A Tale Of Greed and Stupidity

As the Silk Road case winds down, Ars Technica posted a great article (seriously, read it) summarizing one of the most interesting aspects of the entire case.

It is the story of how two corrupt officers in the DEA and Secret Service attempted to use the Silk Road investigations to illegally profit from, and abuse, the authority entrusted to them. After reading the article above I became interested in the case and decided to read the criminal complaint filing. Within it there were lots of interesting explanations of how the investigators were tipped off to the possibility of the corrupt activity, as well as how they were able to produce the necessary evidence for the case.

Background

Defendants

The two corrupt officers referenced in the filing were Carl Force and Shaun Bridges. The two were not cooperating with each other during the relevant time. When interviewed, Bridges also stated that he did not know Force well and that they only worked together on the Silk Road case.

Force was a 15 year veteran of the Drug Enforcement Agency (DEA). During the timeframe of the investigation, Force was the only member of his family receiving an income, as his wife was a homemaker. This fact proves to be important later when tracing Force’s income.

Bridges was a computer forensics expert working for the Secret Service. He became a suspect after a very large theft took place on Silk Road shortly after the Feds gained full access to it through the capture of C.G. (Curtis Green), a Silk Road admin.

Bitcoin

Bitcoin is a digital currency that records all transactions on a distributed public ledger called the block chain. The block chain is updated six times an hour with every transaction and balance for each Bitcoin address. While Bitcoin is used to move money anonymously, it is possible (as demonstrated later on) to trace financial transactions on the block chain.

Carl Force, A Man Of 3 Faces

Force was employed by the DEA to investigate and determine the identity of DPR. Force regularly interacted with DPR using the identity of ‘Nob’. He and DPR would communicate using PGP to encrypt their messages. Force was expected to provide decrypted versions of all the messages in his reports on the investigation. However, PGP requires the private key to decrypt messages, and Force never provided that key in his reports. The criminal complaint states that the prosecutor repeatedly told Force the importance of providing all communications. This suggests that Force knowingly did not want the DEA to see all the messages he exchanged with DPR, and it was confirmed when messages that Force never reported were discovered.

Nob

Force noted that while acting under the Nob identity, he advised DPR that his ‘friend Kevin’ wanted a ‘donation’ of bitcoins in exchange for insider information on the Silk Road investigation. He claims that he provided DPR with a Bitcoin address, but noted that no payment was ever made.

As it turns out, Force did not include in his reports the actual address he sent to DPR for the payment to ‘Kevin’. By withholding this address, Force was intentionally hiding information from the DEA so that they could not trace whether a payment was ever made. This became clear to the investigators after the following exchange was discovered:

Oh look, not even criminals/LE can use PGP safely
The trace of the 525 bitcoin transferred from DPR to Force

French Maid

One of the ‘unofficial’ identities Force used was the French Maid persona. Logs kept by DPR on his computer revealed that French Maid sold DPR information about the Silk Road investigation in exchange for Bitcoins.

Entries in Ulbricht’s logs show interactions with a ‘French Maid’

The Baltimore Silk Road Task Force had kept much of the information regarding Silk Road on a need-to-know basis, so only someone with connections to the specific case could have revealed this information to DPR. A review of emails revealed that Force was one of the few individuals who had access to this information, which added to the evidence against him.

Cross-referencing the information Ulbricht got with who knew about it at the time pointed to Force

While under the ‘French Maid’ identity, Force still used PGP (as he did under the ‘Nob’ identity) to communicate with DPR. He made two mistakes that made the investigators suspicious:

  1. Force used an old version of PGP (1.4.12, released January 2012) which was considered outdated by August 2013, when ‘French Maid’ first appeared. Since PGP is free, it seems strange that neither ‘French Maid’ nor Force (as ‘Nob’) bothered to update it.
  2. Under both identities Force used the same default PGP settings. For example, he left the header in place that reveals the PGP brand and version used. (On a side note, this is why it’s important to leak as little metadata as possible when hiding from a very powerful adversary.) Force also used 2048-bit keys while most other Silk Road users preferred 4096-bit keys for additional security.
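The second mistake is easy to check mechanically. The following Python, added here and not part of the complaint or the article, parses the armor headers of ASCII-armored PGP messages and groups personas whose messages carry an identical header fingerprint, which is the kind of correlation that tied ‘Nob’ and ‘French Maid’ together. The sample messages are constructed and assume the GnuPG armor header format (the 1.4.12 version number is the one named in the complaint); the ‘outdated’ cut-off is a value chosen for the example.

```python
import re
from collections import defaultdict
# Constructed sample messages, one per persona. Only the armor headers matter;
# the base64 bodies are placeholders, not real ciphertext.
SAMPLES = {
    "nob": """-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQEMA0pgIVxhd3pBAQf+placeholder=
-----END PGP MESSAGE-----""",
    "french_maid": """-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQEMA2xrc3Rpb25zAQgAplaceholder=
-----END PGP MESSAGE-----""",
    "other_vendor": """-----BEGIN PGP MESSAGE-----

hQIMA9rVZ2VyaW91c0EBD/9placeholder=
-----END PGP MESSAGE-----""",
}
VERSION_RE = re.compile(r"GnuPG v(\d+)\.(\d+)\.(\d+)")

def armor_headers(armored: str) -> dict:
    """Armor header lines (Version:, Comment:, ...) as a dict; no headers yields {}."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored PGP block")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line separates headers from body
        key, sep, value = line.partition(": ")
        if sep:
            headers[key] = value.strip()
    return headers

def fingerprint(headers: dict) -> str:
    """Collapse a header set into one comparable string."""
    if not headers:
        return "<no armor headers>"
    return "|".join(f"{k}={v}" for k, v in sorted(headers.items()))

def is_outdated(version_header: str, reference=(1, 4, 14)) -> bool:
    """True if the advertised GnuPG version is older than `reference` (a cut-off chosen for this example)."""
    m = VERSION_RE.search(version_header)
    return bool(m) and tuple(int(x) for x in m.groups()) < reference

def correlate(samples: dict) -> dict:
    """Group personas whose messages carry an identical header fingerprint."""
    groups = defaultdict(list)
    for persona, armored in samples.items():
        groups[fingerprint(armor_headers(armored))].append(persona)
    return dict(groups)
```

Run over the three samples, `correlate` puts ‘nob’ and ‘french_maid’ in the same group while the persona with no headers stands alone; the same loop applied to your own outgoing messages is a quick check that your tool is not advertising itself.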

Death From Above

The third and final identity Force was accused of taking was ‘Death From Above’. Just like ‘French Maid’, there is no mention of it ever existing in his reports. Since this identity was not authorized, Force was not permitted to communicate using it; however, he knowingly did so for his own gain. When investigators analyzed the hours of screen-recording footage Force submitted for the Silk Road case (as ‘Nob’), they found a short segment where Force is logged in to the ‘Death From Above’ persona (below).

Whenever you think you did something stupid, just remember you weren’t the idiot who did this.

The existence of this evidence proved three things to the investigators:

  1. Force had a history of creating fictitious personas that he did not report to his superiors or the Silk Road prosecutor
  2. Force had a history of soliciting payments from DPR (blackmail, services, insider info)
  3. Force had a history of providing sensitive LE information to outside individuals without authorization

CoinMKT

Force had a two-fold relationship with CoinMKT: he was a major investor in the company as well as a full-time DEA agent who used the company to investigate digital currencies. Emails show that Force was actively negotiating with CoinMKT to become its Chief Compliance Officer. Early on it appears that CoinMKT was hesitant to partner with Force due to the possibility of there being a conflict of interest:

Force offers to make queries on a federal criminal database (for non-LE reasons), which is illegal

Force also used his influence with CoinMKT to steal Bitcoins from certain users. On February 8th, 2014 Force directed CoinMKT to suspend the account of a user by the name of R.P., whom he claimed the Feds were investigating for money laundering. He then instructed a DEA analyst to run a criminal check on R.P., which found the following:

  1. R.P. previously withdrew $17,000
  2. R.P. had a felony conviction for vandalism
  3. R.P. was a self-employed actor

CoinMKT expressed that they were reluctant to carry out a seizure unless Force provided something in writing. So Force prepared two Standard Seizure Forms (SSFs), the form the DEA completes whenever funds are seized:

  1. The first form dated April 3, 2014 for seizing approx. $37,000 from R.P.
  2. The second form dated March 12, 2014 for approx. $297,000 worth of digital currency

Force then instructed an Asset Forfeiture Specialist (AFS) not to input the second form into the Consolidated Asset Tracking System (CATS) but to “hold onto it for a few months”. The AFS made a handwritten note on the form to this effect. Force included a copy of the first form in the Silk Road investigation but made no mention of the second in the case file.

This suggested to the investigators that Force was attempting to hide the seizure from his superiors, who would not have been familiar with digital currency. In addition, the seized digital currency never made it into an official DEA or government account; instead it was deposited into Force’s personal Bitstamp account. It turns out that the DEA never opened an actual case against R.P. and that Force (surprise, surprise) had no legal basis to seize R.P.’s balances.

Venmo

Force contacted another Bitcoin service that he used, Venmo, on February 13th, 2014, requesting that they unlock his account. He informed them that the account of R.R. (not the same person as R.P. above) was under investigation. On February 17th, 2014 Force served a subpoena on Venmo to unlock his account. He sent this from his official DOJ email and CC’d his personal email. Venmo still did not respond, so Force tried some more tricks:

It turns out that while the subpoena bore the signature of Force’s supervisor A.P., it was not actually signed by him. In an interview with investigators, A.P. stated that he did not sign or review the subpoena and believes instead that Force used a signature stamp without A.P.’s knowledge or permission. Because of this, the investigators felt there was probable cause to believe Force committed a conflict-of-interest violation as well as attempted to obstruct justice by using official government subpoenas for personal matters.

Bitstamp

Force attempted to create an account using his DEA-issued undercover ID, but Bitstamp rejected the documents as not genuine. Force then provided his personal ID documents and the account was created (protip: don’t ever do this if you want to engage in criminal activity). This account was associated with two of Force’s personal email accounts as well as his checking account at M&T Bank.

On April 18th, 2014 Force requested a withdrawal from Bitstamp to deposit $80,000 into his M&T bank account. This was flagged, causing Bitstamp to perform additional know-your-customer checks. On noticing that Force had used TOR to access the account, Bitstamp decided to block access. Force then made the following statement in an attempt to unblock his account:

Bitstamp, however, was still not satisfied; they wanted to know why Force was attempting to access his account via TOR. Force claimed the following:

I utilize TOR for privacy. Don’t want NSA looking over my shoulder :)

This seemed very strange to Bitstamp management; why would a government official be afraid of the NSA seeing their transactions? Bitstamp chose to leave his account blocked as they were suspicious of his intent. Force eventually got his account unlocked, but this would not be the only time it was blocked; with the help of another agent (Bridges), Force was able to have it unlocked several more times.

Investigators believed (and had evidence from the block chain) that the Bitcoin Force was depositing belonged to the government and was not, as he claimed, Force’s personally acquired Bitcoin. On May 2nd, 2014 Force contacted Bitstamp and requested that they delete all transaction history associated with the account. Based on the timing, investigators believe this was an attempt to conceal his activities.

The Finishing Touch

After reviewing Force’s financial history (bank accounts, transactions, spending, etc.) it became obvious to the investigators that Force’s financial situation and spending increased dramatically during 2013–2014, the timeframe of the Silk Road investigation.

For the two years before Silk Road, Force deposited approx. $250,000 into his bank accounts, an amount consistent with his salary. However, during the Silk Road case Force deposited approx. $776,000 into his accounts. This aligns with the amount of missing Bitcoins and casts some serious suspicion on where he acquired the funds.

Force was able to pay off a $22,000 government loan, pay off his outstanding $130,000 mortgage and invest $15,000 in three real estate properties.

When Force learned that he was being investigated, he asked to arrange a meeting with investigators and signed a Proffer Agreement. Force was asked whether he had ever used the ‘French Maid’ persona, and Force denied that he had.

Shaun Bridges

Bridges was a Secret Service agent who worked on the Silk Road case along with the DEA and, notably, Carl Force. Bridges was suspected of stealing Bitcoins from Silk Road during the investigation, Bitcoins which eventually became government property.

Security cameras show Bridges leaving with a bag. The government said the bag contained hard drives with the keys to access his Bitstamp wallet. (source: ars technica)

Curtis Green ( C.G.)

Curtis Green, under the username “Flush”, was a systems administrator employed by DPR to manage the Silk Road website. This unique role gave Green a high level of access to the Silk Road servers, making him an ideal target for the Feds. Around January 17, 2013 Force and Bridges were part of the team that apprehended Green. Soon after his arrest Green cooperated with the Feds and gave up passwords, accounts and any other information he knew.

DPR (D̶r̶e̶a̶d̶ Dead Pirate Roberts)

On January 26th, 2013 DPR told “Nob” that there had been large thefts on Silk Road associated with Green’s account. When questioned about this, Green denied committing the thefts. It should be noted that Bridges left early that day and so could not participate in any investigation activities. DPR, however, was convinced that Green’s account “Flush” had committed the thefts. Since DPR had no way to know that Green was actually under arrest, he could not have known that it was someone else (can you guess who?).

DPR told “Nob” that he wished to hire his services to kill Green. DPR believed that “Nob” was a drug dealer with connections to hitmen for hire. In exchange for the hit, DPR paid “Nob” approx. $80,000 via a bank wire transfer (DPR? More like DERP). Force, with the assistance of the Baltimore Silk Road Task Force, faked Green’s death to make it look like a hit. Bridges assisted by creating “proof of death” photos of Green.

This little transaction sealed the deal for DPR: the Feds had proof that he willingly hired a hitman to assassinate one of his employees. This would prove to be one of the crucial pieces of evidence at DPR’s sentencing.

Tracing The Bitcoin

A review of Bridges’ accounts revealed that between March 6th 2013 and May 7th 2013 his account received nine wire transfers from Mt. Gox (a bitcoin exchange). Two days later Bridges presented a seizure warrant to Mt. Gox for $2.1 million. Bridges was also working under the guise of a separate investigation to contact Coinbase (another exchange) about how Mt. Gox accounts could be traced.

Feds traced Bridges’ attempted theft of Bitcoins from Silk Road into his personal account

Based on this behaviour the investigators believed that Bridges used the “Flush” account to fraudulently act as an administrator, reset the passwords on accounts, and then move the bitcoins owned by these accounts into a wallet and on to Mt. Gox. The complaint states that this constitutes probable cause to believe that Bridges committed wire fraud.
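As an added illustration of the forward tracing described in this section (example code, not from the complaint, the article or any investigator’s tooling), the following Python walks a constructed toy ledger from the accounts the coins left, through intermediate addresses and change outputs, until the coins reach deposit addresses whose owner is already known from an exchange’s customer records. All addresses, transaction ids, account names and amounts are placeholders.

```python
from collections import defaultdict, deque
# Constructed toy ledger. Each transaction spends from its input addresses and
# pays its outputs; addresses are placeholders, not real Silk Road or exchange
# addresses, and the amounts are made up.
TXS = [
    {"txid": "t1", "inputs": ["victim_A", "victim_B"],
     "outputs": [("staging_1", 1500.0)]},
    {"txid": "t2", "inputs": ["staging_1"],
     "outputs": [("staging_2", 900.0), ("staging_1_change", 600.0)]},
    {"txid": "t3", "inputs": ["staging_2"],
     "outputs": [("exchange_dep_X", 900.0)]},
    {"txid": "t4", "inputs": ["staging_1_change"],
     "outputs": [("exchange_dep_Y", 599.9)]},
    {"txid": "t5", "inputs": ["unrelated"],
     "outputs": [("exchange_dep_X", 5.0)]},
]
# Attribution the investigator already holds, e.g. deposit addresses an exchange
# has confirmed belong to one customer account (constructed placeholder).
KNOWN_OWNERS = {"exchange_dep_X": "exchange acct 4711", "exchange_dep_Y": "exchange acct 4711"}

def spends_of(txs):
    """Index address -> transactions that spend from it (the forward edges)."""
    idx = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            idx[addr].append(tx)
    return idx

def trace_forward(txs, start_addrs, known, max_hops=8):
    """Breadth-first walk from the addresses the coins left, following every
    output (change included) until it lands on an attributed address.
    Returns (txid_path, address, owner, btc) for each such landing."""
    idx = spends_of(txs)
    hits, visited = [], set()
    queue = deque((a, ()) for a in start_addrs)
    while queue:
        addr, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for tx in idx.get(addr, []):
            if tx["txid"] in visited:   # a tx fed by several traced inputs is walked once
                continue
            visited.add(tx["txid"])
            new_path = path + (tx["txid"],)
            for out_addr, btc in tx["outputs"]:
                if out_addr in known:
                    hits.append((new_path, out_addr, known[out_addr], btc))
                else:
                    queue.append((out_addr, new_path))
    return hits

def total_to_owner(hits, owner):
    """Sum the traced coins that ended up with one attributed owner."""
    return round(sum(btc for _, _, o, btc in hits if o == owner), 8)
```

On the toy ledger, both the main flow (t1, t2, t3) and the change branch (t1, t2, t4) end at the same customer account, while t5, which merely shares a deposit address, is never reached because the walk only follows coins that left the starting accounts.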

During The Investigation

Bitstamp advised Bridges by phone that they suspected Force of wrongdoing and intended to bring it to the attention of LE via a Bank Secrecy Act filing, which they did on May 1st 2014. On May 2nd an official investigation was opened by the U.S. Attorney’s Office, and on May 4th 2014 a subpoena was served on Venmo.

On May 28, 2014 Bridges was interviewed by the FBI Public Corruption Squad. He was accompanied by an attorney representing him and a high-level superior from the Secret Service. During the interview Bridges stated the following:

  • He knew Force through the Baltimore Silk Road Task Force but had minimal contact with him
  • He had no knowledge of Force’s purchases of Bitcoins
  • Force was unprofessional and after the Bitstamp filing, Bridges briefed the Special Agent in Charge (SAC) of the Baltimore Field Office
  • Denied that he ever told Force about the Bitstamp filing
  • Denied owning Bitcoins in over a year

Days after being questioned, Bridges transferred approx. $225,000 from his Quantum Fidelity account into a different account in the name of a third party at another financial institution. Investigators suspected that Bridges was laundering funds in an attempt to conceal their origin.

Suspension

On March 18th, 2015 Bridges was told that he was being suspended. His reaction was to resign from the Secret Service. He was told to leave behind his two government-issued computers. Bridges gave up one of the computers following the appropriate procedures; however, he placed the second laptop in a cabinet above an area used as a “wipe” station. USSS told the investigators that this area was not used to store laptops, which casts some suspicion on Bridges’ intent.

After his suspension he asked his supervisor if he could access his Dell laptop to copy receipts for personal items he had purchased. Instead of copying said receipts, he attempted to copy a folder named “Bitstamp”. His supervisor noticed this, secured the laptop and prevented Bridges from having further access.

Finale

Ultimately, Force and Bridges were charged with the following:

Force

  • Theft of Government Property (seized Bitcoins)
  • Wire Fraud
  • Money Laundering
  • Conflict of Interest

Bridges

  • Wire Fraud
  • Money Laundering

This twist in the Silk Road investigation should serve as an example of what happens when you have poor operational security (depositing stolen money into your personal account). It should also show anyone who claims Bitcoins are “totally anonymous” that it is in fact quite easy for a powerful adversary to trace them.