Silk Road paid thousands in shake-downs from malicious hackers

The Silk Road online drug marketplace was routinely bedeviled by extortionists

When operating outside of the law, you can't rely on the police to protect your illegal enterprise from other criminals.

The Silk Road marketplace founders likely learned this lesson in 2012 and 2013, after paying thousands of dollars to cyber extortionists who threatened to expose serious site vulnerabilities or hit it with denial of service attacks, according to evidence presented in federal court in Manhattan on Wednesday.

The extortion information emerged during testimony from U.S. Internal Revenue Service special agent Gary Alford, who had subpoenaed the emails of defendant Ross Ulbricht as part of his investigation. Ulbricht is on trial at the U.S. District Court for the Southern District of New York for narcotics and criminal enterprise charges in relation to Silk Road.

According to prosecutors, Silk Road facilitated the exchange of $1.2 billion in illegal goods, mostly drugs, and generated $80 million in commissions for the operators from 2011 until October 2013, when the site was shuttered by law enforcement. Like an eBay for unlawful goods, Silk Road matched sellers with buyers, who used bitcoins to pay for goods that were delivered through the mail.

On at least two separate occasions, Silk Road operators paid malicious attackers ransoms in exchange for keeping the site up and secure.

During his testimony, Alford showed an email received by Silk Road in November 2012 claiming to have found a serious vulnerability in the site's software. The e-mail, from an anonymous sender, asked for $5,000 in exchange for not exposing the flaw, or $15,000 to offer full details on how the flaw operated and how it could be exploited.

A spreadsheet found on the computer Ulbricht was using at the time of his arrest suggested that $15,000 was paid out shortly after the email was received. An entry for a debit for that amount was annotated with the phrase "pay off hacker."

Chat log files between the Silk Road admin identified as Dread Pirate Roberts -- whom prosecutors have alleged is Ulbricht -- and another administrator of the site, also indicate the extortion fee was paid. The fellow administrator consoled Dread Pirate Roberts by writing: "You're still way richer than he is."

In April 2013, Silk Road was subjected to another shake-down. An anonymous party had hit the site with a distributed denial of service (DDOS) attack, which can congest servers to the extent that legitimate users can't access the targeted site. Silk Road paid $10,000 to stop the attack, according to the site's ledger. However, the attack continued even after the money was deposited to an anonymous account, according to Dread Pirate Roberts chat logs.

In addition to drugs, Silk Road also sold hacking tools, according to prosecutors. Alford testified of buying, undercover, a "Hacking Pack," that included 115 "hacking tools and programs" from the site. When the pack was purchased, the vendor emailed a list of links that the buyer could follow to download the programs, including some that supposedly offered the ability to remotely take control of a Web site.

Federal prosecutors maintain that Ulbricht was the mastermind behind the Silk Road site. Ulbricht was charged with narcotics conspiracy, engaging in a continuing criminal enterprise, conspiracy to commit computer hacking and money laundering. The narcotics and criminal enterprise charges carry maximum penalties of life in prison. Ulbricht has pled not guilty to all charges.

Ulbricht's defense lawyer, Joshua Dratel, argues that Ulbricht handed off the site to other operators shortly after he started it, and that he rejoined immediately prior to his arrest, lured back in by the new operators to serve as a fall guy.

The case is being overseen by District Judge Katherine Forrest of the Southern District of New York.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Lock down your servers more easily: A look inside the Microsoft Local Administrator Password Solution
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies