TorMail hack, FBI surgical operation, or dragnet surveillance?

Pierluigi Paganini January 22, 2016

In 2013 FBI agents seized TorMail; now new information is emerging on the operation. Some believe it was a surgical operation, others accuse the Feds of dragnet surveillance.

In 2013 FBI agents seized TorMail, at the time the most popular dark web email service. The US law enforcement agency seized the TorMail database in conjunction with the seizure of Freedom Hosting, the most popular Tor hidden service hosting provider. In early 2014, Wired reported that the seized database was being used in a completely unrelated investigation aimed at identifying a cybercriminal organization operating major black markets on the Tor network.

The IT security industry speculated that the Feds had used a hacking tool, the network investigative technique (NIT), to de-anonymize users on the Tor network. The use of the NIT was confirmed in 2015 when, according to court documents reviewed by Motherboard, the FBI used it to identify suspects while they were browsing the Tor network.

In July 2015, at least two individuals from New York were charged with online child pornography crimes after visiting a hidden service on the Tor network.

According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.” Law enforcement collected nearly 1,300 IP addresses belonging to its visitors.

Now a report published by the Washington Post confirms that in the summer of 2013 the Feds hacked the TorMail service by injecting the NIT code into the mail page in an attempt to track its users. Obviously the US Government would not confirm the circumstance, but it seems that only a limited number of accounts belonging to suspects were hacked. This version doesn’t convince many security experts and privacy advocates, who believe the FBI ran dragnet surveillance against TorMail users.

The attack against Freedom Hosting took advantage of a flaw in Firefox 17, widely reported at the time as a zero-day, to identify some users of the Tor anonymity network (the bug had in fact already been fixed in Firefox ESR 17.0.7, but many Tor Browser Bundle users had not updated). The FBI took control of Freedom Hosting’s servers to investigate child pornography activity; US law enforcement considered Freedom Hosting the largest child porn facilitator on the planet.

“The FBI exploited a Firefox zero-day in Firefox version 17 that allowed it to track Tor users; it exploited a flaw in the Tor Browser to implant a tracking cookie which fingerprinted suspects through a specific external server.

The exploit was based on JavaScript carrying a tiny Windows executable hidden in a variable dubbed “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server, exposing the victim’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor network.”
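The detail that matters to a defender in the description above is the last sentence: the payload phones home with a plain HTTP request that does not go through Tor, which is exactly why it can reveal the real IP address. That same property makes the beacon detectable on the endpoint. The following is an added example, not code from the article or from the FBI tooling it describes: a small detector that reads host-firewall connection records and flags any connection made by the browser process that does not go to the local Tor SOCKS listener. The log format, the hostnames, the IP addresses and the policy (browser confined to 127.0.0.1:9150, the Tor Browser Bundle default) are all assumptions constructed for the example.

```python
"""Detect Magneto-style proxy bypass: browser traffic that leaves the host
without passing through the local Tor SOCKS listener.

Added example; the log lines below are constructed, not real traffic."""

import ipaddress
from dataclasses import dataclass

# Constructed host-firewall records: "<timestamp> key=value ..." per outbound
# TCP connection. Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2013-08-04T02:11:09Z host=ws01 proc=firefox.exe src=10.0.0.5:49213 dst=127.0.0.1:9150 proto=tcp action=allow
2013-08-04T02:11:10Z host=ws01 proc=tor.exe src=10.0.0.5:49214 dst=198.51.100.22:9001 proto=tcp action=allow
2013-08-04T02:11:12Z host=ws01 proc=firefox.exe src=10.0.0.5:49220 dst=203.0.113.7:80 proto=tcp action=allow
2013-08-04T02:11:13Z host=ws01 proc=outlook.exe src=10.0.0.5:49221 dst=192.0.2.10:443 proto=tcp action=allow
2013-08-04T02:11:15Z host=ws01 proc=firefox.exe src=10.0.0.5:49222 dst=127.0.0.1:9150 proto=tcp action=allow
"""

# Hypothetical policy (assumption): the browser may only talk to the local Tor
# SOCKS port. Only the tor process itself is allowed to reach the Internet.
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCS = {"firefox.exe", "firefox"}
# Explicit RFC 1918 ranges; ipaddress.is_private also covers the RFC 5737
# documentation ranges used in the sample, which is not what we want here.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    proc: str
    dst_ip: str
    dst_port: int
    reason: str


def parse_line(line):
    """Parse one record into a dict; return None for malformed or incomplete lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, val = tok.split("=", 1)
        rec[key] = val
    if not all(f in rec for f in ("host", "proc", "dst")):
        return None
    return rec


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port)."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def classify(rec):
    """Return a reason string if the record is a proxy bypass, else None."""
    if rec["proc"].lower() not in BROWSER_PROCS:
        return None  # only the browser is confined to the SOCKS listener
    ip, port = split_endpoint(rec["dst"])
    if (ip, port) == TOR_SOCKS:
        return None  # expected path: browser -> local Tor SOCKS listener
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "browser connected to a loopback port other than the Tor SOCKS listener"
    if any(addr in net for net in LAN_NETS):
        return "browser connected directly to a LAN address"
    return "browser connected directly to the Internet, bypassing Tor"


def detect_bypass(log_text):
    """Run the policy over every TCP record and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("proto", "tcp") != "tcp":
            continue
        reason = classify(rec)
        if reason:
            ip, port = split_endpoint(rec["dst"])
            alerts.append(Alert(rec["ts"], rec["host"], rec["proc"], ip, port, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_bypass(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.proc} -> {a.dst_ip}:{a.dst_port}: {a.reason}")
```

On the sample, only the firefox.exe connection to 203.0.113.7:80 is flagged; the tor.exe connection to a relay and the unrelated Outlook connection are ignored. In practice the same rule is enforced, not just detected, by running the browser in a network namespace or VM whose only route is the Tor daemon, so that a JavaScript payload like the one described has no way to send a request outside the circuit.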

TorMail was one of the web services hosted by Freedom Hosting, so it was subject to the FBI investigation too.

“This week, people familiar with the investigation confirmed that the FBI had used an NIT on TorMail. But, they said, the bureau obtained a warrant that listed specific email accounts within TorMail for which there was probable cause to think that the true user was engaged in illicit child-pornography activities. In that way, the sources said, only suspects whose accounts had in some way been linked to involvement in child porn would have their computers infected.” states the Washington Post report.

“An FBI official who spoke under a similar condition of anonymity said the bureau recognizes that the use of an NIT is “intrusive” and should only be deployed “in the most serious cases.” He said the FBI uses the tool only against offenders who are “the worst of the worst.””



I can report my experience with the TorMail service, which I used for research purposes: when I was trying to access the TorMail service, it was returning an error page. According to the analysis conducted by the experts, that error page contained the malicious exploit code to track the users.

“There were certainly large numbers of TorMail users who were not engaging in any criminal activity,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told Motherboard. “If the government in fact delivered a NIT to every single person who logged into TorMail, then the government went too far,” he continued.

“Using a privacy preserving communication service is not an invitation, or a justification, for the government to hack your computer.”

I sincerely don’t understand how it was possible to discriminate between users who were not logged in; I remember that the error page was displayed before entering the login credentials, so there was no way to distinguish my account from others.

I probably don’t remember correctly the exact sequence of operations.



Pierluigi Paganini

(Security Affairs – NIT, FBI)
