Dark-web pedo jailed after FBI and co use vid trick to beat privacy tech
Bloke thought he was safe on anonymizing network. Now he's in the cooler for 13 years
A US bloke was jailed for 13 years on Wednesday for sharing pictures and videos of child sex abuse on the dark web.
Despite using an anonymizing network, such as Tor, to hide his location and cover his tracks on the internet, he was eventually nabbed by pedo-hunting cops – after he watched a crafty video that, we're told, leaked his public IP address. That led the FBI to his front door – and through it.
Roy Harvender Jr was a member of what is referred to as Website 19, a site on the dark web that operated between early 2012 and December 2014. It had 105,651 registered users. Pervs had to provide fresh child pornography in order to maintain their access to the site. Under the username "ricenbeans," Harvender, 59, of New Castle County, Delaware, was an active member of Website 19, and posted indecent images of kids as young as four years old.
According to FBI Special Agent Michael Lipsner [PDF], in June 2014 an unidentified foreign law enforcement agency – codenamed FLA 1 – arrested a member of Website 19, and used his account details to identify the location of the server hosting the website. Police in a second country seized the site's machine, and cuffed the operator, who agreed to cooperate.
With the computer in their hands, the cops continued to run the underground Website 19 to snare other perverts.
"Acting independently and in accordance with its own national laws, FLA 1 assumed control of Website 19 in September, 2014 and began operating the site from a computer server in its own jurisdiction," Agent Lipsner told a Delaware court. "Website 19 operated under control of FLA 1 until the first week of December, 2014, when Website 19 ceased to operate."
There's nothing new in police operating these kinds of sites. The FBI briefly ran Playpen – practically the Facebook of pedos – and various other kiddie porn exchanges, after seizing the servers. The agents used their newly found administrator privileges on those boxes to infect visiting web browsers with NIT trackers: this spyware was designed to unmask people hiding behind Tor – a move that landed the Feds on shaky legal ground. Some suspected pedophiles walked free from court after defense lawyers challenged evidence gathered by NITs.
Video killed the anonymity star
Meanwhile, FLA 1 tried a different technique. In November 2014, the agency posted on the Website 19 forums a link to a specially crafted child abuse video. When users hit the URL, they were warned they were accessing stuff on another website: at least one person clicked through.
From what we can tell, when the video loaded up, it somehow automatically opened a second network connection, this time to a server monitored by the police. This secondary connection did not go through any anonymizing networks, and thus leaked the public IP address of the otherwise cloaked viewer.
We'd expect pedos to set up their computers so that all connections are routed through anonymizing networks, such as Tor, and therefore streaming this particular video, even on a separate site, should not reveal one's true IP address. However, this video appears to have bypassed that. The Feds don't say which network was targeted – it could be Tor or I2P or similar – nor exactly how the unmasking mechanism worked.
"FLA 1 advised the FBI that in early November 2014, acting independently and according to its own national laws, FLA 1 uploaded a hyperlink to a file within a forum on Website 19 that was accessible only to registered members of Website 19," Agent Lipsner told the court.
"The hyperlink was advertised as a preview of a child pornography website with streaming video. When a Website 19 user clicked on that hyperlink, the user was advised that the user was attempting to open a video file from an external website. If the user chose to open the file, a video file containing images of child pornography began to play, and FLA 1 captured and recorded the IP address of the user accessing the file.
"FLA 1 configured the video file to open an internet connection outside of the [Tor] network software, thereby allowing FLA 1 to capture the user's actual IP address, as well as a session identifier to tie the IP address to the activity of a particular Website 19 user account."
It is certainly possible the video contained malicious code that exploited a security vulnerability to open an unprotected connection when the vid was played, thus ratting out the viewer – but this is perhaps a little too high risk and too unreliable for this operation. Instead, a URL embedded in the video metadata or its webpage, or something like that, may have been automatically fetched while the material was playing, spilling the public IP address to a web server controlled by the plod.
At least one of those leaked public IP addresses was located in the US, so FLA 1 got in touch with the FBI, who got an administrative subpoena requesting subscriber information from Comcast for that address. After a series of investigations, the FBI fingered Harvender as the source of the connection, and applied for a search warrant of his home.
Inside they found a laptop and two USB drives containing hundreds of images and videos of children being sexually abused. They arrested Harvender, who waived his Miranda rights and admitted being a member of the website, but denied knowing that possession of child pornography was illegal.
In October last year, Harvender pled guilty to one count of distribution of child pornography. On Wednesday he was sentenced to 13 years in prison, followed by 10 years' probation. He will have to pay $5,000 in restitution to each of his victims – if they can be found. ®