Tech

Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

Videos by VICE

***

In January of this year, Brian Richard Farrell from Seattle was arrested and charged with conspiracy to distribute heroin, methamphetamine and cocaine.

In an interview with the FBI, Farrell quickly admitted to being “DoctorClu,” a staff member on the Silk Road 2.0 marketplace, saying “You’re not going to find much of a bigger fish than me.”

Silk Road 2.0 was launched shortly after the original was shut down in October 2013. It also relied on the Tor anonymity network to hide the IP addresses of both the servers running the marketplace as well as mask of those accessing it.

In the search warrant executed against Farrell’s home in January, Special Agent Michael Larson writes that from January 2014 to July 2014, an FBI “Source of Information (SOI)” provided “reliable IP addresses for TOR and hidden services such as SR2.” This included the main marketplace, the vendor section of the site that was typically only accessed by dealers or staff, the site’s forum, and its support interface, where staff dealt with customer issues.

This information led to the location of the Silk Road 2.0 servers, Larson wrote, which led to the identification of “at least another seventeen black markets on TOR.” That refers to Operation Onymous, a multi-agency effort that eventually led to the shuttering of several dark web sites, including Silk Road 2.0. It also took down a number of fake and scam sites.

But that wasn’t all that the source provided, the warrant continues. “The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address,” it says, referring to users of the site.

“Whatever you’re doing, it isn’t science.”

One of these IP addresses led investigators to a house where Farrell was living. After physical surveillance was carried out, his house mate questioned, and FBI interviews, Farrell was eventually arrested.

However, who or what exactly the FBI Source of Information is has remained a mystery, with journalists and researchers only being able to speculate.

Then in a motion filed in Farrell’s case last week, his defense dropped a bombshell.

“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0,” the motion reads.

In response to this letter, the defense asked for additional discovery evidence and information to determine the relationship between this institute and the government, as well as the means used to identify Farrell “on what was supposed to operate as an anonymous website.”

“To date, the government has declined to produce any additional discovery.”

***

The timeline lines up perfectly with an attack on the Tor network last year.

On July 30 2014, the Tor Project announced in a blog post it had “found a group of relays that we assume were trying to deanonymize users.” Relays are nodes of the Tor network that route traffic, and can be set up by anyone. “They appear to have been targeting people who operate or access Tor hidden services.”

These relays joined the network on January 30, and the Tor Project then removed them on July 4: the same time period for which the FBI’s source provided IP addresses of dark web sites, as well as apparent users.

This suggests that the FBI’s Source of Information was whoever was behind this attack; an attack that may have swept up perfectly innocent users of Tor and hidden services, as well as those using the network for illegal purposes.

“If you’re doing an experiment without the knowledge or consent of the people you’re experimenting on, you might be doing something questionable—and if you’re doing it without their informed consent because you know they wouldn’t give it to you, then you’re almost certainly doing something wrong. Whatever you’re doing, it isn’t science,” Nick Mathewson, co-founder of the Tor Project, told Motherboard in a statement.

The attack, according to Tor Project’s writeup, relied on a set of vulnerabilities in the Tor software, and involved setting up a number of relays in order to monitor the activity of a Tor user.

A section of a legal document filed in Farrell’s case, stating that a “university-based research institute” provided information that led to his arrest. Screencap: Motherboard

“If the first relay in the circuit (called the “entry guard”) knows the IP address of the user, and the last relay in the circuit knows the resource or destination she is accessing, then together they can deanonymize her,” Tor Project wrote.

At the time, there was only speculation who might be behind the attack. Because it would have required a substantial number of Tor relays to carry it out, the attack could have been the work of a large intelligence agency. Or, “if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future,” Tor Project wrote.

***

Then in July, a much anticipated talk at the Black Hat hacking conference was abruptly canceled. Alexander Volynkin and Michael McCord, academics from Carnegie Mellon University (CMU), promised to reveal how a $3,000 piece of kit could unmask the IP addresses of Tor hidden services as well as their users.

Its description bore a startling resemblance to the attack the Tor Project had documented earlier that month. Volynkin and McCord’s method would deanonymize Tor users through the use of recently disclosed vulnerabilities and a “handful of powerful servers.” On top of this, the pair claimed they had tested attacks in the wild.

Motherboard contacted Michael McCord, but received a response from Richard Lynch, public relations manager for CMU’s Software Engineering Institute.

“Thanks for your inquiry, but it is our practice not to comment on law enforcement investigations or court proceedings,” Lynch wrote.

Experts who have been following Farrell’s case feel that CMU is very likely to be the institute behind the attack, and therefore the source of the information that led to Farrell’s arrest.

The institute that worked with the FBI is “almost certainly” CMU, Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California, Berkeley told Motherboard in a phone interview.

“Both the time and the capability” of the attack on Tor in 2014 lined up with what CMU was proposing, Weaver said.

Earlier this year, Weaver also noticed the similarities and links between Farrell’s search warrant, the sustained attack on Tor, and CMU’s proposed Black Hat talk, and estimated that the attack cost somewhere in the region of $50,000. Only now has concrete proof of an academic institution’s involvement come to light.

There is no hard evidence at this time that CMU was the source of the FBI’s information, however, although circumstantial evidence points to it. It could have been another “university-based research institute.”

***

Farrell’s case may not be the only one impacted by this source’s involvement.

On November 1, a hearing was held in the case of Gabriel Peterson-Siler, a man charged with possessing child pornography. In that case, Peterson-Siler’s defense requested the same discovery material as Farrell’s lawyers had asked for, according to documents in Farrell’s case.

“Given that these two cases present identical issues, Mr. Farrell respectfully requests that his trial be continued and that he be allowed to follow the briefing schedule set in Peterson-Siler,” Farrell’s defense writes.

Peterson-Siler is suspected of posting on three different child pornography sites from March 29, 2012 through to August 20, 2012. In his case documents, these are simply referred to as Website 1, Website 2, and Website 3.

In June 2014, within the same time frame that Farrell’s IP address was provided to the FBI, an investigation into Peterson-Siler determined an IP address that belonged to him. After his property was searched in September 2014, he was indicted for possession of child pornography in April of this year, and pleaded not guilty to all charges.

A section of the search warrant against Farrell, stating that the Source of Information provided 78 IP addresses to the FBI. Screencap: Motherboard

None of the legal documents of Peterson-Siler’s case reviewed by Motherboard make any explicit mention of a research institute, however.

But as well as Peterson-Siler’s case, Farrell’s warrant indicated that the source had provided the FBI with 78 individual IP addresses, so it is likely that other criminal cases are dealing with the same evidence.

At this stage, it is unclear whether the FBI directed the academic institution to carry out the attack, or whether the institution approached the agency afterwards. Regardless, questions of the legality of this attack, and whether a warrant was necessary or obtained, are raised.

The FBI did not respond to multiple requests for comment.

UPDATE: After the publication of this piece, the Tor Project published a blog post claiming that researchers at Carnegie Mellon University were paid “at least $1 million” to work with the FBI.

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk,” the Tor Project wrote.

The source of the $1 million figure came from “friends in the security community,” Roger Dingledine, director of the Tor Project, told WIRED.