When the FBI seized the Tor network's top web host, Freedom Hosting, in August, it took down the largest child pornography ring online—quite the feather in the agency's cap. But it also gave the feds access to every record of every anonymous site hosted by Freedom Hosting, including TorMail, the secure email provider used by criminals, journalists, and dissidents alike.
The breach left users of the now-defunct TorMail wringing their hands, wondering who was trawling through their secret emails. How would the government use this new data bonanza? Could the FBI mine the information in the deanonymized emails to track cybercriminals?
Unnervingly, it looks like the answer is yes. Newly released court documents show that the FBI has access to entire TorMail inboxes and has used the information to make arrests in crimes unrelated to the Freedom Hosting bust.
Last week the agency announced a series of arrests around the counterfeit credit card marketplace Fakeplastic, including the website's administrator Sean Roberson, as Brian Krebs first reported. The cops tracked down Roberson through thousands of web orders that had been sent to his Tor email account, one of many the agency's been sitting on.
Notably, the FBI did obtain a search warrant before looking through the suspect's emails—unlike the NSA's unfettered access to Americans' online communications. But it's still a huge blow for email users who relied on the onion network to evade law enforcement or the government's prying eyes. As a rule, TorMail refused to hand over information to the feds, even when subpoenaed or presented with a court order.
Experts suspect the FBI hacked Freedom Hosting this summer by infecting the Tor browser, a souped-up version of Firefox, with malicious code. (The Tor Project pointed out at the time that compromising the software behind a hosting company was not the same as infiltrating the onion network itself.) TorMail was seized in the malware attack. The court documents explain:
In connection with an unrelated criminal investigation, the FBI obtained a copy of a computer server located in France via a Mutual Legal Assistance Treaty request to France, which contained data and information from the Tormail email server, including the content of Tormail e-mail accounts. On or about September 24, 2013, law enforcement obtained a search warrant to search the contents of the Platplus Tormail Account, which resided on the seized Tormail server.
Should we expect to see more of this? Well, savvy denizens of the Deep Web know that no encryption service is 100 percent safe, and you still have to take smart precautions to protect your ass. TorMail messages were sent in plain text unless users also encrypted them with PGP or a similar tool. However, cybercriminals trading on the black market can't force their customers to also encrypt every message. Any sloppy mistakes or laziness can theoretically now be exploited by law enforcement.
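The point above, that a seized mail server only exposes what arrived at it in the clear, is easiest to see by modelling the server as a dumb store and encrypting on the sender's side. The following Go program is an added illustration, not code from the article or from TorMail; it uses a hybrid X25519 + AES-256-GCM envelope as a stand-in for PGP, with a simplified SHA-256 key derivation (an assumption, where a real tool would use HKDF or the OpenPGP constructions), and the sample messages are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Mailbox models what the hosting server keeps for one account: message
// bodies exactly as received. A seized disk image exposes this slice.
type Mailbox []string

// Store records a body as the server received it; the server never
// encrypts on the sender's behalf, mirroring the TorMail situation.
func (m *Mailbox) Store(body string) { *m = append(*m, body) }

// ContainsPlaintext reports whether a dump of the mailbox exposes a keyword.
func ContainsPlaintext(dump Mailbox, keyword string) bool {
	for _, body := range dump {
		if strings.Contains(body, keyword) {
			return true
		}
	}
	return false
}

// NewRecipientKey generates the recipient's long-term X25519 key pair.
// The private half lives on the recipient's device, never on the server.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionKey derives the AES-256 key. Assumption: SHA-256 over
// (shared secret || ephemeral pub || recipient pub) stands in for HKDF.
func sessionKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

const envelopePrefix = "e2e:" // marks a body the server can store but not read

// Encrypt seals plaintext before it leaves the sender: fresh ephemeral
// X25519 key, shared secret with the recipient's public key, AES-256-GCM
// with a random nonce. The ephemeral public key is bound in as associated data.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return "", err
	}
	ephPub := eph.PublicKey().Bytes()
	block, err := aes.NewCipher(sessionKey(shared, ephPub, recipient.Bytes()))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	raw := make([]byte, 0, len(ephPub)+len(nonce)+len(ct))
	raw = append(append(append(raw, ephPub...), nonce...), ct...)
	return envelopePrefix + base64.StdEncoding.EncodeToString(raw), nil
}

// Decrypt opens an envelope with the recipient's private key. A wrong key
// or a modified envelope fails the GCM tag check and returns an error.
func Decrypt(recipient *ecdh.PrivateKey, envelope string) ([]byte, error) {
	if !strings.HasPrefix(envelope, envelopePrefix) {
		return nil, errors.New("not an encrypted envelope")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(envelope, envelopePrefix))
	if err != nil {
		return nil, err
	}
	const pubLen, nonceLen = 32, 12 // X25519 public key, standard GCM nonce
	if len(raw) < pubLen+nonceLen {
		return nil, errors.New("envelope too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(raw[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey(shared, raw[:pubLen], recipient.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, raw[pubLen:pubLen+nonceLen], raw[pubLen+nonceLen:], raw[:pubLen])
}

func main() {
	recipient, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the same note sent once in the clear, once sealed.
	msg := "Interview notes: source asks to stay anonymous."
	var server Mailbox
	server.Store(msg)
	env, err := Encrypt(recipient.PublicKey(), []byte(msg))
	if err != nil {
		panic(err)
	}
	server.Store(env)
	fmt.Println("seized dump reveals the note:", ContainsPlaintext(server, "stay anonymous"))
	fmt.Println("sealed copy alone reveals it:", ContainsPlaintext(Mailbox{env}, "stay anonymous"))
	pt, err := Decrypt(recipient, env)
	fmt.Printf("recipient opens it: %q (err=%v)\n", pt, err)
}
```

The keyword search stands in for whatever an investigator would run over a seized image: the clear-text copy matches, the sealed copy does not, and only the holder of the recipient's private key can open it. Nothing here helps the server resist seizure; it only changes what a seizure yields.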
Indeed, when Freedom Hosting was seized this summer, the "Dread Pirate Roberts" posted a warning on the Silk Road website to TorMail users (H/T Wired): "You must think back through your tormail usage and assume everything you wrote there and didn't encrypt can be read by law enforcement at this point and take action accordingly. I personally did not use the service for anything important, and hopefully neither did any of you." (Many people assumed the feds would get DPR next, and sure enough Ross Ulbricht was arrested about two months later.)
The TorMail-aided arrest comes on the heels of a bruising week for the privacy network. Last week scientists discovered 25 exit nodes were being hosted by "bad actors" deliberately trying to sabotage the onion router's encryption. The research paper called them "spoiled onions." A couple of days after that, a separate research team revealed the increasing popularity of "Sniper Attacks" used against Tor to de-anonymize the network without revealing the identity of the attacker. In response to that "devastating" news, the Tor Project published a blog post describing how to protect against an attack.