This article is more than 1 year old

Tor pedo's torpedo torpedoed: FBI spyware crossed the line but was in good faith, say judges

Playpen pervert fails to convince appeals court

Analysis US judges have shut down an appeal from a convicted pedophile who claimed the FBI hacking of his computer was an illegal and unreasonable search.

Gabriel Werdene, 53, of Bucks County, Philadelphia, is serving two years in a federal prison for rummaging through the Playpen dark-web filth souk for images and footage of child sexual abuse. Copies of the banned material were found on a DVD and USB drive at his home by the Feds during a sting operation in 2015.

Playpen was a hidden service on the anonymizing network Tor, and had up to a quarter of a million users sharing footage of underage sex. The FBI had seized its server after obtaining a search warrant to snoop on those connecting to the underground website. The g-men deployed what they termed a network investigative technique (NIT) on the site to determine the public IP addresses of Playpen users as they logged in.

Tor works by bouncing your connection through several nodes, concealing the public IP address you're using to connect to the internet and thus hampering efforts to trace and identify you.

When you connect to a Tor hidden service, your true public IP address shouldn't be revealed to the server. However, Uncle Sam's NIT hidden on the commandeered Playpen website was able to determine the IP address of the forum's users. The Feds then took these addresses to ISPs, such as Comcast, and demanded details of the subscribers assigned those IP addresses.

With those home addresses in hand, the Feds swooped, and arrested hundreds of people suspected of being Playpen degenerates. Werdene was among those cuffed, convicted, and in 2016 was thrown in the clink for 24 months by a Pennsylvania district court. Specifically, he signed a plea deal in which he would plead guilty early in exchange for a lighter sentence and sparing taxpayers a lengthy trial. Normally these bargains waive one's right to appeal, but in this case, Werdene was allowed to challenge his prosecution.

He duly filed a request to suppress the FBI's evidence against him, arguing the FBI's spyware was illegal, in a bid to overturn his conviction.

This week, he failed.

Werdene, whose Playpen username was "thepervert," argued that the FBI broke the rules by getting a warrant to install the NIT. Usually, a search warrant requires the judge to know the location of the suspect before it can be issued, however, prosecutors persuaded a court to give the bureau blanket search rights. It didn't matter where the users were, according to the warrant, the FBI was allowed to unmask and collar them.

It's a legal argument that has worked for some of the Playpen arrestees. Congress has since changed the rule – Rule 41 of the Federal Rules of Criminal Procedure – to allow US crimefighters to probe machines anywhere in the world, with a warrant. Judges Joseph Greenaway Jr, Richard Nygaar, and Mike Fisher, sitting in the third circuit court of appeals, agreed this week that a magistrate should not have approved the search warrant, and that the FBI had exceeded its authority, but nonetheless decided that the government had acted in good faith.

That decision kills off Werdene's attempts to throw out the prosecution's evidence that he was a Playpen user.


I'll torpedo Tor weirdos, US AG storms: Feds have 'already infiltrated' darknet drug souks


"We hold that the NIT warrant violated the prior version of Rule 41(b) and that the magistrate judge exceeded her authority under the Federal Magistrates Act. The warrant was therefore void ab initio, and the Rule 41(b) infraction rose to the level of a Fourth Amendment violation," their ruling [PDF] read.

"However, we agree with the government that the good-faith exception to the exclusionary rule may apply to warrants that are void ab initio, which ultimately precludes suppression in this case. We therefore will affirm on alternative grounds the district court’s decision to deny Werdene’s suppression motion."

The case did reveal some interesting details about the FBI's mysterious NIT. In the past, the agency has actually dropped cases against suspected sharers of underage sex videos rather than reveal details of its Tor privacy exploit. Agents for one foreign government, working with the FBI, previously used a specially crafted video to snare dark-web pedos, yet it's not known exactly how the FBI's NIT works.

Now, we've got some extra details, thanks to this case. Court documents show the spyware – likely a piece of Flash or JavaScript that exploits a vulnerability in the Firefox-based Tor Browser – looked for seven pieces of information:

  • The IP address
  • A unique identifier to distinguish the data from that of other computers
  • The type of operating system
  • Information about whether the NIT had already been delivered
  • A Host Name
  • An active operating system username
  • Media Access Control (MAC) address

The NIT likely has multiple components: one to exploit the bug or otherwise get a second part, the information gatherer onto the PC, and then a means to send this information back to the Feds.

The FBI took some flak for the way it handled the Playpen sting. After taking over Playpen's server, hosted in North Carolina, it moved the box to Virginia, and ran the site for an additional 13 days to spread the NIT around. The dark-web site's administrator, Michael Fluckiger, was sent down for 20 years for his role in aiding child abuse. Many more prosecutions are still weaving their way through the courts. ®

More about


Send us news

Other stories you might like