SecurityWeek

Tor Project: FBI Paid Researchers $1M to Unmask Users

The Tor Project, the organization behind the Tor anonymity network, claims the FBI paid Carnegie Mellon University “at least $1 million” to help the agency deanonymize users suspected of conducting criminal activities.

The Tor network helps users maintain their anonymity online by routing traffic through a series of relays operated by individuals and organizations all over the world. In January 2014, more than 100 machines joined the Tor network as relays and attempted to deanonymize people who operated and accessed Tor hidden services.

The Tor Project identified the offending relays in July 2014 and removed them from the network. At the time, the Tor Project also released a new version of its software to close the vulnerability exploited by the attackers.

It’s believed that these attacks were conducted by a group of Carnegie Mellon University researchers who had planned to disclose their findings at the Black Hat USA conference in August 2014. However, the academics had not given the Tor Project many details about the methods they used, and the Black Hat talk was suddenly canceled in July, apparently because the university had not approved the content of the presentation for public release.

In the abstract of their Black Hat presentation, researchers said they had found a method to “break Tor anonymity” and deanonymize hundreds of thousands of clients and thousands of hidden services within a couple of months. The experts noted that they had tested their findings in the wild.

Now, Tor Project Director Roger Dingledine claims the FBI paid Carnegie Mellon University at least $1 million to attack hidden services in an effort to find potential criminals.

“There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board. We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once,” Dingledine said.

“Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users,” he added.

Court documents obtained by Motherboard show that an unnamed source of information (SOI) provided the FBI reliable IP addresses for Tor hidden services between January and July 2014. The information was used to shut down websites on the dark web that sold illegal goods and services, including the Silk Road 2.0 drug bazaar. The operation, announced in November 2014 by law enforcement in Europe and the United States, resulted in the arrests of 17 suspects.

Some have speculated that Carnegie Mellon University might have helped authorities unmask the suspects by launching a sustained attack on the Tor network, and now there is new evidence to support this theory.

A motion filed last week in the case of a Silk Road 2.0 staff member who was arrested in January revealed that the man’s involvement with the drug bazaar was determined based on information from “a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”

Dingledine believes this incident can set a dangerous precedent.

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” Dingledine said. “Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”

Contacted by SecurityWeek, Carnegie Mellon University said, “We have no comment.”

*Updated with response from CMU

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
