is associated with good old alicechoica@gmail.com. Indeed, MrMike reviewed alicechoica@gmail.com several times between May and December 2011. Unsurprisingly, w00t was also a customer of alicechoica@gmail.com, as shown by this comment from November 2011.

Shanghai Yidai Cosmetic - Shanghai Yidai Cosmetic is mentioned in Buerman's court documents in relation to two other cases. It is not really clear whether it is a laboratory or just a company name used on the label of the packages. Robin Gattis' superseding indictment refers to suppliers suggesting to "add a fake company name", which would suggest it is common practice. In any case, "about February 7, 2012, a package arrived at the CBP Port of Entry (POE), Anchorage, Alaska, from SHANGHAI YIDAI COSMETIC CO LTD, Shanghai, China. The packages was addressed to Brad Vannater", Buerman's partner at FWW, in Michigan. "The package was manifested as containing matt hardener and had a listed weight of one (1) kilogram. The packages cleared CBP and was not seized". One day earlier, that is February 6, 2012, "another package manifested as 'matt hardener' was shipped from the same Chinese company, SHANGHAI YIDAI COSMETIC CO.LTD. through the POE, Anchorage, Alaska. This particular package was being shipped to Robin Gattis, Wasilla, Alaska. Unlike the package sent to VANNATTER, the package shipped to Gattis was actually seized and searched by CBP, pursuant to their border search authority. According to HSI Special Agent Ty Bishop (Anchorage, Alaska) the 'matt hardener' tested positive for Methylone". The package seizure was followed by a controlled delivery and the arrest of Gattis. Court documents show that Gattis' Chinese source was using the email address rcsupplier0526@gmail.com. This email address has also been associated with a lab named defchem and other websites like http://www.ur144.net. Buerman's affidavit only mentions alicechoica@gmail.com as the source of importation of methylone. Does it mean Shanghai Yidai Cosmetic is also related to Alice, or that Buerman was using multiple labs? The latter would have our preference, but it doesn't exclude the other possibility. MrMike and w00t were also linked to rcsupplier0526@gmail.com, as shown here and there.
Buerman's affidavit also says that "additional research conducted by CBP Officer Witt revealed that on March 29, 2012, CBP, POE Cincinnati, Ohio seized 504 grams of Methylene that was sent from the SHANGHAI YIDAI COSMETIC CO to a recipient unrelated to the investigation into Fantasy Worldwide. The shipment was also manifested as 'matt hardener'". Unfortunately, we didn't manage to locate a case referring to this interception.

Anyway, looking at the labs in a bit more detail, it appears that email addresses like alicechoica@gmail.com, rcsupplier0526@gmail.com and others act as "brokers" or "middle-man/woman" between the customers and the labs and are not necessarily associated with one single laboratory. It is also obvious that the previously mentioned middle men/women were (still are?) extremely popular over the years and have been used on a regular basis as the main source of supply by multiple RC vendors. For example, the different email addresses and contact details of Alice, KaiKai Technology or Kevin Peng have a total of more than 300 ratings and reviews on specialised websites. Last but not least, the labs are all located quite close to each other and seem to be clustered around a specific area in China, which greatly helps package identification by law enforcement.

We started with that Daily Mail article and the self-proclaimed King of the RC industry, Eric Zhang, so we might as well close that chapter with him. If you wondered whether Eric Zhang made it to Eric-99, you will be interested to know that he was apparently arrested in China back in December 2012 and is still wanted in the US after having been indicted in June 2012. A winner.

Now, how is everything we discussed so far related to Silk Road? To be honest, we don't really know, but we thought it would be interesting to look at other cases involving the importation of Methylone from China, since the known Silk Road vendors investigated by the Marco Polo Task Force and indicted in Maryland, namely Jacob Theodore George, David Lawrence Handel, and Sheldon Kennedy, share the common characteristic of having imported Methylone from China on a large scale and sold it on the Road.

The Silk Road Travellers

07/05/2014

This chapter is a follow-up of "The 中文 Connection".

Jacob Theodore George IV a/k/a "Digitalink" is allegedly the first Silk Road vendor to have been arrested by the Marco Polo Task Force, sometime in January 2012 (or maybe November 2011, depending on how much you trust what is being thrown around). One sure thing is that Digitalink already had a history with law enforcement. After his latest offence in 2009 he was sentenced, in May 2010, to 3 years of jail, which was suspended for some reason, the court only ordering him to "abstain from Heroin and illegal drugs".

Digitalink registered on the Silk Road forum in June 2011. A month later, in July 2011, he received a "love letter" for a package containing Methylone seized by USPS. Despite advice from other forum members not to claim the package and to forget about it, Digitalink claimed ownership and got it re-delivered (original thread available here). Eventually, on the 19th of January 2012, after repeated recent arguments with customers, he decided to close down his shop. You can read about Digitalink's Silk Road "history" on Reddit or here if interested in more details.

Kennedy's indictment mentions a Confidential Source (CS) in Maryland who started cooperating with Homeland Security Investigation in November 2011. "Starting in November 2011, agents with Homeland Security Investigation conducted several interviews with a source in Maryland (CS-1). CS-1 had been selling illegal drugs on Silk Road. CS-1 explained how Silk Road worked to the agents, and voluntary provided access to CS-1's Silk Road accounts, email accounts, and Bitcoin account that documented CS-1's own involvement in Silk Road. CS-1's computer was also found to contain CS-1's "customer records", including names and addresses of hundreds of individuals (in the United States and other countries) that receive drug shipments from CS-1. Agents assumed the online identity of CS-1, including CS-1's Silk Road user account". The timeline, the fact that Jacob Theodore George IV is from the Baltimore area, and his description by ICE HSI Special Agent in Charge William Winter as "the first vendor on Silk Road selling illegal drugs to be arrested" would all point toward Digitalink being the CS. As much as we genuinely think the CS mentioned in the document is Digitalink, some things are just not right in the way it is presented in the court document.

Indeed, going through Digitalink's forum posts in November 2011, December 2011 and part of January 2012, it seems to be business as usual: giving away samples, putting up new listings, getting good feedback from customers, and no obvious complaints. It doesn't really fit the profile of a law enforcement managed account. Surely if he was taking orders and not shipping the product, buyers would have complained, as actually happened at the end of January 2012, around the time Digitalink was arrested (18th January 2012 according to the indictment, thus a day before he announced he was closing his shop on Silk Road).

Also, as shown in other indictments and affidavits, law enforcement doesn't hesitate to go back as far as possible in time to get the maximum charges when they have the opportunity to do so (the Buerman and Taylor cases being perfect examples). Digitalink was an early vendor on Silk Road and started vending around July 2011, so why would he be charged only from November 2011, as is the case in the indictment? We first thought it was because Methylone was still legal in Maryland before November 2011, but that wouldn't work out well since the "Federal Analog Act" passed in 1986 and Digitalink would definitely not get away with "I was selling/buying methylone for plants, trust me mister officer it is not for human consumption". LE might just have ignored the July - November period because Digitalink cooperated during the investigation.

A footnote in Kennedy's affidavit says that "CS-1 was initially not truthful about being a drug dealer on Silk Road. CS-1 was also arrested because he continued to use illegal drugs after his first interview with agents. However, the information provided by CS-1 relied upon in this affidavit has been corroborated by agents' review of the CS-1's Silk Road and email accounts, and files contained on CS-1's computer", which we understand to mean that the CS must have had interviews with HSI agents sometime in November 2011 for an offence not immediately correlated with Silk Road (maybe related to the package seized in July or another intercepted package) or simply unrelated to Silk Road (probation violation), walked free pending further investigation, but continued vending on Silk Road until his arrest in January 2012. Jacob George's plea agreement seems to support this hypothesis, as "In January 2012, the defendant voluntarily admitted to federal agents with Homeland Securities Investigations that he acquired and sold drugs as described above" and "The records corroborated his statement that he had received three shipments of methylone from China since November 2011, with a combined quantity totalling more than 570 grams".

Digitalink received three shipments of Methylone from China between November 2011 and January 2012. He refers to the "re-stock" openly in his vendor thread on the 19th November 2011, the 20th December 2011 and around the 30th of December. The fourth shipment doesn't seem to have made it to its final destination, and Digitalink suspected his package had been seized after it stayed a few days in customs. Five days later he was arrested by HSI Baltimore, or what became the Marco Polo Task Force. If you've made it this far and peeked at some of the affidavits and complaints from other cases, you should have an idea of what might have happened (the search warrants and analysis are provided below as examples and are NOT related to the Digitalink case):

Another possibility that could explain the bizarre timing and how Digitalink potentially became a CS is his background in the "P2P scene". One of Digitalink's first messages on the Silk Road forum was about him being the "leader" of the EP1C/T0XiC-iNK movie release group. In July 2011, to add insult to injury, Digitalink posted a message with a PGP key associated with the email address digital.ink@live.com, which can easily be linked to his P2P activities under the name iNK. In a nutshell, Digitalink was part of different release groups under the multiple nicks KoOlWaReZ, EP1C, T0XiC-iNK, iNK or DiGiTALiNK. Back in 2011 he was accused of having snitched on several other members of the scene, the highlight being the arrest of former partners, the iMAGiNE release group, in September 2011, when an "ICE joint operation got them" according to Digitalink. You can read about Digitalink's background in the P2P scene here (screenshot) and will notice he was already kind of infamous back then. We are not sure which way around it worked out, and it is kind of irrelevant, but the iMAGiNE bust would have been a good enough reason to pay a visit to Digitalink due to his past relations with iMAGiNE, regardless of whether he cooperated with law enforcement before September 2011 or not. To be honest, it is quite difficult to find out how much truth there is in this story, but we found the information worth mentioning regardless.

Digitalink's forum account was active until the 26th of January 2012, almost 10 days after his arrest, which would confirm what is said in Kennedy's affidavit: that "Agents assumed the online identity of CS-1, including CS-1's Silk Road user account".

Another individual reported arrested by the Marco Polo Task Force is David Handel. Kennedy's affidavit explains that "other individuals charged in the District of Maryland in connection with the Marco Polo task force include Jacob Theodore George IV (CCB-13-0593), Curtis Clark Green (CCB-13-0592), and David Lawrence Handel (CCB-13-0313)". A particularity of Handel's court document, contrary to George's or Kennedy's for example, is that there is neither a reference to Handel being a Silk Road vendor nor a nickname associated with his identity. The only element linking him to Silk Road is the Marco Polo Task Force, which, as far as we understand its role, was/is dedicating resources to investigating the drug trade surrounding the hidden service. Handel seems to have been arrested around the 22nd of August 2012 and was charged with distribution and possession of research chemicals, namely Methylone, 2C-E and 2C-B. Another charge includes "use and carry a firearm, that is a Glock 26, Serial Number SRP018, during and in relation to a drug trafficking crime" (the terms "use and carry a firearm" are different from "brandishing and discharging a firearm"; see Bailey v. United States for more information, as the terms "use a firearm" seem open to lengthy discussions and interpretations). This second count in the indictment would suggest Handel was actively retrieving (or selling) the drugs while carrying a firearm, on him or in his car, rather than chilling at home waiting for a disguised postman carrying a controlled delivery.

Going through the old Silk Road forum, we found an interesting vendor profile that shares similarities with what is known of Handel from his indictment and could be his Silk Road alter ego, a/k/a davidd:

Like the profile pages of Digitalink and edgarnumbers, who we know were arrested by the Marco Polo Task Force, davidd's vendor page was apparently modified to sell a kilo of methylone. Unfortunately we couldn't find davidd's kilo of methylone with a picture, but we are inclined to believe it was probably very similar to the edgarnumbers and digitalink "featured listings" picture, with a transparent ziploc bag on a DEA/FBI/HSI evidence table, right? The edgarnumbers and digitalink vendor pages were backed up by Stexo on the 21st of June 2013, and we can notice that both vendors were "seen" the same day for digitalink and a day before for edgarnumbers, strongly suggesting both accounts were still active (we will discuss the edgarnumbers timeline briefly below, for the nerds out there who spotted an inconsistency). We don't have the information for davidd, but a different conclusion would be surprising.

Law enforcement obviously tried to make the most of the accounts they took over after an arrest, by listing bulk quantities, which increases the chances of catching a reseller, and by contacting other Silk Road users to secure deals privately, the goal in both cases being to get a delivery address to work with. Almost a month after davidd's arrest, limetless was contacted by what he thought was davidd for some MDMA business (full thread). The operator of davidd's account was gently pushing limetless to send him a delivery address so he could send a sample of the product. Limetless almost fell for it but, luckily for him, a post on the "rumour mill" forum saved his ass (full thread).

Last but not least, Sheldon Kennedy a/k/a edgarnumbers was also investigated by the Marco Polo Task Force and indicted in the District of Maryland. As with digitalink's indictment, we would also define this one as "bizarre" from a timeline point of view. LE apparently got edgarnumbers' shipping address and name using information provided by a confidential source (CS-1, likely being Digitalink, as already discussed), implying that CS-1 sold drugs to Kennedy and thus had his dox, which was probably found on CS-1's computer. From there LE agents ran background and records checks on Kennedy, revealing, for example, that a package sent from China to Kennedy had been intercepted on January 6th 2012, along with other information about Kennedy's online footprint found through online searches (social media and Gmail accounts). The indictment also reveals buys made by LE from edgarnumbers, including drugs and weapons, part of the "100 individual undercover purchases of controlled substances from Silk Road vendors" made by law enforcement agents between November 2011 and September 2013.

The problem with the affidavit's version is that we know the package intercepted on January 6th 2012 and mentioned in the affidavit originated from China and was shipped by one of the friendly Chinese labs discussed in The 中文 Connection and under close monitoring by LE starting (it could possibly be earlier) in March 2012. It is not stated in the court document what happened to the seized package, but Kennedy received a love letter a month after the interception, on the 3rd of February 2012. The way the affidavit is put together would make one think the interception resulted from the information provided by CS-1, whereas that is probably not the case, as Digitalink (if he is CS-1) was likely not cooperating yet at the time. Agents in Maryland learnt about that interception from CBP during a background check on Kennedy's name and address at a later point in time; sometime in March 2012 would be an educated guess. This tells us that by February 2012 the Marco Polo Task Force probably knew neither that Kennedy was vending on Silk Road nor that he was using the alias edgarnumbers, which would otherwise probably have resulted in a controlled delivery upon interception of the package and made him, by the same occasion, the first Silk Road vendor arrested in early January 2012, an occasion not to be missed.

Another element which raises questions about the accuracy of the affidavit is the execution of the search warrant at Kennedy's residence, which supposedly happened on the 28th of June 2013, more than a year and a half after the package was intercepted by CBP in San Francisco and a year after edgarnumbers was allegedly seen "taking packages to the Post Office", packages which were again intercepted by HSI and a USPS inspector on the 7th of May 2012. It doesn't make sense to spend time on surveillance, background and record checks through the first half of 2012 and execute a search warrant almost a year later, which would have given the suspect plenty of time to clean up evidence. In our opinion, the search warrant was executed much earlier. It is possible that it is an error/typo by the agent who wrote the affidavit and that the search warrant was in fact executed on the 28th of June 2012. Moreover, you would expect LE to want an informant and/or a vendor account to work with as early as possible in the investigation rather than later.

We also searched for the Bitcoin transactions mentioned in the affidavit, as it is said that "on or about April 5, 2012, an undercover HSI agent purchased a gram of cocaine from Kennedy, for 21.28 Bitcoin" and "on or around May 24, 2012" another "agent paid 151.08 Bitcoins" for a Glock 26. However, none of the transactions could be located on the blockchain. We also looked at other dates close to that time frame, without success (if you have more luck, feel free to contact us).

A few final, random thoughts to wrap up:

As always, everything found on this page should be taken with a pinch of salt, you have been warned.

Silk Road 2.0 Timeline

Credit: Dehickensian (@secruedmh) for the great help with the timeline.

Timeline of events surrounding Silk Road 2.0 rise and fall (work in progress):

Defcon New-York complaint and investigation | DoctorClu Western District of Washington search warrant and complaint | Silk Road forums | Media

Trawling the flotsam of the Silk Road Shpwrck

04/01/2015 - Thanks to Dehickensian and imposter for the help on the research.

Man overboard

After the arrest of Dread Pirate Roberts (DPR), the administrator of the online black market Silk Road (SR), and the chaos that followed, former Silk Road vendors and moderators, despite warnings and doubts about the legitimacy of the whole endeavour, decided to regroup on what would become the Silk Road 2 Forums to organise the rise of Silk Road 2.0. A new Dread Pirate Roberts, who was quickly dubbed DPR2 and who many whispered was the well known SR user StExo, emerged to captain the old SR crew and sail the replacement site to calmer waters. SR2 would successfully open on the 6th of November 2013 and operate without many troubles until the 19th of December 2013. On this date, three former SR administrators and moderators, Inigo, Libertas and SSBD, were arrested in an organised law enforcement (LE) operation which should have shut down Silk Road 2.0 for good. Much to the surprise of many observers, the arrest didn't affect the trust of the vendors and buyers in the marketplace, and shortly after a new administrator, going by the username Defcon, took over the "management" of the site with a new team of moderators. However, from there it was all downhill, with myriad scams, thefts, hacks and other drama. Eventually LE seized both the Silk Road 2.0 marketplace and the forum with the arrest of alleged administrator Blake "Defcon" Benthall. Upon release of the complaint against Blake Benthall, additional information was published regarding the role of a Homeland Security Investigations Undercover agent (HSI-UC) who infiltrated the administration staff of Silk Road 2.0 and aided in the investigation leading to Blake's arrest.

While several individuals worked in an undercover capacity to aid various government agencies seeking to shut down the original Silk Road, one undercover agent played a central role in the arrest of Ross Ulbricht. In order to confirm that Ross was at least someone who could assume the DPR1 moniker, the FBI arranged for an undercover agent to initiate an online chat with DPR1 at the same time that they planned to arrest Ross. While many have speculated about the identity of this undercover agent, it remained an open question whether they were a member of the SR1 crew or not. As the past year progressed it became clearer that this undercover agent was in fact a member of the SR1 crew and that they were the same UC who was heavily involved in the takedown of SR2. The first trail of breadcrumbs broke off in the complaint against Benthall, where we learned that:

"On or about October 7, 2013, [The HSI-UC] was invited to join a newly created discussion forum on the Tor network, concerning the potential creation of a replacement for the Silk Road 1.0 website. The next day, on or about October 8, 2013, the persons operating the forum gave the HSI-UC moderator privileges, enabling the HSI-UC to access area of the forum available only to forum staff. The forum would later become the discusson forum associated with the Silk Road 2.0 website (The "SR2 Forum")."

Indeed, the above discussion forum, which was later to become the SR2 Forum, was created on the 7th of October 2013. It would be a reasonable assumption to believe that only very trusted and vetted members, especially those trusted enough to be provided with moderator privileges, were initially invited as suggested in the complaint. Beyond the now obvious fact that SR2 was infiltrated by LE from day 1 (we could even say day 0 since the UC was instrumental in the planning), it is very likely the account operated by the HSI-UC was involved in the original iteration of Silk Road.

When SR1 was seized on the 2nd of October, 2013, five users had administrator and/or moderator privileges on the marketplace and/or forum: DPR1, Libertas, Inigo, samesamebutdifferent, and Cirrus. A couple of days after "opening" the SR2 forums, on the 9th of October, 2013, DPR2 posted on the forum a list of the current Silk Road staff: "Libertas, Cirrus and Sarge are all global moderators. Dread Pirate Roberts and Inigo are administrators." It wasn't until a few weeks later that the list was updated, throwing three new usernames into the mix: "Administrators: Dread Pirate Roberts Defcon; Global Moderators: Libertas Synergy Cirrus Inigo Sarge; Newbie Guide: ChemCat". Since the HSI-UC was given global moderator privileges on October 8, 2013 according to the Benthall complaint, the undercover agent must have operated at least one of the previously mentioned accounts.

Reddit Cannonball

Fast forward to the 20th of December, 2013. Everything seemed to be sailing smoothly on "the Road" but a reddit post was about to disrupt the pleasant calm. The post, titled "SR admin and mod just got arrested....my boyfriend" and written by a user claiming to be the girlfriend of an administrator/moderator, warned the subreddit that her boyfriend had just been arrested: "I'm not sure what his login name was, all i know is that apparently he was an admin and then a mod and that he also ran the book club". Of course, given the constant trolling the Silk Road subreddit was subject to, many users were skeptical. That held until she posted a partially redacted search warrant as well as a card belonging to the indefatigable Special Agent Christopher Tarbell, infamous amongst the computer underground for his arrest of computer hacker "Sabu" and the earlier takedown of SR1. The information was later confirmed in an FBI press release announcing the arrest of three individuals in the U.S.A, Ireland, and Australia, for their roles in running the Silk Road website. These individuals were later identified as the original SR moderators: Inigo, Libertas, and SSBD. Following the arrest of the three moderators/administrators, DPR2 handed over the market to Defcon and disappeared. At the same time, another moderator, Sarge, quit his position as he didn't "wish to be a person of interest any longer", leaving Cirrus and ChemCat as the remaining moderators.

As the damage from the attack on SR2 was being assessed, a Tormarket forum post was slowly drawing increased attention by the community. In it, a user, purporting to be an SR2 vendor, quotes a post made to the SR2 vendor roundtable (a restricted forum area for vendors only) by another SR2 vendor to alert vendors that they had been arrested. The arrested vendor further explained that while being interviewed by LE they were shown numerous Bitcoin (BTC) transfers and private conversations undertaken on the site that pointed towards LE having administration access to the SR2 marketplace and/or moderator access to the SR2 forum.

Mutiny

Given the realisation that LE were staying one port ahead of the Silk Road crew, many people started turning their attention to members of the crew and evaluating which captain they truly served. Eventually though, after the Defcon arrest, few doubts remained that the UC was Cirrus. Soon after, the Daily Dot obtained a list of evidence the prosecutors planned to present during Ross Ulbricht's trial. Among the pieces are: This evidence shows that while chatting with DPR1, either Cirrus took screenshots of the discussion for law enforcement or LE had taken over Cirrus' account in order to take the screenshots themselves. Either way, any doubts that lingered were lifted and the UC was unmasked: it was Cirrus all along.

The route taken on the Silk Road Journey

A question that remains from both Silk Road investigations is whether the UC was the result of a long and successful infiltration of Silk Road by law enforcement, or of a silent arrest of Cirrus, who was then persuaded to act in an undercover capacity or had their account taken over. In order to find out we will have to dig up the Silk Road archives and try to learn more about Cirrus.

The Cirrus account was created on the Silk Road forum on the 11th of July, 2013. That same day, DPR1 made an announcement on the forum to introduce the "new" full-time moderator. It should be obvious that Cirrus must have had another identity before being promoted to moderator and that the new username was introduced to separate Cirrus from their previous one. Luckily, the previous username of Cirrus was an open secret and it was "known" they were previously Scout. There are various theories behind Scout's username change to Cirrus, but most of them agree that some type of disagreement/argument happened with DPR1 which resulted in Scout being temporarily stripped of their moderator privileges before being reintroduced as Cirrus at the request of the other moderators/administrators, who were in need of additional help. Those interested in an account of the events can read about it here or here.

The Scout account was created on the Silk Road forum on the 12th of July, 2012; however, Scout's first post on the forum would only happen almost exactly 6 months later, on January 13, 2013. At this point, Scout apparently already had moderator privileges on the forum, as they were able to move a topic from one place in the forum to another. Furthermore, that very same day, Scout is introduced as a "new" member of staff by Nomad Bloodbath. Luckily, we know Scout had a vendor account on Silk Road before changing to the Scout account and must have been using another username as a vendor.

The swashbuckler

We have to say that we're guilty of having overlooked some of the notes that we took when investigating the original "Employee" story involving chronicpain/flush. At the time, the previous nym of Scout had been recorded as "moderator", but since it wasn't directly relevant to the murder-for-hire story it wasn't added to the SR1 timeline until months later.

Anyway, before being promoted as moderator, Scout was operating a bitcoin exchange service under the name CaptainMal. Identifying CaptainMal is a little bit tricky since the account was deleted soon after Scout was announced as a moderator. Luckily, multiple quotes of CaptainMal survived the account deletion and provide enough context to document the role CaptainMal played on the marketplace and forum. Further study of the timeline and similarities between CaptainMal and Scout are left as an exercise for the reader.

It's likely CaptainMal started as a vendor offering a Bitcoin exchange service in October 2012, providing a way for Silk Road buyers to obtain bitcoins through different payment methods: Moneygram, Western Union, Moneypak, bank transfer (Bank of America, Wells Fargo) and even cash in mail. They helped other vendors cash out by buying their Bitcoins and sending them cash through their method of choice, including Western Union or directly in the mail. CaptainMal's contribution to the community was not limited to Bitcoin exchange either: they were also an active participant on the SR1 forum, providing guidance on the different methods available to buy and sell bitcoins as well as helpful advice for new members on how to best use SR1. This led to CaptainMal quickly becoming a respected member of the Silk Road community.

As reported by several users on the Silk Road forum, CaptainMal was active from October 2012 until January 2013, when they were promoted to moderator. Following the promotion, CaptainMal remained active for a very short period of time before switching accounts to Scout and eventually deleting the CaptainMal account. The deletion is referenced by Scout in an effort to uphold the name and reputation of CaptainMal, after a scammer tried to capitalise on CaptainMal's good reputation by creating an almost identical account following the deletion of the original one from the forum.

From the payment methods accepted, it wouldn't be surprising if CaptainMal became a low-hanging-fruit arrest target for law enforcement, as the use of Western Union, bank transfer and cash in mail for illicit activities is difficult to scale (i.e., achieve in increasingly larger amounts) while at the same time keeping tight operational security (OPSEC) practices. Furthermore, all those payment methods are traceable transactions leaving long "paper trails". At the time, some BTC exchange "vendors" operated under the wrong impression that buying and selling bitcoins that facilitated drug trafficking was a totally legit business as long as they remained wilfully ignorant of the origin of the funds. Unfortunately, as Charlie Shrem and Robert M. Faiella (a/k/a BTCKing) learnt the hard way, this isn't the case, and operating a BTC exchange that knowingly facilitates the purchase of bitcoins for drug trafficking isn't as safe as they might have thought (genuinely or not).

Reading the criminal complaint against BTCKing shows that undercover agents, posing as SR1 buyers, had been buying bitcoins from Silk Road's BTC exchange service vendors on a regular basis. They then issued search warrants to ascertain email accounts associated with the payment method used, owners of bank accounts used for bank transfers, Money Transfer Control Number (MTCN) information for Western Union transfers, and any records held at third party Bitcoin exchanges used by the vendors. Also, since on or about August 2013, LE had been in possession of the Tormail email server, a Tor Hidden Service (Tor HS) that was the preferred email provider of many miscreants involved in cybercrime. Tormail was also the email service associated with CaptainMal's email addresses, where they operated both the 'captainmal@tormail.org' and 'captmal@tormail.org' accounts.

Following the information remaining in quotes of CaptainMal's posts on Silk Road forum, we noticed multiple references to bitcointalk.org (which isn't surprising considering it is the main Bitcoin forum available) so we thought it could be a good place to start finding an alter ego for CaptainMal, since other open source searches on the nym CaptainMal didn't provide interesting results. To narrow down the search we looked at accounts active on the Bitcointalk forum from October 2012 to January 2013, which coincided with CaptainMal's presence on SR1. To cut a long story short, we eventually identified an interesting profile using the nym c0dex (screenshot).

There are several reasons why we decided to look closer at this profile, reasons which may seem obscure but nonetheless proved helpful:

A short while after c0dex joined bitcointalk.org they were cheated in a BTC for PPUSD scam (archive). In mid-November 2012, c0dex tried to sell ~$555 worth of Bitcoins via PayPal but later posted that they were cheated by someone who, ironically, may have wanted BTC "to go buy drugs on Silk Road for "festival enhancement"". Unfortunately, some posts in the thread have been heavily edited, while others have been deleted completely. It's not clear how the BTC transaction was organised, since we weren't able to find any posts by c0dex at the time advertising Bitcoin exchange, but that shouldn't discount the possibility they were using another account. On top of this, the thread shows that c0dex was at least aware of SR1 at this time. For the next few weeks, c0dex will try to get her money back by chasing after the scammer with the help of a group of like-minded "Bitcoin avengers." Towards the end of the month, PayPal notifies her that they will dispute the chargeback that the buyer had initiated, and c0dex promises to keep the thread updated with her progress recovering her money. Almost a month later, on the 27th of December, 2012, c0dex returns to post that the buyer won the dispute and that they were effectively robbed of $580. Meanwhile, on the 10th of December, while c0dex was waiting for the chargeback decision to be made, CaptainMal over on the SR1 Forum mentions that one time they tried to sell Bitcoin for PayPal and that they were STILL trying to make up the money they lost from it. In the same post, CaptainMal warns the user they are replying to that no BTC exchange in its right mind would accept PayPal payment for BTC on Silk Road. The same advice will be given by Scout the following month.

On November 9th, 2012, two threads, on bitcointalk.org (screenshot) and on the Silk Road forum respectively, discuss BitInstant being down and transactions not going through. This particular succession of messages shows, in our opinion and with a very high probability, another link between CaptainMal and c0dex. The quotes are listed in chronological order (you might want to have a look at the complete threads linked above).

Reviewing other topics, you'll find that BitInstant's fraud filter issue is discussed only three or four times in the whole bitcointalk.org forum in the BitInstant context. On Silk Road, BitInstant's fraud filter will be discussed in 11 different threads. 9 times out of 11, "fraud filter" is mentioned by either CaptainMal or Scout, and yet it affected two users from two different forums, on the same day, at the same time, with each user complaining on their respective forum (attentive readers will also notice that CaptainMal and c0dex write "X+ hours" in a similar fashion). CaptainMal further stated that "another person at bitcointalk had the EXACT same problem tonight". It is not only "another" user but the only one, who will prove to be CaptainMal himself. c0dex's posts in the BitInstant thread will eventually be stripped of their content and replaced by a single dot on February 15, 2014. An afterthought?

We see simultaneous posts again by c0dex and CaptainMal (now working under the username Scout) on February 6th, as blockchain.info (screenshot) had issues affecting login capabilities. Within less than 30 minutes of each other, both CaptainMal (now Scout) and c0dex (screenshot) highlighted on their respective forums the 3 hours of downtime they experienced.

Moving forward and searching for c0dex on other Bitcoin-related websites, we found on bitcoin-otc.com another profile with the same nym c0dex, registered on October 10, 2012 (screenshot), the same day the c0dex profile was created on bitcointalk.org (screenshot). Even though the c0dex account hasn't been used for trading on bitcoin-otc.com, the operator took the time to create a PGP key (screenshot) associated with the email address c0dex@tormail.org (screenshot). Another bitcoin-otc profile, packt (screenshot), created the following day, is quickly found to be associated with the same email address (screenshot), although using a different nym and PGP key (screenshot). Unlike the c0dex account, packt has several transactions associated with the profile and traded cash to btc, btc to paypal, coffee or moneybookers. Unlike Silk Road, where transactions are meant to be anonymous, bitcoin-otc relies on a pseudo-anonymous web-of-trust network where people conduct over-the-counter trading, so it isn't uncommon to rely on one's real identity, as well as on the ratings received from previous transactions, to facilitate a transaction. This is one of the reasons trading BTC for PayPal, for example, is "safer" there than on Silk Road. That c0dex and packt are the same person is also confirmed by the user elevateddownfall in c0dex's PayPal scam thread, addressing c0dex as "Yo packt" for an "opportunity to make few coins" (screenshot).

Since packt was at the time an active user on bitcoin-otc, some IRC logs are still available and reveal interesting information. We didn't mention this point of commonality between CaptainMal, Scout and c0dex earlier, as we wanted to introduce packt first to avoid confusion, but all of them use the same motto: "Buying / selling Bitcoins is legal" or "Bitcoins aren't illegal", depending on the situation. We will also find in the logs the mandatory South Park reference, packt's marital situation and hints at being a cat lover. Packt leaked their location a couple of times and is likely from Texas, as shown by the IP addresses used when authenticating on #bitcoin-otc (ExoneraTor will show none of the IP addresses used were part of the Tor network on those particular dates). Furthermore, packt mentioned on October 23, 2012 that he "went to a godspeed concert recently". Indeed, the band happened to have played in Austin and Dallas a couple of weeks before, again suggesting packt is Texas based.

A shipwreck in the mist

Using the previously discovered pieces of information and a bit of social engineering, we managed to get packt's email address and name associated with a "Verified PayPal Account". Open source searches on the username shpwrckd show the identity information linked with the PayPal account to be likely accurate, as a similar name is used on different online profiles associated with the alias shpwrckd. A lot of the search results (screenshot) relate to websites vending "artists" photos, prints, canvases and other types of crafts, on which the website takes a cut upon selling the "art". Most of those profiles seem to belong to the same Tracy O. identified previously. Apart from the artwork shop accounts, you'll find very few social network accounts of interest associated with the username shpwrckd, or the ones that previously existed have been deleted. There is a flickr account (screenshot; the account was initially active but was deleted after we tried to contact the owner, and the profile now redirects to an error page indicating that the member is no longer active on Flickr), a shady twitter account (screenshot; the account was initially active but was deleted after we tried to get in touch with the operator on December 28, 2014) and a travel website (screenshot) with an account shpwrckd, from Dallas, Texas, but that's about it. However, we suspect a clean-up was done and shpwrckd profiles on several websites were deleted. The artwork websites (screenshot) selling shpwrckd's pictures take up so much space and seem so unrelated to the relations we are trying to establish that it is a bit confusing at first. Going through the flickr account we do find some matches with the packt profile, like kitten and dog pictures (screenshot) or pics from gigs in Austin (screenshots) and Dallas (screenshots), but nothing remotely related to a BTC exchange service operator and Silk Road moderator.

One particular account initially discarded was shpwrckd on the website North American Motoring, but it turned out to be very useful. If you've looked through the flickr account you will have noticed a couple of albums with Sport Utility Vehicle (SUV) pictures (screenshot). At first glance the posts of shpwrckd on the North American Motoring forum don't provide much information of interest, as some of the posts have, again, been removed or edited (screenshot) and the others don't seem to match the previously discussed profiles. Well, that was until we looked closer at some particular posts (screenshots) and the attached pictures (screenshot). On one of them we clearly see an SUV (referred to as a 4runner by shpwrckd in the post) parked behind an Austin mini in front of a building (screenshot). The 4runner has a Texas licence plate and looks very similar to the SUV in the flickr picture (screenshots). A closer look at the picture by analysing the EXIF data provides GPS coordinates (screenshot) and the associated address [redacted], Dallas, Texas. Further research on the address reveals a company named CRYPTOCURRENT LLC, registered on December 7, 2012, [redacted], Dallas, TX and managed by a Theresa O. (screenshot).

CRYPTOCURRENT LLC was an anonymous (read: no questions asked) bitcoin currency exchange which "had been operating since August 2012 informally, with its first publicity occurring on March 11, 2013. The service closed in May, 2013" according to bitcoin.it. Multiple references to the service and its operator JonSnow (screenshot) can be found on bitcointalk.org. Cryptocurrent will also be promoted and praised multiple times on Silk Road by what appear to be only happy customers. Even Scout posted to set the record straight about Cryptocurrent in order to avoid confusion and keep the business's reputation. Cryptocurrent seems to have operated in the background for a while, as the first mention of the service pre-dates the official Cryptocurrent thread on bitcointalk.org in March 2013 (screenshot). An early reference to Cryptocurrent can be found on Silk Road in February 2013, advertised as a BTC seller accepting cash in mail, Bank of America and Wells Fargo cash deposit and bank wire. Cryptocurrent will eventually stop operating sometime in May 2013, with an official announcement posted on the Cryptocurrent twitter account.

The sunken bitcoins

Before wrapping up, we're going to have a look at some bitcoin transactions that should hopefully further link shpwrckd a/k/a c0dex a/k/a JonSnow with CaptainMal a/k/a Scout a/k/a Cirrus. Back in November 2012, FuckingAce (a/k/a "Ace"), from the ScurveyCrew, asked on the Silk Road forum for a BTC loan in order to open shop and get a vendor account on the marketplace. CaptainMal will eventually offer to fulfil the loan and transfer 13 BTC to an address provided by Ace. We can actually verify the transaction occurred on November 28, 2012, a few minutes after Ace provided the BTC address. The sender, CaptainMal, transferred the funds from the address 1CUQkPVFY33ubCoibB8xX8JQdo8oP1dVwL, which is part of the wallet [04c5687390]. Looking at other BTC transactions associated with the wallet [04c5687390], it is obvious the owner of the account is using Silk Road on a regular basis, which is consistent with CaptainMal's operations.

On March 3, 2013, JonSnow, from bitcointalk.org, made a payment of 0.045 BTC to another user from bitcointalk.org. JonSnow's address, 13XZMGjAXhh9n5wPkh8LrPiGdhd18rM2vD, is part of wallet [05725b9fef]. Same wallet, different user: c0dex this time received some funds at the BTC address 16EdwPraZ3akWJfHZPHFGxENydPEBZmycn, from what seems to be a payment from a BTC Casino/Games affiliation program (screenshot). That payment was also made to an address belonging to wallet [05725b9fef]. You will also notice some transactions from this wallet to Silk Road.

On April 3rd, 2013, JonSnow is expecting a large 20K transaction from her "Bitcoin supplier", but the amount was sent to an expired "one-time address", requiring the help of blockchain.info support to push the coins to her wallet. If you look at the transaction on the blockchain you'll notice the bitcoin supplier has wallet [00991efbe2] and is sending 150 BTC to the shared coin address 16SpPDDeTVzeqLQ6W4un8Qn2EoQkTopFFz. The interesting part here is the address 1LDq7K5S3pqVFCEwvPiNNd5PdXisxfZH7G used to send the BTC to JonSnow. This address appears on a regular basis on the blockchain sending "round numbers" of BTC to the wallet [04c5687390], which was previously established as belonging to CaptainMal:

Looking at the incoming transactions for wallet [00991efbe2], one can see most of them are coming from Silk Road, then later on from the Silk Road 2 and Agora marketplaces, heavily suggesting that this particular wallet belongs to a vendor (another wallet of interest sending BTC to CaptainMal's wallet is [f7401fb791]).

Finally, the last transaction from CaptainMal's wallet, [04c5687390], which follows a series of transactions with BitcoinFog, is sent to the address 1AQb7RsfMsXpdErHUKvuFEDFiDS43pNzPA, which belongs to c0dex/JonSnow's wallet [05725b9fef]. Considering the really small amount of the transaction, we can assume that it was a simple way to get rid of the leftover coins and empty the wallet.
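The wallet identifiers cited in this section each group many addresses under one presumed owner. As an added example (not part of the original investigation, and not the tool used for it), the Python code below shows one standard way such groupings are derived, the common-input-ownership heuristic, and why multi-party mixing transactions have to be excluded before merging. It assumes that heuristic is what lies behind the wallet labels; every transaction and address label in it is constructed.

```python
"""Common-input-ownership clustering on constructed transactions."""
from collections import defaultdict

# Constructed sample data: (txid, input addresses, output addresses).
# The labels are placeholders, not real Bitcoin addresses or transactions.
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], ["X1"]),   # A1 and A2 are spent together
    ("tx2", ["A2", "A3"], ["B1"]),   # A3 joins the same wallet through A2
    ("tx3", ["B1"], ["C1"]),         # a single input links nothing
    ("tx4", ["B1", "B2"], ["A3"]),   # wallet B pays an address of wallet A
    ("tx5", ["C1"], ["A1"]),
    ("tx6", ["A1", "M1", "M2"], ["Z1", "Z2", "Z3"]),  # multi-party mix
]
# Assumption: mixing transactions are recognised by other means. Their inputs
# belong to different people, so they must not be used to merge addresses.
MIXING_TXIDS = frozenset({"tx6"})


class UnionFind:
    """Disjoint sets of addresses; the smallest label is the set's root."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)


def cluster_wallets(txs, skip=frozenset()):
    """Merge addresses that appear together as inputs of one transaction.

    Returns {root_label: set_of_addresses}. Transactions whose id is in
    `skip` register their addresses but never merge them.
    """
    uf = UnionFind()
    for txid, inputs, outputs in txs:
        for addr in inputs + outputs:
            uf.find(addr)                      # make every address known
        if txid in skip:
            continue
        for other in inputs[1:]:
            uf.union(inputs[0], other)         # co-spent => same owner
    wallets = defaultdict(set)
    for addr in list(uf.parent):
        wallets[uf.find(addr)].add(addr)
    return dict(wallets)


def wallet_of(wallets, addr):
    """Return the wallet label an address was assigned to, or None."""
    for root, members in wallets.items():
        if addr in members:
            return root
    return None


def flows_between(txs, wallets, skip=frozenset()):
    """Count payments from one wallet to another (change to self ignored)."""
    owner = {a: root for root, members in wallets.items() for a in members}
    flows = defaultdict(int)
    for txid, inputs, outputs in txs:
        if txid in skip:
            continue
        src = owner[inputs[0]]
        for out in outputs:
            if owner[out] != src:
                flows[(src, owner[out])] += 1
    return dict(flows)


if __name__ == "__main__":
    careful = cluster_wallets(SAMPLE_TXS, skip=MIXING_TXIDS)
    naive = cluster_wallets(SAMPLE_TXS)
    print("wallet A, mix excluded:", sorted(careful["A1"]))
    print("wallet A, mix included:", sorted(naive["A1"]))
    print("flows:", flows_between(SAMPLE_TXS, careful, skip=MIXING_TXIDS))
```

Including the mix in the naive run pulls two unrelated addresses into wallet A, which is the false link an analyst has to rule out before treating two addresses as one owner.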

Letter of marque and reprisal

As discussed at the beginning of this post, it is highly possible that Scout came onto law enforcement's radar due to her bitcoin exchange service activity, at first under the CaptainMal nym then via Cryptocurrent, since it was clearly used by Silk Road buyers/vendors to buy and sell bitcoins. When CaptainMal was promoted to moderator under the nym Scout, she became a de facto target of interest. There are several accounts of Dread Pirate Roberts requesting 100% commitment to Silk Road from his staff, and not tolerating other side activities, which could explain (other than for obvious OPSEC reasons) why CaptainMal stopped her BTC exchange service on Silk Road, or at least pretended to.

We haven't really answered the original question asked at the beginning of this post, "is the undercover agent the result of a long and successful infiltration of Silk Road by law enforcement or a silent arrest of Scout (or Cirrus) which resulted in an account take over?", but based on the information we found we would be more inclined to believe the latter, where CaptainMal a/k/a Scout a/k/a Cirrus was silently arrested and the account taken over by an HSI-UC agent (or maybe Scout/Cirrus acted as a Cooperating Witness for a while and still operated the account herself). It is also very difficult to say when the arrest occurred. We didn't notice a clear shift of behaviour in Scout/Cirrus' posting on Silk Road, and while we know Cirrus was in good company when Ross Ulbricht was arrested (the different screenshots of her chatting with Dread Pirate Roberts during and after Ross Ulbricht's arrest), it doesn't provide a time frame for the arrest. However, it is very likely that law enforcement planned to arrest Dread Pirate Roberts while he was logged in on his laptop, so they might have arranged for Cirrus to engage in a discussion with DPR. This scenario would have required Cirrus to be flipped beforehand. The "emailgate" mentioned previously is definitely an event of interest, but it is also difficult to tell the truth from the forgery. An FBI agent contacting Scout via email to offer her money to infiltrate Silk Road doesn't really sound plausible, and more like a desperate move. It could also have been a way for the FBI, assuming Scout had already been arrested, to try to reinforce trust in their newly acquired moderator account by reporting a "fake" law enforcement attempt to approach a moderator. The plot might not have worked out as expected, with DPR demoting Scout, and the FBI eventually got lucky in getting re-integrated within the staff. Not having any way to verify the accuracy of the story, that's only speculation from us.
The coming days and Ross Ulbricht's trial will likely cast some light on it.

One sure thing is the Cryptocurrent Twitter operator had some flair on the day Silk Road 2.0 was seized. Can it just be a simple coincidence?

Variety Jones or the old guard back in harness

26/02/2015 - Thanks to Dehickensian for the help. H/T Eileen Ormsby.

I've always been a powerful figure in the scene, but the last 11 days have made me realize just how much power I wield. It is quite a burden, but I bear it with pride. However, some day, and that day would come, I would start to see that power as a right, and not as the result of honesty, integrity, and hard work. And I'd start to silence those that disagreed with me. And I would become all that I hate. Plural of Mongoose

Ross Ulbricht's trial revealed, through a set of chat logs found on his laptop, the existence of an individual going under the name "Variety Jones a/k/a cimon". Dread Pirate Roberts' journal shows that Variety Jones and his alter ego cimon became "a real mentor" for Ulbricht in the early months following the creation of Silk Road in 2011. After reporting a major security vulnerability in bitcoind to a then hesitant Silk Road administrator, Variety Jones provided guidance on other technical matters like server configuration and security review, but also advised on how to improve communication with the community and interact with customers. Variety Jones' influence "behind the scenes" grew as the marketplace grew in size and popularity, slowly empowering the newly named Dread Pirate Roberts to start his own legend. But who is Variety Jones?

Variety Jones registered an account on Silk Road forum on June 27, 2011. From the information available on his vendor page he was selling exclusively cannabis seeds, shipping from the UK, and according to the website "Down the silk rabbit hole" as of November 03, 2011, Variety Jones had the highest number of items listed on Silk Road, 231. Outside of Silk Road, open Internet searches on the alias "Variety Jones" don't immediately produce results. There is an account Variety Jones, with only 8 posts, dating from 2002, on the forum uk420.com, which looks relevant but doesn't provide much information.

More interestingly, a reference to a Variety Jones can be traced back to February 2006 and an individual using the alias Plural of Mongoose. Plural of Mongoose presented himself as a respected member of the legendary cannabis grow site overgrow.com (OG), but was also involved on a larger scale in the cannabis seeds community through various online shops selling cannabis seeds for breeders, most prominently seedsdirect.co.uk. However, before getting into the specifics we need to take a trip down memory lane, stopping first at OG.

Overgrow was originally created by a group of cannabis activists from the weedbase forum in April 1999 (screenshot). Soon after, the troop was joined by what would become the technical backbone of overgrow, the Vancouver-based coder and administrator, the mighty ~shabang~ a/k/a overgrow (screenshot 1 and screenshot 2). Along the way, another Canadian using the nym Richard Calrisian a/k/a RC got involved by paying for the cost of running the forum and promoting his own seed bank Heaven's Stairway. ~shabang~ stayed the main administrator and developer of the forum until 2004, when RC copied the site and redirected the domain overgrow.com from ~shabang~'s Vancouver-based server to a server located in Montreal and owned by RC. The change of ownership created a split within the community and raised the question of who had the legitimacy to run the site. Overgrow will eventually shut down in 2006 after it was revealed that RC, whose real name was revealed as Richard Baghdadlian, had been busted by the Royal Canadian Mounted Police (RCMP), leaving its members in doubt and somewhat fearful of more arrests and seizures (screenshot).

It is in this context that Plural of Mongoose (a/k/a PoM) will appear. Through a series of posts on the now defunct planetganja.com, PoM will go into the behind-the-scenes events which led to the shutdown of overgrow.com. While apparently revealing an insider's informed view of the situation, PoM created complex intrigues with wild accusations involving several vendors, breeders and members of overgrow, revealing their respective connections to each other (screenshot). In one particular post of the series, dated February 21, 2006, PoM describes a visit to a good friend of his, Variety Jones.

Plural of Mongoose: In early 2004, a few weeks after leaving Seeds Direct, I left England to spend some time with a good friend of mine, Variety Jones. VJ was my editor for about two years, but so much more than just that in all the time I've known him. I met VJ when I was just a pup, and he had always been my counsel. If I started getting too big for my britches, I could always count on him to take me to task. There is nothing I knew that I didn't share with him, and he was a sounding board and confidante like no other. His beautiful house lay in a tranquil country setting, a perfect location to meet people and get to know them. My favorite memory of such events has to be an evening at VJ's house with Kif Richards and his lovely wife. You couldn't ask for a nicer group of people.

While there, I flew ~S in to spend 24 hours with VJ and myself, and have a little meeting, face-to-face. First off, let me say ~Shabang~ was a joy to spend time with - we were all sorry it had to be such a short meeting, but needs must, eh. I hope that someday the three of us can get together and share another spliff. But enough of that sentimental crap.

From the quote above, we can see that Plural of Mongoose has a very high opinion of Variety Jones, portraying him, with admiration, as a "counsel" and a friend he can count on. This description of Variety Jones somehow echoes the words in Ross Ulbricht's journal in an interesting way. The extract also hints at PoM, Variety Jones and ~shabang~ (or ~S) knowing each other, not only from their online ventures at overgrow.com, but also "in real life". PoM goes further on their relationship, explaining how, a few years before the fall of overgrow.com, he bought a 50% share of overgrow that ~shabang~ owned, adding "I trust ~S with my life".

~shabang~ was the main coder and administrator of OG, and also the developer of the karma reputation system for vbulletin. He built the foundation of what would become one of the biggest vbulletin boards at the time, 100 000 members strong when the RCMP pulled the plug. Since then he has become a legend, some sort of Keyser Söze of the cannabis boards, appearing on and off in between shabatical, as he liked to call his period of absence from the scene. Every marijuana forum worthy of the name created after the demise of OG had the shadow of ~shabang~ hanging around, and their administrators were called out as ~shabang~ at some point.

It will be half a surprise to learn that ~shabang~ was also a member of Silk Road. He registered an account on June 27, 2011, the same day as Variety Jones. His account was last active on August 05, 2013. There are very few posts by ~shabang~ on SR considering he was "active" for over two years (27 under this nym). Despite the low post count, we can form a quick idea of his profile as being tech-savvy and security and privacy minded, which would certainly fit the ~shabang~ who administered OG. Variety Jones will eventually wonder if the person operating the ~shabang~ alias on Silk Road also happens to be his old pal from the OG time. Silk Road moderator Nomad Bloodbath, in what is likely a positive answer, confirmed to Variety Jones that it is the same ~shabang~. A couple of months later, Variety Jones will acknowledge their past affiliation with overgrow.com.

In December 2011, Ross Ulbricht, known then as "Silk Road", changed the hidden service URL to the vanity onion address "silkroadvb5piz3r.onion" but didn't let the previous URL point to the marketplace, creating some confusion on the forum. A technical discussion with Variety Jones will follow to find a way to configure multiple .onion addresses to point to the same site. The exchange shows Ross Ulbricht's technical limitations on the topic as well as more advanced knowledge from Variety Jones. ~shabang~ also chimes in to the conversation a few minutes later to provide advice on hidden service configuration, criticizing Silk Road's poor choices. Acknowledging his lack of technical ability in the field, Ross Ulbricht will send ~shabang~ a private message to learn more about the recommended setup. ~shabang~ will eventually delete his post, which we can only read thanks to the "Silk Road" reply quoting ~shabang~'s message. This is somewhat bizarre since ~shabang~'s post doesn't seem to contain particularly sensitive information. We believe this exchange might have been one of the early ones which eventually led to further collaboration between Ross Ulbricht, Variety Jones and ~shabang~.

In April 2012, according to the early feedback on his vendor page, ~shabang~ was selling Yubikey devices for two-factor authentication, intended to improve the security of buyers' and sellers' accounts on the marketplace. The listing describes the Yubikeys as being currently beta-tested on Silk Road, which is consistent with a post from ~shabang~ where he explains that he is an "alpha tester" of the solution and that "Silk Road is currently beta testing their own Yubikey authentication server". Also in April 2012, the Silk Road expense spreadsheet, found on Ross Ulbricht's laptop by the FBI, lists a purchase of $37,000 of Yubikeys. Around the same period, in May 2012, Smedley, who seems to be the main developer of the marketplace, also mentions the Yubikey project during a chat with DPR, in what we think is not a coincidence and shows Dread Pirate Roberts' will to develop a Silk Road branded Yubikey solution (GX-231C).

Smedley started contracting as a developer toward the end of January 2012, as one can deduce from the chat log between DPR and Variety Jones (GX-226I). From the same excerpt, it looks like Variety Jones introduced Smedley to DPR or at least played the intermediary between the two. A few days later, on February 2nd, 2012, the Silk Road expense spreadsheet shows a first payment of $15,000 labelled "payroll (sr2.0)". Seven similar payments, also labelled "payroll (sr2.0)", will occur over the course of the next six months for a total of $185,090. In May 2012, DPR and Smedley will have a catch-up discussion about the development process and the progress made so far (GX-231C). Eventually, on July 22, 2012, Dread Pirate Roberts announces a new version of Silk Road, which we think was the internally named "Silk Road 2.0" since the associated payments labelled "payroll (sr2.0)" will stop shortly after. Unfortunately, the two-factor authentication solution was never released, despite the investments and the efforts of the development team and ~shabang~ to promote the technology.

The Silk Road Sales Data exhibit (GX-940), which summarizes the transactions that were in the SR databases at the time the servers were seized by the FBI, lists 23 transactions of Yubikeys for a total of $1,728 (฿222.75) and a total commission of $114 (฿16.06). It clearly shows the project didn't succeed as initially planned, but also indicates that the $37,000 on DPR's expense spreadsheet was likely used as funding for ~shabang~ to promote the Yubikey devices rather than as a purchase from a Silk Road vendor. Considering the $37,000 Yubikey investment from Dread Pirate Roberts, ~shabang~'s Yubikey business, his technical background and his close ties with Variety Jones, it sounds reasonable to speculate that he might have been involved not only in reselling and beta testing the Yubikey devices but also in working closely with Smedley on the development side to implement this new feature. Additionally, for the reckless tin foil lovers amongst us, it is possible that ~shabang~ may even have been operating the Smedley account.

Coming back to the intriguing posts from Plural of Mongoose, it became more and more apparent, as the story unfolded, that the main reason for PoM's posts was not directly related to the overgrow busts but was a means to pursue a vendetta against another interesting character named Glyndwr Foster a/k/a Gypsy Nirvana. Gypsy Nirvana, who borrowed his name from his ex-girlfriend's tattoo parlour, has been part of the online cannabis scene for what seems to be forever, selling seeds through several ventures, the most notable one being Gypsy Nirvana Ltd, owner of seedsdirect.to and International Cannagraphic Magazine at icmag.com. In the 80s, before getting into the seed trade, Gypsy Nirvana had a mildly interesting acting career in Hong Kong, giving birth to movies like Bionic Ninja. Anyway, Plural of Mongoose and Gypsy Nirvana used to be business partners in the UK and the Netherlands based seed shop seedsdirect.to. Plural of Mongoose was eventually fired by Gypsy Nirvana after he and Gypsy's ex were accused of data-mining/harvesting customer and breeder information and sending it to a third party in Canada. The relationship between Gypsy Nirvana and Plural of Mongoose got worse and, according to Plural of Mongoose's posts, eventually reached physical assault, death threats and Gypsy Nirvana allegedly contracting a Calgary based hitman to get Plural of Mongoose killed, "Crazy shit, murder and international intrigue, going on in real-time!" as PoM will describe the situation when posting the story.

Along the way, Plural of Mongoose, with the help of Nicky, Gypsy Nirvana's ex-girlfriend and co-owner of Gypsy Nirvana Ltd, took over "Gypsy Nirvana ltd" and its affiliated cannabis forum and magazine www.icmag.com (screenshot). The love birds modified the status of the company by appointing Plural of Mongoose as Director and an interesting "Mr Jones" as Secretary. After a complaint through the UK Companies House, Gypsy Nirvana will eventually get his company back, under his own name and control. The legal procedure resulted in the identity of Plural of Mongoose being revealed as Thomas Clark, a Canadian citizen, born in 1961 and living in Surrey, UK.

What about Variety Jones? Well, we got hold of the documents associated with the company "Gypsy Nirvana ltd" showing that the Mr Jones registered as the company Secretary is an English citizen going under the name "Peter Robert Jones". Assuming that person even exists and used his real name, it could be an interesting lead. However, we could not find anything linking a Peter Robert Jones with the breeder community, and even less with Silk Road. Is Variety Jones from Silk Road Peter Robert Jones? Probably not.

Another theory, which has become a favorite of ours, involves Plural of Mongoose in the role of Variety Jones. It is obviously difficult to say with certitude, and we suspect a twist might spice up this story, but there are definitely some parallels between PoM and Variety Jones from Silk Road as we will try to show below.

In one of the posts made during the "Plural of Mongoose - Gypsy Nirvana drama" following the Overgrow bust, Plural of Mongoose published a statement (thread) which appears to be intended for law enforcement and sums up the threats from Gypsy Nirvana he was allegedly subject to. At the very beginning of the statement he claims to suffer from Motor Neuron Disease as well as having been diagnosed with multiple sclerosis (MS).

Statement of Thomas Clark, Tuesday, 26 April, 2004

To help put this situation in perspective, I think it's important to have a little background first. I weigh under 10 stone, and have Familial Motor Neuron Disease. This means the motor signals don't travel correctly to my muscles, which leaves me with inefficient muscle control, and constantly weak. I was also recently diagnosed with MS as well, which adds to general weakness of my extremities. In short, any 7 year old kid in a playground could beat the heck out of me, without having to put down their ice cream. The two men, Mr. Foster and Mr. Edwards, who tried to kill me, are well aware of this fact.

Going through Variety Jones' threads on the Silk Road forum, we find a couple of posts mentioning the use of cannabis for pain relief (screenshot 1 and screenshot 2). Furthermore, in a chat with Dread Pirate Roberts, Variety Jones tells him that he "had zero sleep last night due to leg/muscle cramps" and seemed to be quite pleased to have just received 1oz of weed from ~S (~shabang~) as a good pain relief (GX-226I). The main symptoms of motor neuron disease include "muscles wasting away, muscle cramps, spasms or twitching" and usually occur first in the arms or legs. We can safely assume that, in this particular case, the leg/muscle cramps are not from running a marathon.

In another post Variety Jones makes a direct reference to multiple sclerosis. The quotes can't be attributed directly to Variety Jones, as he seems to be only giving examples of reasons to grow cannabis but, with the hindsight of his condition, the quotes might not just be random examples.

On a lighter note, Plural of Mongoose and Variety Jones have a certain lyricism when talking about marijuana. In a post on the Silk Road forum titled Flavoured Marijuana, Variety Jones starts by comparing wine and cannabis before going with passion into the different "flavours and aromas" of his favourite cannabis strains. The vocabulary used for the description is not dissimilar to some of Plural of Mongoose's reviews in overgrow's strain guide. In the excerpt quoted earlier, relating his meeting with Variety Jones and ~shabang~, PoM says that Variety Jones used to be his editor. His mundane strain descriptions and his imaginative Silk Road story "A tale of Darren Jones, vendor on the Road in the year 2450" would certainly fall within the skills of a word-smith.

Surprisingly for someone who has been in the marijuana seed business for so long, Variety Jones seems to get weed exclusively from other vendors. He makes multiple references to his buys on the Silk Road forum, but we couldn't find a single reference to him discussing selling weed or even growing his own seeds, corroborating Gypsy Nirvana's idea of a Plural of Mongoose never having grown a seed crop in his life and matching the description of one of PoM's previous nyms, "NotAGrower" (screenshot).

In 2008, Plural of Mongoose and a Seeds Direct associate, Gene Barker, travelled to Thailand and the island of Koh Chang. They took back with them to the west a marijuana strain which happens to be only available on this island and was named after it. Seeds Direct used the Koh Chang seeds as freebies for customers, and an associated thread was created on PG to discuss PoM and Gene's trip to Thailand as featured by a local blogger. In a chat with DPR (GX-226I), Variety Jones hints at being familiar with Thailand and having travelled over there, "I love thailand for the weather, the people, and the weed ain't bad either" he says.

Then we have the chat logs and screenshots presented as exhibits at Ross Ulbricht's trial. Most of the chat logs were private messages extracted from the Silk Road servers or TorChat log files recovered from Ross Ulbricht's laptop, like those with Variety Jones (and cimon). Exhibit GX-215, for example, shows a snapshot of the TorChat log files when the FBI seized Ross' laptop. The files tv32wkhirljvcb4f.log and u7y2e2c3rbfqzjfe.log contain, respectively, DPR's conversations with Variety Jones and cimon. We learn from that same exhibit that DPR last chatted on TorChat with Variety Jones on July 16, 2012 and with cimon on April 4, 2013. The chat log with cimon is also the last file modified in the .torchat folder, suggesting the use of a different communication platform after this date, as we know DPR and cimon continued communicating after April 2013. Cimon installing the chat client pidgin, the mention "we are all on a more secure chat channel" by DPR to Cirrus, the instruction file explaining how to configure a new XMPP account and add the user Dread, and the multiple screenshots of DPR's use of Pidgin all confirm the hypothesis of TorChat being dropped in favour of an XMPP hidden service. One of the screenshots, published by the US government as exhibit GX-201G, shows Dread Pirate Roberts' buddies on Pidgin. His contact list contains the usual and known crowd, "Libertas", "Inigo", "smed", "nod", but interestingly neither Variety Jones nor cimon. Among the "unknown" contacts, two individuals have their original Jabber identifiers and one user was renamed with the alias "mg". The same "mg" also appears on a screenshot, sent by Ross Ulbricht, of a Pidgin window (GX-317), and was online and chatting with DPR when Ross Ulbricht was arrested in the library (GX-201H). In our opinion "mg" is a shortened alias for "mongoose", which would then explain the absence of the VJ and cimon aliases from DPR's contact list.

Another possibility is that "mg" is the nym used by "Ace" of the Scurvey Crew, who noted in an interview with Vice that they were chatting with DPR when he was arrested. It is possible, though, that "Ace" and DPR were not communicating through XMPP but via PM on the SR forum and marketplace.

Last but not least, in one particular chat log between Dread Pirate Roberts and cimon (a/k/a Variety Jones) cimon tells Dread Pirate Roberts that his real identity could easily be found if only DPR spent a bit of time searching for... "Plural of Mongoose" (GX-227H).

Cimon: You know - I post up, and give you shitloads of info that could if you tried just a bit (fuck, Plural of Mongoose alone should do it!) that you could determine exactly who I am. I did that to make you feel comfortable.

This confession is a pretty good give-away and seems consistent with our independent findings and the links we think exist between Plural of Mongoose and Variety Jones.

In an article from High Times magazine dated July 2006, the journalist Chris Bennett, who covered at the time the overgrow arrests, gives an interesting description of the "megabyte megalomaniac" Plural of Mongoose:

PoM was like a puppet master, and it was eerily intriguing watching him pull the strings on the forums that made people dance in the real world: Business transactions fell apart, people retired nicknames and dropped from view, court dates came and went - but when the chance arose to interview PoM, I decided to pass. By that time, I had it from a reliable source that PoM deposited things on people's PCs via e-mail that gave him access to their personal desktops and files. Frankly, PoM scared me, and I didn't consider him a reliable source of information anyway. So why feed his fire?

In February 2008, Gypsy Nirvana recovered his company "Gypsy Nirvana Ltd" in the High Court of London and was also cleared of the assault charges and of what seem to have been fake accusations from Plural of Mongoose, giving weight and credit to Bennett's view of PoM (screenshot).

Gypsy Nirvana: [They] even conspired to get me into criminal court on fake assault charges....one I was found not guilty of and the other one (after 2 years) [PoM] dropped the charges due to the fact that he lied so much in his witness statements that he would have been found guilty of perjury if he took the stand.

It was later revealed, among other bizarre intrigues, that PoM blackmailed Gypsy Nirvana and his staff at icmag.com, threatening to turn over breeders' addresses to law enforcement (LE) if he wasn't given administrative access to icmag.com, addresses he probably gathered while working for seedsdirect. It is difficult to verify the claims of Gypsy Nirvana and his minions, and they may also be rewriting history to their advantage. However, it could also show that, once again, Plural of Mongoose is living by the maxim he used as his signature at planetganja.com, "The last fucking thing you want is my undivided attention...™ ".

Considering the LE investigation and arrests surrounding overgrow.com and the online breeder community, and the extensive Silk Road investigation, we find it difficult to believe an attention seeker like Plural of Mongoose managed to fly under LE radar while being part of the scene for so long. If PoM's allegation that he gave Dread Pirate Roberts a lot of information about himself during their endless chats is true, as the Plural of Mongoose nym freebie would tend to show, the 1400 pages of chat logs must have provided LE with more than enough information to locate him wherever he is, especially since he was doxed back in 2008.

According to some rumours, PoM left Canada in the early 2000s after the police found a grow room of his in the remains of a building that caught fire. The incident led to a court case which didn't look too good for PoM, and he felt that leaving Canada would be a safer option. He asked his then online friend from Overgrow, Gypsy Nirvana, if he could come to the UK and lie low for a while. Gypsy Nirvana agreed and PoM eventually ran to the UK where he started, among other things, working as Gypsy Nirvana's IT guy of sorts and helped run the seedsdirect website, until their falling out. A similar story is told with PoM leaving the US for Amsterdam and then working for Gypsy Nirvana. The word is that PoM "is on the run forever from Uncle Sam" or from the Canadian authorities, depending on which version of the story is to be believed.

PoM's best enemy, Gypsy Nirvana, was arrested in August 2013 in the Philippines, where he is awaiting extradition to the US on drug trafficking charges for allegedly manufacturing, exporting, and importing marijuana, and money laundering "after several informants, who were Nirvana's former associates, tipped off US authorities about his activities". While part of the community seems to agree on an individual named Rezdog as being one of the informants, since he fully cooperated with law enforcement, others also see PoM's spirit as being involved in the arrest of Gypsy Nirvana. However, like the obscure story of the grow room in flames, it is close to impossible to verify (screenshot 1 and screenshot 2).

The same characters have been crossing paths over the past 15 years on various cannabis boards and in real life, to eventually reappear on Silk Road after years unheard of. The Variety Jones and ~shabang~ accounts were registered on the Silk Road forum the same day, on June 27, 2011, within a 30-minute interval. With hindsight and an understanding of their past relationship with Plural of Mongoose, it does sound like a very lucky coincidence, to say the least. The old guard is back in the saddle, with Variety Jones the "counsel" and "confidante like no other", and ~shabang~ whom PoM would "trust with his life". Even if it is difficult to know with a high level of certainty who operated the Variety Jones account on Silk Road, the evidence presented above and common sense would tend to lead to Plural of Mongoose rather than to a copycat who would have disseminated hints of being PoM, over the course of a couple of years, to a Dread Pirate Roberts, along with anyone else around, who would never have heard of Plural of Mongoose before anyway. We don't have much information on the erstwhile Variety Jones since most of the boards where he is said to have been active under this nym are now gone. We know that he was a cannabis breeder and seems to have been a different person than PoM, but that's about it. His reincarnation lived in the UK, sold cannabis seeds on Silk Road, has an IT background, a gifted silver tongue and Plural of Mongoose paw prints all over.

Then we have ~shabang~, who also has both the technical background and the deep knowledge of the scene to be a hand in the shadows driving the operations, but who hadn't been seen in recent years, at least under this nym. Interestingly, ~shabang~ also worked for seedsdirect.to around 2000, the Gypsy Nirvana seed bank PoM also worked for. Indeed, ~shabang~ created an early version of seedsdirect.to, as shown by the footer and the source code of the site, further establishing the long, interlaced and very confusing connection between PoM, ~S and Gypsy Nirvana. In one post on the Silk Road forum, Variety Jones comes back after a long period of time without posting and says that he "just returned from an 8 month sabattical, and SR sure is wicked fast today!". As anyone who has been around OG will know, having a "sabbatical" is heavily associated with ~shabang~, who sometimes calls it a "shabatical" and for whom it seems to have been a hobby at OG. The difficulty here is to establish whether the ~shabang~ account was also operated by PoM or not. Shared handles are common practice within the cannabis community, and it isn't unheard of that a single account is used by several people or that a "known and respected" moniker is registered by someone else, creating interesting trolling opportunities. In any case, as we suggested earlier, the Yubikey project heavily hints at ~shabang~ being involved much more than his public posts would let one imagine at first glance.

The events surrounding the demise of overgrow.com and its associated characters seem to have been pillars of the shadow history of Silk Road, establishing at the same time the beginnings of a Canada-UK connection which, almost ten years later, saw the emergence of shady and intriguing characters who wrote some of the darkest moments of the Silk Road marketplace. It is clear that, unlike Ross Ulbricht, the likes of Richard Baghdadlian, Gypsy Nirvana, ~shabang~, Plural of Mongoose, and so on and so forth, knew the ins and outs of the game far better than Ross ever did. Having been part of the cannabis scene for a very long time, they have all been through the blackmailing, busts, scams, undercover operations, snitching, sock puppet trolling and fake assassination drama before: nothing new, but history being replayed with Dread Pirate Roberts this time singing lead vocals. While Ross Ulbricht's idea of creating Silk Road wasn't yet even an embryo of a concept, Plural of Mongoose was publishing a series of articles on how to protect one's privacy online, warning 56K modem users about the length of the page. Another era.

We tried to put together pieces of the puzzle surrounding the mysterious Variety Jones, but it involves quite a complex web of underlying identities and history that is difficult to untangle, as the original forums (OG and PG) where all those guys were active have been wiped from the Internet and seem to be available only through private backups. There is however one person who should be able to shed light on the incestuous relations of Variety Jones, Plural of Mongoose and ~shabang~, but he has been sitting in a cell in Manila since the end of August 2013.

The trojan skull

02/02/2019

On May 29th, 2015, after 13 short days of trial, Ross Ulbricht a/k/a Dread Pirate Roberts (DPR) is sentenced to life in prison without the possibility of parole for his role in creating and running the online black market, Silk Road (SR). At trial, the U.S. government's key witness was Homeland Security Investigations (HSI) Special Agent Jared Der-Yeghiayan (JDY). JDY infiltrated the Silk Road staff by taking over the Silk Road moderator account Cirrus. This undercover account will eventually be used to collect evidence against DPR and ensure he would be online when arrested. JDY was asked several times about the circumstances in which he took over the Cirrus account. When first asked by the government when he started operating the Cirrus account, JDY vaguely replied "July 2013".

TURNER: And what was the name of your support staff account that you eventually took over?

JDY: The name was Cirrus.

TURNER: When did you take that account over?

JDY: It was July 2013.

Later on, again during direct examination, JDY is asked another time when he took over the Cirrus account, and this time he gave a slightly more precise answer, "Late July 2013".

TURNER: What was the username associated with the support staff account that you took over?

JDY: It was cirrus.

TURNER: How do you spell that?

JDY: C-I-R-R-U-S.

TURNER: And approximately, when did you take over the cirrus account?

JDY: It was late July 2013.

A few minutes later, JDY is asked again, by Judge Katherine Forrest, when he first took over the Cirrus account, and this time he provided a time frame.

THE COURT: What was the approximate date when you took over the account, sir?

JDY: Approximately July 26, 27th of 2013.

JDY confirmed that he took over the Cirrus account on or about July 26, 27th of 2013, implying that he had by then full access to the account. During cross-examination this time, Joshua Dratel, Ross Ulbricht's attorney, presses further along the same line of questioning about when the Cirrus account was taken over.

THE COURT: That's all right. That's okay. I didn't know if I needed to look at it. I have the witness'. Let me take a quick look. All right. As of August 2, 2013, were you cirrus?

JDY: August 2, I was; yes.

THE COURT: All right. And how about July 23?

JDY: I was not.

THE COURT: You were not cirrus on July 23rd?

JDY: No.

As some readers might know, July 23, 2013 is an important date in the Silk Road timeline, as it is the date the Silk Road server 193.107.86.49, in Iceland, was forensically imaged by the FBI. Unsurprisingly, JDY was also cross-examined by Dratel about the support he provided to the FBI to successfully image the Silk Road server.

DRATEL: Did you tell the FBI a specific time that would be a good time to take down the servers?

JDY: I did.

DRATEL: And that was because you said there wouldn't be a lot of administrative work on the site and so that -- is that right, there wouldn't be admins?

JDY: There wouldn't be administrative action on the site, yes.

DRATEL: That was because you wanted it to be done in a way that nobody could notice, right, if possible?

JDY: I would think, yes.

It looks pretty clear from the excerpt above that JDY was in a privileged position, or at least a "good enough" position, by July 23, 2013, to provide guidance to the FBI New York about when would be a good time to image the Silk Road server. According to law enforcement briefs and news reports, the different agencies investigating Silk Road had from time to time an unhealthy cooperation, and inter-agency information sharing didn't seem to be the norm. As context often matters, one might wonder why the FBI NY would rely on information provided by an HSI Special Agent based in Chicago, as was clearly the case according to JDY's testimony, if he wasn't operating a privileged account. Any agent on the FBI/HSI Silk Road task forces would have been able to pick a date if it was just a matter of choosing "a right moment" to image the server from a "normal" user's point of view, but that's not what happened. The FBI specifically requested JDY's opinion as to when it would be the "right" moment to image the server because he knew "there wouldn't be administrative action on the site", minimizing the risk of the work to clone the server being noticed by Silk Road staff.

There is however a small and rather interesting discrepancy in JDY's explanation: JDY previously testified that at the time the server was imaged, on July 23, 2013, he was not operating the Cirrus account. If he wasn't operating the Cirrus account, how did he find himself in a position to pick a date to image the server "knowing" there wouldn't be administrative action on the site at this period?

In order to find out, we need to take a step back and put things in context. In a previous story, Trawling the flotsam of the Silk Road Shpwrck, we speculated that Scout had been raided due to her Bitcoin services activity or that she gave up her account voluntarily to the HSI undercover agent "mr.wonderful", but things might have played out a bit differently.

Following Ross Ulbricht's arrest, investigators found on his laptop a file, "LE_counterintel.txt", containing information that appeared to have been based on insider knowledge of the federal investigation into Silk Road. One of the sources of information, identified by the alias East India Traitor (EIT), contacted Dread Pirate Roberts via the Silk Road forum to provide him with intelligence that he allegedly gathered from being interviewed by law enforcement agents after doing 6 months federal time in a DRAP program for SR related crimes. Interestingly, Ross Ulbricht's defense says that they have determined the identity of EIT, without revealing it, but that it could also have been the rogue DEA agent Carl Force IV. It is difficult to assess the veracity and accuracy of the information provided by EIT; however, we might be able to shed some light on EIT's background.

EIT created an account on the Silk Road forum on July 27, 2013, followed by a somewhat cryptic "Welcome to the show fuckers" post about Silk Road security. Based on his 44 archived posts and the information he privately shared with Dread Pirate Roberts, EIT appears to have a good understanding and knowledge of Silk Road. However, despite his operational security pro-tips, he managed to leak enough info to link his East India Traitor account to what we believe to have been his main account since Silk Road's inception.

Through his forum posts and private discussions with DPR, EIT disseminated a few pieces of personal information. We learn, for example, that he is a graphic designer and that his favorite strain of weed is the "Pre98-Bubba Kush". In DPR's "LE_counterintel.txt" file, he is quoted comparing Silk Road to a "revolution" and a "pseudo-revolution". Another interesting bit of information we learn from EIT is that he has knowledge of the "old timers" from the Open Vendor Database (OVDB) days. Searching the Silk Road forum archives for users with those characteristics, and drawing on our own informed understanding of the Silk Road ecosystem and users, one single profile stands out: the former Silk Road moderator Nomad Bloodbath.

Nomad Bloodbath joined Silk Road in the early days after having heard of the marketplace on 4chan in December 2010. A few months later, around June 28, 2011, he is offered a moderator position after he, and other members, decided to create an FAQ thread on the Silk Road forum for the newcomers. With over 4000 posts, Nomad Bloodbath was one of the most respected members of Silk Road, bringing heart and soul to his moderator job and contributing to the Silk Road revolution. The story goes that Nomad felt undervalued by Dread Pirate Roberts for all the work he did to maintain the forum in good shape, and over time a toxic relationship grew between Nomad Bloodbath and DPR, resulting in Nomad allegedly quitting his moderator position sometime in late 2012 or early 2013 (a conservative date being around January 2013, but no formal post was ever made about Nomad quitting).

Reading through the thousands of posts of Nomad Bloodbath, one can notice similarities with East India Traitor. Nomad's "all time favorite" cannabis strain also happens to be Pre98 Bubba Kush. Like EIT, Nomad often referred to the "Silk Road revolution", even dubbing himself "Silk Road Revolutionary" on his forum profile. Having been on Silk Road since the beginning, Nomad was also familiar with the Open Vendor Database (OVDB) and some of its vendors, like Envious and Enelysion, whom, like EIT, Nomad misspells "Eneylsion". As for the graphic designer, it was no secret that Nomad was Silk Road's artistic touch, selling designer and custom designed artwork in the form of collectible toys on his vendor page.

Nomad's last post on the public forum is dated April 1, 2013, but he eventually came back and posted in the vendor-restricted area of the forum, the vendor roundtable, two months later, on May 24, 2013, announcing a vacation break: "Currently my IRL time is filled with much more important personal things and frankly my politics simply do not align with Silk Road's pseudo-agenda" ("pseudo-revolution" anyone?). However, before leaving for good he offered Silk Road vendors his famous chalkboard skulls for 50% off and free shipping. On that same day he also decided to get rid of his two-year-old PGP key and silently replace it on his vendor page with a new one. How do we know? The last PGP key available on his vendor page was also created on May 24, 2013, as shown by the metadata:

gpg: armour header: Version: GnuPG v2.0.17 (MingW32)
pub 2048R/B999A8A9 2013-05-24 nomad bloodbath < email address >
sig B999A8A9 2013-05-24 [selfsig]

To summarize, we have one of the most trusted members of the Silk Road community and ex-moderator, Nomad Bloodbath, who comes back after months without posting to announce he is about to take a "vacation break" from Silk Road. After 2 and a half years using the same PGP key, he decides to "silently" change keys to sell... toys and chalkboard skulls. It does look like the perfect plan for law enforcement to gather vendors' and moderators' addresses upon delivering one of those harmless toys. And yes, we believe that at this point Nomad Bloodbath's account was compromised and controlled by law enforcement.

One of Nomad Bloodbath's lucky customers, who ordered and seems to have received a skull following Nomad's announcement, is forum moderator samesamebutdifferent (SSBD). On June 20, 2013, more or less a month after Nomad's "vacation break" post, SSBD posted that he had "one [skull] in transit". If Nomad's account was indeed compromised, it could explain why, when the indictment against the Silk Road moderators and administrators Inigo, Libertas and SSBD was unsealed on December 20, 2013, SSBD was the only one who had his other aliases listed, as "samesamebutdifferent" a/k/a "Batman73" a/k/a "Symmetry" a/k/a "Anonymousasshit". Inigo and Libertas were also known to have used other aliases; however, none of those aliases appeared in the indictment, hinting that SSBD's background had been investigated further. We do not know whether SSBD provided his personal address or a drop; however, it surely provided LE with his buyer account(s) and a geographic location to organise surveillance.

Another interesting document, which reinforces our theory that Nomad had been compromised and SSBD's identity uncovered early, and which seems to have been overlooked, is Exhibit 7, part of a Reply Memorandum of Law submitted on behalf of defendant Ross Ulbricht in support of his motions for a new trial. It is a copy of an email exchanged between JDY and one of his HSI colleagues discussing their investigation and how not to look like "complete fools" due to the "HSI Baltimore Gang" behaviour.

The email is dated September 20, 2013 (emphasis added):

Baltimore can have a few vendors of our choosing - as well as the ability to say they "helped" ID some of the admins by "allowing" NY to use OUR UC account to identify some of the lower admins, and they can have sloppy seconds on DPR for their murder for hire. They can also have some info on other bitcoin companies that MK might name is shady after we get done with him.

That's the best that can be given and they should consider themselves lucky for getting anything close to that. Or we can just stall, and Baltimore gets nothing and we contributed to the other two admins getting away [redacted]. We'll get no HSI banner on the site, and will probably get no cooperation from NY with any information related to MK. If DPR names MK in the interview and we didn't help them get the other admins when we had the chance - NY will leave us out of it and tie him into their conspiracy. We will then be left dealing with HSI Baltimore's tears and them then trying to take [redacted].

At the time of this exchange between HSI Agent JDY and his colleague, the known Silk Road administrators/moderators (both terms being used loosely here) were Inigo, Libertas, SSBD, and the undercover account Cirrus, operated by Special Agent Jared Der-Yeghiayan. The wording of the first redacted sentence seems to imply that prior to the arrest of Ross Ulbricht and the discovery of the staff IDs on Ross' laptop, only two staff members were still not clearly identified. The use of "The other two admins" in the sentence also hints at JDY including all members of staff under the "admin" umbrella, since only Libertas and Inigo were administrators on the market. We believe that by September 2013, when the email exchange occurred, at least one other staff member had previously been identified (we're not including Flush and Scout for the obvious reason that we know both had already been raided). For the reasons explained above it is highly likely that SSBD had already been identified by law enforcement prior to DPR's arrest, leaving only the identities of "The other two admins", Libertas and Inigo, to be determined.

The main LE investigation teams working on the Silk Road case were based in Baltimore (DEA/HSI), Chicago (HSI) and New York (FBI). Can we speculate on which team took over Nomad Bloodbath's account? It seems that JDY, again during Ross' trial, might have provided part of the answer when Dratel questioned him about the circumstances in which he took over Scout's account (emphasis added).

DRATEL: One of your challenges in getting Scout to relinquish her account and give you access to Scout, and then ultimately to Cirrus, was how to convince Scout that you were law enforcement and that DPR was tricking her -- him you thought at the time but her and that her better option, or Scout's better option was to go with the law enforcement, you had to do that online in a way that didn't impair the investigation, correct?

MR. TURNER: Objection to form.

THE COURT: If you understand the question, you can answer it.

DRATEL: I --

DRATEL: I will break it down.

JDY: I guess the response is that I wasn't -- I didn't portray myself as law enforcement to Scout. That was another agent that did that. I had another account at that time that I was utilizing to talk to Scout that they did not know -- I wasn't portrayed as law enforcement.

DRATEL: But that was a challenge for the investigation, correct, as a whole?

JDY: A challenge, I'm sorry, to?

DRATEL: To convince Scout, whether it was you or a colleague of yours, to convince Scout that DPR was tricking Scout and that Scout's better option was to essentially align with law enforcement?

JDY: That was another agent's goal with another account that they were utilizing. My particular goal with the account that I was utilizing was to try to get Scout to buy something from me which would then result in exchanging their name and address.

DRATEL: Right. That is ultimately what happened, right?

JDY: That is what happened.

DRATEL: I'm saying, the other agent's challenge was this other aspect of trying to do something online that would convince Scout to essentially relinquish her account to law enforcement?

JDY: Correct.

Here we go. We learn from JDY's cross-examination that he was using an undercover account, not portraying himself as law enforcement, to talk to Scout, trying to convince her to buy "something" that would result in obtaining Scout's name and address. We believe that it eventually happened and led to Scout being raided at some point in June/July 2013. We previously thought that Scout had been identified due to the Bitcoin exchange she was running on Silk Road under the alias CaptainMal; however, we did not find at the time any confirmation that she kept her Bitcoin exchange running on Silk Road after she was promoted to forum moderator.

With the new theory discussed above, we would now be more inclined to believe that Scout's arrest was the result of her providing her name and address to JDY operating Nomad Bloodbath's account, the same way SSBD did. Scout was appointed forum moderator after Nomad Bloodbath requested some help to moderate the forum, and it is easy to imagine that a certain degree of "trust" grew between them while working together on the forum.

Unfortunately we can only speculate as to what happened, as we didn't find any reference to Scout ordering a skull or other toys from Nomad. However, Nomad being arrested and his account taken over by JDY to reach the other Silk Road moderators (Scout, SSBD) fits the investigation timeline nicely.

Last, but maybe not least supporting this theory, the PGP keys.

We mentioned earlier Nomad Bloodbath's sudden change of PGP key in late May 2013. We found another PGP key that could also be associated with Nomad Bloodbath, or with someone trying to impersonate Nomad Bloodbath, and that was created a couple of weeks later, on June 12, 2013. Analysis of that key yields an interesting result. As defined by RFC 4880, the OpenPGP format specifies constants for the public-key, symmetric-key, compression and hash algorithms, among other parameters, to be used by PGP implementations. It is then more or less up to the implementation to decide which algorithms are implemented and used by default. In a nutshell, depending on the PGP software used, its version and the underlying operating system, a set of parameters will be used by default when creating a PGP key, regardless of the key size.

For example, Nomad Bloodbath's key created in May 2013 has the following preferences and characteristics:

The public key was likely created using a Windows operating system, as suggested by the version header, MingW32, which is consistent with Nomad Bloodbath's 2011 public key as well as his use and recommendation of GNU Privacy Assistant (GPA) on Windows.

gpg: armour header: Version: GnuPG v2.0.17 (MingW32)

The next block represents the "metadata" of the key:

:signature packet: algo 1, keyid 8F806FCE994525F0
version 4, created 1304617333, md5len 0, sigclass 0x13
digest algo 2, begin of digest 81 03
hashed subpkt 2 len 4 (sig created 2011-05-05)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 8F806FCE994525F0)

The metadata can be explained as follows:

We can also note that the key doesn't have an expiry date.

In comparison, the Nomad Bloodbath PGP key generated a few weeks later, on June 12, 2013, has the following preferences and characteristics, strongly indicating that it was generated using a different software, version of PGP and/or operating system.

:signature packet: algo 1, keyid 30D1715931717798
version 4, created 1371038457, md5len 0, sigclass 0x13
digest algo 10, begin of digest 7a 83
hashed subpkt 2 len 4 (sig created 2013-06-12)
hashed subpkt 27 len 1 (key flags: 2F)
hashed subpkt 9 len 4 (key expires after 4y1d0h0m)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 30D1715931717798)

Although the version header is not present, further research on a set of Silk Road users' public keys tends to show that those preferences and characteristics are common to keys generated by MacGPG2 for MacOSX users. From the several screenshots disclosed during Ross' trial we know that JDY was also using MacGPG2 for MacOSX and, in what might not be a coincidence, the other known JDY undercover account, Cirrus, used a PGP key with very similar metadata and key properties to Nomad Bloodbath's June 2013 PGP key. The metadata below is common to both.

Cirrus and Nomad bloodbath PGP keys

We believe this further links JDY to both undercover accounts, Nomad Bloodbath and Cirrus.
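The comparison of key preferences described above can be reproduced mechanically. The following is an added example, not tooling from the original research: it parses the two `gpg --list-packets` style dumps quoted on this page, decodes the numeric identifiers using the RFC 4880 tables, and reports which generation-time settings differ. The function and field names are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Algorithm identifiers from RFC 4880, sections 9.2 (symmetric),
# 9.3 (compression) and 9.4 (hash).
SYM = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
       7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
ZIP = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
        9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Key-flag bits from RFC 4880, section 5.2.3.21.
FLAG_BITS = [(0x01, "certify"), (0x02, "sign"), (0x04, "encrypt-comms"),
             (0x08, "encrypt-storage"), (0x10, "split"),
             (0x20, "authenticate"), (0x80, "group")]

# Both dumps are copied verbatim from this page.
DUMP_A = """\
:signature packet: algo 1, keyid 8F806FCE994525F0
version 4, created 1304617333, md5len 0, sigclass 0x13
digest algo 2, begin of digest 81 03
hashed subpkt 2 len 4 (sig created 2011-05-05)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 8F806FCE994525F0)
"""
DUMP_B = """\
:signature packet: algo 1, keyid 30D1715931717798
version 4, created 1371038457, md5len 0, sigclass 0x13
digest algo 10, begin of digest 7a 83
hashed subpkt 2 len 4 (sig created 2013-06-12)
hashed subpkt 27 len 1 (key flags: 2F)
hashed subpkt 9 len 4 (key expires after 4y1d0h0m)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 30D1715931717798)
"""

# Settings chosen when the key was generated, as opposed to the
# fields that merely identify the key (key ID, creation time).
SETTINGS = ("digest", "key_flags", "expires", "pref_sym", "pref_hash",
            "pref_zip", "features", "keyserver_prefs")


def _field(pattern, dump):
    """Return the first capture group of pattern in dump, or None."""
    m = re.search(pattern, dump)
    return m.group(1).strip() if m else None


def _names(raw, table):
    """Map a space-separated list of numeric IDs to algorithm names."""
    if raw is None:
        return []
    return [table.get(int(n), "unknown(%s)" % n) for n in raw.split()]


def profile(dump):
    """Build a decoded profile from one self-signature packet dump."""
    created = _field(r"version \d+, created (\d+)", dump)
    digest = _field(r"digest algo (\d+)", dump)
    flags = _field(r"key flags: ([0-9A-Fa-f]+)", dump)
    bits = int(flags, 16) if flags else 0
    return {
        "keyid": _field(r"keyid ([0-9A-Fa-f]{16})", dump),
        "created": (datetime.fromtimestamp(int(created), tz=timezone.utc)
                    .date().isoformat() if created else None),
        "digest": (HASH.get(int(digest), "unknown(%s)" % digest)
                   if digest else None),
        "key_flags": [name for bit, name in FLAG_BITS if bits & bit],
        "expires": _field(r"key expires after ([^)]+)", dump),
        "pref_sym": _names(_field(r"pref-sym-algos: ([\d ]+)", dump), SYM),
        "pref_hash": _names(_field(r"pref-hash-algos: ([\d ]+)", dump), HASH),
        "pref_zip": _names(_field(r"pref-zip-algos: ([\d ]+)", dump), ZIP),
        "features": _field(r"features: ([0-9A-Fa-f]+)", dump),
        "keyserver_prefs": _field(
            r"key server preferences: ([0-9A-Fa-f]+)", dump),
    }


def compare(a, b):
    """Return {setting: (value_a, value_b)} for settings that differ."""
    return {k: (a[k], b[k]) for k in SETTINGS if a[k] != b[k]}


if __name__ == "__main__":
    a, b = profile(DUMP_A), profile(DUMP_B)
    print("A:", a["keyid"], a["created"], " B:", b["keyid"], b["created"])
    for setting, (va, vb) in compare(a, b).items():
        print("%-10s A=%s  B=%s" % (setting, va, vb))
```

Preferences can be changed after generation (for example with the `setpref` command in `gpg --edit-key`), so a matching profile narrows down the likely software but does not by itself identify who operated a key.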

What about July 23, 2013, the date the server was imaged? How did JDY know when it would be a good time to image the Silk Road server if he wasn't controlling the Cirrus account? He might have got the information from Nomad, but it seems very unlikely that Nomad would still be familiar with the admin team rota months after leaving. Scout? JDY testified he wasn't in control of the account until after the Silk Road server was imaged. However, this doesn't mean LE hadn't raided scout yet. Going undercover and infiltrating the biggest darknet market of the time with a moderator account requires a bit of preparation. The BBC documentary "Silk Road: Drugs, Death and the Dark Web" provides us with a bit of context about how the account takeover took place.

JDY explains that after scout was raided he spent three or four days with her for a complete debriefing, learning how to communicate as scout, how the moderators operated and other intel. Having access to cirrus' personal messages and to the restricted area of the Silk Road forum surely provided useful information to the FBI, including when it would be a good time to image the server as "there wouldn't be administrative action on the site".

Does it mean that JDY "lied" about the date of the account takeover by pretending it happened at a later date? Not necessarily; our best theory is that it might be the result of administrative delays and of when the account "officially" became a registered HSI undercover account handled by JDY. The arrest of scout was certainly a big achievement and other agencies probably tried to claim the account for themselves as well, delaying the whole process. We have very little information about when scout was raided and her account eventually taken over. A potential date could be June 19, 2013, logged in the HSI investigation timeline as the day the HSI Chicago and HSI Baltimore "gang" conducted a joint search warrant based on a new target developed by HSI Chicago.

-On June 19, 2013, During a joint SW conducted by HSI Chicago and HSI Baltimore based on a new target developed by HSI Chicago SA McFarland spoke with SA Der-Yeghiayan about the Target A and SA McFarland stated that he had complete control over AUSA Kay and he was the one to decide whether or not Target A would be interviewed. SA McFarland stated that he would honor SA Der-Yeghiayan's request to not pursue or interview Target A.

This would fit the timeline nicely, as Scout's last connection on the Silk Road forum is June 18, 2013, which would have been a day before the raid. However, due to what is sometimes referred to as "emailgate" or the operation "mr. wonderful", it is almost certain that on June 19, 2013 scout had already lost control of her account to DPR and Cimon, which complicates the timeline even more.

During the period of interest, between May 2013 and July 2013, multiple events linked to each other happened more or less simultaneously, making the timeline very confusing. Probably also confused by all the shenanigans, DPR didn't log his weekly criminal activity in his journal for the period of time that interests us. We know now that JDY was actively using Nomad Bloodbath's identity, approaching vendors and moderators trying to sell his skulls; that an undercover LE agent was approaching moderators using the account "mr.wonderful", which eventually resulted in scout being demoted and locked out of her account by DPR; and that a rogue LE agent, under the alias "alpacino", was providing DPR with alleged internal knowledge of the LE investigation (we will keep this one for another time).

The speculative and annotated timeline below tries to streamline the series of events discussed above.

Annotated timeline

We have a few accounts of "mr.wonderful" being operated by an HSI agent, with hints of the DEA playing a role in the background.

JDY: "Mr. Wonderful was operated by another HSI agent."

alpacino: "initially it was a DHS (HSI) or CBP gig but the account is no own by someone at DEA (with few cooks in the kitchen)."

East India Traitor: DEA visited/visits me twice a month... asks me shit, then they brag about their shit. Such as the mt gox bullshit a couple months ago, asking if SR members would go for paid informant work, I sent them on wild goose chases just enough to get them to come share with me more than they could get from me. I in no way snitched out anyone, they are currently trying to get into your staff forum mods esp .. .i suggest they change usernames every month start posts counts back at zero. I suggest you relocate outside usa ... if not already, they are foaming at the mouth which branch of the LE gets credit for your arrest.

Clearly, the "mr.wonderful" operation was an HSI Baltimore business. The description Nomad Bloodbath gives of the DEA agents visiting him, and of the questions related to paid informant work, matches what we know of the "mr.wonderful" operation. Carl Force IV was probably too busy trying to defraud DPR to be directly involved with this one. If we had to guess who was operating the "mr.wonderful" account we would go for SA McFarland: according to the HSI investigation timeline, he had been reassigned the HSI Baltimore case in 2012 because they needed a certified undercover agent, which makes him a good candidate. At this point Nomad Bloodbath's account was compromised and operated by HSI Chicago, according to JDY's testimony.

JDY: That was another agent's goal with another account that they were utilizing. My particular goal with the account that I was utilizing was to try to get Scout to buy something from me which would then result in exchanging their name and address.

Nomad's account will eventually be used to compromise scout and SSBD. It is unknown how Nomad Bloodbath was arrested, but considering he had very poor OPSEC he probably ended up as a low-hanging-fruit controlled delivery. He actually told DPR, using his alias "East India Traitor", that he "did 6 months federal time in a DRAP program for SR related crimes", which led to him meeting the Baltimore gang.

The "someone" mentioned by DPR is "mr.wonderful". Two weeks after "mr.wonderful" created an account on the SR forum and started approaching the forum moderators, DPR is made aware that an alleged LE agent is trying to infiltrate his staff. This is the premise of "emailgate" and will result in Scout and SSBD being demoted for engaging with "mr.wonderful". DPR will then ask Variety Jones/cimon to investigate.

The quote above appears in DPR's diary but the date is unclear. Between June 5th and September 11th, 2013, DPR hasn't dated his journal precisely. The entry above is the first sentence of a blob of text describing events between June 5th and September 11th. DPR likely backlogged his entries at this point, so the June 5th date should probably not be taken too literally, and one can assume the "counter-intel" operation happened, for more than a couple of days, sometime in June 2013.

To "counter intel on DEA's mr.wonderful", DPR took over scout's and ssbd's email and forum accounts, going as far as pretending to be scout online. We can find the credentials of both accounts in DPR's "le_counterintel.txt" file, where he kept information leaked to him about the LE investigation into Silk Road. He probably read through private messages and engaged with "mr.wonderful" to try to get information. By his own words it hadn't been successful.

scout's tormail where he is talking to mrwonderul:
username: scoutsr
password: b311amOn

Symm's tormail talking to mrwonderful:
symmetry2
bjBTrmPzUBhmN3uH

scout, forum
username: scout
pass: nlNlaGKUb1r6sqYY

In a "funny" twist, the "mr.wonderful" operation jeopardised HSI Chicago's own investigation by preventing JDY from accessing scout's forum and email accounts, as an increasingly paranoid and suspicious DPR fired scout and changed her accounts' details, locking JDY out of her accounts. DPR continued posting with scout's forum account so it would seem she was still around. JDY acknowledged at trial that the "mr.wonderful" operation was a challenge for his own investigation.

DRATEL: Did you go back and read posts having to do with Mr. Wonderful?

JDY: I didn't have access to the Scout account to go back to read that. I only had access to the Cirrus account.

Another side effect of the operation mr.wonderful: ssbd, who had just been promoted to admin on the main site, is moved back to the forum by DPR to prevent "mr.wonderful" from approaching his staff. Yeah right? If even JDY finds it difficult to know who is controlling which account, we have little chance. It does however show the general confusion at the time, as highlighted at trial by JDY.

DRATEL: And, in fact, there were times when you thought that DPR might be operating some of the other administrator accounts, right?

JDY: There was, yeah, there was times that we didn't know who was operating what accounts.

JDY: Specifically in this period of time there was multiple things going on with multiple accounts.

DRATEL: And that's June of 2013?

JDY: That was June 2013, yes.

At this point DPR had already confiscated scout's account and it is very likely the latest posts from scout were actually made by DPR. He eventually stopped posting on June 11th. Background activity on the account will however continue until June 18th.

As already discussed above, this could be one of the PGP keys used by JDY to impersonate Nomad Bloodbath.

The last connection of "scout" on the forum happened a day before the joint search warrant, on what we believe could be a possible date for scout's raid. However, again, it is very likely that at this point the "scout" account on the forum was controlled by DPR and/or "cimon" trying to counterintel "mr.wonderful". Funnily enough, the "mr.wonderful" operation likely prevented JDY from accessing "scout"'s forum account and associated inbox.

monik3r is thought to be another alias of scout that she used on IRC, among other places. Weirdly enough, we couldn't find when the account was created and only have access to a few sporadic posts across the forum. Whether the account was operated by "scout" at this point isn't very clear, and it could as well have been used by JDY as a "training" account while debriefing scout. As often, things are a bit unclear, and we were told that DPR, having found out that it was no secret that "monik3r" and scout were one and the same, also took over the "monik3r" account on the SR forum. It could explain the "surreal" exchange between "mr.wonderful" and "monik3r" where mr.wonderful enquires about scout's whereabouts and receives an answer from "monik3r" invoking a "new assignment". Unless JDY was operating the "monik3r" account at this point? Who responded to "mr.wonderful"? The real scout, DPR or JDY?

Following strong lobbying from the moderators/admins (Libertas, Inigo, SSBD) to have scout back in the team, DPR agrees to reinstate scout as global moderator under a new name, Cirrus. Unknowingly, DPR accelerated his downfall by allowing HSI agent Der-Yeghiayan onto his staff.

The quote above, dated July 14th, 2013, seems to show, again, that the scout/cirrus account was taken over before the "official" date, with scout already fully debriefed by JDY and very likely sharing the cirrus account as well as insight on the admin team. Using his "privileged" position as forum moderator and the information debriefed from scout, JDY provides intel to the FBI NY as to when it would be a good time to image the Silk Road server as "there wouldn't be administrative action on the site".

It is pretty clear from the timeline above that scout's account was taken over by LE much earlier than previously discussed at Ross Ulbricht's trial, where the date of July 26, 27th, 2013 was mentioned by JDY. Scout was fully debriefed by LE prior to the Silk Road server being imaged, and the cirrus account was accessed and used by JDY earlier than previously thought, which explains why JDY was in a "privileged position" to pick a date to image the server "knowing" there wouldn't be administrative action.

Ross Ulbricht Trial

Trial Notes

You will find below relevant news and articles about the Ross Ulbricht Trial.

Government and Defendant Exhibits List

A summary of the pre-trial exhibits list is available here (Thanks to Patrick O'Neill)

Torrent of the archive containing all the evidentiary exhibits introduced during Ross Ulbricht's trial available here (Thanks to gwern and Fran Berkman)

The table below summarizes some of the Government and Defendant Exhibits List in Ross Ulbricht trial.

GOVERNMENT & DEFENDANT EXHIBITS LIST U.S. v. Ross Ulbricht, 14 Cr. 68 (KBF)
GX & DX Description
102B Screenshot: match between seizure and listed drug:"Black Kiss Microdots 160 mics [5 pcs]"
113 Screenshots: HSI process in order to purchase bitcoins
113A Example of how a Silk Road payment would be conducted
114 Screenshot: Silk Road orders placed by HSI during undercover purchases
118C Cirrus private messages inbox
119 Screenshot: SR Buyer's guide
120 Screenshot: SR Seller's Guide
121A Screenshot: SR account wutang56567 taken over by Jared Der-Yeghiayan in May 1, 2013
121B Screenshot: SR Seller contract
123 Dread Pirate Roberts' profile page on Silk Road forum, May 9, 2013
126A Private messages between DPR, samesamebutdifferent, inigo, Libertas, and cirrus re: cirrus joins the team
126C Screenshot: SR marketplace: cirrus' account history
126D Private messages between cirrus and DPR re: DPR gives cirrus bitcoins
127 Private message from DPR to cirrus re: instructions for joining secure chat channel
127A Screenshot: Dread Pirate Roberts forum and chat login status
127B Chat from 7/29/13 between cirrus and dread re: errors moving bitcoins
127C Chat from 08/19/13 between cirrus and dread re: post flagging system
127D Screenshot: Silk Road support screen
127E Screenshot: Silk Road discussion page flagged posts support screen
127F Screenshot: SuperTrips, vendor discussion page
129A Screenshot: DPR's connection status after Ulbricht entered library
129B Screenshot: Cirrus entire screen at the time when Dread Pirate Roberts came online.
129C Chat log between Dread Pirate Roberts and Cirrus just before the arrest
129E Screenshot: chat window on Cirrus computer approx 5 hours after arrest
130 Papers recovered from trash bin of Ulbricht residence
131 Screenshot: Forum posts of Dread Pirate Roberts discussing the feedback and the buyer ratings
132 Screenshot: Silk Road homepage on October 1, 2013
133 Screenshot: Dread Pirate Roberts' Silk Road profile with PGP public key
134 Ross Ulbricht's passport
150 Screenshot: silkroadmarket.org domain information
200A Ulbricht laptop Drive/Image verification
201A Photograph depicting chat with Cirrus on Ulbricht laptop
201C Photograph depicting Ulbricht laptop logged into SR support panel
201D Photograph depicting active programs on Ulbricht laptop including active chat with Cirrus
201G Photograph depicting "Dread Pirate Roberts" icon on chat program
201H Photograph depicting active programs on Ulbricht laptop including active chat with Cirrus (close-up)
201K Photograph depicting SR support panel
DX J PHP Script: support.php (Defendant's Exhibit)
201M Photograph depicting admin panel login screen
211 Screenshot: /home/frosty/ subdirectory on Ulbricht laptop
212 Screenshot: /var/www/market/ subdirectory on Ulbricht laptop
212A Screenshot: /var/www/ subdirectory on Ulbricht laptop
212B Screenshot: /var/www/market/application/views/mastermind/mastermind.php file on Ulbricht laptop
213 Screenshot: /var/lib/mysql/market/ subdirectory on Ulbricht laptop
214 Screenshot: /home/frosty/.bitcoin/wallet.dat Bitcoin wallet file on Ulbricht laptop
215 Screenshot: /home/frosty/.torcchat/ subdirectory on Ulbricht laptop
216 Screenshot: /home/frosty/backup/reference/IDs
222 Torchat log with sSh
222A Torchat log with sSh (April 20, 2012 through April 21, 2012)
223 Torchat log with flush
224 Torchat log with h7
225A Torchat log with scout
225B Torchat log with scout
226A Torchat log with vj
226B Torchat log with vj
226C Torchat log with vj
226D Torchat log with vj
226F Torchat log with vj
226G Torchat log with vj
226I Torchat log with vj
227A Torchat log with cimon
227B Torchat log with cimon
227C Torchat log with cimon
227D Torchat log with cimon
227E Torchat log with cimon
227F Torchat log with cimon
227G Torchat log with cimon
227H Torchat log with cimon
227I Torchat log with cimon
228 Torchat log with r
229A Torchat log with inigo
229C Torchat log with inigo
229D Torchat log with inigo
229E Torchat log with inigo
231A Torchat log with smed
231B Torchat log with smed
231C Torchat log with smed
232A Torchat log with da
232B Torchat log with da
232C Torchat log with da
DX E Chat between "Dread Pirate Roberts" and "DeathFromAbove"
XXX Torchat log of communications between Dread Pirate Roberts, nob, inigo and cimon discussing the bitcoin theft and Curtis Green assassination
XXX Torchat log of communications between Dread Pirate Roberts and Variety Jones discussing investment of Silk Road profit
240A 2010 journal recovered from Ulbricht laptop
240B 2011 journal recovered from Ulbricht laptop
240C 12/29/2011 journal entry recovered from Ulbricht laptop
240D 01/01/2012 journal entry recovered from Ulbricht laptop
241 Silk Road Log, 3/20/2013 through 9/30/2013
242 Silk Road Weekly Report for week of January 4, 2013
243 DPR's "LE_counterintel.txt" file
250 Silk Road Expense Report, starting in July 2010
251 Net Worth Calculator Spreadsheet
254 Silk Road prospective employee interview question list
255 Silk Road Weekly To Do List
256 Andrew Jones Driver’s License
264 Servers spreadsheet
268 Silk Road down for maintenance message
269 DPR pgp key
270 Email correspondence between Ulbricht at Arto, dated 9/15/2009, regarding tor hidden services
271 Manual entitled "The Construction & Operation of Clandestine Drug Laboratories, Second Edition"
272 2 Photograph of narcotics and white board with message stating "PROOF SILK ROAD SEPT 20, DPR <3"
273 Scanned copies of Ulbricht's passport and Texas identification card
274 Webcam photograph of Ulbricht
280 Instruction to install Pidgin and add user dread
290 Commonwealth of Dominica Economic Citizenship Program
291 Government of Dominica disclosure form
295 Richard Page alias
296 Silk Road pgp private key and GPG Key Chain Access
297 Screenshot: Files stored on Ross Ulbricht's 16 gig thumb drive
298 Silk Road Log, 3/20/2013 through 9/30/2013 PARTIALLY UNREDACTED VERSION
XXX Silk Road Log, 3/20/2013 through 9/30/2013 UNREDACTED VERSION
317 Image of Pidgin window with smed and mg
501C Photograph of Ross Ulbricht laptop open chat session between Dread Pirate Roberts and cirrus
600 Seizure banner that replaced the contents of the Silk Road homepage
602 Picture of Silk Road backup server 207.106.6.25
607 Screenshot: Bitcoin address created for the government to seize all of the bitcoins from Ross Ulbricht's laptop. FBI Address 1FfmbHfnpaZjKFvyi1okTjJJusN455paPH
620 Bitcoin transactions from Silk Road Marketplace to the addresses found on Ross Ulbricht's laptop
620C BITCOIN/US Dollar exchange rate
901 Silk Road server ssh authorized_keys for frosty@frosty and root@bcw
910 Screenshot: Silk Road homepage running on FBI server
911 Screenshot: Silk Road Drugs category
918 Screenshot: Silk Road support page
919 Screenshot: Silk Road "mastermind" screen
935 Private messages between shefoundme and KingOfClubs
936 Private messages between DPR, RealLucyDrop, FriendlyChemist and redandwhite
940 Silk Road sales data 02/06/2011 - 10/02/2013
940A Breakdown of Total Categorized Silk Road Sales
940B Sales of Fake IDs, Forgeries & Passports
940C Silk Road sales in Money-Related Categories
940D Silk Road Transactions January 2011- October 2013
940E Total Silk Road Sales of Selected Drugs

Notes

  1. A copy of the forum is available in the download section in case it is shut down.
  2. An extract of all chronicpain posts on the Silk Road forum, thus including the quotes, is available in the "key users" archives.
  3. The exact links to the different posts discussed are left as an exercise to the reader.
  4. Alleged weak LSD blotters ("the seeds of life print") shipped by Lucydrop beginning of February 2013.
  5. redandwhite bitcoin address is 1MwvS1idEevZ5gd428TjL3hB2kHaBH9WTL.
  6. The screenshot is dated Dec. 27, 2013, at the date of the creation of the account V didn't have any privilege. He was granted Global Administrator privileges Dec. 23, 2013.
  7. The screenshot is dated Dec. 27 2013, after Sarge resigned from his position of Global Moderator so at the time of the account creation the tag Global Moderator should have been next to his username, in place of the current Hero Member.
  8. The screenshot is dated Dec. 27, 2013, at the date of the creation of the account DoctorClu didn't have any privilege. He was granted Global Administrator privileges Dec. 23, 2013.
  9. The story went that DPR2 "mistakenly" signed a post on the SR2 forum using StExo's PGP key and as such proving himself to be StExo. The post was edited by DPR2 and the alleged signature removed. However, we never managed to confirm that StExo's PGP key was used, nor even that the message was electronically signed. Lots of people repeated that version of the story without trying to double-check the facts or consider the alternate possibility that the signature was a simple text-based signature.

Credit and Resources

Download