New Documents Reveal the FBI May Have Hacked Every TorMail User Illegally

In 2013, the FBI took down Freedom Hosting and with it, brought down a minimum of 23 child pornography sites. The seizure of child pornography (CP) servers was considered a win by law enforcement and many Tor users. However, recently unsealed documents reveal just how far the FBI stepped outside the law.

During the investigation, agents discovered a connection between an email service and many CP websites. The FBI was then given a warrant to hack 300 users of TorMail, the email service in mentioned.

TorMail was an encrypted mail platform that allowed users to send and receive emails over the Tor network. The FBI was allowed to hack TorMail users after discovering that both TorMail and the CP sites were hosted on the same server. tormail.png

Documents explicitly clarified that only the 300 target accounts listed in the affidavit were to be hacked.

The ACLU fought to have the documents unsealed in September and the Department of Justice ultimately published them in redacted form. The released documents confirmed the suspicions and theories of many cybersecurity researchers and TorMail users alike. motion.png


“That is, while the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an email.

The suspicion that the FBI operated outside the scope of their warrant existed almost immediately. The “hack” was not discreet. As revealed in the affidavits, the type of “hacking” performed by the FBI was a network investigative technique (NIT). This malware, according to Greg Virgin, former NSA employee turned cyber security consultant, did not “crack” Tor encryption. It circumvented anonymity altogether.

Malware was only to be deployed once one of the “target” users entered their TorMail username and password, the affidavits explained. However, within a week of the arrest of the Freedom Hosting owner, TorMail users started reporting otherwise. Users were met with an error page before being able to access the TorMail log-in page.

Researchers looked at the source code of of the “Down for Maintenance” message that was displayed on every Freedom Hosting website. A hidden iframe tag was discovered that loaded “a clump” of javascript code from a location in Virginia.


Security researchers dissected the code and it wasn’t long before Mozilla made a statement. The code exploited a critical memory management vulnerability in Firefox, the company said. Tor, being based on Firefox, consequently suffered from the same vulnerability. The “Down for Maintenance” error page that presented itself to TorMail users ultimately exposed their identities.

Wired reported that the FBI’s malware looked up the victim’s MAC address and Windows hostname. The NIT then transmitted the identifying data to a server in Virginia. Data was sent via HTTP, outside of Tor, revealing the victim’s IP address.

Joseph Cox, a contributor to Vice’s Motherboard, spoke with a former TorMail user who confirmed the error page “appeared before you even logged in.

The email Christopher Soghoian sent to Motherboard continued:

The warrant that the FBI returned to the court makes no mention of the fact that the FBI ended their operation early because they were discovered by the security community, nor does it acknowledge that the government delivered their malware to innocent TorMail users. This strongly suggests that the FBI kept the court in the dark about the extent to which they botched the TorMail operation.

“What remains unclear is if the court was ever told that the FBI had exceeded the scope of the warrant, or whether the FBI agents who hacked innocent users were ever punished,” he continued.

Motherboard reached out to the FBI for comment and heard back from Christopher Allen, a spokesperson for the FBI. “As a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants,” he said.

CEO and CTO of Popular Bitcoin Exchange Arrested

Bitcoin exchange owners are notoriously known for being in trouble with the law. From the imprisonment of Mark Karpelès, the CEO of bitcoin exchange Mt. Gox to the Cripsty exchange case, many have found themselves facing the law on money related charges. This time, the CEO, CTO and head of IT of a well-known Bitcoin exchange are facing charges of drug possession and improper exhibition of a dangerous firearm.

The aforementioned exchange is Paxful, a peer to peer market in which users are allowed to buy and sell Bitcoins with alternative payment methods like paypal and amazon/ebay gift cards. The exchange is known to be a breeding ground for scam artists that prey on sellers that accept refundable methods and use the exchange as a method to cash out from hacked paypal accounts, bought on deepweb markets.

It all started on Friday when Artur Shaback, head of IT at Paxful was spotted by local area residents being photographed by Ivan Suhharev, CTO of Paxful, with a mask over his face while holding an automatic rifle on the balcony of a Del Rio Apartment penthouse on 1100 Collins Avenue, Miami. The apartment belongs to Mohamed Yousseff, CEO of Paxful. This, apparently, isn’t new to the exchange operators, as a quick look through social media was enough to discover more pictures of them toting Yousseff’s gun.

The Police was called to investigate and surrounded the apartment where they found Artur Shaback, Ivan Suhharev and Mohamed Azab Yousseff. After searching the apartment, Police found a switchblade, an AR-15 with 500 round live ammo along with a box containing cocaine, hashish and drug paraphernalia. Federal agents were also on the scene after several people dialed 911 in panic.

The trio was released the following day after posting bail and they will face another bond hearing shortly. While only Yousseff faces charges of hashish and cocaine possession with the intent to distribute, all 3 of the Paxful employees mentioned will face charges of improper exhibition of a dangerous firearm. Even though police is still investigating the legality of the firearm and ammunition, Mohamed Youssef could face up to 5 years in prison on drug charges.

Paxful is yet to make an official comment regarding the situation, but trading will continue as usual on the exchange, according to website moderators.