Five days on from the Silk Road takedown and Ross Ulbricht's arrest at the Glen Park branch of the San Francisco Public Library on Tuesday afternoon, the outline of the investigation is reasonably clear. The FBI seized approximately twenty-six thousand bitcoins (worth, at Tuesday's exchange rate, around $3.5 million; rather more at today's, given Bitcoin's run through the past week) along with the Silk Road server infrastructure itself, and the criminal complaint against Ulbricht is substantially public. The complaint is detailed enough that the takedown methodology can be reconstructed in some detail, and the methodology is interesting more for what it tells us about the operational limits of Tor's anonymity guarantees than for what it tells us about Silk Road itself.

The structural point is that Ulbricht was identified through old-fashioned investigative work rather than through any cryptanalytic attack on Tor. The complaint reads like a study in operational-security failures. In January 2011, before Silk Road was substantial, Ulbricht posted on the Bitcointalk forum under the pseudonym "altoid" promoting the new site; in October of that year the same "altoid" handle posted there again looking for an IT professional for a Bitcoin-related venture and gave his real Gmail address as the contact. A March 2012 Stack Overflow question about connecting to a Tor hidden service from PHP was posted under his real name before the account name was changed. The Gmail address resolved through Google's records to Ulbricht. Independent of that, the FBI have a parallel chain of evidence: a package of counterfeit identity documents bearing Ulbricht's photograph, intercepted in the mail on its way to his San Francisco residence; bitcoin-flow analysis of Silk Road transactions; and the fact that "Dread Pirate Roberts" (Ulbricht's Silk Road handle) was logged in to Silk Road from Ulbricht's laptop at the moment of his arrest at the library. The agents who arrested him made a point of distracting him so they could grab the laptop with the session still active.

What this tells us about Tor is that the anonymity guarantees are real but bounded. Tor protects against network-level traffic analysis and against direct cryptographic deanonymisation under the threat model the design was built for. It does not protect against operational-security failures by the user, against deanonymisation through metadata correlation across systems, or against physical-evidence chains that are independent of the network layer. Ulbricht's deanonymisation was not a Tor failure; it was a series of failures in the layer above Tor, where Ulbricht as the operator did not maintain the discipline of identity-compartmentalisation that the threat model his service was operating in required. This is exactly the structural argument I have been making in the privacy-and-encryption methodology: the cryptographic guarantee is necessary but not sufficient, and the operational-security discipline around it is where most failures actually occur.

The Bitcoin angle is the more contested part of the analysis. The FBI's bitcoin-tracing work (the complaint does not say what tooling was used, and nothing in it points to any of the publicly known blockchain-analytics tools) produced enough evidence to demonstrate that specific Silk Road operator transactions were flowing through a small cluster of addresses that they could trace back to Ulbricht's personal exchange accounts. This is a meaningful piece of intelligence in itself. The "Bitcoin is anonymous" framing that has been one of the appeals of Bitcoin as a payment mechanism for darknet markets is, on the evidence of the Silk Road investigation, substantially weaker than the public discussion has been suggesting. The blockchain is a public ledger, and pseudonymous addresses can be linked to real-world identities through any of several side channels: addresses spent together as inputs of one transaction are controlled by the same key-holder, change outputs can usually be picked out, and a single address in a cluster that is deposited to an exchange holding customer records attributes the whole cluster. The FBI did the linking competently; future law-enforcement investigations against bitcoin-paying targets will be able to do similar work, and the academic literature is starting to document the specific techniques that make this feasible. Sarah Meiklejohn and colleagues at UCSD have a paper, "A Fistful of Bitcoins", to be presented at IMC 2013 later this month, with the preprint already circulating; it is the academic foundation for the kind of analysis that the FBI evidently has built on internally.

For the engagements I run, the Silk Road takedown is going to land in two specific conversations. The first is with the Browne Jacobson team, who have asked about Tor in the context of source-protection workflows for clients in sensitive matters. The honest answer I have been giving them is what I have written above — Tor is real but not sufficient, the operational-security discipline above it is where most failures occur, and the threat model for which Tor is the right answer is narrower than the marketing of the privacy community sometimes suggests. The Silk Road case is the public reference point for that argument. The second conversation is with two of the Hedgehog clients who have asked about bitcoin-related risk in the context of customer-payment infrastructure. The post-Silk Road answer is that bitcoin is operationally less anonymous than the Silk Road operators clearly believed, and that any business model that depends on bitcoin for plausible deniability of customer identity is on weaker ground than it was last month.

The wider point — what the FBI's investigative methodology tells us about state-level capability against anonymising infrastructure — is one I am thinking about more carefully than the Silk Road case alone justifies. The combination of operational-security failures, bitcoin-flow analysis, parallel physical-evidence chains, and ultimately physical-arrest opportunism produced a deanonymisation outcome without any cryptanalytic attack on Tor itself. That is a model for how state-level investigation against pseudonymous infrastructure works in practice, and it is a model that the engagement-team material has not been emphasising enough.

The next post is probably the Adobe breach, which the customer-count revision yesterday has confirmed as one of the larger consumer-data exposures of the year, or whatever Snowden material lands first. The pace continues.
