Tor Websites Down As Alleged Freedom Hosting Admin Arrested For Child Porn Distribution

Evidence suggests hackers employed by the FBI managed to track some Tor users

Scores of “darknet” websites and services remain inaccessible following the arrest of an Irish man believed to be the head of Freedom Hosting, the biggest service provider on the anonymous Tor network.

The FBI has accused Eric Eoin Marques of facilitating child pornography distribution. If he is extradited to the US, he could spend up to 30 years in prison.

Marques is expected to appear in Ireland’s High Court on Thursday, reports The Independent in Ireland. He was identified as a result of a cyber attack on Freedom Hosting, which had also configured the servers to spread the infection.

Hacking in the name of the law

Tor is a free encrypted network that conceals a user’s location or Internet use from anyone conducting network surveillance or traffic analysis. It hosts a variety of content from news and secure communication services to things like The Hidden Wiki, a collection of illegal instructions and manuals.

Firma VFreedom Hosting is one of the largest and most known Tor service providers. It has been linked to all manner of criminal activity, including websites dedicated to child abuse and the infamous Silk Road, an online illegal drug marketplace.

Marques, a 28 year-old Dublin resident with no previous convictions, has been described by the FBI as “the largest facilitator of child porn on the planet”. Besides Freedom Hosting, he is also alleged to be involved with encrypted email service Tormail and Bitcoin exchange Onionbank. The FBI has been hunting the man responsible for Freedom Hosting for the last 12 months.

Several sources suggest Marques was identified and tracked using a JavaScript exploit in the Tor Browser Bundle, which is based on Firefox 17 browser.

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers,” explained Andrew Lewman, executive director of the Tor project.

“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can,” he added.

“We are actively investigating this information and we will provide additional information when it becomes available,” commented Michael Coates, director of security assurance at Mozilla.

Ofir David, head of intelligence at Israeli cybersecurity firm Cyberhat, told researcher Brian Krebs it looks like the exploit was used to identify not just Marques, but also other users of Freedom Hosting, and record their true IP addresses.

”Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by a [law enforcement agency] and not by blackhats,” suggested Vlad Tsyrklevich, the man who reverse-engineered the exploit.

What do you know about crime and punishment in the digital age? Take our quiz!