The Silk Road 2 trial was made possible by a six-month long attack on Tor, according to recently pubished court documents. Prosecutors are still making their case against the alleged Silk Road 2 kingpin, Blake Benthall (not to be confused with the Silk Road's Ross Ulbricht, who is also currently on trial), but Benthall's trial is already shedding new light on how law enforcement circumvented Benthall's anonymity tools. A search warrant made out for the arrest of one of the Silk Road 2's vendors describes a six-month long infiltration campaign aimed at Tor's hidden services, the same system that kept Silk Road 2 users anonymous. Eventually, that trail led investigators back to the Silk Road 2's servers, resulting in the raid that took down the site in November.

Law enforcement needed more sophisticated tools to take down the Silk Road 2

Established after the first Silk Road was taken down, the Silk Road 2 relied on the same basic technology as the first site and attracted many of the same users. But Silk Road 2 wasn't vulnerable to the same CAPTCHA attack that gave away location of the first Silk Road's servers, so law enforcement needed more sophisticated tools to take it down. The Silk Road 2 was set up as a hidden service on Tor, so it was only accessible by routing through a network of complex and shifting relays. The court documents refer to a source that provided "reliable IP addresses" for Tor hidden services between January and July of 2014, leading them back to both the servers and 78 different people doing business on the site.

According to a Tor blog post, someone during that period was infiltrating the network by offering new relays, then altering the traffic subtly so as to weaken Tor's anonymity protections. By attacking the system from within, they were able to trace traffic across the network, effectively following the server traffic back to their home IP. In July, Tor noticed the bug and published an update to fix it — but for six months, certain hidden services were badly exposed, and the Silk Road 2 appears to have been one of them.

OK, almost certain: CERT Tor deanon attack was FBI source: https://t.co/JKwWD2E3VK SR2 server, 78 vendor IPs, Jan-July 2014 — Nicholas Weaver (@ncweaver) January 21, 2015

So who carried out the attack? Already, researchers are pointing to a Black Hat presentation this summer that promised to outline a similar attack, but was controversially cancelled at the last minute. The researchers, working for CMU's CERT Center described similar capabilities and performed their research over a nearly identical span of time: January to July of 2014. If the researchers were also helping the FBI investigate criminal activity on Tor, it would explain why law enforcement might not want their methods getting out to the community at large.