In November of last year, a law enforcement agency deployed a Tor Browser exploit on a dark web child abuse site. Sources told Motherboard that the company which developed and sold the exploit was Exodus Intelligence, a US firm that also sold information about the attack to defensive clients.
Now, Logan Brown, the company's president and CEO, has elaborated on why Exodus provided the exploit. His comments give a glimpse into the dynamics of the hacking marketplace, one that is especially relevant as investigators increasingly turn to hacking tools to identify criminals who use anonymity technology.
"I wanted to help take a person down," Brown said during a recent Mozilla and Stanford Center for Internet and Society panel on government hacking, a video of which was posted on YouTube on Saturday.
"It wasn't such a deal of, am I supplying the government with something they're going to use against innocent people, but it was more of, 'we need help, can you help us?' Yes I can," he continued.
This particular exploit took advantage of a vulnerability in Mozilla's Firefox browser (the Tor Browser is based on Firefox, and uses much of the same code base). Last year, details of the attack were sent to Mozilla, when a user found the exploit targeting Tor Browser users in the wild. Mozilla patched the vulnerability.
Motherboard found that the exploit had been deployed on The Giftbox Exchange, a child abuse site that ran as a Tor hidden service. International policing organization Europol holds documents related to the site. According to one report, the accompanying malware was activated once a user logged into Giftbox.
But judging by Brown's comments, the agency that used the exploit may only have been after one target—even though it appears they deployed it in a wider fashion.
"It was kind of the shotgun approach," Brown said.
"Six hours after we supplied it to them, they threw it, they got their guy, but it was reckless, it got monitored, and released." Brown said Exodus does not work with that agency any more because of this case.
Brown also hit upon a point which often comes up around the exploit industry: how can suppliers be sure their code is going to be used responsibly?
"We can have all the legal paperwork we want, we can have all the regulations, we can have all the handshakes and all the agreements we want—end of the day, it's kind of an honor system," Brown said.
Indeed, government clients of exploit and malware vendors have been caught using hacking tools against journalists, activists, and dissidents. In one case, Ethiopia used spying technology from Italian surveillance company Hacking Team to monitor journalists in the US. Brown said Exodus had been approached by a customer from Ethiopia but had declined to deal with them, and has also denied sales to "allied countries."
And in a similar way to how Brown said this exploit was used with a "shotgun approach," experts have said that other law enforcement hacking campaigns have been akin to using malware like a grenade, rather than a scalpel.
"They didn't care about being stealthy, they didn't care about any of the clean up," Brown said.