More than seven years have passed since Ross Ulbricht was arrested in the science fiction section of a San Francisco library and charged with running the sprawling, dark web drug bazaar known as the Silk Road. But when the Feds laid hands on Ulbricht’s laptop that day, they found keys to unlock only a fraction of the bitcoins that he had amassed over the Silk Road’s years of bustling black market drug trade. Today the Justice Department finally revealed where a billion-dollar tranche of the Silk Road’s treasure ended up: stolen by a mysterious hacker, and now seized by the US Treasury.
The DOJ today filed a civil forfeiture complaint over 69,370 bitcoins—and other variants of the cryptocurrency—seized on November 3 from an unnamed person who court documents refer to only as Individual X. According to the IRS’s criminal investigation unit, Individual X successfully hacked the Silk Road sometime between May of 2012 and April of 2013, stealing that abundance of drug money from the dark web site’s bitcoin addresses before Ulbricht’s downfall in October of 2013. The IRS says it has finally tracked down the hacker who stole the Silk Road’s nearly 70,000 bitcoins—now worth more than $1 billion—and allowed law enforcement to take control of those funds.
“The successful prosecution of Silk Road’s founder in 2015 left open a billion-dollar question. Where did the money go?” wrote US attorney David Anderson in a statement announcing the seizure. “Today’s forfeiture complaint answers this open question at least in part. $1 billion of these criminal proceeds are now in the United States’ possession.”
Cryptocurrency analysts first spotted the movement of the $1 billion collection of coins on the night of November 3. The wallet had long been visible on bitcoin’s blockchain and discussed on hacker forums but had remained unmovable for anyone who didn’t have the secret keys to spend it. Though it was far from clear at the time who the coins belonged to or why they’d been moved on Tuesday, blockchain analysis firm Elliptic connected the wallet to the Silk Road: In May 2012, the 70,000 coins had been moved from the Silk Road addresses to two other addresses.
By April of 2013 those coins had been consolidated at a single address, where they largely sat dormant until this week. Even then, it was unclear whether Ulbricht had simply been moving some cryptocurrency around. Later that year, though, 101 coins moved from the address to the now-defunct bitcoin exchange BTC-e. By then, Ross Ulbricht was in jail. Even if the money was his, he wouldn’t have had access to the keys necessary to move it.
The government’s forfeiture complaint offers an answer to that mystery: The address the coins had been moved to in 2013 belonged not to Ulbricht but to a hacker who had stolen them. With the help of blockchain analysis firm Chainalysis, IRS investigators found 54 transactions moving 70,000-plus bitcoins from Silk Road addresses—transactions that Elliptic says occurred in 2012—to the two other addresses Elliptic had flagged on Tuesday. The transactions were for round amounts of currency, and none appeared in the Silk Road’s own logs as purchases or vendor withdrawals, suggesting that they were likely the work of Individual X transferring stolen loot.
In fact, the forfeiture complaint states that it found evidence that Ulbricht managed to identify the online persona of the person who had somehow hacked the Silk Road and taken the funds—worth $354,000 at the time—and threatened Individual X to try to coerce them to return the money. (The complaint doesn’t explain how the Silk Road breach occurred or where investigators learned of those threats, but both may have been documented on Ulbricht’s seized laptop or on the Silk Road’s seized server.) Individual X seems to have ignored Ulbricht’s threats and held onto the coins long after Ulbricht was arrested, tried, and convicted, quietly watching them explode in value in the years since.