Mistakes that betrayed anonymity of former DEA agent and Silk Road investigator

Mar 31, 2015

Here are some interesting tidbits from a 95-page criminal complaint about a former DEA Special Agent and Silk Road, ranging from a comment about NSA snooping to mistakes that betrayed the former agent's anonymity.

Wow, just wow; it might be weird to suggest a 95-page criminal complaint (pdf) is a good read, but you might feel like you watched some cybercrime drama show after reading about the scheming and alleged crimes of a former DEA Special Agent and a former U.S. Secret Service Special Agent who were part of the investigation into Silk Road and Ross Ulbricht, aka Dread Pirate Roberts.

Instead of writing “alleged” 50 times to describe one of the scumbag, completely corrupt agents, just assume all of this describes mere allegations. Additionally, some italics were added to emphasize specific points.

Former DEA Special Agent Carl Force made numerous mistakes – other than the whole huge bitcoin theft and other alleged crimes, which had him charged with “wire fraud, theft of government property, money laundering and conflict of interest” by the DOJ. Here are a few of Force’s mistakes that betrayed his anonymity, mistakes that jumped out from the criminal complaint (pdf), although IRS Criminal Investigations Special Agent Tigran Gambaryan spelled out many more.

DEA’s Force, using the alias Nob to communicate with Dread Pirate Roberts (DPR), “repeatedly emphasized” the need for DPR to use PGP (Pretty Good Privacy) encryption for all their communications. That might have helped convince DPR that Nob was a credible “criminal,” but Force’s official case file did not contain any of the private PGP keys or passwords that were needed to decrypt the encrypted communications between the two. Force also did not give the PGP keys to any of the pack of law enforcement agencies involved in Silk Road investigations to help them build decipherable, admissible evidence.

“Nob” (aka Force) told DPR that he had access to “Kevin,” a corrupt government employee. Nob used this scenario with fake insider info to get DPR to pay him twice in bitcoins equaling about $90,000. The point is less about him “wrongfully” depositing “substantial portions of both payments into his own” personal CampBX and later Bitstamp accounts and more about a mistake.

Force of course denied making off with a fortune in bitcoins, claiming 400 of them were “at the DEA” and that he never received a 525 bitcoin payment. But he left a note to himself in a saved drafts folder in one of his personal email accounts; it referenced “two transfers of bitcoin payments from DPR.” The complaint states, “In other words, Force’s own saved email note indicates there was a payment from DPR on August 4, 2013.”

Besides the alias of “Nob,” Force communicated with DPR as “French Maid” and made off with another $100,000 in bitcoins that DPR paid to learn what name Mt. Gox CEO Mark Karpeles had supposedly given to the cops. That whole scenario is a good read, but regarding Force’s mistakes that potentially blew his anonymity…the complaint references “pieces of circumstantial evidence” which “prove that Force is ‘French Maid’.”

Both “French Maid” and Force (operating as “Nob”) used the exact same brand of PGP software, a free brand called GnuPG. There are different brands of PGP software, so it is noteworthy that both Force (operating as “Nob”) and “French Maid” used the same brand. Not only did Force and “French Maid” both use the same brand of PGP software, they also both used the same outdated version of that software, 1.4.12. Version 1.4.12 was released in January 2012, was replaced with a new version by December 2012, and was one of several versions of GnuPG software. As such, both “French Maid” and Force (as Nob) were using the specific, older version of the GnuPG software, and neither of them replaced it with the other (free) version of GnuPG that came out thereafter.

Citing a conversation with another fed involved in undercover investigations of TOR users, the complaint explains that the PGP version was already outdated by the time “French Maid” used it in August 2013 to communicate with DPR. “This is not akin, for example, to two people using the same model of mobile phone but both having software that is out of date. Rather, the outdated version that both ‘French Maid’ and Force (as Nob) used is more of a ‘signature’ given the greater number of versions available.”

There are also additional similarities between Force’s (Nob’s) and “French Maid’s” PGP patterns. Both “Nob” and “French Maid” left certain default settings on their PGP software. For one thing, both “French Maid” and Force (Nob) left a “tag” that appeared on every message authored from their PGP key revealing the brand and version of PGP software they were using. This is akin to, for example, leaving the phrase “sent from my iPhone” on the bottom of one’s emails but with greater detail: it would be akin to leaving a phrase like “sent from my iPhone 6 iOS 8.0.1.” Leaving this “tag” on typically reveals that one is dealing with a fairly inexperienced user of PGP, because someone that regularly uses PGP to communicate would normally have changed their settings to omit this tag.

After all, the entire point behind PGP software is anonymity, so if a user leaves the brand, version, bit and release data of software on a message this is revealing something about the sender and undermines the goal of remaining 100% anonymous. One of the first things many PGP forums or regular users of PGP software instruct is that a user disable this feature. Moreover, PGP offers choices of 1024, 2048, 3072 or 4096 bit encryption keys, with the higher keys giving greater protection. Many of the regular PGP users that were active on Silk Road chose the 4096 bit keys because of the additional protection the larger key provided. Here both Force (as Nob) and “French Maid” used the 2048 bit default encryption key.
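The two traits the complaint leans on in the paragraphs above, the “Version” tag in the ASCII armor and the 2048-bit default key size, are both visible in the public key block itself. The following Python script is an added example written for this article, not code from the complaint or from GnuPG: it parses the armor headers and the leading OpenPGP public-key packet and reports both traits. The key it audits is a synthetic, non-functional packet it constructs in code (filler modulus), so it runs offline.

```python
import base64
import struct
LEAKY_HEADERS = {"Version", "Comment"}  # armor headers that identify the sending software (RFC 4880 sec. 6.2)

def armor_headers(armored):
    """Return the armor headers (name -> value) of an ASCII-armored PGP block."""
    headers = {}
    for line in armored.strip().splitlines()[1:]:
        if not line.strip():
            break  # the blank line ends the armor header section
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def armor_body(armored):
    """Base64-decode the data lines, skipping the '=CRC24' line and the END line."""
    lines = armored.strip().splitlines()
    data = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in data if not l.startswith(("=", "-----"))))

def first_public_key(data):
    """Return (algorithm id, bit length of first MPI) of a leading v4 public-key packet (tag 6)."""
    ctb = data[0]
    if ctb & 0x40:  # new-format header (partial body lengths not handled)
        tag, first = ctb & 0x3F, data[1]
        pos = 2 if first < 192 else 3 if first < 224 else 6
    else:           # old-format header: low two bits give the length field size
        tag, pos = (ctb >> 2) & 0x0F, 1 + (1, 2, 4, 0)[ctb & 3]
    if tag != 6 or data[pos] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return data[pos + 5], struct.unpack(">H", data[pos + 6:pos + 8])[0]  # for RSA the MPI is the modulus

def audit(armored):
    """List the fingerprintable traits the complaint relied on: armor headers and key size."""
    headers, (algo, bits) = armor_headers(armored), first_public_key(armor_body(armored))
    findings = [f"armor header reveals client: {k}: {v}" for k, v in headers.items() if k in LEAKY_HEADERS]
    if algo == 1 and bits <= 2048:
        findings.append(f"RSA modulus is only {bits} bits (the default size, not the 4096 many users chose)")
    return {"headers": headers, "algorithm": algo, "bits": bits, "findings": findings}

def build_sample_key(bits, version_header=None):
    """Construct a synthetic, non-functional v4 RSA key packet (filler modulus) and armor it."""
    modulus = b"\xc0" + b"\x11" * (bits // 8 - 1)  # top bit set, so exactly `bits` bits
    body = (b"\x04" + struct.pack(">I", 1375574400) + b"\x01" + struct.pack(">H", bits)
            + modulus + struct.pack(">H", 17) + b"\x01\x00\x01")  # v4, time, RSA, n, e=65537
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    header = f"Version: {version_header}\n" if version_header else ""
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + header + "\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Running `audit(build_sample_key(2048, "GnuPG v1.4.12 (GNU/Linux)"))` flags both traits, while a 4096-bit key armored without a header comes back clean; in GnuPG the `no-emit-version` and `no-comments` options in gpg.conf suppress those headers.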

Microsoft served with search warrant for former DEA’s Outlook email account

Since this is the Microsoft Subnet, here’s a reference to the big M in the portion of the complaint dealing with Force. He was listed as a Compliance Officer for CoinMKT, despite the conflict of interest, as he also worked as a DEA agent. In fact, he offered to misuse a government database to run criminal queries for CoinMKT. He was ironically listed as a “compliance extraordinaire” and the “primary anti-money laundering contact;” he thought of himself as a core member of the CoinMKT team. The complaint quotes snippets of communications and lists numerous shady dealings initiated by Force, even though the CoinMKT CEO suggested it might be a conflict of interest.

Yet it serves as a potent reminder that just because you deleted an email that could come back to bite you doesn’t mean the other party did. During the feds’ investigation into Force, Microsoft was served with a search warrant for Force’s personal emails in his Outlook account. Some of the quoted snippets of emailed communications that CoinMKT provided didn’t match up with the emails stored in Force’s Outlook account.

“The FBI has conferred with Microsoft about this issue, and was advised that all emails from Force’s personal email were provided and that any emails that were missing likely meant that the user had deleted those emails.” The complaint added, “In other words, it appears to me that Force may have selectively deleted certain inculpatory emails between himself and CoinMKT.”

Of course, Force used his government email account when he served an administrative subpoena on CoinMKT, but that leads to a whole CC’d (carbon copied) email mess.

Comment about NSA snooping resulted in Bitstamp block

There’s plenty more, and we could turn it into a soap opera episode for technically smart people. At one point in the bitcoin scheming, which triggered a Bitstamp Know Your Customer (KYC) check and then a complete block on Force’s account, Force sent an online support ticket to Bitstamp trying to explain why he used Tor to access his account.

Force wrote, “I utilize TOR for privacy. Don’t particularly want NSA looking over my shoulder 🙂”

The complaint stated, “The following day, a member of Bitstamp’s management learned of Force’s comments and thought it was strange that a government official would make such a statement. Force’s account was blocked again.”

Perhaps we’ll look at more tomorrow as the rest of the world may be filled with April Fool’s tricks.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.