FBI admits to exploiting Tor to take down child porn behemoth


The Federal Bureau of Investigation has acknowledged it was behind the malware that infiltrated the servers for Freedom Hosting, one of the largest providers of anonymity online, and identified the service’s users.

Internet security experts have long suspected the FBI was behind the cyber-attack, which appeared to target and monitor internet users on Freedom Hosting, which provided hosting for even more anonymous, so-called “hidden services” on the Tor anonymity network. While some users signed up with Freedom Hosting to encrypt their email and everyday Internet use, the FBI alleges that the service became “the largest facilitator of child porn on the planet.”

Eric Eoin Marques, a US-born 28-year-old living in Dublin, Ireland, is accused of being the chief architect behind Freedom Hosting, responsible for hosting child porn on 550 servers throughout Europe. Freedom Hosting is also accused of providing services for money-laundering operations, fraud fronts, and child abuse discussion boards with names like Lolita City and PedoEmpire, according to The Independent.

Marques is wanted in the US for four charges in connection with images on the websites, described as brutal depictions of the rape and torture of underage children.

The FBI’s involvement was acknowledged for the first time Thursday during a bail hearing in Dublin, where Marques is fighting extradition to the United States. He was denied bail for the second time since his arrest in July.

Investigators have not commented on the case but local press accounts reported that FBI Supervisory Special Agent Brooke Donahue testified in court that Marques dove for his laptop when agents raided his home this summer. A forged passport was found in Marques’ possession and his interest in Russia was piqued when NSA whistleblower Edward Snowden first entered the headlines.

“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” Donahue said, as quoted by the Irish Independent. “He was looking the engage in financial transactions with another hosting company in Russia.”

Marques’ lawyer refused comment to reporters but Wired reported he is facing federal charges in Maryland, where his indictment is under seal. Donahue said that gravity of the charges could mean Marques will “spend the rest of his life in prison.”

Hackers from the Anonymous collective levied a distributed-denial-of-service attack against Freedom Hosting in 2011. Normally advocates of privacy and freedom online, Anonymous asserted that it determined Freedom Hosting hosted 95 per cent of the child porn web pages on the Tor network. Donahue said Thursday that Freedom Hosting facilitated at least 100 sites, each with thousands of users, and Marques himself was a frequent visitor.

Marques has not admitted to being the leader of Freedom Hosting and his father told The Sunday Times that any reports indicating the contrary were only “speculation.” He did admit in court Thursday that he had earned “substantial” sums of money from his involvement with the network.

It is not known when the FBI initially gained access to Freedom Hosting but the network went down on August 4. The key piece of malware used in the hack is known as the Magneto code variable, which does not download anything but accesses the “victim’s MAC address – a unique hardware identifier for the computer’s network or WiFi card – and the victim’s Windows hostname,” according to Wired.

That information then bypassed Tor and was sent back to servers housed in Northern Virginia, fueling speculation that the FBI or National Security Agency were the culprits. The software is also consistent with the FBI’s computer and internet protocol address verifier (CIPAV), which law enforcement has used to subvert anonymity software belonging to hackers, extortionists, sexual predators, and others since 2002.