Operation Torsploit
I was originally going to make this post on the one year anniversary of the FH JavaScript attack, but that whole situation with Wired kind of took the wind out of my sails.
Anyway, this thread is going to include a final summary of the FBI's war on Tor, my thoughts and theories, and I'm going to answer some questions people have been asking me.
The FBI's campaign against Tor has been ongoing for years, and as recently as June 2012 it seemed all of their efforts had been in vain, as this article was published: https://nakedsecurity.sophos.com/2012/06/14/fbi-tor-*****-*****-investigation/
However, just 5 months later they launched Operation Tor*****, the first successful mass deployment of their CIPAV/NIT code against a network of .torify.net ***** ***** sites run by Aaron McGrath, who is now serving 20 years in prison.
Aaron McGrath was convicted and sentenced for the crime of Engaging in a ***** Exploitation Enterprise. McGrath was sentenced to twenty years of imprisonment. After his release from prison he will begin a 10 year term of supervised release. McGrath created and operated three separate websites dedicated to advertising and distributing ***** *****ography between January 2009 and November 2012. McGrath administered the websites from his workplace, a server farm in Bellevue, Nebraska, and from his home in Omaha, Nebraska. The websites, named *****Board, *****Book and TB3 were only accessible on the TOR network. The TOR network facilitates anonymous and, for the most part, untraceable communications by users. One of the sites had 5,600 members, 3,000 message threads and 24,000 postings as of December 2012. Sub-forums included sections of ***** *****ography involving: Babies; Prepubescent Boys; Prepubescent Girls; *****age Boys and *****age Girls. The text area of the site included a forum devoted to *****philia. One site alone contained well over 10,000 ***** *****ography images with the *****est victims being infants and toddlers. The investigation has resulted in 25 additional defendants discovered using one or more of McGrath’s boards on the TOR network. ~ Justice.gov
Operation Tor*****: November 15- December 5 (this is a broad estimate, I can't find the document that has the exact deployment dates at this time)
The attack: The actual method employed in deploying this attack is unknown at this time, but it's assumed that it was a similar attack to the one used on Freedom Hosting. The two attacks do have some distinct differences: MAC addresses and host names were NOT collected during Operation Tor*****, and there is evidence that suggests this attack may have worked against Linux and Mac.
The Arrests: There were 25 defendants; however, only 14 defendants are named in any court documents. The unnamed defendants are listed as John Does. It's unclear why at this moment; this will be covered further in the thoughts and theories section.
The 14 who WERE arrested were all subject to simultaneous raids a little over 4 months after the FBI operation. There is no evidence that any of the defendants discovered the code that was used. Why this is relevant will be touched on later.
The Defendants: JASON FLANARY, TIMOTHY DEFOGGI, ZACKARY AUSTIN, RUSSELL GLENN PIERCE, DAVID WILLIAM PEER, JOSHUA WELCH, THOMAS SPENCER, BRANDON MOORE, JOHN SEBES, GARY REIBERT, VINCENT DIBERARDINO, MICHAEL HUYCK, KIRK COTTOM, KEVIN M. PITMAN
The motion to suppress: The code was deployed under the authority of a search warrant out of Nebraska. The defendants have attempted to suppress any evidence obtained due to the failure of the FBI to notify them of the search within the required 30 days. The 30 day requirement is a non-essential element of the Fourth Amendment, and violation of this rule rarely results in suppression. This will be covered in much more depth in the thoughts and theories section.
The Torsploit: Servers under control: July 22nd. The code deployed: July 31 - August 5
The first indication that something was wrong was when, starting July 22nd, many people began reporting outages of popular FH sites, such as Tormail. No one even considered that it was a part of an ongoing law enforcement operation. Just weeks later Erik Eoin Marques was indicted in the US and his servers were serving up malware.
In the hysteria that followed, much false information was spread. Many claimed this was just a "dry run" and no arrests of criminals would be made; this I can tell you 100% is false. Then the other big one was that this was an NSA operation, also false.
The attack collected the victim's MAC address and host name, then sent it to FBI servers in Virginia using the victim's clearnet IP. However, there is one thing that almost no one discussed immediately following the attack: the tracking cookie.
The only known arrest is a man named Grant Klein of Vermont; they were able to describe in great detail exactly what he was doing on the sites he visited, and the tracking cookie is the only way this could be accomplished.
Grant Klein: After hours of sifting through legal documents and following leads I have been unable to find any additional arrests. Grant is the only named suspect in either Operation Tor***** or the Torsploit to receive press coverage at the time of his arrest. Mr. Klein was arrested about 3 1/2 months after the FH exploit. In that time he had destroyed his hard drive, at some point felt "safe" and restarted his illegal conduct. When the FBI showed up at his door he took the route of cooperation. The case was originally filed in Maryland but the FH related charges were dropped at some point and he was charged in his home state of Vermont for images he had stored on his phone. He is now awaiting sentencing after taking a plea deal. The Judge assigned to his case is known for leniency in ***** ***** cases.
This post is a first draft and will be updated and edited regularly until I am 100% satisfied with its content. Part Two, "Thoughts and Theories", will be completed some time tonight.
WIP
https://www.reddit.com/r/TOR/comments/2d6ebm/fbi_vs_tor_torsploit_and_operation_tor*****_the/