Malware That Took Down Freedom Hosting Could Be The Property Of NSA

Malware used to identify Tor users contacted an IP address owned by US government agency, researchers claim

Researchers claim that malware responsible for bringing down Freedom Hosting, the biggest service provider on the anonymous Tor network, was hard-coded to send information to the NSA.

Last weekend, scores of “darknet” websites and services went offline following the arrest of Eric Eoin Marques, the alleged head of Freedom Hosting. It was previously suggested that Marques was identified and tracked using a JavaScript exploit in the Tor Browser Bundle, which is based on Firefox 17 browser.

Experts said that malware remained on the servers after the arrest, and could have attempted to identify other Tor users. Now, Baneki Privacy Labs and Cryptocloud claimed it was designed to be controlled from an IP address that seemingly belongs to the NSA.


Tor is a free encrypted network that conceals a user’s location or Internet use from anyone conducting network surveillance or traffic analysis. It hosts a variety of content from news and secure communication services to things like The Hidden Wiki, a collection of illegal instructions and manuals.

nsa-eagle (Small)Freedom Hosting is one of the largest and most known Tor service providers. Over the years, it has been linked to all manner of criminal activity, including websites dedicated to child abuse and the infamous Silk Road, an online illegal drug marketplace.

Marques, a 28-year-old Dublin resident with no previous convictions, has been described by the FBI as “the largest facilitator of child porn on the planet”.

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers,” explained Andrew Lewman, executive director of the Tor project.

Security researcher Vlad Tsyrklevich suggested that since this payload does not download or execute any secondary backdoors or commands, it is likely to be operated by law enforcement agencies and not hackers.

Baneki Privacy Labs and Cryptocloud have analysed the malware, and they have come to the conclusion that it was used to collect information and send it to a single IP address ( This address is part of a block owned by Science Applications International Corporation (SAIC), a US defence contractor.

“SAIC is, needless to say, deep in the core of the cyber-military complex… and certainly not the FBI,” writes Cryptocloud team.

Further investigation of the DNS records by Baneki has suggested the address in question is part of IP space directly allocated to the NSA’s Autonomous Systems.

It’s not clear just how much information the malware managed to send home, or whether this information is completely accurate, but the danger of being identified is sure to make some Tor users nervous. “Tor Browser Bundle users should ensure they’re running a recent enough bundle version, and consider taking further security precautions,” says an updated advisory from the Tor project, issued on Monday.

What do you know about whistleblowers and their tech? Take our quiz!