“I imagine that someday I may have a story written about my life and it would be good to have a detailed account of it.” —home/frosty/documents/journal/2012/q1/january/week1

The descent was stunning. Chris Tarbell, a special agent from the New York FBI office, was in a window seat, watching a green anomaly in a sea of blue as it resolved into Iceland’s severe, beautiful landscape. On approach to Keflavík International Airport, he could now see the city of Reykjavik coming into view. And just beyond that, perched on the edge of a moss-covered lava field: the massive matte-white box that housed the Thor Data Center. That’s why Tarbell and two US attorneys had come all this way. Thor was the home of a computer with a very important IP address, one that Tarbell and his FBI colleagues had discovered back in New York—the hidden server for a vast online criminal enterprise called Silk Road.

They’d been working on this case for months, as had federal agents across the country, in a wide-ranging digital manhunt for Dread Pirate Roberts: the mysterious proprietor of Silk Road, a clandestine online marketplace that functioned like an anonymous Amazon for criminal goods and services. Silk Road investigations had been launched by Homeland Security, the Secret Service, and the DEA office in Baltimore, where an agent named Carl Force had been working an undercover identity as a Silk Road smuggler for more than a year.

Tarbell and his team—known as Cyber Squad 2 (or CY2 for short and “the Deuce” for fun)—were relative newcomers to the case. The other agencies had dismissed the FBI, partly because of interagency bluster and partly because the traditional agents who thought casework was all guns and grime and grit had no respect for the eggheads from cybercrime. But in the midst of this enormous law enforcement effort—mostly fruitless so far—Tarbell and CY2 had found the first promising lead in the case.

Cybercrime agents spend a lot of time at their desks, and it was exciting to be in the field. Down below they could see Iceland’s fierce geology, all jutting rock built up from the water by volcanoes. Beneath the surrounding ocean are the massive cables that make the country an important location for web traffic; the island is nearly equidistant between North America and Europe, and its forbidding geography and climate reduce cooling costs and provide free geothermal power. One of the attorneys told Tarbell about Iceland’s tectonic forces—the North American and Eurasian plates, slowly tearing open a growing chasm. Really puts you in your place, Tarbell thought.

Once on the ground in Reykjavik, Tarbell and the lawyers met with their counterparts and explained why they’d come. Silk Road had eluded law enforcement for almost three years because it ran on Tor, a kind of cryptographic camouflage that made it nearly impossible to see the site’s users, vendors, or servers. Until Tarbell made a chance discovery.

His investigation had started entirely at his desk with virtual gumshoe diligence, poking around Tor’s IP publishing protocol and spending time on Silk Road looking for chatter about the site’s security. His lucky break came from a thread on Reddit: A user posted a warning that Silk Road’s IP address was “leaking”—visible to other computers. Dread Pirate Roberts (or DPR, as he was often called) had been alerted to the problem by a user but ignored the warning. Silk Road’s success was making DPR arrogant. He had let down his guard, confidently telling colleagues that the site would never be found.

Tarbell threw data at Silk Road, hoping to see the leak. He entered usernames with bad passwords (and vice versa) and pasted data into input fields—all the while using regular old freeware to analyze network traffic and collect the IPs communicating with his machine. Then he tested those. On June 5, 2013, after staring at IP addresses for hours, Tarbell pasted one of them—193.107.86.49—into a browser and suddenly there it was: the Silk Road Captcha field. He showed it to fellow agent Ilhwan Yum and to Tom Kiernan, the civilian computer technician who formed the technical backbone of the cybersquad. This was what the team had been waiting for: a misconfiguration somewhere on the site that revealed the real IP address of Silk Road, which Tarbell proceeded to trace all the way to the state-of-the-art facility in Iceland.

Tarbell had been to the island nation once before and knew some of the officials at the meeting. There was an Icelandic prosecutor present—Tarbell was mildly distracted by how attractive she was, with her fitted skirt, secretary glasses, and hair in a bun—and an attaché from the US embassy. It’s a delicate thing, making requests of another government—a US attorney had written up an official letters rogatory petition, requesting that Iceland honor the bureau’s investigative requests—but the Icelandic authorities were accommodating, and the meeting was over in an hour. Not long thereafter, an Icelandic police detachment entered the immaculate foyer of the Thor Data Center.

What kind of data center has a foyer? The kind that also has a gleaming glass front and a spotless floor and houses the world’s first zero-emission supercomputer. Cybercrime forensics often means untangling wires from machines stuck in some basement. Thor looked like the future. Past the foyer’s key card entry was a former airplane hangar in which sat a double-high shipping container, bright blue with silver ducts, full of servers. Inside were three rows of blades lined up floor to ceiling, flashing with blue lights. There was a chill in the air and the thrum of a thousand fans, all powered by Vulcan forces from the rock below. The Icelandic authorities found the correct box and discovered that it had a mirror drive, a duplicate set of contents. They pulled the mirror, returned to Reykjavik, and handed the drive to Tarbell. And just like that, he was holding Silk Road in his hand.

Even on first glance the site’s volume was surprising: On July 21, 2013, around the time Tarbell landed in Iceland, DPR’s account received 3,237 transfers totaling $19,459, which would give DPR an annualized income of more than $7 million. The data center also kept system logs for six months; they could see all the other computers that had recently communicated with this machine. It was an investigative windfall.

After returning to New York, Tarbell started unspooling the electronic threads that led from the Iceland machine to computers around the world. They looked at traffic recorded for port 22—the encrypted connection where admins log in—and discovered several non-Tor IPs: a backup near Philadelphia, a hosting proxy server in France, a VPN in Romania.

On the wall of the CY2 computer lab, Tarbell mounted an 8-foot sheet of plotter paper and constructed the classic crime investigation visual, with a skein of lines mapping the complicated relationship of leads and evidence. But rather than the traditional godfather surrounded by his capos, this chart centered around a server in Iceland and a sprawling cryptographic computer network.