Yesterday, the Department of Justice announced that they had arrested two undercover agents who had used the investigation into online black market Silk Road as an opportunity to go rogue and become self-made criminal tycoons.
One of the agents, Carl Mark Force IV, allegedly used technologies like Bitcoin and PGP to steal money from Silk Road’s leadership and siphon it into personal accounts. But while these systems are thought to be uncrackable, you can still use them poorly. In other words: Just because a car has great airbags and excellent safety standards doesn’t mean a shitty driver can avoid a horrible accident.
This is perfectly demonstrated in an incident where Mr. Force allegedly extorted 525 bitcoins from the Silk Road kingpin Dread Pirate Roberts (DPR) by pretending he had information about a fictional government mole named “Kevin” (irony: Mr. Force was the real government mole).
Mr. Force did one thing well: He hid his PGP keys. To decrypt a message that’s been encrypted with PGP, you need a secret, private key to unlock it. Mr. Force kept his private key hidden from other law enforcement officials—which frankly should have been red flag numero uno—and spent July 31, 2013 through August 4, 2013 having a secret exchange about the fictitious Kevin, which is thought to be the time he was allegedly trying to hustle DPR for cash.
The smoking gun is the one unencrypted message between DPR and Mr. Force. On August 4, DPR wrote to Mr. Force:
“I could not decrypt your second message, got an error. I could decrypt the first, and have sent the 525 [bitcoins] as requested. Please keep me posted and you have my word that no one else knows anything about this. I’m sorry I didn’t know how much to send before. I was afraid of offending if I sent too little and looking foolish if I sent too much. I hope I didn’t make things too difficult for you.”
Oops. Two hours later, Mr. Force sent back an encrypted message titled “use PGP!” Mr. Force put in his notes that no payment was ever actually made, but once the investigators had this key piece of information—that DPR claims to have sent Mr. Force bitcoins—Mr. Force was done for.
Transactions in Bitcoin don’t carry any personal information, but eventually any Bitcoin that you want to turn into U.S. dollars has to go through an exchange service or trading platform. On September 27, Mr. Force deposited 525 bitcoins into his own personal account on a trading service called CampBX. Special Agent Tigran Gambaryan, the investigator behind the complaint, ran a check against the blockchain—the public ledger that contains every Bitcoin transaction in history—and traced those 525 bitcoins.
They were exactly the bitcoins DPR had sent out on August 4, the day of the single, unencrypted email.
Did the government have to hack Bitcoin or PGP to uncover these damning details? No, it appears from the complaint that they didn’t. There’s a virulent debate over whether it’s even possible to crack open PGP, Tor, Bitcoin and other encrypted services, but those services are still largely believed to be secure.
But the government doesn’t have to break them, because as long as the technologies of the future are reliant on old infrastructure, they’ll be just as fallible as the technologies of the past.