By now you’ve probably heard of Ross Ulbricht and Silk Road. When he was apprehended last year in San Francisco and charged with running the world’s largest online drug and illegal goods marketplace, he was at a local library using the wireless network to log in to his black market business.
Ulbricht is still claiming he wasn’t the one running Silk Road, but as someone who personally knows that the FBI was poking at Noisebridge (the hackerspace near Ulbricht’s library) for at least a year before he was apprehended, it’s clear that these darknet markets are a major target for law enforcement.
Still, Ulbricht supposedly left behind a large sum of bitcoins in a wallet somewhere, ostensibly as a way for him to support himself if he ever gets out of jail. These darknet markets take a commission on sales, and I have long said that the worldwide value of all bitcoins will eventually level off at about the same amount as the value of the world’s heroin supply. Bitcoins are, literally, a currency backed by drugs instead of gold.
Ulbricht’s story, however, is just a drop in the bucket today. It’s another tale of someone getting arrested after not being careful enough. He’ll fall by the wayside of history as little more than the first person to fall because of darknet markets.
The people they’ll be talking about for years, instead of Ulbricht, are Kimble and Verto. These two folks just cashed out a $34 million bitcoin heist, and they did it by being, basically, typical e-commerce software developers.
Let’s first explain how Evolution Marketplace worked. Generally, drug dealers are not trustworthy people, so software had to solve this problem somehow. Sites like Silk Road just served as a place for dealers to meet customers. A small fee was paid to Silk Road, but generally, the dealers and their clients traded bitcoins on their own. Evolution, however, included an escrow service.
As a journalist, I’ve long read the forums on the darknet sites because they are absolutely riveting. They contain drama, intrigue, mystery, bravado, stupidity, and the entire gamut of human emotions. It’s like “Scarface,” the soap opera.
While reading forums back on the Silk Road, I noticed a fairly common pattern with buyers on the site. Often, they would post four or five reviews of the same dealer, and the reviews would read as follows:
1: Bought $100 of coke from this guy, it was great!
2: Bought $1,000 of coke from this guy, it was great!
3: Bought $10,000 of coke from this guy, it was great!
4: Bought $100,000 of coke from this guy. Never heard from him again, never got the coke.
I say this to hammer home the fact that these darknet drug sites were not just for Colorado kids selling dimebags to teenagers in Atlanta. These sites were making major international cartel connections for people, and while most of the high-number deals I can find evidence of ended in someone being ripped off, this, I believe, indicates that at least some of these six-figure and higher deals were going through and succeeding.
That should lay out the stakes here. Two guys, Verto and Kimble, members of the Silk Road, decided that they would start their own darknet market to replace Silk Road shortly after the FBI took hold of Ulbricht. These two fellows were also skilled credit card fraudsters, so they weren’t exactly trustworthy pioneers.
But it would seem that they were pretty good software developers. They managed to run the world’s largest darknet drug site for almost two years. This is a site that was transacting hundreds of thousands of dollars a day, if not more, and it was doing so with users that aren’t technical (and are definitely a bit punchy).
Compare this to the days of yore, when computer crime immediately meant hacking into a system and taking something out. No, these guys literally built an online marketplace, an escrow service, a forum, and a masquerading server host setup, all in the pursuit of becoming rich. Boy, that sounds just like a software startup, doesn’t it?
A typical hack can net a small amount of money, or information that can be sold. Five figures is a damn good sum to make off a hack, especially considering most major software packages have bug bounties in the four-figure range. If you’re a god of hacking and credit card fraud, you could probably crack the six-figure mark if you work hard, and spread the fraud over thousands of cards at $5 or $10 each.
Verto and Kimble, however, made off with BTC130,000. That’s more than US$34 million. That’s bigger than any bank heist. That’s larger than any hack. That’s more than you’d make starting a software security firm and selling it in two years.
That’s the power of evil software developers. They didn’t code in a backdoor. They didn’t hack people’s machines. They didn’t write a virus or DDoS anyone. They simply built a working software product, and then took complete advantage of their users.
And they didn’t even have to break a sweat doing it. The pair simply shut off the auto-withdrawal options for users of the site, forcing them to pull their funds out of escrow manually. Slowly, over a few months, this meant the actual amount in the escrow wallet began to inflate, as dealers and users took more and more time to pull out their funds.
Finally, the pair just closed down the site and vanished, taking 130,000 in bitcoins. That was, basically, the amount of escrow money on the Evolution site when it went down. That was not just bank money; it was, basically, active transaction money.
Imagine 130,000 users, each with one bitcoin on Evolution. That’s not exactly a massive website. That sort of user count is something a major site like Amazon, Google or Facebook wouldn’t even flinch at. It’s also likely a wildly too-low and inaccurate estimate. Frankly, that 130,000-bitcoin number smells like the amount of money used on the site for a single week or month’s worth of transactions.
We have entered an era where scalable Web applications are the most lucrative way to scam and make illegitimate money. Even the Russian mob or the Mexican drug cartels aren’t pulling $34 million out of a single scheme. These guys are now world-class criminals, right up there with D.B. Cooper and Al Capone. And they’re software developers.
They’re definitely going to have to use all of their powers of anonymity and obfuscation, however. Verto and Kimble are no longer the most wanted men on the planet for law enforcement, but they are certainly the most wanted men on the planet for the murderous drug dealers whose money they took. And while this all is basically criminals robbing criminals, you can bet there will be lives lost over this heist: Imagine having to explain to your cartel bosses that you just lost $100,000 in bitcoins and cannot pay them for those drugs they just shipped for you.
When did software development become so dangerous?