The Tor Project is claiming that researchers at Carnegie Mellon University (CMU) were paid a hefty bounty by the FBI to stage an attack last year aiming to unmask the operators of the network's hidden servers.
"We have been told that the payment to CMU was at least $1 million," the group said in a blog post.
In July 2014 the Tor Project revealed that it had been the victim of a six-month hacking campaign which sought to flood the network with relays that modified Tor protocol headers to track hidden servers. Within a week Tor updated its software and pushed out new versions of code to block similar attacks in the future.
The attack was limited in that it didn't monitor entry and exit nodes to the Tor network, but could have been used to trace traffic patterns to hidden sites by the academics-for-hire. But the Tor Project is fuming that the FBI used the university to circumvent federal hacking laws.
"Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," said the group.
"This attack also sets a troubling precedent: civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses 'research' as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute."
CMU's role in trying to hack the Tor network – an anonymizing internet network that was partially funded by the US Office of Naval Research – has been well known ever since researchers from the university pulled a talk from last year's Black Hat security conference about how they could break through its privacy protections.
According to the Black Hat presentation's precis, some Tor traffic could be tracked using a few powerful servers and some fiber-speed connections. The researchers said that with a $3,000 budget they could use Tor design flaws to deanonymize traffic to hidden servers within a few months.
Two months after the briefing was scheduled to occur, US and European cybercops announced the successful conclusion of Operation Onymous – a huge raid against dark net operators that took down Silk Road 2.0 and Cannabis Road. Police netted over $1m in Bitcoin, €180,000 (£141,200, $223,800) in cash, drugs, gold and silver, shut down 414 websites, and made 17 arrests.
For Tor to go on the record with such a claim indicates pretty strong evidence, but CMU has yet to respond to comment on the matter at time of publication. ®