Saturday, November 14, 2015

How Tor Users Got Caught by Government Agencies

4 examples of people who have used Tor for illegal activities and how they were caught. Multiple de-anonymization attacks are shown at the end of the video.

Case 0: Harvard guy Eldo Kim getting busted by being one of the only users at Harvard on the tor network, and admitting he emailed the bomb threat
Case 1: Sabu getting caught for logging on to IRC one time without tor and FBI using correlation
Case 2: Freedom Hosting admin under attack from Anonymous group previously fighting CP might have helped the FBI, later they skip to when a box was compromised and made it host a javascript exploit (nothing mentioned what happened between the Anonymous attacks and when the FBI smashed in his door)
Case 3: Silk Road admin making too many mistakes including using his own real name then changing it later to a username

Eldo Kim [harvard bomb threat]:

Eldo makes a bomb threat to Harvard's student newspaper and some other Harvard officials. Of all the reasons under the sun to do something like this his was that he wanted to get out of a final exam!? Maybe if we put our heads together we could come up with a less incriminating way to get out of a final exam. Less incriminating, meaning no prison time if caught, though he uses tor to send the threat via email, all tor exit nodes are publicly listed. Unless you use a tor bridge, bridges are not publicly listed as tor nodes, you will give the authorities an obvious starting point from which to launch their investigation.

But that's not the worst mistake, it gets better. He connects to tor through his student account.
Because of this fact and the fact that he was the only one connected to tor at the time the email was sent it was easy for them to correlate that he may have sent the threat. As if that wasn't enough, Eldo puts the final nail in his own coffin by actually admitting that he was the one who made the bomb threat.

Lessons Learned from Eldo:
1) Don't be the only person using Tor on a monitored network at a given time
2) Use a bridge
4) Correlation attacks are a bitch

Hector Xavier Monsegur (Sabu) and Jeremy Hammond (sup_g) [LulzSec]:

Hector was already being watched by the FBI. However, his mistake was that he became lackadaisical. Slipping up, he connected to IRC without tor, when he normally would. This allowed the FBI to get his home IP address. He sang like a caged canary after being caught, and then proceeded to set up his cohort Jeremy Hammond.
Jeremy, otherwise known as sup_g, when speaking with Hector on IRC spoke carelessly of places he had previously been arrested and other groups that he was involved with. The FBI used this information to narrow their suspect pool and allowed them to obtain a court order to monitor his internet traffic.

Once again correlation proves to be a bitch [​IMG] I say this because although the FBI did not
exploit tor to bust Jeremy they were, however, able to correlate the times 'sup_g' spoke with 'Sabu' on IRC with when Jeremy was at home using his computer.

Lessons Learned from LulzSec:
1) Use Tor consistently
2) Don't give personal information
3) Correlation attacks are still a bitch!

Eric Eoin Marques [Freedom Hosting]:

Freedom Hosting was known for hosting child pornography. This is enough to make you a mark for all sorts. In fact, Freedom had already been under attack from Anonymous during Op Darknet because of the child porn. The FBI was able to compromise Freedom because they were using an outdated version, 17 ESR, of tor browser. This allowed the FBI to exploit bug CVE-2013-1690. Mind you, tor had already came out with a patch, but for some reason Eric did not think it important to update.

The FBI used a payload called Magneto that gave them Freedom's IP address, MAC address, and Windows host name with the unique serial number that ties a user to a site visit. One of, if not the, biggest mistake(s) he made was leaving a trail of payment records that linked him directly to the Freedom Hosting servers. The important thing to generalize in this case is that he probably wouldn't have got busted if he didn't host child porn in any form, or fashion. Oh yeah, I almost forgot, when the cops busted him he "dived" for his laptop to shut it down.

Lessons Learned from Eric:
1) Don't host Captain Picard [Child Porn] or Julian Bashir [Jail Bait]
2) Patch, patch, patch
3) Follow the money
4) Leave encrypted laptops in a powered down state when not in use!

Ross Ulbricht (Dread Pirate Roberts) [The Silk Road]:

I think, and I hope I'm not making an ass out of myself ;| most of you anons should have at least heard of the infamous Silk Road. Apparently, Mr. Ulbricht had linked himself to this onion on more than one occasion. In an effort, I believe, to market his site [The Silk Road] he would post around in clear net forums. The earliest references to "Silk Road" that the FBI could find over the clear net was a post made in a shroomery forum by a user going under the name of altoid. In fact, Ulbricht's habits almost made correlating a non-essential.

The FBI claims the former physics and engineering student even publicly alluded to his alleged criminal enterprise on his LinkedIn profile, with a statement describing how his goals had "shifted" in accordance with his libertarian economic views since leaving grad school at Pennsylvania State University.

This statement comes from a CNN web site under an article titled "How FBI caught Ross Ulbricht, alleged creator of criminal marketplace Silk Road." Of the other sites where the FBI found him marketing his site BitCoinTalk was one of them. With all of the effort he puts behind making sure that people knew how to get to The Silk Road, by explaining how to use tor and then by posting the link, as if the explanation wasn't enough, to his site. He makes it hard for me not to believe that he may be suspect. What makes it even worst is that Ulbricht's BitCoinTalk account handle was also altoid. He makes the very same mistake yet again by posting in the same forum [BitCoinTalk] a request for a "pro" IT guy, under an account also named altoid, and routing all replies to "rossulbritcht at" The request was titled "IT pro venture backed bitcoin startup."

The list goes on. He made little to no effort in shedding the connections between his true identity and the one with which he operated The Silk Road [Dread Pirate Roberts]. For instance, Dread Pirate Roberts had a link to the Mises Institute as part of his Silk Road forum signature and Ulbricht's Google+ profile show that he's also interested in the Mises Institute. He did stuff like this time and time again, like using tor to connect to StackOverflow and creating an account using his real name. Notice, he posted the operating system he uses, "ubuntu."

This is getting redundant so I think I'll stop here and just list what we can learn from Mr. Ulbricht. If you want to read in detail you can find slides and video here.  Basically, he made a plethora of connections to his real identity. He would go as far as the neighborhood Starbucks or library, which was just around the corner from his house, to logon to and administrate his Silk Road onion. The US Customs had intercepted all of his fake ID's, because although he changed his name on his id cards he never changed his face them. It was mistakes like these that lead to his arrest and the take down of The Silk Road.

Lessons Learned:
1) Keep online identities separate
2) Have a consistent story
3) Don't talk about personal interests
4) Don't volunteer information!

Thanks for reading, check out my YouTube videos, I have a lot of stuff on Tor and Kali. Follow me on Twitter, @gFogerlie, Google+ and Facebook and you can subscribe to me on Youtube if you want to keep up to date.


  1. Proxy sites help us in a lot of ways in our online time. The mainly significant is that a proxy site helps us to unblock or most favorite social site.   For more details : Professional Adviser

  2. At ~00:16:25 he says something like "W... host cryptography" - after looking around he actually means "Rubber-hose cryptanalysis".
    Just dropping this here, because I sadly don't have a frankenstein google account to comment anything on youtube.

  3. I’ve tried to download the TOR browser, the FreeNet browser, and several other browsers listed. The computer I’m using just says it is unable to locate the server. How the friclin HELL do I get onto this system??

    Ashley Jones

  4. The Security guy at work recommended AirVPN. It looks to be about $70/yr. Is there any reason to use that over PIA or any of the others if none of them save logs and things?

    VPN Services
    Best Dark net markets