FBI takeover of Tor server leads to arrest

The testimony of an FBI agent against 28-year-old Irishman Eric Marques – arrested and charged with distributing child pornography online via the anonymous Tor network – all but confirmed that the FBI was involved in exploiting a Firefox vulnerability that aided in the investigation.

With charges originating in the United States, Marques – said to be a dual citizen of Ireland and the United States, and the world's largest-ever distributor of child pornography via his Freedom Hosting service – is awaiting an extradition hearing after being denied bail in high court on Thursday, according to reports.

During the proceedings, FBI Supervisory Special Agent Brooke Donahue testified that the FBI seized control of Freedom Hosting sometime in July, according to reports.

Authorities were blocked shortly thereafter when Marques changed the Freedom Hosting access credentials, Donahue was reported as saying, but the FBI agent explained that control was regained in early August, right around the time Marques was charged and arrested and Freedom Hosting services went down.

Donahue insisted bail be rejected for Marques because the 28-year-old is a flight risk and due to concerns he would compromise the FBI investigation by attempting to contact co-conspirators, according to reports.

“He was looking to engage in financial transactions with another hosting company in Russia,” Donahue said, according to the Irish Independent. “My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US.”

An FBI spokesperson could not respond to a query, and an indictment against Marques has yet to be unsealed, so the methods the FBI used to take over Freedom Hosting servers remain to be seen.

American authorities were already at the heart of the conjecture as soon as Freedom Hosting services were downed and an FBI extradition request went out for Marques in early August.

Those investigating and discussing the incident online via forums and social media noted that malware introduced into the Tor network via a Firefox vulnerability could gather locations of users and forward that information to an IP address belonging to a Verizon business in Virginia.

Shortly after, Baneki Privacy Labs, an activist project, traced the IP space used in the exploit back to the National Security Agency's (NSA) Autonomous Systems. The NSA's mass data collection apparatus PRISM has been a controversial topic since Edward Snowden blew the whistle on it in May.
