FBI: We unmasked and collared child porn creep on Tor with spy tool
Metasploit decloaking kit rides again?
Dark-web deadbeats may not be as anonymous as they think. A bloke in the US was charged on Friday after FBI spyware caught him downloading child sex abuse material.
Luis Escobosa, of Staten Island, admitted to the Feds that he broke federal child pornography laws by viewing depraved photos on a Tor hidden service. Unknown to Escobosa, the Feds were running that hidden service, and were using it to feed him spyware.
The child porn website's systems were seized in Lenoir, North Carolina, after agents got a court order in February. The Feds continued to keep it in operation for two weeks afterwards to catch perverts using it. The site had nearly 215,000 users.
Because visitors had to reach the warped website over Tor, the web server's logs were of little use to investigators: every connection arrived through the anonymizing network, so the logs recorded Tor's nodes rather than the visitors' own addresses. Instead, the FBI deployed a NIT – a "network investigative technique," or what in the hands of criminals would be termed spyware.
The FBI has been using NITs for over a decade. While the Escobosa indictment doesn't give details, other court documents have stated that the software was developed by adapting a tool written by white hat hacker HD Moore called the Metasploit Decloaking Engine.
A NIT works like this: a file, typically a Flash file, is hosted by a seized child porn website, and sent to web browsers when perverts visit the hidden service via Tor. The Flash file runs in Adobe's browser plugin, and because plugins like Flash open their own network sockets and ignore the browser's proxy settings, it can establish a direct connection to an FBI-controlled server on the public internet without going through Tor.
The Feds can then, in most cases, read off the user's real public IP address from the source of that connection, unmasking the scumbag. This is also why the Tor Project's own browser ships with plugins disabled.
In Escobosa's case, the software reported back he was using a computer in Staten Island via Verizon's fiber service. After determining his home address from the ISP using a subpoena, FBI agents got a search warrant, and snatched the man's computers in late June.
The investigators said Escobosa thought he kept no copies of illegal imagery on his PC, but agents found 115 child sex abuse images stored in the thumbnail cache of his Tor browser – plus logs of IRC chats with other pedophiles. After he was cuffed, Escobosa initially kept his mouth shut and demanded a lawyer, but later admitted to the Feds that he had cruised websites looking for unspeakable images.
Escobosa was then given a polygraph test to determine whether he had physically abused children, which indicated he had not. He has appeared before a magistrate judge in the US District Court for the Eastern District of New York, and is free on a $150,000 bond awaiting trial.
According to the FBI, Escobosa joined the notorious Playpen website on February 4 using the handle Fraud92787, and on one day alone in March, found 70 indecent pictures of three girls aged between five and eight.
This isn't the first time a NIT has been used to find someone using the dark web for nefarious purposes, and it won't be the last. ®