You may have heard that the infamous Dread Pirate Robets AKA Ross Ulbricht’s Silk Road was taken down thanks to a problem in his anonymous Tor server. Now, however, Brian Krebs has shown us just how the Feds found Ulbricht’s server and, additionally, the pirate himself.

A hole in the Silk Road’s anonymity appeared because of a leaky CAPTCHA prompt. CAPTCHA, as we all well know, is the little box that some sites use to prevent robots from filling out forms. If misconfigured, it will point to the server to which it is connected. On a non-anonymous server this would be a non-issue. However, Ulbricht’s anonymous server was misconfigured and sent out the actual IP address of the Silk Road machines with every hit to the login page.

The government described their process in a US District Court filing:

￼“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.” “The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”

Is this real? As many have noted, there is some possibility that Tor itself is compromised and that this admission is a cover but, if Occam is to be believed, parsimony will out.

In short, Ulbricht mixed anonymized and non-anonymous resources and misconfigured things to release his IP. One would presume this won’t happen again as thousands of CAPTCHA prompts wink out of existence, but it shows just how hard it is to be completely invisible online.