SR2 Buyer Arrested: Affidavit claims FBI collected IP addresses of people accessing SR2 during Jan/14-Jul/14

The FBI gathered information from January to July 2014 that resulted in identifying at least 17 other black markets through the same network, according to an affidavit for search warrant filed in King County Superior Court on Jan. 7.

The IP address for Bellevue resident Brian Farrell was found to have been used to access the vendor portal for SR2, according to the affidavit, prompting Homeland Security to begin surveillance on his home from early August to late December.

http://www.bellevuereporter.com/news/288854101.html


EDIT: During the investigation it was found that Brian Farrell went under the name DoctorClu - one of SR2's site admins. More info and discussion here:

https://www.reddit.com/r/DarkNetMarkets/comments/2t30hs/the_plot_thickens_sr2s_doctorclu_possibly_arrested/


This is not the first time we have heard that LE was able to track down people accessing SR2 during those specific months:

Investigators said they began to suspect the couple after discovering an Internet Protocol address was accessing the Silk Road 2.0 site

http://www.sfgate.com/crime/article/NorCal-couple-ensnared-in-dark-Web-drug-site-5907946.php

recently i was visited by US homeland security, the day before the visit i received a call on my phone from a "special agent" saying that they had a list of questions for me, the agent said i "wasn't in trouble" but they needed to meet with me ASAP. [...] when they came, they told me they had my IP address accessing SR2 in july of 2014... WTF?!

http://i25c62nvu4cgeqyz.onion/viewtopic.php?id=34048

Another user in this same thread joins to say he was also questioned by DHS.


Coincidentally (or not), the Tor project detected a group of relays that were trying to deanonymize users from Jan/14 until they were removed in Jul/14:

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

They speculate that this surveillance could have been based on the same technical flaw(s) that were part of a cancelled Black Hat 2014 talk by CMU researchers, titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget".


Comments


[10 Points] None:

[deleted]


[12 Points] GoAwayThrowaway420:

well damn... glad i'm not still hitting the markets for buying. i don't see buyer arrested though, just a couple were questioned. i'm here for the lolz and to help people learn about btc, tails, and general opsec. my time of fun and running amok has long since passed.


[10 Points] None:

the day before the visit i received a call on my phone from a "special agent" saying that they had a list of questions for me, the agent said i "wasnt in trouble" but they needed to meet with me ASAP.

Kids? What is the correct response? There is only one right answer. Say it with me!

Cop: You're not in trouble, but we have a few questions.

You: Answer questions.

Cop: Okay, now that you've confessed, you're in trouble. *cuffs go on*


[7 Points] RosyPalm:

Ummm... They're all vendors in the articles not buyers as you've described in the headline.


[6 Points] Sostratus:

We know the FBI has previously busted Tor users by exploiting known and patched vulnerabilities against users who did not update. That would seem the most likely explanation to me. Or maybe they turned Flash on.


[4 Points] DankNetMarkets:

Ding Ding Ding

Shortcut: http://i.imgur.com/Di5tmy9.png


From the first article: http://www.bellevuereporter.com/news/288854101.html

The IP address for Bellevue resident Brian Farrell was found to have been used to access the vendor portal for SR2


Second article: http://www.sfgate.com/crime/article/NorCal-couple-ensnared-in-dark-Web-drug-site-5907946.php

Investigators said they began to suspect the couple after discovering an Internet Protocol address was accessing the Silk Road 2.0 site


Evo: http://i25c62nvu4cgeqyz.onion/viewtopic.php?id=34048

they had my IP address accessing SR2 in july of 2014


[4 Points] ciphersexual:

It's official then. SR2 was a honeypot.


[2 Points] II-NataYmleg:

As long as Tor is still compromisable using enough resources thrown at the task, we really need some kind of blackhat squad that keeps LE in check.


[2 Points] thascarecro:

As soon as i saw SR2 go up i instantly thought it was the equivalent of this guy. Just looked like a bad idea.


[2 Points] solid12345:

"Looks like it's back to jail for me." - Tim Allen


[1 Points] alilbithazy:

LoL So they are going to see some random ass VPN IPs. I hope they have some fun with that.


[1 Points] rapey_tree_salesman:

Soooo glad I've never even been on there. Never read anything good.


[1 Points] gwern:

Earlier discussion of the California case: https://www.reddit.com/r/DarkNetMarkets/comments/2myaiu/2_sr2_marijuana_sellers_arrested_in_california/


[1 Points] totes_meta_bot:

This thread has been linked to from elsewhere on reddit.

If you follow any of the above links, respect the rules of reddit and don't vote or comment. Questions? Abuse? Message me here.


[1 Points] 1percentof1:

I can't even remember if I used SR2 now... I don't think so... no wait, all that xanax, fuck..


[1 Points] gwern:

Update: Farrell == DoctorClu https://www.reddit.com/r/DarkNetMarkets/comments/2t30hs/the_plot_thickens_sr2s_doctorclu_possibly_arrested/


[1 Points] arstechy:

It is very likely the FBI used a Firefox exploit, like the javascript attacks used by the FBI to identify pedophiles. It is known that the SR2 servers were compromised long in advance of the takedown, so this kind of attack is trifling. Always use the latest version of Tor, never enable scripting on sites (even if it breaks things, deal with it). Plausible deniability could come through claiming that your router used to be unprotected.


[-12 Points] iiieiieiirierieireir:

This sub sucks and you're all idiots. SR2 was run by feds, the conf attack let them see who accessed what onion but not what they did, unless they ran the onion, which they did, which is why they could deanonymize you. Don't access sketchy onions run by idiots kkk.