The recent filings in the Ulbricht case relating to the Force/Bridges corruption case make for interesting reading, especially the DEA internal timeline detailing the infighting (and revealing 2 new CIs) and Ross Ulbricht's 'counterintel' file (PDF of screenshots, transcribed text version).
The counterintel file turns out to contain Force's initial emails corresponding with Ulbricht, in exchange for the initial retainer of $5k or whatever in June-August 2013. While a bit rambling, the emails constitute a fairly thorough briefing on the progress up to then, investigative methods and level of monitoring of the DNMs, internal politics, motivations, and limitations of the investigations into SR1. Force reveals, among other things:
- LE does actively compile lists of buyer addresses either from cooperating sellers or outright buying them; this strategy has not yielded many results though
- a number of buyers have been so worried about threats to dox them on forums that they have run into the loving arms of LE
- the investigations were largely sparked by Chuck Schumer's 2011 grandstanding, and were otherwise not a big priority
- the DEA investigation was surprisingly poorly-funded, tech-illiterate, unmotivated, and juvenile; the FBI seems to be much more technologically sophisticated.
- all the markets and forums are actively monitored/scraped, but by a very small team who can't go into much detail for each
- a handful of the DoS attacks were done by the NCIJTF/FBI, testing SR1, but do not seem to have been attempts to use the known de-anonymization attacks
- As of August 2013, the investigations had made almost no real progress in finding Ulbricht (and the timeline indicates they had wasted huge amounts of time on Mark Karpeles & Athavale); it seems that Curtis Green and then Tarbell's mysterious de-anonymization of the Icelandic servers were huge breakthroughs
- flipped vendors cannot, as a matter of DoJ policy, sell large quantities of drugs for a long time; hence they will tend to go in a blaze of glory, start faking feedback, or quasi-retire with a low level of targeted undercover sales to attack specific buyers (especially gun and poison buyers)
- Atlantis was (as probably is obvious by now) legitimate and not a honeypot. (I know, most of you don't even know what Atlantis is, but the old-timers will appreciate the closure.)
- the domestic Bitcoin exchanges were fighting against cooperating, MtGox was surprisingly safe, and Coinbase was actively rolling over to hand over user information (and PayPal, but we knew that)
- as long theorized, guns are a huge red flag and single out a market for special attention and investigative effort; BMR was badly penetrated even in mid-2013, and despite all the BMR cases which have become public, Force's briefing indicates even more are still unknown
The excerpts:
Know that some of your vendors have been approached for (and have provided for money) buyer information (the idea is to purchase buyer information, which gets dumped and collated into excel). Vendors that get banned are approached via the email addresses they provide on their pages "in the event SR is down, contact here..". Just recently a New York based pill guy sold his entire customer list to what he thought was atlantis. Can find out his handle so you can poke around old private messages if need be. Several uses for databases of buyer information...Vendors HAVE been approached off-site (most list their tormails on their pages) for customer information. This has been bought. Then collected and dumped. It has mostly been vendors who have vanished/been banned/ or slowed down. They're deemed to be the most vulnerable. This is not pursued as much due to a poor ROI. Most vendors/former vendors have not entertained such advances and those who have have demanded funds that simply are not available even in the discretionary account(s). Like any other government effort/agency/JTF, funds are near impossible to get approved & released. Even undercover buys require paperwork and approval. There is no joint kitty of BTC available to make purchases from every vendor. It would take 2-3 days to get funds released for anything, and approvals are not that easy to obtain AFAIK. And in any case in this scenario, verifying information would be a nightmare. No guarantee that they would not just copy and paste names from the phonebook or use a name generating site. No real benefit other than to identify potential bulk buyers who would resell IRL (and this information would get kicked down to state/local).
...Am certain there are not many techies involved. Due to the unconventional nature of this network and technology, not much use for full time "geeks" being sourced & assigned anything more than standard workload. Unless there's some specific technical question/explanation needed
...Again, something you would probably be able to verify - maybe half a year ago a guy from podunk Virginia contacted local and was crying about being blackmailed for his personal information by 'anonymous criminals' (Phil something). Middle aged guy who ran a travel agency. Even down to that level pops up on the radar nearby to where the birdie hangs out. Did not take long to assemble the backstory (small time recreational buyer just got blackmailed if you want to call it that by a crooked vendor) and dismiss as utterly irrelevant. I'm sure old private messages or communications can be examined to verify that instance.
...Prominent on the radar is Silk Road (amongst other known sites/actors on TOR) and since late 2011 there's been a lackluster yet interagency effort to monitor, disrupt, infiltrate and/or penetrate operations. The office of the DAAG (Deputy Assistant Attorney General) Computer Crime (at the time Jason Weinstein) was the principal in spearheading. This is after Sen. Schumer & party created a hoo-ha. Weinstein's office jumped to take charge and assume oversight. Under the auspices of the NCIJTF (National Cyber Investigative Joint Task Force which is DOJ), the following fed agencies have a presence when it comes to SR (Stateside)
1) DEA 2) FBI 3) DHS 4) ICE 5) USPIS 6) ATF 7) CBP
That should NOT worry you, because by "presence" I only mean there are active agents and officer level involvement from whose resources are pooled and budgets are shared. On a limb I'll say this, everything having to do with Silk Road (like any other open set of investigations) is on shared drives that almost all can read+write, and there is a shared public Outlook folder where all emails/correspondence pertaining to SR are routed. Everybody (and I mean everybody) from entry level up to the heavens have "read" access. Additionally, people talk a LOT. Loose lips is an understatement and the level of immaturity and juvenile attitude is staggering. There is no such thing as "confidential", and this is a culture where people are numb. You must understand that part of why I'm so confident (in my ability to maintain this relationship) is that nothing is treated as sacred and there are probably 100 people like me who could offer the same level of access. Analysts do collate data and prepare summarizations/status sheets and CC the requisite list/group.. and majority of the time nothing happens. Little to none replies/discussion. This is not SR specific, but does include SR. For example reports related to CP sites/forums or BMR often get the same treatment.. ambivalence. Here is something that will bring a smile to your face.. it is just not in the budgets to aggressively dedicate resources to SR. The way the budgets are allocated is almost certainly political in nature, and the lion's share goes to War on Terrorism or "real world" drug activity. That's the cold hard truth. That's not to say that there are no zealots who do have a harden for SR related activity, but that is more focused on suspected real world trafficking. Ironically enough, guys at USPIS do not care in the least about SR. Yes you read that right. They're broke and have no concept of tech savvy.. and frankly, they are not interested.
DEA guys often initiate most chatter having to do with SR, yet follow up is minimum and they are too bogged down in pending investigations of subjects whom they have the ability to surveil and/or whose circle they can infiltrate by way of CI's (conf informants).. none of which is possible when dealing with a beast that is virtually immune to real world surveillance. It's not a question of getting warrants to ISPs.. it's a question of who/where to begin looking. They're stuck.
At the analyst level, SR forums and the main site are crawled/monitored. Not more than 4 people are tasked with just crawling and mining the forums main site in an observational capacity. These 4 people are also tasked with crawling and mining many other websites and forums on TOR and clear net. So while everything is printed, you can guesstimate the scrutiny level is not extraordinary. That's not to say that others do not actively surf the forums and maintain both buyer and vendor accounts on the main site, they do. But at any given time, there are not more than a handful of people overseeing a crawl. When something deemed highly interesting or important pops up, they will CC the SR mailing list with a description and screenshot with their thoughts. Otherwise, there is a weekly status sheet that gets dumped with the most relevant/interesting/useful occurrences on the forum along with a summary on value/suggested "action items". Everything you post (along with the time stamps) is copied. You are referred to as DPR across the board. Often there is nothing interesting, and if there is, it would be a bullet point such as "Vendor XYZ (who deals in ABC..) said his packaging methods consist of 123" etc. This is so they seem like they're doing their job as often there is nothing interesting at all taking place on the forum side. When moderators quote you, that is often the bulk of what gets bullet pointed "DPR has instructed us to do such and such". Now, there have and continue to be attempts to compromise staff accounts (on the forum and main side) by the normal methods of password guessing, but AFAIK none have been successful. There have been successful instances of cloning lookalike accounts which have all been shut down on your side. Of significant focus is attempts to impersonate you and your moderators on not only SR mainsite/forum, but on other TOR sites such as BMR or Atlantis to see if any prior correspondences can be restarted. Nothing there either.
...There HAVE been concentrated efforts to DoS/DdoS the site and forum to assess your response time and technical acumen. I'm not too savvy regarding this, but on a horizontal scope there have been/are attempts to run exit notes [exit nodes] and track traffic across TOR. To what end this has been aimed at SR would be something I would need to poke around about...6) Yes. I can poke around more, but in short - yes. What the end-goal was, I'm not sure. What they assessed, I'm not sure. But further attempts on the integrity of the site will be executed, be sure of that. Although I can tell you, that won't be a long term play. It can't be sustained forever...The DDoS would certainly be NCIJTF/FBI.
...The high-vol vendor operations such as (to just name a few) Nod, NorCalKing, RxKing are all under scrutiny. They've all been purchased from multiple times and general geographic location is assembled. For example it would be known that the Nod operation is NY, NCK is in California, RxK is Southwest US etc. There are also ongoing attempts to befriend the 'biggish' vendors through private message/forum pm/privnote/pgp and take correspondence off-site. This is where off-site deals and 'partnerships' would get cooked up and layers of anonymity be peeled away, leading to more detailed profiles. No high volume US vendor has been surveilled. On a state level, several suspected major vendors have been surveilled, yet none have been touched as that won't happen till a multi-jurisdiction plan to move on several vendors simultaneously in a grand slam display is logistically possible let alone greenlit. AFAIK, something of that magnitude would not be possible currently. There have been one-off prosecutions on county and state levels. What happens is that a vendor that has confidently profiled/ascertained to be originating packages out of a certain jurisdiction, that information is shared down to local/state to put eyeballs on. A lot of that was happening in the beginning, but now there's more of a "hands off" approach. They'd want to sweep the maximum amount of vendors at once. Having the Sheriff of Mayberry hit one based on JTF Intel is just not the culture/mindset. Nearly all efforts are conducted out of Jersey and Los Angeles.
...Posing as vendors - yes. That has happened. Although, DOJ attorneys will never ever allow drugs to 'walk' en masse. Especially after scandals such as Fast and Furious where the guns were allowed to walk.. they simply cannot introduce narcotics into circulation. Vendor accounts have been bought to gain access to that side of the site and Vendor Roundtable and to establish longterm credibility, but any "purchases" would be absolutely fake and bought by their own accounts to build credible stats. I'm sure on state level there have been targeted vendor-posed operations to net bulk buyers, but those are highly controlled and short term. I have not heard of any off the top of my head. That does NOT mean that is not currently happening or will not happen in the future, but any significant bust would have made waves.
...One thing to be cognizant of, there's a lean on the domestic BTC exchanges to cooperate. There have been informal discussions in the last few months to develop working relationship with Coinbase (I know for a fact). After DHS hit Gox, even the boogeyman of a FinCEN violation is enough to mortify any of the btc guys. Anyone moving large sums of BTC will be open to scrutiny. I reference Coinbase because I know there was a series of meetings with Compliance at Coinbase. That can only mean one thing... BUT, that does not mean that the full on arm twisting by Treasury is going to be utilized to track black market vendors. They're more concerned (and justify) their desire for access due to terrorism. Most of the black market economy is essentially low hanging fruit in comparison to terror funding. But if OC activity is disrupted and there's political mileage for DoJ, the wide dragnet serves a multi-faceted purpose.
1) a) BMR is on the radar and that is ATF's baby. Politics plays a significant role in prioritization of which agency gets to own which investigations. The climate is aggressive when it comes to weapons trafficking and the gun control hot potato has guaranteed virtually a carte blanche to ATF. And they have deep pockets as well. Because tor based weapons traffickers are almost always running guns IRL, there is synergy between federal and state. Federal approves staggering sums of money for surveillance, undercover and CI's. I don't want to say BMR is "infiltrated", but there are a lot of compromised accounts and there have been a few quiet busts. Nearly every bust has resulted in cooperation. I am not sure what the long play is, but as long as this current administration is in power the gunrunners will always be hard targets. They are intimidated with the threat of tangible charges (interstate trafficking, conspiracy, organized crime, distribution) and they ALL cooperate. The general consensus is that weapons dealers are not sophisticated and have a lot of IRL visibility, so they are ALWAYS on the radar.
...c) HackBB and TCF are prominent and actively surveilled. Have not heard of any significant operations that have netted any majors, but there have been some successful prosecutions/interagency wins. HackBB especially is monitored closely. There is another counterfeit site whose name escapes me now, but there was a major sting that happened in Boston last winter which was a result of efforts focused on it. Paypal was involved and was very accommodating to SS in handing over logs.
...8) Some, yes. Off the top of my head - I know that "Costco" is a West Coast operation and there's some fair certainty that it's an Asian gang deal. There is an immigration element and tied to IRL dealing. I'm not sure what the wait is, but there's some play that probably involves state/local. "Marlostansfield" is NYC, and the guy has a lengthy record and has been a CI in the past. "Godofall" is NYC and they're Dominicans who are street level/wholesalers. "DaRuthless1" has been surveilled by local in Queens and has a prior for distribution of oxy. "UndergroundSyndicate" I know was assumed to have been made, but there was some snafu with that and bickering state level. I know there were a few California based pot guys who were being surveilled, I can circle back on vendor information. There is a vendor in Dade County, FL that was surveilled, grabbed and turned but the focus was on his IRL connects to coke wholesalers, not on mail.
[Marlostanfield, Godofall, and DaRuthless1 seem to have disappeared before or during the fall of SR1 and no busts are known to be associated; UnderGroundSyndicate was busted as part of the SuperTrips case; the CA and FL mentions are too vague to judge. Ulbricht in his journal credits Force's info with saving at least one vendor, and it's noteworthy that someone contacted Eileen Ormsby in December 2013 (http://allthingsvice.com/2015/04/02/special-agent-force-alpacino-and-me/), referring to Force's info and telling Ormsby to "ask M___ how DPR knew stuff that helped him not get busted. He won't know how, but he will know what you are talking about"; Marlostanfield is the only vendor named in the entire file whose name begins with "M" and if he had already run afoul of the law many times, he would be quick to disappear upon being warned.]
...Now, when Gox was hit in the spring.. that was literally over an unchecked box on some form asking "Are you a money transmitter?"! Because (the US subsidiary) of Gox failed to check the "Yes" box.. that alone was enough to get a judge to sign off on a warrant. The rest is history. LE has reached out to EVERY SINGLE DOMESTIC btc exchange and asked them to share records on vague grounds (ongoing narco-traffic investigations, Islamic charities/donations etc) and establish channels. The exchanges seem to talk to each other, and have by and large put up a united front and rebuffed these advances so far and have insisted their Ts are crossed and I's are dotted, which means they are not obligated to share records with any LEA on gratis. And since their paperwork is in order, LE is stuck here. They have not been able to find cause to hit any of the other exchanges the way they hit Gox. I can tell you that LE is so used to banks bending over backwards to accommodate, they're annoyed that the exchanges have not rolled over. They have not seized servers of any domestic btc exchange. Even Mutum Sigillum's seizure was just their Dwolla account, not their servers or any stateside Gox data. Coinbase, however, is probably playing ball at some level. If you recall they scored like $5mil in a Series A round a few months ago. Few weeks after that (I'm talking June), there were meetings between their Compliance/attorneys and Treasury. This is not public knowledge. Either this was the investors insisting that they reach out to the feds and get in their good graces, or Treasury tried to squeeze them and maybe found something they thought they could use to bully them. But that's been quiet since. Have not heard anything. Gut says they probably reached some tentative agreement to pass on records in a limited capacity. Long story short, no, they are not tapped into the exchanges (yet), aside from possibly Coinbase. ...About Gox: No way.
Hitting Mutum Sig was a last resort and reactionary because they had approached Gox directly and were rebuffed, and then reached out to the Japanese government to no avail. Although on good relations, Japanese companies are very anal when it comes to perceived threats to their bottom line. Must not forget that Gox is fully aware that a staggering amount of traffic is dirty money (no offense), and that makes them money. They can't fathom turning over records and data to the Americans without a crippling mass exodus of capital (if it ever came to light). Also Japanese are a proud people when it comes to their work. There are free trade agreements with Japan that have binding clauses to provide financial information to requests from say the IRS, but something like that can't be used as a tool with the Japanese government because of limited resources and approvals on our end. It's very bureaucratic and not just a matter of a few phone calls and emails. And even still the Japanese can stall and push back. As long as Gox is operating where they are, they will guard the integrity of their records/logs/data. Gox is outside the tentacles.
I want to remind everyone that part of the budget LE has for busting markets comes from seized funds. By using multisig we can make it impossible for LE to grab those coins.