What We’ve Learnt From the Benthall Criminal Complaint?

Posted by: Allen Hoffmann, JD

January 2, 2015

New York is still leading the charge on dark markets, and it’s a joint effort of the Federal Bureau of Investigations, Homeland Security Investigations, and the Drug Enforcement Administration – Benthall criminal complaint, page 6 and elsewhere.

The special agent who is making the criminal complaint is attached to a cybercrime squad working out of the FBI’s New York field office, and states that they are working a joint investigation with HSI. During September and October of 2014, as a component of the investigation, the DEA used a Manhattan address to order heroin, cocaine, LSD and oxy to help build the case.

HSI had an undercover operative in SR2 since day one, and they were a mod or admin, trusted by defcon, and on the payroll, who could see the user support interface – Benthall criminal complaint, page 6 onwards.

The complaint emphatically indicates that Homeland Security Investigations had an undercover operative, not an informant, but rather, an actual undercover HIS officer working in the administration team of SR2; in fact, s/he was INVITED to become a mod on October 7, 2013, in the wake of the SR 1 takedown [sidebar: as soon as one investigation winds down, major agencies engaged in task forces such as those assembled for SR 1 have two options; go back to their normal duties or find a new target before momentum is lost. Guess which way this went?] during recruitment of vendors from SR 1. It is not unreasonable to assume, considering the trust being placed in the HSI’s UC, that s/he was, potentially, a known and trusted vendor at SR1. At page 15, discussions visible only to mods and admins (a group which the HSI belonged to) occurring on July 15, 2014 are reproduced. At page 18, excerpts of a conversation between defcon and the HSI UC about reestablishing SR2 in the wake of the BTC thefts is reproduced. It is not unreasonable to assume that defcon must have regarded the HIS UC rather highly to have such discussions- and its no wonder, considering that at page 18, we hear that the UC has been paid the equivalent of 32k since January 2014 for admin duties. Finally, at page 27, we learn the UC was able to gather information about OS and browser information used to access the site (more on this later in the article)

Author’s observation:

Defcon didn’t recruit the HSI UC; that falls on DPR2, who was running SR2 for a couple of months. You’re only as good as the weakest link, and this is the absolute worst case scenario. DPR2, before he departed the scene, managed to invite a fox into the henhouse from day one of their operation’s establishment.

Defcon was receiving potentially spurious counter-intelligence information – Benthall criminal complaint page 19-20,

On January 2, 2014, Defcon claims to have acquired intelligence about a ‘darknet’ related operational deployment of FBI SAs to MN, and that vendors in that region need to enhance their security. Defcon specifically notes that the source of this information had been correct before, but had been late to the party.

Author’s observation:

Intel information which you get after the fact is not much good to prove that you’re either connected enough to know what’s going on, or that the provider wanted you to act on it. Police maintain intelligence units, and accordingly, also maintain counter intelligence units. Its not at all unlikely that this information which, whilst correct, arrived late, was part of the effort to help bolster the criminal complaint against defcon – sacrificing outdated information is not sacrificing anything at all. LE is notorious for covering up intelligence leaks (if they don’t report themselves, no one will ever detect their screw up, so its not in their interest to highlight this sort of thing); if this were not a set up or fabrication, the details would NEVER make it into an indictment, much less a criminal complaint such as this.

The server SR2 was on was held on the email address

Yahuh. Apparently, links to SR 2 PMs were emailed from the email account holder to himself. Not much else to say on this, but the FBI did go about seeing what sorts of accounts this email address tied to, and they included a GitHub account in his name, and a twitter account (also in his name) which had a mention of the return of SR on November 6, 2013. He also sold about 25k worth of BTC using this account on a person to person trading site, and had attempted to negotiate the sale of a further 20k worth.

… and was used to email the server provider’s support from two different hotels, both of which Benthall had been a guest at. – Benthall criminal complaint, 24

Once again, not a whole lot to say here. The evidential trail on this email address and its use in attempting to control the server, from places where its quite likely Benthall can be confirmed independently (CCTV, credit cards, etc) to have been present seems likely to be robust.

Benthall ain’t shy about using BTC – Benthall criminal complaint, page 26 – 27

Circumstantial evidence or otherwise, its not a crime to receive BTC and spend it. But Benthall did, according to the complaint, put the equivalent of 273k through one exchanger, did a not insubstantial volume of private sales (mentioned above), and even put down a 70k down payment on a Tesla.

Computer OS and browser data correlation at SR2 and a BTC exchanger – Benthall criminal complaint, page 27

As we already know, the HSI UC had access to information including OS and browser used to access the site. The UC gathered information about the specific versions of both the OS and Browser defcon was using on April 6, 2014; it was an unusual combination, and it was the one and only time anyone logged in using this combination. By amazing coincidence, on the very same date, using the email address from earlier, this same browser and OS combo was also used to access the BTC exchange through whom 273k of BTC got slammed.

Author’s observation:

This is probably the most compelling piece of evidence disclosed, when you factor in the ownership pathway on the email address and its purported links to the SR2 server. One failure in opsec, most likely. Why someone running a darkmarket cannot just have a distinct ‘work’ computer and stick to using that and that alone, forever, I will never understand.

Coordination and correlation of physical and digital surveillance – Benthall criminal complaint, Page 28 to 29

Physical surveillance run by the FBI on Benthall was run on September 10, 2014 – that’s not necessarily the first time they ran it, but this particular instance forms a key component of their establishment of probable cause. Its clear that the FBI and HIS have learned a thing or two about developing the ‘overt act’ aspects of their complaint since Silk Road 1.0. Hard work has been done by HSI and the FBI, with them teaming up on their digital monitoring of ‘defcon’ and posting on SR2, and physical surveillance of Benthall to match times when he was in and out of residential addresses on the evening of September 10 and the early hours of September 11, 2014. Same deal the following day.

Author’s observation:

This temporal correlation stuff is the very essence of circumstantial evidence – its not compelling evidence if you run it on its own, but it will become absolutely DAMNING when looked at in conjunction with other material. This is another circumstantial piece which doesn’t prove Benthall is defcon, but makes proving that he’s not a couple of steps harder. Now if, and that’s a big IF, Benthall actually IS defcon, I will grant federal LE this – their physical surveillance is (usually) very professional. For the most part, the movie clichés of a pizza van, sagging on the standard shocks from two dudes in the back chainsmoking and wearing huge headphones, are not true. That said, physical surveillance countermeasures are a topic for another day. Had he made a steak dinner after logging off as defcon (again, IF he was defcon) and done likewise before logging back on, this would be a much less compelling piece of evidence.

TOR traffic monitored by pen register – Benthall criminal complaint, Page 30

Presumably based on the temporal proximity issues observed the day before as re Benthall being in and out of a house, and the fact that ‘defcon’ was active at that time, the FBI managed to get a pen register under court order on September 11, 2014. Lots of TOR traffic is detected while Benthall’s there, none while he isn’t.

Author’s observation:

Circumstantial evidence once again rears its unpleasant head. So what, TOR’s not illegal? Using TOR from home, whilst convenient, is something which can end up as a circumstantial component of a criminal complaint; and here, ladies and gentlemen, it most certainly is.

Final thoughts: Guilty or not is not for me to say or speculate upon, but its very clear that the FBI learned a lot from their investigation into the original Silk Road, and they are progressively upping their investigative game and cooperation with other agencies. On initial review, however, it seems that if, and that’s if, Benthall is defcon, he was not as severe and adversary as the original SR1 DPR – there are some seriously rookie mistakes here.

If I were in the dark market business, the fact an HSI UC embedded at such a high level from the outset of operation of the marketplace, including access to administrative functions which allowed highly effective intelligence and evidence gathering, would be something which would cause me to immediately consider compartmentalizing certain aspects of my back end.

The criminal complaint for Blake Benthall:

Updated: 2015-01-02