In early 2015, the FBI embarked on a massive hacking campaign, delivering malware to thousands of criminal suspects who visited a dark web child porn site.
The operation was known to affect over a thousand computers in the US, and to reach as far afield as Chile and Greece. Now, it has emerged that the FBI also compromised 50 computers based in Austria, with activists warning of the FBI's expanding extraterritorial reach when it comes to hacking.
The FBI's "Operation Pacifier" campaign centred around a dark web site called Playpen. The FBI briefly took over the site, and sent a network investigative technique (NIT)—the agency's general term for a piece of malware—to visitors of certain child pornography-related threads. That malware grabbed suspects' IP addresses, MAC addresses, and other technical information.
Earlier this year, Austrian MPs sent a letter to the country's parliament, asking for more information on child pornography and sex tourism cases. In response, politician Johanna Mikl-Leitner wrote that Austrian authorities cooperated in Operation Pacifier, showing for the first time that the FBI hacked computers in the country.
According to her letter, a list of 50 Austrian IP addresses was evaluated by a federal intelligence unit and used to pursue suspects of possession and distribution of child pornography. The IP addresses led investigators to "countless child pornography files," according to a translation of the letter, which is dated March 2016. "Extensive investigations are still underway," it continues.
Thomas Soxberger from the Austrian parliament press office confirmed in an email that, "the IP addresses were found through Operation Pacifier and lead [sic] to further investigations by Austrian police."
The Austrian government document says that its actions were carried out in collaboration with Europol. A Europol presentation previously uncovered by Motherboard showed that the agency has generated 3,229 cases as part of Operation Pacifier, so the 50 Austrian cases may be included within that figure.
The FBI, which was the agency that actually deployed the malware, also hacked computers in Greece, Chile, Denmark, Colombia, and potentially Turkey and the UK. Both Europol and the FBI declined to comment for this story.
In the US, dozens of lawyers have tried to suppress evidence obtained by the malware, many of them arguing that the warrant used to authorise these searches was invalid.
"But the FBI's deployment of malware went even further, transcending national boundaries and infecting untold numbers of computers scattered around the world. It is hard to imagine how a magistrate judge sitting in the Eastern District of Virginia could possibly sign off on an operation of this magnitude," Scarlet Kim, a legal officer from activist group Privacy International, told Motherboard in an email.
"The dramatic expansion of the FBI's extraterritorial reach raises serious questions," Kim continued. "How will other countries react to the FBI pursuing law enforcement activities in their jurisdictions without prior consent? Would the US welcome similar hacking operations carried out on US residents by other countries? Is the FBI violating the laws of foreign jurisdictions by hacking devices located in them?"