FBI seized Tormail database, it has the access to all users emails

Pierluigi Paganini January 28, 2014

The Federal Bureau of Investigation (FBI) seized the database of Tormail service for its investigation on cybercrime and illegal online hacking.

Do you have used the Tormail Email service to protect your privacy? Are you searching for anonymity online? Well, the revelation regarding Tor Stinks project and many recent news on the spying activity discovered on Tor Traffic made by an unknown Russian entity suggest us that nothing is completely secure and that anonymity is hard to preserve in these days. Last disturbing news is related the Tormail Email service, the Federal Bureau of Investigation (FBI) seized its database for its investigation on cybercrime, the operation is linked to seizure of Freedom Hostingthe most popular Tor hidden service operator company. The news was disclosed by Wired that reported that the database is used in completely unrelated investigations, the FBI is collecting information to catch cyber criminals and hackers that used the Tor network to protect their anonymity, the problem is that Tor was also used by normal people that desire to be anonymous online for legitimate purposes.



The attack against Freedom Hosting took advantage of a Firefox Zero-day to identify some users of the Tor anonymity network. The FBI had control of the Freedom Hosting company to investigate on child pornography activities, Freedom Hosting was considered by US law enforcement the largest child porn facilitator on the planet.

“FBI for its analysis exploited a Firefox Zero-day for Firefox 17 version that allowed it to track Tor users, it exploited a flaw in the Tor browser to implant a tracking cookie which fingerprinted suspects through a specific external server. 

Mozilla confirmed the presence of the security vulnerability in Firefox 17 (MFSA 2013-53), which is currently the extended support release (ESR) version of Firefox.”

“The exploit is based on a Javascript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server exposing the victims’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network.” I wrote in a previous post on the event.

TorMail was one of the web services hosted by Freedom Hosting, so it was subject to investigation by FBI too.

The tactic suggests the FBI is adapting to the age of big-data with an NSA-style collect-everything approach, gathering information into a virtual lock box, and leaving it there until it can obtain specific authority to tap it later. There’s no indication that the FBI searched the trove for incriminating evidence before getting a warrant. But now that it has a copy of TorMail’s servers, the bureau can execute endless search warrants on a mail service that once boasted of being immune to spying.”“We have no information to give you or to respond to any subpoenas or court orders,” read TorMail’s homepage. “Do not bother contacting us for information on, or to view the contents of a TorMail user inbox, you will be ignored.”

The attack against TorMail alarmed the underground community, the notorious Dread Pirate Roberts, the operator of the Silk Road black market, posted the following warning on the Silk Road homepage:
“I know that MANY people, vendors included, used TorMail,” he wrote. “You must think back through your TorMail usage and assume everything you wrote there and didn’t encrypt can be read by law enforcement at this point and take action accordingly. I personally did not use the service for anything important, and hopefully neither did any of you.” Two months later the FBI arrested San Francisco man Ross William Ulbricht as the alleged Silk Road operator. The connection, if any, between the FBI obtaining Freedom Hosting’s data and apparently launching the malware campaign through TorMail and the other sites isn’t spelled out in the new document. The bureau could have had the cooperation of the French hosting company that Marques leased his servers from. Or it might have set up its own Tor hidden services using the private keys obtained from the seizure, which would allow it to adopt the same .onion addresses used by the original sites.
The bureau was supported by the French hosting company that Marques leased his servers from.
I believe that the Silk Road 2.0, started in December after the arrest of  Ross Ulbricht as the alleged owner of the illegal portal, could be itself a honeypot established by law enforcement, in this climate it is hard to trust anyone.
In the past TorMail website always refused to support feds,  even when presented with a court order, but now the unique certainty in time I’m writing is that FBI has all the information managed by TorMail and archived in its database. 
As remarked by other colleagues Tormail was not affiliated with the Tor Project, so Tor users should not be affected by the Tormail seizure. 

Pierluigi Paganini

(Security Affairs – TorMailAnonymity)

you might also like

leave a comment