

Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers

Defense lawyers have been trying to get the code for the FBI’s network investigative technique since September.

On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, "Everything."

"The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified," he continued.


Fieman is defending Jay Michaud, a Vancouver public schools administration worker. Michaud was arrested after the FBI seized 'Playpen', a highly popular child pornography site on the dark web, and then deployed a network investigative technique (NIT)—the agency's term for a hacking tool.

This NIT grabbed suspects' real IP address, MAC address, and pieces of other technical information, and sent them to a government-controlled server.

The case has drawn widespread attention from civil liberties activists because, from all accounts, one warrant was used to hack the computers of unknown suspects all over the world. On top of this, the defense has argued that because the FBI kept the dark web site running in order to deploy the NIT, the agency, in effect, distributed child pornography. Last month, a judge ruled that the FBI's actions did not constitute "outrageous conduct."


According to court documents in a related case, the FBI harvested approximately 1,300 IP addresses, and around 137 people have been charged so far. Motherboard found that the hacking campaign was global in scope, with computers in Greece, Chile and the UK being affected.

Since September, Michaud's lawyers have been trying to get access to the NIT code. It wasn't until January that Vlad Tsyrklevitch, the defense's consulted expert, received the discovery.


However, according to Tsyrklevitch, the code was apparently missing several parts. One of those was the section of the code ensuring that the identifier issued to Michaud's NIT-infection was truly unique, and another was the exploit itself used to break into his computer.

"This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud's computer, beyond the one payload that the Government has provided," the lawyers write in an earlier filing.

The code of NITs has been disclosed in the past. In a similar 2012 case called Operation Torpedo, the government provided details of its technique, which turned out to be a novel use of the popular hacking toolkit Metasploit. Specifically, the FBI used a Flash applet to make a direct connection over the internet, instead of routing the targets' traffic through Tor.

Now, it looks like the defense in this latest case will receive its own answers.

"The order yesterday requires disclosure of all the code components," Fieman told Motherboard on Thursday, but he didn't say when his expert would be receiving the code itself.

Peter Carr, a spokesperson for the Department of Justice, did not directly answer when asked whether the defense would be provided with the Tor Browser exploit.

"The court has granted the defense's third motion to compel, subject to the terms of the protective order currently in place," Carr wrote to Motherboard in an email.