Posts Tagged: ICSI

Mar 16

Carders Park Piles of Cash at Joker’s Stash

A steady stream of card breaches at retailers, restaurants and hotels has flooded underground markets with a historic glut of stolen debit and credit card data. Today there are at least hundreds of sites online selling stolen account data, yet only a handful of them actively court bulk buyers and organized crime rings. Faced with a buyer’s market, these elite shops set themselves apart by focusing on loyalty programs, frequent-buyer discounts, money-back guarantees and just plain old good customer service.

An ad for new stolen cards on Joker's Stash.

An ad for new stolen cards on Joker’s Stash.

Today’s post examines the complex networking and marketing apparatus behind “Joker’s Stash,” a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches first disclosed by KrebsOnSecurity over the past two years, including Hilton Hotels and Bebe Stores.

Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five- and six-figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.

Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are “exclusive, self-hacked dumps.”

“This mean – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,” Joker’s Stash explained on an introductory post on a carding forum in October 2014.

“Just don’t wanna provide the name of victim right here, and bro, this is only the begin[ning], we already made several other big breaches – a lot of stuff is coming, stay tuned, check the news!” the Joker went on, in response to established forum members who were hazing the new guy. He continued:

“I promise u – in few days u will completely change your mind and will buy only from me. I will add another one absolute virgin fresh new zero-day db with 100%+1 valid rate. Read latest news on – this new huge base will be available in few days only at Joker’s Stash.”

As a business, Joker’s Stash made good on its promise. It’s now one of the most bustling carding stores on the Internet, often adding hundreds of thousands of freshly stolen cards for sale each week.

A true offshore pirate’s haven, its home base is a domain name ending in “.sh” Dot-sh is the country code top level domain (ccTLD) assigned to the tiny volcanic, tropical island of Saint Helena, but anyone can register a domain ending in dot-sh. St. Helena is on Greenwich Mean Time (GMT) — the same time zone used by this carding Web site. However, it’s highly unlikely that any part of this fraud operation is in Saint Helena, a remote British territory in the South Atlantic Ocean that has a population of just over 4,000 inhabitants.

This fraud shop includes a built-in discount system for larger orders: 5 percent for customers who spend between $300-$500; 15 percent off for fraudsters spending between $1,000 and $2,500; and 30 percent off for customers who top up their bitcoin balances to the equivalent of $10,000 or more.

For its big-spender “partner” clients, Joker’s Stash assigns three custom domain names to each partner. After those partners log in, the different 3-word domains are displayed at the top of their site dashboard, and the user is encouraged to use only those three custom domains to access the carding shop in the future (see screenshot below). More on these three domains in a moment.

The dashboard for a Joker's Stash customer that has spent over $10,000 buying stolen credit cards from the site.

The dashboard for a Joker’s Stash customer who has spent over $10,000 buying stolen credit cards from the site. Click image to enlarge.


Customers pay for stolen cards using Bitcoin, a virtual currency. All sales are final, although some batches of stolen cards for sale at Joker’s Stash come with a replacement policy — a short window of time from minutes to a few hours, generally — in which buyers can request replacement cards for any that come back as declined during that replacement timeframe.

Like many other carding shops, Joker’s Stash also offers an a-la-carte card-checking option that customers can use an insurance policy when purchasing stolen cards. Such checking services usually rely on multiple legitimate, compromised credit card merchant accounts that can be used to round-robin process a small charge against each card the customer wishes to purchase to test whether the card is still valid. Customers receive an automatic credit to their shopping cart balances for any purchased cards that come back as declined when run through the site’s checking service.

This carding site also employs a unique rating system for clients, supposedly to prevent abuse of the service and to provide what the proprietors of this store call “a loyalty program for honest partners with proven partner’s record.” Continue reading →

Feb 16

The Lowdown on the Apple-FBI Showdown

Many readers have asked for a primer summarizing the privacy and security issues at stake in the the dispute between Apple and the U.S. Justice Department, which last week convinced a judge in California to order Apple to unlock an iPhone used by one of assailants in the recent San Bernardino massacres. I don’t have much original reporting to contribute on this important debate, but I’m visiting it here because it’s a complex topic that deserves the broadest possible public scrutiny.

Image: Elin Korneliussen

Image: Elin Korneliussen (@elincello)

A federal magistrate in California approved an order (PDF) granting the FBI permission to access to the data on the iPhone 5c belonging to the late terror suspect Syed Rizwan Farook, one of two individuals responsible for a mass shooting in San Bernadino on Dec. 2, 2015 in which 14 people were killed and many others were injured.

Apple CEO Tim Cook released a letter to customers last week saying the company will appeal the order, citing customer privacy and security concerns.

Most experts seem to agree that Apple is technically capable of complying with the court order. Indeed, as National Public Radio notes in a segment this morning, Apple has agreed to unlock phones in approximately 70 other cases involving requests from the government. However, something unexpected emerged in one of those cases — an iPhone tied to a Brooklyn, NY drug dealer who pleaded guilty to selling methamphetamine last year. Continue reading →

Feb 16

This is Why People Fear the ‘Internet of Things’

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

The FI9286P, a Foscam camera that includes P2P communication by default.

The FI9286P, a Foscam camera that includes P2P communication by default.

This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

I first became aware of this bizarre experiment in how not to do IoT last week when a reader sent a link to a lengthy discussion thread on the support forum for Foscam, a Chinese firm that makes and sells security cameras. The thread was started by a Foscam user who noticed his IP camera was noisily and incessantly calling out to more than a dozen online hosts in almost as many countries.

Turns out, this Focscam camera was one of several newer models the company makes that comes with peer-to-peer networking capabilities baked in. This fact is not exactly spelled out for the user (although some of the models listed do say “P2P” in the product name, others do not).

But the bigger issue with these P2P -based cameras is that while the user interface for the camera has a setting to disable P2P traffic (it is enabled by default), Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online (see screenshot below).

This is a concern because the P2P function built into Foscam P2P cameras is designed to punch through firewalls and can’t be switched off without applying a firmware update plus an additional patch that the company only released after repeated pleas from users on its support forum.

Yeah, this setting doesn't work. P2P is still enabled even after you uncheck the box.

Yeah, this setting doesn’t work. P2P is still enabled even after you uncheck the box.

One of the many hosts that Foscam users reported seeing in their firewall logs was, a domain registered to Chinese communications firm ThroughTek Co., Ltd. Turns out, this domain has shown up in firewall logs for a number of other curious tinkerers who cared to take a closer look at what their network attached storage and home automation toys were doing on their network.

In January 2015, a contributing writer for the threat-tracking SANS Internet Storm Center wrote in IoT: The Rise of the Machines that he found the same domain called out in network traffic generated by a Maginon SmartPlug he’d purchased (smart plugs are power receptacles into which you plug lights and other appliances you may wish to control remotely).

What is the IOTC Plaform? According to ThroughTek, it’s a service developed to establish P2P communications between devices.

“I read the documentation provided with the device as well as all the website pages and there is no mention of this service,” wrote Xavier Mertens, an incident handler and blogger for SANS. “Manufacturers should include some technical documentation about the network requirements (ex: to download firmware updates).”

In another instance from May 2015, this blogger noted similar communications traffic emanating from a digital video recorder (DVR) device that’s sold in tandem with Internet-enabled surveillance cameras made by a company called Swann.

Likewise, postings from Dec. 2014 on the QNAP network attached storage (NAS) user forum indicate that some QNAP customers discovered mysterious traffic to and other Internet address requests that also were found in the Swann and Smart Plug traffic.

What do all of these things have in common? A visit to ThroughTek’s Web lists several “case studies” for its products, including Swann, QNAP and a home automation company based in Taiwan called AboCom.

ThroughTek did not respond to requests for comment. A ThroughTek press release from October 2015 announced that the company’s P2P network — which it calls the Kalay Network — had grown to support more than seven million connected devices and 100 million “IoT connections.”

I contacted Foscam to better understand the company’s relationship to ThroughTek, and to learn just how many Foscam devices now ship with ThroughTek’s built-in, always-on P2P technology. Foscam declined to say how many different models bundled the P2P technology, but it’s at least a dozen by my count of the models mentioned in the Foscam user manual and discussion thread. Continue reading →

Apr 15

China Censors, Blocks Sites With “Like” Buttons

Chinese government censors at the helm of the “Great Firewall of China” appear to have inadvertently blocked Chinese Web surfers from visiting pages that call out to, a resource used by Facebook’s “like” buttons. While the apparent screw-up was quickly fixed, the block was cached by many Chinese networks — effectively blocking millions of Chinese Web surfers from visiting a huge number of sites that are not normally censored.


Sometime in the last 24 hours, Web requests from within China for a large number of websites were being redirected to, an apparently innocuous site hosting an open-source, automated software deployment, upgrade and removal program for Windows.

One KrebsOnSecurity reader living in China who was inconvenienced by the glitch said he discovered the problem just by trying to access the regularly non-blocked UK newspapers online. He soon noticed a large swath of other sites were also being re-directed to the same page.

“It has the feel of a cyber attack rather than a new addition to the Great Firewall,” said the reader, who asked not to be identified by name. “I thought it might be malware on my laptop, but then I got an email from the IT services at my university saying the issue was nation-wide, which made me curious. It’s obviously very normal for sites to be blocked here in China, but the scale and the type of sites being blocked (and the fact that we’re being re-directed instead of the usual 404 result) suggests a problem with the Internet system itself. It doesn’t seem like the kind of thing the Chinese gov would do intentionally, which raises some interesting questions.”

Nicholas Weaver, a researcher who has delved deeply into Chinese censorship tools in his role at the International Computer Science Institute (ICSI) and the University of California, Berkeley, agrees that the blocking of by censors inside the country was likely a mistake.

“Any page that had a Facebook Connect element on it that was unencrypted and visited from within China would instead get this thing which would reload the main page of,” Weaver said, noting that while always encrypts users’ connections, sites that rely on Facebook “like” buttons and related resources draw those from “That screw-up seems to have been fairly quickly corrected, but the effect of it has lingered because it got into peoples’ domain name system (DNS) caches.”

In short, a brief misstep in censorship can have lasting and far flung repercussions. But why should this be considered a screw-up by Chinese censors? For one thing, it was corrected quickly, Weaver said.

“Also, the Chinese censors don’t benefit from it, because this caused a huge amount of disruption to Chinese web surfers on pages that the government doesn’t want to censor,” he said. Continue reading →

Apr 15

Don’t Be Fodder for China’s ‘Great Cannon’

China has been actively diverting unencrypted Web traffic destined for its top online search service — — so that some visitors from outside of the country were unwittingly enlisted in a novel and unsettling series of denial-of-service attacks aimed at sidelining sites that distribute anti-censorship tools, according to research released this week.

The findings, published in a joint paper today by researchers with University of Toronto’s Citizen Lab, the International Computer Science Institute (ICSI) and the University of California, Berkeley, track a remarkable development in China’s increasingly public display of its evolving cyber warfare prowess.

“Their willingness to be so public mystifies me,” said Nicholas Weaver, a researcher at the ICSI who helped dig through the clues about the mysterious attack. “But it does appear to be a very public statement about their capabilities.”


Earlier this month, Github — an open-source code repository — and, which distributes software to help Chinese citizens evade censorship restrictions enacted by the so-called “Great Firewall of China,” found themselves on the receiving end of a massive and constantly-changing attack apparently designed to prevent people from being able to access the sites.

Experts have long known that China’s Great Firewall is capable of blocking Web surfers from within the country from accessing online sites that host content which is deemed prohibited by the Chinese government. But according to researchers, this latest censorship innovation targeted Web surfers from outside the country who were requesting various pages associated with Baidu, such that Internet traffic from a small percentage of surfers outside the country was quietly redirected toward Github and

This attack method, which the researchers have dubbed the “Great Cannon,” works by intercepting non-Chinese traffic to Baidu Web properties, Weaver explained.

“It only intercepts traffic to a certain set of Internet addresses, and then only looks for specific script requests. About 98 percent of the time it sends the Web request straight on to Baidu, but about two percent of the time it says, ‘Okay, I’m going to drop the request going to Baidu,’ and instead it directly provides the malicious reply, replying with a bit of Javascript which causes the user’s browser to participate in a DOS attack, Weaver said. Continue reading →

Jul 14

Service Drains Competitors’ Online Ad Budget

The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Today’s post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.

Youtube ads from "GoodGoogle" pitching his AdWords click fraud service.

Youtube ads from “GoodGoogle” pitching his AdWords click fraud service.

AdWords is Google’s paid advertising product, displaying ads on the top or the right side of your screen in search results. Advertisers bid on specific keywords, and those who bid the highest will have their ads show up first when Internet users search for those terms. In turn, advertisers pay Google a small amount each time a user clicks on one of their ads.

One of the more well-known forms of online ad fraud (a.k.a. “click fraud“) involves Google AdSense publishers that automate the clicking of ads appearing on their own Web sites in order to inflate ad revenue. But fraudsters also engage in an opposite scam involving AdWords, in which advertisers try to attack competitors by raising their costs or exhausting their ad budgets early in the day.

Enter “GoodGoogle,” the nickname chosen by one of the more established AdWords fraudsters operating on the Russian-language crime forums.  Using a combination of custom software and hands-on customer service, GoodGoogle promises clients the ability to block the appearance of competitors’ ads.

“Are you tired of the competition in Google AdWords that take your first position and quality traffic,?” reads GoodGoogle’s pitch. “I will help you get rid once and for all competitors in Google Adwords.”

The service, which appears to have been in the offering since at least January 2012, provides customers both a la carte and subscription rates. The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’s ads indefinitely. Fees are paid up-front and in virtual currencies (WebMoney, e.g.), and the seller offers support and a warranty for his work for the first three weeks. Continue reading →

Feb 14

Florida Targets High-Dollar Bitcoin Exchangers

State authorities in Florida on Thursday announced criminal charges targeting three men who allegedly ran illegal businesses moving large amounts of cash in and out of the Bitcoin virtual currency. Experts say this is likely the first case in which Bitcoin vendors have been prosecuted under state anti-money laundering laws, and that prosecutions like these could shut down one of the last remaining avenues for purchasing Bitcoins anonymously.

michaelhackfeedbackWorking in conjunction with the Miami Beach Police Department and the Miami-Dade State Attorney’s office, undercover officers and agents from the U.S. Secret Service’s Miami Electronic Crimes Task Force contacted several individuals who were facilitating high-dollar transactions via, a site that helps match buyers and sellers of the virtual currency so that transactions can be completed face-to-face.

One of those contacted was a user nicknamed “Michelhack.” According to this user’s profile, Michelhack has at least 100 confirmed trades in the past six months involving more than 150 Bitcoins (more than $110,000 in today’s value), and a 99 percent positive “feedback” score on the marketplace. The undercover agent and Michelhack allegedly arranged a face-to-face meeting and exchanged a single Bitcoin for $1,000, a price that investigators say included an almost 17 percent conversion fee.

According to court documents, the agent told Michelhack that he wanted to use the Bitcoins to purchase stolen credit cards online. After that trust-building transaction, Michelhack allegedly agreed to handle a much larger deal: Converting $30,000 in cash into Bitcoins.

Investigators had little trouble tying that Michelhack identity to 30-year-old Michell Abner Espinoza of Miami Beach. Espinoza was arrested yesterday when he met with undercover investigators to finalize the transaction. Espinoza is charged with felony violations of Florida’s law against unlicensed money transmitters — which prohibits “currency or payment instruments exceeding $300 but less than $20,000 in any 12-month period” — and Florida’s anti-money laundering statutes, which prohibit the trade or business in currency of more than $10,000.

Police also conducted a search warrant on his residence with an order to seize computer systems and digital media. Also arrested Thursday and charged with violating both Florida laws is Pascal Reid, 29, a Canadian citizen who was living in Miramar, Fla. Allegedly operating as proy33 on, Reid was arrested while meeting with an undercover agent to finalize a deal to sell $30,000 worth of Bitcoins.

Documents obtained from the Florida state court system show that investigators believe Reid had 403 Bitcoins in his on-phone Bitcoin wallet alone — which at the time was the equivalent of approximately USD $316,000. Those same documents show that the undercover agent told Reid he wanted to use the Bitcoins to buy credit cards stolen in the Target breach.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley and keen follower of Bitcoin-related news, said he is unaware of another case in which state law has been used against a Bitcoin vendor. According to Weaver, the Florida case is significant because is among the last remaining places that Americans can use to purchase Bitcoins anonymously.

“The biggest problem that Bitcoin faces is actually self-imposed, because it’s always hard to buy Bitcoins,” Weaver said. “The reason is that Bitcoin transactions are irreversible, and therefore any purchase of Bitcoins must be made with something irreversible — namely cash. And that means you either have to wait several days for the wire transfer or bank transfer to go through, or if you want to buy them quickly you pay with cash through a site like” Continue reading →

Oct 13

Feds Arrest Alleged Top Silk Road Drug Seller

Federal authorities last week arrested a Washington state man accused of being one of the most active and sought-after drug dealers on the online black market known as the “Silk Road.” Meanwhile, new details about the recent coordinated takedown of the Silk Road became public, as other former buyers and sellers on the fraud bazaar pondered who might be next and whether competing online drug markets will move in to fill the void.

NOD's feedback from Silk Road buyers, according to the government.

NOD’s feedback from Silk Road buyers, according to the government.

A complaint unsealed Oct. 2 by the U.S. District Court for the Western District of Washington at Seattle alleges that Steven Lloyd Sadler, 40, of Bellevue, Wash., used the nickname “NOD” on the Silk Road, and was among the “top one percent of sellers” on the Silk Road, selling high-quality cocaine, heroin and methamphetamine in small, individual-use amounts to hundreds of buyers around the world.

Investigators with the FBI and U.S. Post Office inspectors say they tracked dozens of packages containing drugs allegedly shipped by Sadler and a woman who was living with him at the time of his arrest. Authorities tied Sadler to the Silk Road after intercepting a package of cocaine and heroin destined for an Alaskan resident. That resident agreed to cooperate with authorities in the hopes of reducing his own sentence, and said he’d purchased the drugs from NOD via the Silk Road.

Agents in Seattle sought and were granted permission to place GPS tracking devices on Sadler’s car and that of his roommate, Jenna White, also charged in this case. Investigators allege that the tracking showed the two traveled to at least 38 post offices in the Seattle area during the surveillance period.

Interestingly, the investigators used the feedback on NOD’s Silk Road seller profile to get a sense of the volume of drugs he sold. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services. According to the government, NOD had 1,400 reviews for individual sales/purchases of small amounts of drugs, including: 2,269.5 grams of cocaine, 593 grams of heroin and 105 grams of meth. The complaint notes that these amounts don’t count sales going back more than five months prior to the investigation, when NOD first created his Silk Road vendor account.

Cryptome has published a copy of the complaint (PDF) against Sadler. A copy of Sadler’s case docket is here. NOD’s reputation on the Silk Road also was discussed for several months on this Reddit thread.

Many readers of last week’s story on the Silk Road takedown have been asking what is known about the locations of the Silk Road servers that were copied by the FBI. It’s still unclear how agents gained access to those servers, but a civil forfeiture complaint released by the Justice Department shows that they were aware of five, geographically dispersed servers that were supporting the Silk Road, either by directly hosting the site and/or hosting the Bitcoin wallets that the Silk Road maintains for buyers and sellers.

Two of those servers were located in Iceland, one in Latvia, another in Romania, and apparently one in the United States. See the map above.

Continue reading →

Oct 13

Feds Take Down Online Fraud Bazaar ‘Silk Road’, Arrest Alleged Mastermind

Defendant Charged With Drug Trafficking, Hacking, Money Laundering

Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering.

A screen shot of the Silk Road Web site, taken Oct. 23, 2013.

A screen shot of the Silk Road Web site, taken Oct. 2, 2013.

The Silk Road is an online black market that as late as last month was hosting nearly 13,000 sales listings for controlled substances, including marijuana, LSD, heroin, cocaine, methamphetamine and ecstasy. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services.

The Silk Road is not available via the regular Internet. Rather, it is only reachable via the Tor network, an anonymity network that bounces its users communications across a distributed network of relays run by volunteers all around the world.

That is, it was until this week, when FBI agents arrested its alleged proprietor and seized the Web servers running the site. The feds also replaced the Silk Road’s home page with a message saying that the site had been seized by the FBI, Homeland Security Department and the Drug Enforcement Administration.

According to a complaint unsealed this week, Ulbricht alone controlled the massive profits generated from the operation of the business. The government alleges that Ulbricht also controlled and oversaw all aspects of the Silk Road, including: the maintenance of the computer infrastructure and programming code underlying the Silk Road Web site; the determination of vendor and customer policies; decisions about what could be sold on the site; and managing a small staff of online administrators who assisted with the day-to-day operations.

The Silk Road didn’t just sell drugs. For example, the complaint identifies 801 for-sale listings under “digital goods,” which included banking Trojans, pirated content, and hacked accounts at Netflix and Amazon. The “forgeries” section of the Silk Road featured 169 ads from vendors of fake driver’s licenses, passports, Social Security cards, utility bills, credit card statements, car insurance records, and other forms of identity documents.

An ad for heroin on the Silk Road. Notice this seller has 97 feedback points.

An ad for heroin on the Silk Road. Notice this seller has 97 feedback points.

Another popular section of the Silk Road included 159 listings for generic “Services,” mostly those listed by computer hackers offering such services as hijacking Twitter and Facebook accounts of the customer’s choosing. Other classified ads promised the sale of anonymous bank accounts, counterfeit bills, firearms and ammunition, and even hitmen for hire.

FBI investigators said that on or about March 29, 2013, Ulbricht contacted a Silk Road seller “Redandwhite” to see about hiring him to to take out another Silk Road user — someone going by the nickname “FriendlyChemist” — who was threatening to release the identities of thousands of users of the site.

From the government’s complaint: “Asked what sort of problem FriendlyChemist was causing him, DPR responded in a message dated March 30, 2013, ‘[H]e is threatening to expose the identities of thousands of my clients that he was able to acquire….[T]his kind of behavior is unforgivable to me. Especially here on Silk Road, anonymity is sacrosanct.'” As to the murder-for-hire job he was soliciting, DPR commented that “[i]t doesn’t have to be clean.”

Later that same day, redandwhite sent DPR a message quoting him a price of $150,000 to $300,000, “depending on how you want it done, ‘clean’ or ‘non-clean’.

On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.”

DPR, allegedly using the nickname "altoid" seeks to hire a tech expert for the Silk Road via

DPR, allegedly using the nickname “altoid” seeks to hire a tech expert for the Silk Road via

According to investigators, the two ultimately settle on a price of $150,000, and that Ulbricht paid for the transaction using Bitcoins — an anonymous virtual currency — sending the would-be hit man 1,670 bitcoins for the arranged hit. Bitcoin currency rates fluctuate quite a bit from day to day, but historic sites that track Bitcoin rates show that one bitcoin around that date in late March 2013 was worth about USD $90, meaning investigators believe Ulbricht paid approximately $150,300 for the hit.

The government’s complaint states that the hit wasn’t carried out, but it also doesn’t seem that FriendlyChemist was the source of investigators’ break in this case. That would come on July 23, 2013, when investigators gained access to a Silk Road server and made a complete copy of the data on the machine.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at University of California San Diego, said the information contained on the server seized by investigators indicates that Ulbricht/Dread Pirate Roberts routinely failed to heed his own advice to fellow Silk Road users: Prominent on the Silk Road site were links to tutorials DPR penned which laid out the technologies and techniques that users should adopt if they want to keep off the radar of federal investigators.

“This shows me that the head of the Silk Road wasn’t using [encryption] for all his communications, because [the government] wouldn’t have all of this information otherwise, unless of course he stored his encryption key on the server that was seized,” Weaver said. “Either [the government] got his encryption key off of this server or another server that they were able to access, or he wasn’t using encryption at all.”

The complaint also suggests that in June 2013, Ulbricht accessed a server used to control the Silk Road site from an Internet cafe that was 500 feet from the hotel he was staying at in San Francisco.

Continue reading →