Search and capture of the owner of Silk Road. FBI Agent Report.

Carder

Ross Ulbricht, creator and administrator of the infamous Silk Road website, was sentenced by a court to two life sentences. The minimum term that he could count on as a major drug dealer is 20 years. But he was found guilty on seven counts, including both drug dealing and money laundering.

In addition to running the site, Ulbricht is accused of trying to hire a hitman to "remove" one of his employees, whom Ulbricht suspected of stealing store funds. But the "hit man" turned out to be an FBI agent. This charge will still be considered by the court.

Identification of the accused, Ross William Ulbricht, known as the "Dread Pirate Roberts".

33. As described in detail below, in the process of identifying DPR it was established that the person in question is ROSS WILLIAM ULBRICHT, the accused, also known as "Dread Pirate Roberts", "DPR", "Silk Road". According to ULBRICHT's profile on Linkedin.com, a professional social networking website where members can post their professional experience and interests, ULBRICHT, 29, graduated from the University of Texas with a Bachelor of Science in Physics in 2006. From 2006 to 2010 he attended the School of Materials Science and Engineering at the University of Pennsylvania. However, ULBRICHT says on his LinkedIn profile that after graduating from this school his "goals" later "changed". ULBRICHT makes it clear that since then he has concentrated on "creating an economic simulation" designed to "give people a direct experience of what it would be like to live in a world without the systemic use of power by organizations and governments." Based on the evidence below, I believe that the "economic simulation" ULBRICHT refers to is Silk Road.

34. To begin with, I spoke with another agent involved in this investigation (Agent-1), who conducted an extensive Internet survey to establish how and when the Silk Road website became known to Internet users. The earliest public reference found by Agent-1 is a post dated January 27, 2011, on the online forum at www.shroomery.org, an information website for "Shroomery" fans. The post, entitled "Anonymous online marketplace?", was created by a user known only by his alias, "altoid". The message contained the following information:

I came across this website called Silk Road. It's a Tor hidden service; it says it allows you to buy and sell anything online anonymously. I'm thinking about buying something there, but I would like to know if there is someone here who has heard about this and can give some recommendations. I found it on silkroad420.wordpress.com which, if you have a Tor browser, will redirect you to the real site tydgccykixpbu6uz.onion. Let me know what you think ...

This was the only post ever made by the user "altoid" on the Shroomery forum, which is evidence, as my training and experience confirm, that the sole purpose of his registration on this forum was to make this post.

35. In the post on Shroomery, "altoid" said that he "learned" about Silk Road through "silkroad420.wordpress.com", which states that Tor users can be redirected through Tor to Silk Road. The address "silkroad420.wordpress.com" is an account on a blogging site known as Wordpress. According to records received from Wordpress, the account "silkroad420" was registered on 1/23/2011 - just four days before the "altoid" post appeared on the Shroomery blog. (The account was registered anonymously by a person who, judging by the IP address used, was connected to the Internet using Tor.)

36. After the Shroomery post appeared on 01/27/2011, the next mention of Silk Road on the Internet discovered by Agent-1 is a post made two days later, 01/29/2011, on bitcointalk.org, an online discussion forum dedicated to Bitcoin ("Bitcoin Talk"). This post was also made by a person using the pseudonym "altoid". The post appeared in a long discussion thread started by other Bitcoin Talk users regarding the possibility of a heroin store with Bitcoin settlements. In this message, "altoid" writes:

Great discussion! You guys have a lot of great ideas. Has anyone seen Silk Road yet? It's like an anonymous amazon.com. They hardly have heroin, but they sell a bunch of other interesting stuff. They simply use bitcoin and tor together to conduct anonymous transactions. It's here - tydgccykixpbu6uz.onion. For those unfamiliar with Tor, visit silkroad420.wordpress.com for instructions on how to access the .onion site.

Let guys know what you think about it.

37. Based on my background and experience, the two posts created by "altoid" on Shroomery and Bitcoin Talk are attempts to generate interest in the site. The fact that "altoid" made two similar posts about this site in two completely different discussion forums, two days apart, indicates that "altoid" was during this time visiting various discussion forums whose users could potentially be interested in Silk Road, looking for a way to promote the site among forum participants - which, based on my training and experience, is a standard marketing tactic for new websites. What's more, the fact that altoid ends both posts with the phrase "Let me know guys what you think about this" suggests that altoid was interested in more than just sharing his experience with Silk Road, but also wanted to get feedback from other users, again in line with his intention to promote and improve the site.

38. Upon further investigation of the Bitcoin Talk forum, Agent-1 discovered another message left by "altoid" on the forum on 10/11/2011, about 8 months after the Silk Road post. In this later post, made in a separate and unrelated thread, altoid reports that he is looking for "IT pros in the Bitcoin community" to hire in connection with "a single startup project using Bitcoin". In the message, interested participants were encouraged to send their proposals to the address "rossulbricht at gmail dot com" - indicating that "altoid" is using the email address "rossulbricht@gmail.com" ("Ulbricht's Gmail Account").

39. According to user records obtained through Google, Ulbricht's Gmail account is registered under the name "Ross Ulbricht". Records indicate that Ulbricht has an account on Google+, a social networking service maintained by Google. After examining Ulbricht's publicly available Google+ profile, I found out that it contains a photo of him that matches the photo on Ross Ulbricht's LinkedIn profile, as mentioned in paragraph 33.

40. A visit to Ulbricht's Google+ page also revealed that it contained links to a specific website that DPR regularly cited in his forum posts. In particular:

a. Ulbricht's Google+ profile contains a list of his favorite YouTube videos, which includes videos from mises.org, the site of an organization called the Mises Institute. According to its website, the Mises Institute considers itself the "world center of the Austrian School of Economics." The website allows visitors to register and create a profile. By researching the publicly available archived version of this site, I found a user profile named "Ross Ulbricht" that contained a user picture matching the photo of "Ross Ulbricht" on the Google+ and LinkedIn profiles.

b. Based on my knowledge of DPR's posts on the Silk Road forum, I know that DPR's user signature on this forum contains a link to the Mises Institute website (one of two links included in his signature). Moreover, in separate forum posts, DPR cites "Austrian Economic Theory" as well as the work of Ludwig von Mises and Murray Rothbard, economists associated with the Mises Institute, as providing a philosophical justification for the existence of Silk Road.

41. The investigation also established that in early June 2013 Ulbricht lived in San Francisco, California, near an Internet cafe from which a connection was made to the server used to administer Silk Road. In particular:

a. I studied records received from Google containing logs of the IP addresses from which Ulbricht's Gmail account was logged into from 01/13/2013 to 06/20/2013. The IP logs show that during this time the account was regularly accessed from a specific Comcast IP address. According to the records received from Comcast, this IP address at the specified access times was registered at a specific address on Hickory Street, San Francisco, California. Another person is registered at this address, who, as I know, is Ulbricht's friend in San Francisco (hereinafter referred to as the "Friend"), with whom Ulbricht stayed when he arrived in San Francisco in approximately September 2012, as evidenced by a video posted on YouTube in which both friends are filmed in circumstances supporting these considerations.

b. Based on my research of DPR's private correspondence retrieved from the Silk Road web server, I know that DPR regularly specified the Pacific Time Zone when referring to the time. For example, in one personal message dated 4/18/2013, DPR tells another Silk Road user: "It's about 4pm PST. I have some business to do." Based on my training and experience, I believe this pattern suggests that DPR is physically located in the Pacific Time Zone, which of course includes San Francisco, California.

c. Further, based on the results of the forensic analysis of the Silk Road web server, I know that the server contains code that was once used to restrict administrative access to the server, so that only a user with a specific IP address specified in this code could access it. Based on my training and experience, as well as my understanding of how access to a server is generally configured, I believe that this IP address belongs to a VPN server - in effect, a secure gateway through which DPR could remotely connect to the Silk Road web server from his computer. The IP address of the VPN server belongs to a server hosted by a certain hosting company, which, under a court order, provided data regarding the specified VPN server. The records show that the contents of the VPN server were destroyed by the user renting it *. However, the records contained the IP address from which the user connected to the VPN server during the last communication with the server, on 06/03/2013. This IP address belongs to Comcast, whose records, obtained by court order, indicate the location as an Internet cafe on Laguna Street, San Francisco, California. This cafe is located less than 500 feet from the Friend's address on Hickory Street, from which Ulbricht regularly connected to his Gmail account - including several times on 06/03/2013, according to Google records.

* The code containing the IP address of the VPN server was "commented out" on the Silk Road web server, which means that it was inactive as of 07/23/2013, when the server was imaged. From studying DPR's private correspondence recovered from the Silk Road web server, I know that on May 24, 2013, a Silk Road user sent him a personal message warning that "some external IP address was leaked" from the site, and giving the IP address of the VPN server. Based on my training and experience, I believe that in response to this message DPR deactivated the code containing the IP address of the VPN server, then destroyed the contents of the VPN server, and then changed the way he accessed the Silk Road web server, which he used thereafter ...

d. Based on my training and experience, this evidence confirms the presence of the Silk Road administrator, namely DPR, in approximately the same area as Ulbricht, at the same time.

42. The investigation also found that by July 2013 Ulbricht had moved to a different address in San Francisco, where he received a package containing several fake identity documents, while DPR was known to be looking for similar documents on Silk Road. In particular:

a. Based on the results of studying the investigation report received from US Customs and Border Protection (CBP), I became aware of the following:

i. On approximately July 10, 2013, as part of the standard border check procedure, CBP intercepted a package coming from Canada. 9 fake IDs were found in the package. All of the forged documents were issued in different names, although all contained a photograph of the same person. The package was addressed to a recipient at an address on 15th Street in San Francisco, California ("15th Street Address").

ii. On or about 7/26/2013, agents from the Directorate of Internal Security Investigation (DIOI) visited the 15th Street Address for further investigation. At the residence at this address, agents found ROSS WILLIAM ULBRICHT, also known as "Dread Pirate Roberts", "DPR", "Silk Road", the accused, the person depicted in the photographs on the fake IDs in the package.

iii. The agents showed ULBRICHT a photograph of one of the seized forged documents, which was a California driver's license containing a photograph of ULBRICHT and his real date of birth, but the name of another person. ULBRICHT declined to answer questions regarding the purchase of this and the other IDs. At the same time, ULBRICHT, on his own initiative, said that "hypothetically" anyone could go to the Silk Road website on the Tor network and buy any drugs or fake documents they wanted.

iv. ULBRICHT showed the agents his real state-issued Texas driver's license. He explained that he was subletting a room at the 15th Street Address for $1,000 a month in cash. ULBRICHT said that at the moment two other people lived in the same house with him, who knew him under the assumed name "Josh".

v. The agents also spoke with one of ULBRICHT's housemates, who confirmed that ULBRICHT, whom he knew as "Josh," was always at home in his room at the computer.

b. From a study of DPR's personal communications recovered from the Silk Road web server, I know that DPR contacted other Silk Road users on multiple occasions in June and July 2013 expressing an interest in acquiring fake IDs. For instance:

i. In one exchange dated 7/8/2013, DPR informs another Silk Road user that he "needs a fake ID" which he intended to use to "rent servers", explaining that he is busy "creating his server cluster". Based on my training and experience, I know that server hosting companies often require customers to verify their identity in one form or another. Accordingly, I believe DPR was looking for fake documents in order to rent servers under an assumed name.

ii. In another exchange, dated 06/01/2013, DPR and another Silk Road user, "redandwhite" - the same user whom DPR asked to carry out a contract killing, as mentioned above - agreed to chat at a specific time in an Internet chat, with DPR telling redandwhite: "I have something to discuss with you." Four days later, on 06/05/2013, DPR sent a message to redandwhite: "Hi, I want to clarify where you went with your proposal for a fake ID." Redandwhite replies: "This is my man and he's in the process."

43. Ultimately, the investigation yielded evidence that Ulbricht was in control of the Tor hidden service, as well as confirmation of his association with specific programming code and a specific encryption key found on the Silk Road web server. In particular:

a. From my background and experience, I know that the “stackoverflow.com” (“Stack Overflow”) website is a website used by programmers to post questions about programming problems and get suggestions from other programmers with solutions. According to the posts obtained from Stack Overflow:

i. On 03/05/2012, a user registered an account on Stack Overflow under the name "Ross Ulbricht". Ulbricht provided Ulbricht's Gmail Account as an email address as part of the information required upon registration.

ii. On 3/16/2012 at about 8:39 PM PST, Ulbricht made a post on the site entitled "How can I connect to the hidden Tor service using curl in php?". Based on my training and experience, I know that "PHP" refers to a programming language used for web servers, and "curl" refers to a set of programming commands that can be used in this language. In the content of the post, Ulbricht lists 12 lines of code using "curl" commands, which he says he used "to connect to the hidden Tor service ... using php", but he reports that the code was returning an error. Based on my background and experience, Ulbricht's post suggests that he was writing custom code for a Tor hidden service web server such as Silk Road.

iii. When a user makes a post on Stack Overflow, their name appears next to that post. However, less than one minute after the post described in the previous paragraph was published, Ulbricht changed his username from "Ross Ulbricht" to "frosty". Based on my training and experience, I know that criminals, in their efforts to hide their identity online, often use pseudonyms in order to make themselves difficult to identify. Thus, taking the timing into account, I believe that Ulbricht changed his username to "frosty" in order to disguise his association with the post he had made one minute earlier, realizing that the post was publicly available to any Internet user and spoke of his involvement in the use of Tor hidden services.

iv. A few weeks later, Ulbricht also changed the email address registered on Stack Overflow to "[email protected]" instead of Ulbricht's Gmail account. According to centralops.net, a publicly available email lookup service, [email protected] is not a valid email address. Again, based on my training and experience, I know that criminals who seek to hide their identity often use bogus email addresses in online accounts. Thus, I believe Ulbricht changed his email address on Stack Overflow to a fictitious one in order to completely eliminate any connection between his real email address and the post indicating his use of a Tor hidden service.

b. Based on forensics on the Silk Road web server, I know that the code on the Silk Road web server contains a custom PHP script based on "curl" that is functionally very similar to the code described in Ulbricht's Stack Overflow post, and contains several lines of code that are identical to the code given in the message. Based on my training and experience, it appears to me that the code on the Silk Road web server is a modified version of the code described in Ulbricht's post (the one Ulbricht was trying to find a way to fix because it was generating an error).

c. Further, also based on the forensic data of the Silk Road web server, I know the following:

i. On July 23, 2013, the Silk Road web server was configured in such a way as to allow the administrator, who was DPR, to connect to the server without having to enter a password, provided that the administrator connects from a trusted computer from the server's point of view.

ii. In particular, based on my training and experience, I know that this configuration involves the use of encryption keys with a connection via SSH (Secure Shell). To create such a configuration, the administrator must generate two encryption keys - the "public" key, which is stored on the server, and the "private" key, which is stored on the computer from which the connection to the server is made. Once these keys are generated, the server can recognize the administrator's computer based on the relationship between the administrator's private key and its corresponding public key stored on the server.

iii. Based on my training and experience, I know that encryption keys in SSH are made up of long strings of text characters. Different SSH programs generate public keys in different ways, but they all generate public keys in a similar format, with a text string that always ends in "[user]@[computer]". The computer in this substring is the name of the computer that generated the public key, and user is the name of the user who created it. For example, if someone generates an SSH key pair using MyComputer while logged in as John, the resulting public key will end with the substring "John@MyComputer".

iv. I examined the SSH public key stored on the Silk Road web server, which was used to authenticate the administrator when connecting to the server. The key ends with "frosty@frosty". Based on my training and experience, this means that the Silk Road administrator is using a computer named "frosty", which has a user account with the same name "frosty", to log into the Silk Road web server. Based on my training and experience, I know that computer users often use the same name for different types of accounts. Thus I believe, especially in view of the other links between Ross Ulbricht and DPR described above, that the Stack Overflow user Ross Ulbricht who changed his name to frosty and his email address to [email protected] is the same person as DPR, the administrator of Silk Road, who connected to the Silk Road web server from a computer named "frosty" with the user account "frosty".

44. I received from the Texas Motor Vehicle Administration a copy of the driver's license of the accused ROSS WILLIAM ULBRICHT, also known as "Dread Pirate Roberts", "DPR", "Silk Road", with the same number as the driver's license that ULBRICHT presented during his contact with DIOI agents on July 26, 2013, as described above. The photo on the driver's license is of the same person whose photo is posted on the Google+, Mises Institute, and LinkedIn profiles described above.

45. Accordingly, I believe that the owner and operator of Silk Road is the accused ROSS WILLIAM ULBRICHT, also known as "Dread Pirate Roberts", "DPR", "Silk Road".

THEREFORE, I am requesting the issuance of an arrest warrant for the accused ROSS WILLIAM ULBRICHT, also known as "Dread Pirate Roberts", "DPR", "Silk Road", with detention or bail, as applicable.
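As an added illustration of the artifact described in paragraph 43.c, and not part of the affidavit or the forum post: the script below parses OpenSSH authorized_keys entries the way an analyst examining a seized server would, pulling out each key's type, SHA256 fingerprint, access options and trailing comment, and flagging comments of the user@host form that the agent relied on. The sample entries are constructed, the key bytes are not real keys, and the `from=` option is an assumption for this example (the affidavit describes an IP restriction in server code, not in authorized_keys).

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")
USER_AT_HOST = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$")


def _split_options(line):
    """Split off the options field: it ends at the first space outside quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_entry(line):
    """Parse one authorized_keys line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        options, line = _split_options(line)
    parts = line.split(None, 2)
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    # The first length-prefixed string in the wire blob repeats the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("declared key type does not match key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    user, host = comment.split("@", 1) if USER_AT_HOST.match(comment) else (None, None)
    return {
        "type": key_type,
        "fingerprint": "SHA256:" + digest,  # same format ssh-keygen -lf prints
        "options": [o for o in options.split(",") if o],
        "comment": comment,
        "user": user,
        "host": host,
    }


def make_fake_key(key_type, comment, seed):
    """Constructed, syntactically valid key line; the bytes are NOT a real key."""
    body = hashlib.sha256(seed.encode()).digest()
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(body)) + body
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


# Constructed sample file: an unrestricted admin key whose comment records the
# generating account and host, plus a key pinned to one source address (assumed).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin access",
    make_fake_key("ssh-ed25519", "frosty@frosty", "admin-key"),
    'from="203.0.113.7",no-port-forwarding '
    + make_fake_key("ssh-rsa", "deploy", "deploy-key"),
])


def leaked_identities(text):
    """(user, host, fingerprint) for every key whose comment has user@host form."""
    found = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry["user"]:
            found.append((entry["user"], entry["host"], entry["fingerprint"]))
    return found
```

The fingerprint lets an analyst match the server-side public key against any private key or known_hosts entry recovered from a seized client without exposing key material.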
 