The VICE Channels

    Photo: Cliff/Flickr

    FBI May Have Hacked Innocent TorMail Users

    Written by

    Joseph Cox


    Back in 2013, the FBI seized TorMail, one of the most popular dark web email services, and shortly after started to rifle through the server's contents.

    At the time, researchers suspected the agency had also deployed a network investigative technique (NIT)—the FBI's term for a hacking tool—to infect users of the site. Now, confirmation of that hacking campaign has come about buried in a Washington Post report on the FBI's recent NIT usage.

    Even more questions have now been raised, however. In particular, it's unclear whether the hacking was carried out on a much larger scale than the FBI is letting on, possibly sweeping up innocent users of the privacy-focused email service.

    Right at the end of the Washington Post report are two paragraphs talking specifically about TorMail; the email provider in question which ran as a Tor hidden service, and was supposedly used by child pornographers, fraudsters, and Silk Road employees and drug vendors.

    “This week, people familiar with the investigation confirmed the FBI had used an NIT on TorMail,” the Washington Post writes. The agency, the article reads, had obtained a warrant to hack the owners of certain email accounts, suspected of being involved in child pornography activities.

    “Using a privacy preserving communication service is not an invitation, or a justification, for the government to hack your computer.”

    Under this interpretation, the FBI was targeting specific users, rather than casting a dragnet. But based on previous reports of how the NIT was likely deployed, it seems very unlikely that the hack was carried out in the targeted fashion the Washington Post reports.

    In summer 2013, the FBI seized Freedom Hosting, a web host that provided easy to setup Tor hidden services. TorMail was one of them.

    Media reports at the time suggested that anyone visiting a Freedom Hosting site, including TorMail, was met with an error page. This page, researchers soon found, was delivering malicious code, designed to exploit a security-flaw in Firefox and de-anonymise users of the Tor Browser. The code did this by sending the target's real IP address to a server in Virginia.

    One former TorMail user told Motherboard that the malicious code “appeared before you even logged in.” Bearing that in mind, how could the FBI have targeted the owners of specific email accounts associated with child pornography, if that error page, and the malicious code, was being delivered to anyone that visited TorMail at the time?

    “There were certainly large numbers of TorMail users who were not engaging in any criminal activity,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told Motherboard.

    “If the government in fact delivered a NIT to every single person who logged into TorMail, then the government went too far,” he continued.

    “Using a privacy preserving communication service is not an invitation, or a justification, for the government to hack your computer.”

    Even with new clues and information, some questions remain. Despite this case dating back years, the authorisations signed for the use of a NIT are not public.

    “This case was from 2013: we still don't have the NIT order, or the NIT application,” Soghoian said, meaning that it is unclear whether the judge who signed it really knew what they were authorising.

    Christopher Allen, a spokesperson for the FBI, said “I would not be able to comment one way or the other on your specific question,” when asked to confirm the Washington Post's reporting. When asked whether the agency targeted specific users of TorMail with the NIT, or deployed a broader approach, Allen said “That also is a level of detail I could not address.”