It only took about one month from the time the Silk Road drug-dealing website was busted for a successor to be created. The new site, like the old, was on the “Darknet,” only accessible via an anonymizing Tor browser. It called itself “Silk Road 2.0” and kept the appearance of the old site, down to the green nomad-and-camel logo. Its creator named himself Dread Pirate Roberts, after the first site’s admin.
It’s said imitation is the sincerest form of flattery, and the second Silk Road was certainly flattering to the first. “It is with great joy that I announce the next chapter of our journey,” announced the new Dread Pirate Roberts last November, writing on a Tor-only forum about the black market. “Silk Road has risen from the ashes, and is now ready and waiting for you all to return home.”
He added that he had “taken steps the previous Dread Pirate Roberts wouldn’t have even thought of.”
Whatever those steps were, they weren’t enough to protect the site from old-fashioned human infiltration. The new Dread Pirate Roberts, or DPR2 as the feds call him in their criminal complaint [PDF], is still at large, but the FBI has their man. The real power broker on the site was “Defcon,” who prosecutors say is Blake Benthall, a 26-year-old San Francisco programmer arrested Wednesday.
Undercover agents had been watching the idea for the site germinate in discussion forums. Within several weeks, an undercover agent from Homeland Security Investigations (HSI) wasn’t just perusing goods on the new site—the agent was on staff, with access to special discussion forums and technical data.
At the same time that the agent was working his way into the ranks of trusted staff at Silk Road 2.0, the hierarchy was in motion. The new Dread Pirate Roberts, called DPR2 by the FBI, was on his way out. His “second-in-command,” named Defcon, was taking control of the site. That hierarchy was explained publicly at one point, when DPR2 went off the grid for a few days.
“It has been over 24 hours since we last heard from our Captain,” wrote Defcon in December 2013, days after three Silk Road 1.0 admins were arrested. “He is most certainly in grave danger… as his second in command, I have very clear instructions as to what to do in this worst case scenario… I cannot elaborate on the specifics, but the marketplace is safe in my hands until the Captain returns or his successor appears.”
The captain did come back, but by December, it was Defcon who was fully in command, say the feds. Over the next several months, the site would do millions of dollars of sales in narcotics and other illegal items, like fake passports and drivers’ licenses. Silk Road 2.0 made its money through a 5 percent commission on each purchase.
Hunting for Defcon
“We are the most major market on the darknet site at this point,” Defcon wrote on January 5. With that came security responsibilities. In a seller-only section of the SR2 forum, he wrote:
We are in a position to teach an incredibly valuable life skill for this buyer community: Always encrypt… we are doing this more for buyers’ sake than vendors’ sake. PGP encryption teaches users to never enter their address on ANY darknet site, which greatly decreases LE’s ability to set up honeypots.
By January, the undercover agent had been elevated to a paid position. He got regular payments, all arranged by Defcon, beginning on January 23. Over the course of the year, he was paid 83.39 Bitcoins in all, or $32,189 based on current exchange rates.
By May 2014, the agent used that inside access to get what they really needed: an actual, specific server. Law enforcement in the unnamed foreign country where the server was located made an imaged copy and gave it to the FBI. Posts in SR2 forums complained about service outages during the imaging process.
The imaged server was a gold mine: it had configuration files for the SR2 forums, the private cryptographic key for the forum, even chat logs of conversations they believe were between Dread Pirate Roberts 2 and Defcon.
In a January 28 chat, they discussed the arrest of “btcking,” the pseudonym of Robert Faiella, who helped run Silk Road 1.0. Defcon assured DPR2 he had “disabled [btcking’s] account, changed passwords, refunded unshipped orders, removed listings.”
The arrest was a reminder to DPR2 that he wanted to get out of the picture. “With every bust my retirement hastens,” he wrote.
They discussed a “pension plan” in which DPR2 and Defcon would split the site’s earnings 50/50 “up until you [DPR2] left.”
Linking the server to Blake Benthall wasn’t exactly rocket science. “The server was controlled and maintained during the relevant time by an individual using the email account ‘firstname.lastname@example.org,’” wrote Vincent D’Agostino, the FBI agent who signed the complaint.
It was a Google account, registered to Blake Benthall. (Google Apps allows users to register a Gmail account with a personal domain name.) He used the same e-mail in his public profile on GitHub, and his public Twitter profile shows that benthall.net was his website.
“All this talk about the #SilkRoad being back up just makes me want to watch #ThePrincessBride,” Benthall had retweeted on November 6.
The FBI gathered more data on Benthall. Through an unnamed US-based Bitcoin exchanger, he received $273,626.60 worth of Bitcoins. In January, he made a down payment of about $70,000 on a Tesla Model S, worth $127,000.
In April, the undercover agent saw that Defcon was logged in to the support interface—not using Tor—with a specific (outdated) version of Apple OS X and a beta version of the Google Chrome browser. Later, they would be able to compare those records to ones they got from the Bitcoin exchanger, which show that Benthall logged in on the same day, using the identical combination of software.
The FBI began physical surveillance as well. They watched him in September while he visited family in Houston. On September 10, at 7:55pm, Defcon posted a public message to the SR2 forum. Five minutes later, his forum account went inactive. At 8:07pm, Benthall left the residence he was staying at. He came back at 3:39am. Three minutes later, Defcon was back online and posted a message to his staff.
They also watched the Internet traffic out of the house he stayed at, noticing “a significant volume of Tor-related traffic,” which stopped on September 14, when Benthall traveled back to San Francisco.
While Benthall was in Texas, the Silk Road suffered a major hack. On September 10, almost 3,000 Bitcoins, or $1.41 million, were transferred to a particular address. The theft temporarily closed the site, which at that point had 150,000 active monthly users, according to Defcon. He pumped 1,000 of his own Bitcoins into the site to “return liquidity to Silk Road 2.0.”
The undercover agent asked Defcon how long he thought it would take to recover the other missing Bitcoins. He estimated three months’ worth of commissions would do it. But after just one month, the site had generated about $8 million in sales and $400,000 in commissions. Even after a massive theft, Silk Road 2.0 was looking to be a very profitable venture.
Drugs, Hacks, and Passports
In the final weeks leading up to the arrest, the FBI took more detailed note of what was on the site. When Agent D’Agostino accessed Silk Road 2.0 last week, he found 14,024 listings under “Drugs,” including 1,654 listings for psychedelics, 1,921 listings for ecstasy, 1,816 listings for cannabis, and 360 listings for opioids.
One listing advertised 5 grams of “Highest Purity Cocaine — Direct From Colombia,” on sale for $488 in bitcoins. One hundred grams of “Afghan Heroin Brown Powder” was on sale for $4,555 in bitcoins. A fake Danish passport would run a buyer $2,414, while a fake New Jersey Driver’s license, including holograms, would be a comparatively cheap $98.
Another listing offered a 4-7 day effort “to HACK the website you want,” for $624. A method of hacking Gmail accounts was offered for $42.
In September and October, the DEA made purchases of heroin, cocaine, LSD, and oxycodone. They were tested and found to be genuine.
By October 2014, the site was generating about $8 million in monthly sales and $400,000 in monthly commissions, according to communications intercepted by the undercover officer.
Meanwhile, Benthall’s social media accounts suggest he had the normal life of a young man, enjoying life in San Francisco.
It’s not clear exactly when he moved to San Francisco, but his social media profiles suggest it’s been at least three years. His LinkedIn profile shows he attended Florida College from 2007-2009. He was a keyboardist and vocalist in the school’s promotional touring rock band, “The Friends.”
For about a year and a half he worked for RPX, a defensive patent aggregator, “writing intelligent big data tools for automated analysis of the patent market.” The profile also shows that he had a five-month stint working at SpaceX, Elon Musk’s private space flight startup, which lasted until March of this year. The most recent job experience is for “Codespike,” which he describes as “a collective of makers who love to design and build common-sense software.”
“Facing a ‘now what’ moment at the end of StartupBus,” wrote Benthall on Facebook on March 8. He went to the SXSW music festival. On March 10 he wrote: “anyone want to move to Austin? #thingsisayeverysxsw.”
Later that month, he was back in San Francisco, participating in “Hacktivation for the Homeless.” He wrote on Facebook: “if you have a heart for the TL [Tenderloin neighborhood], swing by. you don’t need to know how to code.”
Like Ross Ulbricht, he seemed to have at least some attraction to libertarian ideas.
“[A]migos I need your help,” he wrote in August. “Who are the most libertarian people you know? I want to meet them… on the edge of launching a very libertarian finance startup, would love to talk.”
His last Instagram and Twitter posts were from last week, when the Giants won the World Series. Things got fairly chaotic in his Mission neighborhood. “[T]hanks for leaving the riots to the professionals, Kansas City #sf #giants,” he tweeted.
Ars reached out to Benthall’s father, who declined to comment on the situation.
A former co-worker, who declined to be named because he didn’t want his company associated with the arrest, described Benthall as “a talented developer.” They stayed in touch after he moved on.
Benthall appeared in court Thursday for an initial hearing, wearing a gray hoodie that had “INTERNET BETTER” printed on the back. Prosecutors told the magistrate judge he had admitted to his role as administrator of the site. He’s due back in court today and is expected to be transferred to New York.