• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Taking over millions of developers exploiting an Open VSX Registry flaw

 | 

OneClik APT campaign targets energy sector with stealthy backdoors

 | 

APT42 impersonates cyber professionals to phish Israeli academics and journalists

 | 

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Cyber Crime
  • Hacking
  • Intelligence
  • Laws and regulations
  • FBI infected PCs on a large scale to persecute alleged criminals

FBI infected PCs on a large scale to persecute alleged criminals

Pierluigi Paganini August 07, 2014

A report disclosed by Wired suggests that the FBI is using a malware to identify Tor users by infecting machines on a large scale.

It’s not a mystery that usage of the Tor network represents a problem for investigators of law enforcement agencies and for government entities that need to track users on the popular anonymizing network. Last year the FBI dismantled the Tor hosting service Freedom Hosting in a large scale investigation on child pornography. FBI used a malicious code able to exploit a Firefox Zero-day for Firefox 17 version that allowed it to track Tor users. The malware implants a tracking cookie which fingerprinted suspects through a specific external server. The exploit is based on a Javascript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server exposing the victims’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network.  

This Warrant Authorized FBI to Track and Infect Computers with Malware from The Hacker News

A few days ago, operators at Tor Project revealed that an unknown entity has managed a series of relay servers to conduct a confirmation attack against the Tor network and de-anonymize its users.

“The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of whole Tor network) were involved in the attack, the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymizeusers. ” I’ve reported in a previous post on the attack.

A new report disclosed by Wired suggests that agents of FBI are using a malware to identify Tor users by infecting their machines, it seems that the law enforcement agency is infecting computers as part of a large scale campaign dubbed Operation Torpedo. The tactic adopted by the FBI is simple as dangerous, the Bureau has compromised high-traffic websites using them to deliver the malicious code used to track Tor users, the infection schema is known as “drive-by download”. A court case has revealed that the FBI has used the tactic to track computers accessing the Tor network. It is difficult to verify if innocent Tor users were also infected by the the Operation Torpedo campaign, but security experts are sure that FBI and other agencies will continue to infect systems with drive-by download exploits.

“Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes.” report Wired.
In reality the FBI was interested to track those Internet users, which were habitual visitors of hidden websites dealing with illegal activities like child pornography, selling drugs and weapons and murder contracts.
In 2012 the FBI discovered a site called “Pedoboard,” and successfully hacked it exploiting a poorly configuration for the administrative account. The FBI, after obtaining legal warrants to track visitors of Aaron McGrath identified the IP address of as many as 25 individuals using a malware specifically designed for the purpose.
Of course, despite the use of tracking malware could be very effective, its use have many repercussions on legal and security perspectives. It could be used to track Internet users legally visiting other suspicious sites, and don’t forget that similar malicious could be also abused by bad actors.
“You could easily imagine them using this same technology on everyone who visits a jihadi forum, for example,” “And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case. ACLU attorneys read Inspire Magazine, not because we are particularly interested in the material, but we need to cite stuff in briefs.” said Chris Soghoian, principal technologist with the American Civil Liberties Union.
Operation Torpedo malware Tor FBI
The ACLU fears that judges issuing the legal search warrants to the FBI, which make these tracking malware attacks legal due their poor knowledge of technology issue.
“A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days”
Let’s hope that similar tactics will be properly regulated in the future, I understand that they could be necessary to track criminals, but potential side effects could be hard to mitigate and dangerous for Internet survival.

Pierluigi Paganini

(Security Affairs –  malware, FBI)  


facebook linkedin twitter

Cybercrime FBI Hacking law enforcement Magneto malware privacy Tor network

you might also like

Pierluigi Paganini June 27, 2025
Taking over millions of developers exploiting an Open VSX Registry flaw
Read more
Pierluigi Paganini June 27, 2025
OneClik APT campaign targets energy sector with stealthy backdoors
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Taking over millions of developers exploiting an Open VSX Registry flaw

    Hacking / June 27, 2025

    OneClik APT campaign targets energy sector with stealthy backdoors

    Hacking / June 27, 2025

    APT42 impersonates cyber professionals to phish Israeli academics and journalists

    APT / June 27, 2025

    Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

    Cyber Crime / June 26, 2025

    Cisco fixed critical ISE flaws allowing Root-level remote code execution

    Security / June 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT