Investigators only need one slip-up.
The US Department of Homeland Security identified several suspected users of a dark web child pornography site, according to recent court filings. Agents didn't do this with a fancy exploit or a set of hacking techniques, however. Instead, they found a workaround: users of the dark web site posted links to child pornography that was hosted on a file sharing service, so investigators obtained IP addresses from that host.
The news highlights that even though Tor is generally considered a robust way to protect your identity online, users can still make mistakes that lead to their unmasking.
The dark web site isn't named in any of the court documents. Instead, it is simply referred to as Bulletin Board A, and in one hearing transcript a law enforcement agent states the site at one point had at least 23,000 members.
In short, users of this dark web site would post links to child pornography that were hosted on US-based file sharing service ziifile, along with a password to the file. Investigators then obtained a court order for information on who allegedly connected to those webpages.
"The storage service provided, among other information, business records that contained the IP addresses connected to the downloading of the specific files," according to a court filing from government attorneys in a related case.
In all, Motherboard found three cases that appear to relate to this website and file sharing service. In December, David Skally, from Rhode Island, pleaded guilty to possessing child pornography; Jack Bean, Jr., from Massachusetts, pleaded guilty to similar offenses in February; and a third suspect, Larry Reece, from Virginia, was also identified by law enforcement. (At the end of March, a judge dismissed the indictment against Reece: the defense argued there was not enough evidence that Reece actually downloaded any child pornography hosted on the file sharing site, or that he was actually a member of the dark web child pornography board.)
It appears some suspected users of the site may have visited the file sharing service outside of Tor simply because routing traffic through an anonymity network can be particularly slow.
"The network is very slow, so in order for them to download the content quickly they have to use file-sharing sites outside of the network," Special Agent Elizabeth De Jesus, from Homeland Security Investigations' Cyber Crimes Center, said during a recent hearing in a related case.