The VICE Channels

    Image: Jo McRyan/Getty

    ​Here Is the Warrant the FBI Used to Hack Over a Thousand Computers

    Written by

    Joseph Cox


    In early 2015, the Federal Bureau of Investigation ran a dark web child pornography site from its own servers for 13 days, and hacked over a thousand computers that visited it. Defense lawyers have argued it was not clear in the relevant warrant that child pornography would be distributed while the site was under government control, and attorneys from a civil liberties group have stated that the warrant was “unconstitutional.”

    Now, anyone can see that warrant for themselves. Although the full version is still under seal, a very lightly redacted version of the warrant and its supporting documentation, which only omit usernames and some other details, has been released as an exhibit in an affected case.

    The affidavit supporting the warrant does say that, after being seized, Playpen would be run by the government.

    “While the TARGET WEBSITE operates at a government facility, such request data associated with a user's actions on the TARGET WEBSITE will be collected,” the affidavit, signed by Douglas Macfarlane, an FBI special agent, reads. The documents were released as exhibits in the case of Bruce Lorente, who is facing child pornography charges. Specifically, the filings were made in response to Lorente's motion to suppress evidence, which is currently sealed.

    A section of the affidavit in support of the application for a search warrant, indicating foreign law enforcement's involvement in identifying the Playpen server.

    The affidavit also asks for the authority to deploy a network investigative technique (NIT)—the FBI’s term for a hacking tool—on any computer that logs into the site, regardless of its location.

    “The NIT may cause an activating computer—wherever located—to send a computer controlled by or known to the government, network level messages containing information that may assist in identifying the computer,” it reads. In this case, the NIT grabbed targets' real IP address, MAC address, operating system and architecture, computer Host Name, and username.

    Critics are worried that the language of NIT applications is too vague for judges to grasp what exactly it is they are authorizing; the words "malware" or "hacking" are never used, for example. (Magistrate Judge Theresa C. Buchanan, who signed off on the NIT, has repeatedly declined to answer questions from Motherboard.) The NIT was used to access computers in the US, Greece, Chile, and likely elsewhere.

    The warrant allowed the FBI to deploy the NIT for up to 30 days. In the end, it was only used to hack computers for 13.

    The newly released documents also suggest how the FBI found the Playpen server in the first place.

    “In December of 2014, a foreign law enforcement agency advised the FBI that it suspected IP address, which is a United States-based IP address, to be associated with the TARGET WEBSITE,” the affidavit reads. As Motherboard previously reported, an unidentified foreign agency also helped the FBI identify at least two, and possibly three, high level members of the site. For at least one of those, the foreign agency used its own hacking tool.

    In January, the FBI seized a copy of the Playpen server, and later tracked one of the site's administrators to Naples, Florida, the affidavit continues. (Exhibits also include an interception affidavit, which appears to include details on how Steven Chase, one of the site’s administrators, was identified, but this document is heavily redacted.)

    A short section describing the data centre that hosted Playpen is redacted, but a footnote in the document names “Centrilogic.” Centrilogic is located in Lenoir, North Carolina, and when contacted by Motherboard back in January of this year, a spokesperson for the company said “We have no comment on the matter referenced by you. Our obligations to customers and law enforcement preclude us from responding to your inquiry.”

    Extra details about the scale of the site are also included in the documentation. According to the affidavit, Playpen had dozens of threads dedicated to different types of child pornography, and also included a “Security & Technology discussion” section, which had 281 topics and 2,035 posts.

    The registration page of Playpen also contained some security advice for those signing up. As well as using a non-existent email, the administrator recommends “that you turn off javascript and disable sending of the 'referer' header.” The latter can be used to map what sites users have visited.

    The released copy of the warrant and supporting documentation is embedded below.

    NIT Warrant and Affidavit Used on Playpen [Slightly Redacted Version] by Joseph Cox