Department of Justice releases redacted affidavits from the FBI’s hack on Freedom Hosting
Affidavit’s show the FBI hosted 23 child pornography sites while they ran malware through the servers after taking control of Freedom Hosting’s servers
Freedom Hosting was the preferred hosting service on The Tor Project
The malware used by the FBI was able to find the identities of users of the Tor Browser
The FBI used the same malware against users of TorMail
Eric Eoin Marques is accused of being the person behind Freedom Hosting
WARNING: The following article contains graphic content that may not be appropriate for all audiences.
In 2013, the FBI targeted Freedom Hosting, a Tor-based host that was believed to be responsible for hosting the largest child pornography sites on the “Dark Web.” Freedom Hosting was not dedicated to only hosting child pornography sites. Ever since its creation in 2008, Freedom Hosting was the favored host for the Tor network.
The Onion Router
Many have yet to understand what Tor is. Tor stands for “The Onion Router.” In the mid-1990s, United States Naval Research Laboratory employees, mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, developed Tor with the intent of protecting US intelligence conversations online.
The alpha version of The Onion Router Project, also known as The Tor Project, was developed by Syverson and computer scientists Roger Dingledine and Nick Mathewson. The Tor Project was initially launched on September 20, 2002.
On August 13, 2004, Syverson, Dingledine and Mathewson first showed “Tor: The Second-Generation Onion Router” at the USENIX Security Symposium. Also in 2004, the Naval Research Laboratory released the code for Tor, and the Electronic Frontier Foundation funded Dingledine and Mathewson in the further development of the service.
The Tor Project
In December 2006, The Tor Project was officially founded. The Tor Project was based out of Massachusetts and officially became a 501(c)(3) research-education nonprofit organization. With the help of financial sponsors, the team was able to ensure Tor was available for the general public.
The Tor Project gave users of the Internet the ability to browse online almost entirely anonymously. Some used the service because they just wanted to ensure their privacy, while others used the service for more illicit purposes. The ability to purchase drugs quickly became a huge incentive to use Tor.
Contrary to popular belief, the Tor Project was never meant to make somebody completely untraceable. Instead, Tor makes it more complicated to follow your digital footprints back to their source.
How Tor works
Tor encrypts your data, including your destination IP address, and puts it through a virtual circuit which runs through randomly selected Tor relays. Each relay that the data goes through decrypts a layer of the full encryption before sending it on to the next relay. Each relay is only told the next random relay to send the remaining encrypted data to. Meaning, none of these relays are told the destination, or source, IP address.
The last relay decrypts the deepest core of the encrypted data and sends it off to the destination without ever knowing the source of the data. Keeping these Tor relays from knowing what the relay before or after is doing is how your digital footprint becomes more difficult to trace.
Eric Eoin Marques
Freedom Hosting maintained servers for some of Tor’s most well-known websites, including TorMail, once believed to be the most trusted and secure anonymous email provider online. It would not be until 2013 that the world would learn the name of the man behind Freedom Hosting.
Eric Eoin Marques was dubbed “the largest facilitator of child porn in the world” by the FBI. Marques rented the servers used for Freedom Hosting from an unnamed commercial hosting provider in France, paid for the servers from a bank account in Las Vegas, and lived in Ireland.
He was given the title of the largest facilitator of child porn in the world due to hosting some of the largest child porn sites in the world. Some of Freedom Hosting’s infamous child porn customers included Lolita City, the Love Zone, and PedoEmpire.
August 3, 2013
Despite his attempts to remain anonymous, everything fell apart in 2013 when the FBI was able to seize control of Freedom Hosting’s servers. It is still unclear how exactly the FBI was able to manage the task, but recently unsealed court documents were able to confirm what many already knew.
In September, the American Civil Liberties Union pushed for court documents to be released in regards to the FBI tactics after taking control of Freedom Hosting’s servers. The Department of Justice recently decided to release redacted versions of the documents that had been sealed up to this point.
An affidavit shows that between August 3 and August 5, 2013, the FBI used a Network Investigating Technique, NIT, to collect data on users and creators of child pornography sites. The FBI requested permission for this attack, but it appears the FBI may have gone above and beyond their request.
There was a total of 23 websites that were child pornography sites on Freedom Hosting’s sites. These sites are listed as “Websites 1-23” in the affidavit. Any names of the actual sites or people related to them were redacted from the affidavit.
After gaining control of Freedom Hosting’s servers, the affidavit shows that Websites 1-23 were operated “at a government facility.” This was so that “request data associated with a user’s actions on Websites 1-23 will be collected.”
The affidavit goes into detail on each of the 23 websites, including the requirements for the sites to become a member or a producer of content.
To become a producer of content for Website 1, there were requirements in the application process. You had to send in at least five high-quality pictures and 15 seconds of high-quality video as “Proof Material.”
A large sign was required to be in all photos and videos. The sign needed to have your “Nick,” nickname, for Website 1, and it had to be visible at all times, the affidavit reads.
By for the most disturbing requirement involved a candle. In all the pictures or video, a candle must be either held by the child or inserted into “his/her mouth, ass, or pussy.”
The Proof Material also demanded different “positions/poses of the child,” with both the candle and the sign visible in every image. Both of the last two requirements show that producers for Website 1 were performing sexual acts in real time to provide the site with content. Website 1 is by far the worst description in the affidavit which can be read below.
August 4, 2013
Many got confused and thought the FBI ran, and or operated, 23 child pornography sites, which was not the case. Instead, after taking control of Freedom Hosting’s servers, the FBI entered their malware on August 3, which did not start making its presence known until August 4.
On August 4, every single site that was on Freedom Hosting, including legitimate sites that had nothing to do with child pornography, were displaying an error page. Users of The Tor Project pride themselves on being the best the Internet has to offer, so naturally, it did not take long for a code to be noticed in the error page.
The code was embedded in the error page. After security researchers had dissected the code, it was discovered that the code was created to strip away the anonymity that Tor provided. They found that the code was able to take advantage of a security hole found in Firefox that allowed the creator of the code to identify users of the Tor Browser Bundle.
Once the user was identified, the code reported back to a mysterious server that was located in West Virginia. For obvious reasons, Tor users immediately pinned the FBI as the main suspect, but the FBI refused to comment on the incident.
The error page that held the code remained up until August 5, at which point the servers reportedly went offline. For the known time that the FBI had control of Freedom Hosting’s servers they did not operate the 23 child pornography sites as many media outlets reported. Users were actually not allowed to access the sites and instead were greeted with the FBI’s infected error page.
One reason that many believed the FBI were operating the 23 child pornography websites is their questionable actions in the past. In 2015, the FBI operated Playpen, one of the largest Tor-hidden child pornography sites for 13 days.
For nearly two weeks, the FBI allowed Playpen to operate as usual. Users were able to view, upload, and use the site as they would any other day. In another affidavit related to the malware used with the child pornography site Playpen, referred to as Website A, it goes into further detail on how the NIT worked.
Pursuant to that authorization, on or about and between February 20, 2015, and March 4, 2015, each time any user or administrator logged into Website A by entering a username and password, the FBI was authorized to deploy the NIT which would send one or more communications to the user’s computer. Those communications were designed to cause the receiving computer to deliver to a computer known to or controlled by the government data that would help identify the computer, its location, other information about the computer, and the user of the computer accessing Website A. That data included: the computer’s actual IP address, and the date and time that the NIT determined what that IP address was; a unique identifier generated by the NIT a series of numbers, letters, and/or special characters) to distinguish the data from that of other computers; the type of operating system running on the computer, including type (eg, Windows), version (eg, Windows 7), and architecture (eg, x86); information about whether the NIT had already been delivered to the computer; the computer’s Host Name; the computer’s active operating system username; and the computer’s MAC address.
It was later discovered that the attack on Playpen was deemed, “Operation Pacifier” and once again, the FBI may have had overstepped their boundaries. Instead of allowing the child pornography site to run while they corrupted user’s computers in America, the FBI took on the task of using the malware on user’s around the world.
The results of Operation Pacifier
It is customary international law to consider when a country carries out law enforcement activities in another country without that country’s permission as being an invasion of sovereignty. This kind of action could have led to retaliation against the American people, despite the fact of having no clue what was going on.
Around 100 arrests were made during Operation Pacifier, but some of those arrests are not being prosecuted due to the clear violations of federal law the FBI conducted over those 13 days. The recent release of the affidavits from the operation against Freedom Hosting shows it was not their first time violating federal laws during one of these operations.
The FBI installed their malware on every site that was on Freedom Hosting’s servers, include sites that had nothing to do with child pornography. Which means that the FBI was also collecting data on American citizens that had nothing to do with what they were investigating. While Freedom Hosting’s servers were under the FBI’s control, there was a simultaneous attack on TorMail.
Another affidavit that was released shows the FBI requested permission to hack the TorMail accounts of over 300 specific users. The FBI did the hack and then some, by hacking legitimate users of the privacy based email provider.
The original claim for the TorMail NIT was the malware would only be used against the specific accounts, and it was not to be used until the users logged into one of the targeted accounts.
However, users of TorMail claim that was not the case at all. The malware did not wait until a user logged in, and instead came up before the log in screen when any user went to TorMail. The security community quickly tore through the same error page that was coming up on every site hosted by Freedom Hosting.
The FBI has said little about the incident, including that the operation had to be ended early after being caught red-handed by Tor’s security community. There is also no talk of how the FBI used their malware on innocent Tor and TorMail users. Two facts the courts were most likely not informed of by the FBI.
America orders the extradition of Marques
Marques remains in custody in Ireland. He recently put in an appeal against an extradition order from America for him to stand trial for his role in running Freedom Hosting. A High Court ordered his surrender in December, but he has stayed due to his appeal.
Marques’ legal counsel Micheál P O’Higgins stated that his client has already offered to plead guilty to the charges against him in Ireland. The appeal claims that Marques’ fair trial rights and due process would be violated should he surrender.