With 'Operation Torpedo,' FBI Malware Infiltrates Dark Web

Just when you thought it was safe to surf the Silk Road-replacement sites… Wired's Kevin Poulsen reported this week on the FBI using hacker-like techniques to track Tor users, in an effort the agency calls "Operation Torpedo." So far the agency says it has only tracked computers accessing underground child pornography sites. But some privacy advocates worry that the FBI's antics could easily be expanded—or already have. 

Tor is the software and open network that allows for anonymous web browsing and accessing the so-called "dark net" or "deep web". It works by bouncing your communications around a distributed network to effectively keep your IP address from being linked to your web activity.

In 2012, the FBI busted a Nebraska man, Aaron McGrath, who was hosting three dark-net child porn sites via three separate servers. A federal magistrate gave the FBI permission to modify the code on these servers to deliver a malware program to any computers accessing those sites. The "network investigative technique" (NIT), as the FBI calls it, allowed the agency to identify IP addresses for these computers and eventually led to 14 arrests.

While it's hard to disagree with busting kiddie-porn proponents, American Civil Liberties Union (ACLU) technologist Chris Soghoian said there needs to be "a public debate about the use of this technology … and whether the criminal statutes that the government relies on" even permit it.

It's one thing to say we're going to search a particular computer. It's another thing to say we're going to search every computer that visits this website.

Soghoian noted that "the mere act of looking at child pornography is a crime," but "you could easily imagine (the FBI) using this same technology on everyone who visits a jihadi forum, for example. And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case."

Let's note that these "legitimate reasons" could all apply to child porn sites, too, even if it may be less likely. In terms of jihadi sites: why should anyone need a 'legitimate reason' to visit? Maybe you're just curious. Maybe you're thinking of joining al Qaeda. Until you start engaging in criminal activity or the planning of it, the FBI has no right to just up and install secret spyware on your computer.

Soghoian's worries over the FBI spying on non-criminal Tor users may have sounded paranoid until not too long ago. Post Edward Snowden, they seem not just plausible but likely. 

The National Security Agency (NSA) is admittedly monitoring servers running Tor—though this week a Department of Defense (DOD) spokeswoman said neither the NSA nor the DOD had received personal data on Tor users during this monitoring. "This particular project was focused on identifying vulnerabilities in Tor, not to collect data that would reveal personal identities of users," she told Reuters. This particular project…

Reuters also notes that "she did not rule out the FBI or other agencies obtaining the data." The FBI declined to comment to the news agency. The U.S. State Department, meanwhile, has been funding Tor, while the Russian government is offering a prize for cracking the Tor code.

  1. So far the agency says lies it has only tracked computers accessing underground child pornography sites.

    C’mon. Does anyone believe them?

    1. You doubt our heroes?

    2. The Wired article contains a lot more info about a specific virus/code/whatever that was infecting Tor users' computers (those not looking at child porn, per se), which a lot of people say was the FBI. I didn’t mention b/c it kind of seems like just a rumor but … yeah.

      1. (by “just a rumor” I don’t mean I don’t or wouldn’t believe it, just that I didn’t feel comfortable passing it on without knowing how much credence to give it.)

      2. It could be the FBI or it could be someone who got a hold of the FBI malware and appropriated to their own uses or it could be someone who used similar malware made independently from the FBI malware or it could be any combination of the three all happening at once.

        One would think much of this could be cleared up by simply looking at where the malware code is sending information to.

        1. That could be difficult depending on how sophisticated the malware was.

          Also, the FBI could even use an ephemeral location to send data to.

  2. I love big brother.

  3. Tor is the software and open network that allows for anonymous web browsing and accessing the so-called “dark net” or “deep web”. It works by bouncing your communications around a distributed network to effectively keep your IP address from being linked to your web activity.

    Trigger warning — rant:

    I’m a bit annoyed about ENB’s “You Can’t Stop the Dark Net” piece from earlier today.

    “The Dark Net” does not exist; there are various darknets. They are classified as such based on network topology (friend-to-friend or similar) and technology stack (e.g., Freenet or GNUnet).

    “The Deep Web”, on the other hand, is an umbrella term for content not indexed by traditional search engines like Google, Bing, Yandex, or Baidu. It doesn’t say much about the technology or content otherwise; something in the Deep Web could be anything from a password-protected message board accessible without any software beyond a web browser to illicit marketplaces accessible via Tor or I2P.

    See the Wikipedia articles for each for more info.

    Of course, that is more the BBC’s fault than ENB’s, as they were using that faulty terminology in the piece she based hers upon.

    And “dark web” isn’t a thing at all, AFAICT.

    1. Okay, I was looking all over about this, because I didn’t want to use the wrong terminology, and both deep web and dark net seem to be popular in media about it. I was confused, too, b/c of the existence of various darknets, but I figured perhaps the nomenclature was changing pop culturally.

      1. As far as I can tell, many media sources / commentators just looked at the term “darknet” and assumed “dark” meant “bad” (it does not).

        It could be a lost cause, though, like trying to explain to people that “wiki” is not a “proper” abbreviation for “Wikipedia”. You may be correct that the proper nomenclature is “changing pop culturally”, or that it will.

        The tl;dr version is that the proper term to be used in this particular piece is Deep Web, although it is pretty broad, covering many much more mundane things.

        Sites that can only be reached via Tor are called “Tor hidden services”, BTW.

    2. Yes, she got called on this before and went to that well again. She’s not bright.

      1. Since I posted it in the PM links and not in the comments to her original post, she probably just didn’t see it. Don’t be an asshole.

  4. So far the agency says it has only tracked computers accessing underground child pornography sites

    So if the FBI infects a person’s PC who is using Tor with malware, can’t the Tor user check and see if his PC is infected with the malware?

    It would seem pretty easy to check how much the FBI has expanded its malware operations beyond just looking for kiddie porn.

    1. One thing that is interesting. By infecting kiddie porn PCs with malware the FBI just gave a piece of government developed malware to kiddie porn users who now can change and appropriate and distribute it as they see fit.

      1. Various sources have claimed that the various three-letter agencies have policies against deploying malware against individuals they think have the knowledge necessary to locate and reverse-engineer it (with the likes of Stuxnet being obvious exceptions).

    2. That assumes that, if the user has anti-malware software at all, that said software is capable of detecting the malware in the first place. The malware could be particularly clever at disguising itself, the software vendor could be unaware of its existence and hence not have added its signature to its database, or the software vendor could have been pressured by the government not to add the signature to its database.

      1. One would think anyone using TOR would be somewhat sophisticated in their ability to detect packets of data leaving their PC without their prompting.

        1. 1. Tor has been covered in enough popular media reports that you can’t assume high technical knowledge among all users.

          2. “detect packets of data leaving their PC“? Um, what? Do you expect them to be combing Wireshark logs for suspicious data?

          1. 1. When did I say everybody? It really only takes one who finds it then posts about it.

            2. A Tor user would be more likely to do this than a non-Tor user.

            1. 1. You used the word anyone

              2. You have got to be fucking kidding me. That was a rhetorical question; hand-monitoring your outbound traffic for malware phoning home is almost totally infeasible, especially in this case, where the FBI has control of a server you’re already purposely communicating with.

              1. I’m not sure what you mean by “hand monitoring”, but one could have whatever local proxy server they have running to route TOR traffic through log all connections made.

                It wouldn’t be hard to see that something made a connection to somewhere it shouldn’t.

                Same goes for if it bypassed the TOR proxy if you were running a software firewall or if you had your router set up to log outbound connections. (I do both of these things personally)

                Of course extremely sophisticated malware could disable the software firewall running on your PC, but it would be harder for them to also happen to simultaneously be able to exploit your router. It’s extremely unlikely.

                I’m pretty positive I’d at least know something fishy happened.

                1. You could also run the proxy on another hardened machine that wasn’t used for much else, like a router/firewall box.

                  This would insulate the proxy logs from being tampered with if the PC being used to browse was exploited and backdoored.

                  (Assuming you didn’t log into the router remotely from the PC after it had become infected.)

              2. Although I just realized that if it were sending data directly back to the owned server it would be much harder to track.

                However, I seem to remember in the case described in the article it just phoned home to some other IP in which case it would be easily detectable.

                1. There are quite a few issues with what you have said — not surprising since you don’t seem to know what Wireshark is — but I don’t feel like giving tips to a pedophile.

                  1. I’ve used Wireshark extensively.

                    As I said, if the exploit just called back directly to the owned server while you were browsing it, it would be harder to detect. But still not impossible.

                    It’s nice though that you can sling ad homs without actually explaining how I said anything factually incorrect.

                    1. (Actually I mainly used it back when it was called Ethereal)

                  2. Oh and I’m sure your excuse for not explaining why I’ve said anything factually incorrect is that “you don’t want to give tips to pedophiles”.

                    Quite convenient, isn’t it? Labeling people pedophiles so you don’t have to actually attack the substance of their argument.

                    1. Say for example you were connecting to an https server and the rogue server used an exploit which didn’t use a separate outbound connection to send whatever data it collected back to the server. But rather just sent it back over the already open encrypted connection.

                      Wireshark wouldn’t necessarily help in this case.

                    2. Also, I don’t really see how useful it would be when trying to analyze Tor traffic anyway.

                      Unless that is, you intercepted it before it hit the Tor proxy.

                      While most Tor users would never go to this much trouble, I wouldn’t be at all surprised if there are some that would.

                      And Corning is right, all it would take is one person posting their packet logs.
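The detection approach argued over in this thread (logging every outbound connection at a proxy or router box and spotting anything from the browsing PC that did not go through Tor) as an added Python example. This is not code from the article or from any commenter; the network addresses, the Tor SOCKS port, the allowed local services and the log format are all constructed assumptions. It also encodes the caveat raised above: a callback that rides the existing Tor circuit to the hostile server never appears as a separate connection, so a log check like this only catches direct bypasses.

```python
"""Flag outbound connections from a Tor-using host that bypass the local Tor proxy.

Model (assumption, not from the article): the browsing PC is expected to send all of
its web traffic to a Tor SOCKS proxy running on a separate router/firewall box, and
that box logs every outbound TCP connection it sees.  A connection from the browsing
PC straight to a public address, not via the proxy, is what malware phoning home to a
third-party IP would look like.  A callback multiplexed over the already-open Tor
circuit to the hostile server never appears as a separate connection, so this check
cannot see that case.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed network layout; every value below is constructed for the example.
LAN = ipaddress.ip_network("192.168.1.0/24")
BROWSING_HOST = "192.168.1.20"          # the PC running the Tor client/browser
TOR_PROXY = ("192.168.1.1", 9050)       # Tor SOCKS port on the router/firewall box
ALLOWED_DIRECT = {("192.168.1.1", 53)}  # local resolver the PC may talk to directly

# Constructed firewall log, one outbound connection per line:
#   <timestamp> OUT <src ip> -> <dst ip>:<dst port>
SAMPLE_LOG = """\
2014-08-06T10:00:01 OUT 192.168.1.20 -> 192.168.1.1:9050
2014-08-06T10:00:02 OUT 192.168.1.20 -> 192.168.1.1:53
2014-08-06T10:00:03 OUT 192.168.1.20 -> 192.168.1.1:9050
2014-08-06T10:00:05 OUT 192.168.1.20 -> 192.168.1.50:445
2014-08-06T10:00:09 OUT 192.168.1.20 -> 203.0.113.45:80
2014-08-06T10:00:10 OUT 192.168.1.21 -> 198.51.100.7:443
this line is not a connection record
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "OUT" or parts[3] != "->":
        return None
    dst, sep, port = parts[4].rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        ipaddress.ip_address(parts[2])
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return Conn(parts[0], parts[2], dst, int(port))


def classify(conn: Conn) -> str:
    """Label a connection relative to the expected 'everything via Tor' policy."""
    if conn.src != BROWSING_HOST:
        return "other-host"        # not the machine we are watching
    if (conn.dst, conn.dport) == TOR_PROXY:
        return "via-tor"           # expected path for all web traffic
    if (conn.dst, conn.dport) in ALLOWED_DIRECT:
        return "allowed-direct"
    if ipaddress.ip_address(conn.dst) in LAN:
        return "lan"               # file shares, printers; not a Tor bypass
    return "bypass"                # direct to a public IP: investigate


def find_bypasses(log_text: str) -> list:
    """Return every connection that left the browsing PC without going through Tor."""
    return [c for c in map(parse_line, log_text.splitlines())
            if c is not None and classify(c) == "bypass"]


if __name__ == "__main__":
    for c in find_bypasses(SAMPLE_LOG):
        print(f"{c.ts} bypass: {c.src} -> {c.dst}:{c.dport}")
```

Running the script on the constructed log flags only the connection to 203.0.113.45:80; the proxy traffic, the local DNS lookups and the LAN file-share connection are all classified as expected. The point of keeping the log on a separate box, as one commenter suggests, is that a compromised browsing PC cannot edit the record of its own connections.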

  5. Because obviously viewing the evidence of a crime is tantamount to actually committing it.

    Whenever I view an ISIS propaganda video where they are murdering helpless people with automatic weapons, I guess I should go to prison for this and be considered a social pariah?

    The argument that it gives incentive to produce more if possession and/or distribution were legal seems rather absurd too. Because if the distribution of the evidence were legal and they had no way to enforce payment, all it would do is shine a giant spotlight on the people responsible for the actual abuse.

    This is the internet, this isn’t print media, they can’t exactly enforce payment. And even if people were merely creating it because they got a sick thrill from it, I still don’t see how banning the possession or distribution helps keep children safe.

    All it does is make it less likely someone who may be able to identify the perpetrator or the victim will see it, or worse it may cause the evidence to get destroyed where it would have been preserved otherwise.

    All you’re doing is making it less likely people being abused right now will be helped.

    For example in the Steubenville case the only reason why things were brought to the attention of authorities is because someone who knew the girl saw a cellphone video being passed around of the girl being raped and then reported it.

    (cont in next post)

    1. (cont from previous post)

      There’s also that case where a woman had kept footage of her father beating her when she was an adolescent. What if it had been sexual abuse, wouldn’t she have been producing, distributing, and possessing child pornography? Aren’t there people who would get off to seeing a child beaten too? To differentiate between these two types of abuse in such a way is absolutely absurd.

      Also, by eliminating the supply that already exists you’re increasing the demand for new stuff to be made because the stuff that’s already been produced is harder to come by.

      Society in general has their priorities extremely screwed up if they actually believe that preventing some pedo from rubbing one out to CP is more important than increasing the chances of finding and stopping abuse. Especially when it can act as an outlet for desires that may otherwise have led to another child being abused, instead of evidence just being replayed.

      1. Oh and by wasting resources going after people who are merely consumers you have less resources available to investigate cases of abuse which are currently happening and where the victim has not yet been identified.

        Basically society’s answer to this problem is thoughtcrime and “sweep it under the rug”. Hardly a good policy. A policy for cowards who are too blinded by emotional objections to realize that they’re just making things worse.

    2. Also I just realized I’m not thinking of the Steubenville case but another one.

      It was one involving serial abuse where a girl (if I remember correctly, age 11) was being pimped out to dozens of men and there was also a similar coverup. However, I can’t remember enough now to find the particular case I’m thinking of.

      Still the same thing applies generally to the Steubenville case because the distribution of the evidence helped bring attention to the rape and helped bring those responsible to justice.

    3. All you’re doing is making it less likely people being abused right now will be helped.

      An interesting pretense coming from somebody who has repeatedly and emphatically argued that having sex with a child is in no way, shape or form abusive.

      Make sure your Malwarebytes is updated, bro.

      1. Actually, I’ve argued that whether or not it is abusive depends on more than an arbitrarily set age. Not that all sex is not abusive. But of course you would word things in such a way that people might infer something different.

        It’s also interesting that once again people are trying to attack me personally instead of attacking my argument.

        If you had a good rebuttal, you wouldn’t have to rely on the argument that since I also hold ‘x’ opinion my other opinions must be invalid.

        You’re engaging in what is basically ad hom. But hey, that’s what I’ve come to expect from people like you.

  6. Looks like we’ll have to get rid of servers. Good thing we have MaidSafe coming.

    1. Looks like we’ll have to get rid of servers.

      Besides that notion being fundamentally naive, no, we don’t. Tor hidden services (.onion URLs) leave the location of the server unknown to the public.

      Good thing we have MaidSafe coming.

      What exactly makes MaidSafe superior to Freenet or GNUnet?

  7. I’m still waiting for Meshnet. Let’s see what the Powers That Be do about that.
