FBI operated 23 Tor-hidden child porn sites, deployed malware from them

Share this…

Researcher: FBI was likely enabled to run half of all child porn sites on the servers. As Ars has reported, federal investigators temporarily seized a Tor-hidden site known as Playpen in 2015 and operated it for 13 days before shutting it down. The agency then used a “network investigative technique” (NIT) as a way to ensnare site users.

However, according to newly unsealed documents recently obtained by the American Civil Liberties Union, the FBI not only temporarily took over one Tor-hidden child pornography website in order to investigate it, the organization was in fact authorized to run a total of 23 other such websites.

According to an FBI affidavit among the unsealed documents:

In the normal course of the operation of a web site, a user sends “request data” to the web site in order to access that site. While Websites 1-23 operate at a government facility, such request data associated with a user’s actions on Websites 1-23 will be collected. That data collection is not a function of the NIT. Such request data can be paired with data collected by the NIT, however, in order to attempt to identify a particular user and to determine that particular user’s actions on Websites 1-23.

“That paragraph alone doesn’t quite say the FBI is operating them,” Fred Jennings, a cybercrime lawyer, told Ars. “But definitely no other way to read that than websites 1-23 were hosted at a government facility, with the FBI’s knowledge and to the FBI’s informational benefit. It’s clever phrasing on their part.”

Security researcher Sarah Jamie Lewis told Ars that “it’s a pretty reasonable assumption” that at one point the FBI was running roughly half of the known child porn sites hosted on Tor-hidden servers. Lewis runs OnionScan, an ongoing bot-driven analysis of the Tor-hidden darknet. Her research began in April 2016, and it shows that as of August 2016, there were 29 unique child porn related sites on Tor-hidden servers.

“Doing the math, it’s not zero sites, it’s probably not all the sites, but we know that they’re getting authorization for some of them,” she said. “I think it’s a reasonable assumption—I don’t think the FBI would be doing their job if they weren’t.”

That NIT, which many security experts have dubbed as malware, used a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data. As part of the operation that took down Playpen, the FBI was then able to identify and arrest the nearly 200 child porn suspects. (However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which could suggest that even more charges may be filed.)

BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)

Rule 41’s arrival