You may have heard that the infamous Dread Pirate Robets AKA Ross Ulbricht’s Silk Road was taken down thanks to a problem in his anonymous Tor server. Now, however, Brian Krebs has shown us just how the Feds found Ulbricht’s server and, additionally, the pirate himself.
A hole in the Silk Road’s anonymity appeared because of a leaky CAPTCHA prompt. CAPTCHA, as we all well know, is the little box that some sites use to prevent robots from filling out forms. If misconfigured, it will point to the server to which it is connected. On a non-anonymous server this would be a non-issue. However, Ulbricht’s anonymous server was misconfigured and sent out the actual IP address of the Silk Road machines with every hit to the login page.
The government described their process in a US District Court filing:
Is this real? As many have noted, there is some possibility that Tor itself is compromised and that this admission is a cover but, if Occam is to be believed, parsimony will out.
In short, Ulbricht mixed anonymized and non-anonymous resources and misconfigured things to release his IP. One would presume this won’t happen again as thousands of CAPTCHA prompts wink out of existence, but it shows just how hard it is to be completely invisible online.