Malware and hacking tools are established parts of the Federal Bureau of Investigation's toolkit when it comes to unmasking criminal suspects on the Tor anonymity network. In a new case revolving around someone blackmailing children, FBI agents sent the suspect a digitally-poisoned movie file that obtained the target's real IP address.
Though the FBI has used hacking techniques in a wide, controversial manner, the tactic used here highlights how the bureau can identify suspects in a much more targeted way too.
Monday, prosecutors announced charges against Buster Hernandez, 26, of Bakersfield, California. Hernandez is charged with threats to use an explosive device and sexual exploitation of a child. He is suspected of using the moniker "Brian Kil."
Since 2015, Brian Kil has used social media, email, and VoIP to communicate with a number of underage female victims and extort sexual photos from them, according to the criminal complaint. Under duress, some victims sent explicit images and videos to Kil.
When Kil used sites like Facebook to harass victims, investigators found he was always hidden either behind an anonymous proxy or the Tor network, meaning authorities could not simply subpoena relevant companies for the suspect's IP address.
"Your time is running out. You though [sic] the police would find me by now but they didn't. They have no clue," Kil wrote to one of the victims. As the harassment, threats, and publication of sexually explicit photos continued, law enforcement even held a community forum at Plainfield High School in January last year to discuss the case. Kil allegedly forced one of his victims to attend and report back, according to the complaint.
On June 9, Magistrate Judge Debra McVicker Lynch authorized the use of a Network Investigative Technique (NIT), an FBI blanket term for malware, exploits, and hacking tricks. The idea, the complaint adds, was to obtain Kil's real IP address.
The complaint explains how the FBI's tactic worked.
In this case, the FBI was authorized to add a small piece of extra code to a video file produced by one of the victims. Posing as the victim, the FBI then sent the booby-trapped file to Kil via Dropbox.
"Uploading now. Did you get it," a message from the undercover FBI agent to Kil reads, according to text messages included in the complaint. (The video did not include any depictions of a minor engaged in sexually explicit activity, the complaint reads).
Judging by the complaint, the NIT was successful. "When Kil viewed the video containing the NIT on a computer the NIT disclosed the true IP address associated with the computer used by Kil," the document adds.
Armed with the IP address, investigators then filed an emergency subpoena with the relevant internet service provider and were given a physical address. After intercepting communications to and from that IP address, investigators found someone viewed a photograph of the Columbine killers, according to the complaint. Kil, it turned out, had posted the same photo when he threatened the Plainfield School District in 2015. Physical surveillance showed that resident Buster Hernandez was always present when Tor was being used in the home.
Several recent cases have shown the FBI using hacking tricks in a targeted manner. In May, Forbes reported on an investigation in which the FBI used a similar technique but with Word documents rather than a video file.
These stand in stark contrast to the agency's broader use of malware. Motherboard found the FBI used a Tor Browser exploit to hack over 8,000 computers in 120 different countries.
Although this latest case doesn't highlight any vulnerabilities in the Tor network itself, it does act as a reminder that there are ways of deanonymizing people in a targeted way using novel or unorthodox law enforcement techniques.