Pierluigi Paganini January 10, 2016

The US law enforcement conducted an unprecedented hacking campaign leveraging on the  network investigative technique (NIT) to de-anonymize Tor users.

In July, at least two individuals from New York have been charged with online child pornography crimes after visiting a hidden service on the Tor network. The Federal Bureau of Investigation (FBI) had used a hacking tool to identify de-anonymize the suspects while surfing on the Tor network.

Now we have more information on the operation conducted by the FBI, the law enforcement hacked over a thousand computers, according to court documents reviewed by Motherboard.

It is the first time that the FBI conducted a so extended operation against Tor users.

According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.”

The Playpen hidden service reached in one year over 200,000 users, with over 117,000 total posts mainly containing child pornography content. The law enforcement discovered nearly 1300 IP addresses belonging to the visitors.

According to Motherboard, the server running Playpen was seized by the FBI from a web host in North Carolina, then the law enforcement managed the computer to track its visitors. The agents used the a network investigative technique (NIT) to obtain the IP addresses of the Playpen users.

It isn’t the first time that the FBI used the NIT to de-anonymize Tor users, on December 22nd, 2014 Mr. Joseph Gross retained the assistance of Dr. Ashley Podhradsky, Dr. Matt Miller, and Mr. Josh Stroschein to provide the testimony as the expert in the process against pedo’s on Tor.
The suspects were accused in federal court in Omaha of viewing and possessing of child pornography.

The NIT was a Flash-based application that was developed by H.D.Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.” stated the forensic report.

According to the act of the process, the investigators were informed that there were three servers containing contraband images that the FBI found and took offline in November of 2012.

Also in that case the authorities used the server as a bait for online pedos, then the Bureau placed the NIT on the servers and used them to de-anonymize TOR users accessing the illegal content. With this technique, the FBI identified the IP addresses of visitors.

The NIT was also used in 2011, by agents running the “Operation Torpedo,” it was the first time that FBI deployed a tracking code broadly against every visitor to a website, instead of targeting a particular user.

According to some clues emerged in the Playpen case, the version of NIT currently used by the FBI is different from the one used in the past during the Operation Torpedo.

The legal counsel for one of the men accused speculates that the number of individuals charged with online child pornography crimes after visiting PlayPen may increase in the next months.

“Fifteen-hundred or so of these cases are going to end up getting filed out of the same, underlying investigation,” Colin Fieman, a federal public defender handling several of the related cases, told Motherboard in a phone interview. Fieman, who is representing Jay Michaud, a Vancouver teacher arrested in July 2015, said his estimate comes from what “we’ve seen in terms of the discovery.”

“There will probably be an escalating stream of these [cases] in the next six months or so,” said Colin Fieman, the federal public defender of Jay Michaud in a phone interview with Motherboard. “There is going to be a lot in the pipeline.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – NIT, Tor users)