Connect with us

Hi, what are you looking for?



FBI Says Leaky CAPTCHA Was Used to Locate Silk Road Server, Experts Doubtful

U.S. law enforcement authorities claim to have leveraged a leaky CAPTCHA on the login page of Silk Road to identify the real IP address of the server hosting the website, according to court documents filed on Friday by the prosecution.

U.S. law enforcement authorities claim to have leveraged a leaky CAPTCHA on the login page of Silk Road to identify the real IP address of the server hosting the website, according to court documents filed on Friday by the prosecution.

Silk Road was a notorious online criminal marketplace that leveraged the Tor anonymity network to protect itself and its customers. The website was taken down in October 2013, when 30-year-old Ross W. Ulbricht, believed to be “Dread Pirate Roberts,” the mastermind behind Silk Road, was arrested.

Ulbricht’s lawyers have questioned the methods used by the FBI to track down the Silk Road servers and their client so a former agent who was actively involved in the investigation provided a fairly detailed description of the agency’s actions.

The defense and many others believe that the NSA might have been somehow involved in the law enforcement operation against Silk Road. However, former FBI agent Christopher Tarbell, who currently conducts cybersecurity investigations at New York-based FTI Consulting, claims that a leaky CAPTCHA helped them track down the Silk Road server’s real IP address.

In the court document, Tarbell pointed out that for Tor to provide complete anonymity, the applications running on the computer must be properly configured. In Silk Road’s case, the former agent says the problem was a CAPTCHA placed on the login page with the purpose of ensuring that those who logged in to the website were human.

The FBI allegedly entered valid and invalid usernames, passwords and CAPTCHAs, and analyzed the individual packets of data being sent back from the website. That’s when they noticed that one of the IP addresses wasn’t associated with any Tor nodes like it should have been if it had been configured properly.

“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal,” Tarbell explained. “When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”

Tarbell emphasized that Silk Road often had IP leakage issues, an aspect also described in the log files found on Ulbricht’s computer after his arrest.

Advertisement. Scroll to continue reading.

While the explanation provided by the former agent might sounds valid, some experts say its not completely accurate. Security researcher Nik Cubrilovic, who often analyzed Silk Road while it was online, is confident that the method described by the FBI would not have worked.

“The idea that the CAPTCHA was being served from a live IP is unreasonable. Were this the case, it would have been noticed not only by me – but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many bitcoin,” Cubrilovic explained in a blog post on Sunday. “The second theory, that the agents ‘discovered’ the real IP address by just looking at packet captures produced by a sniffer is similarly impossible. This also would have been discovered much sooner and noticed by most of the internet very quickly.”

A more plausible explanation, according to the researcher, is that the FBI discovered a security exploit or information leak in the login page. This wouldn’t be surprising since numerous vulnerabilities were discovered in Silk Road throughout its existence, and the FBI’s investigation took place at exactly the same time as various individuals reported finding exploits and information leaks on the website.

“In this scenario, the description of packet sniffers and ‘inspecting each packet’ is all a distraction from what the FBI really did. Technically, saying that a packet sniffer revealed the true IP address of the server is true – what isn’t mentioned is the packet sniffer was picking up responses from a request to the login page that was forcing it to spit out the IP address as part of a bug,” Cubrilovic said. “The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.