Tech by VICE

An Admin's Foolish Errors Helped the FBI Unmask Child Porn Site 'Playpen'

Unsealed documents show a misconfigured server and some poor opsec helped lead law enforcement to their target.

by Joseph Cox
May 16 2016, 3:00pm


Sites hosted on the so-called dark web are forcing law enforcement to use novel and powerful techniques to unmask them. But sometimes suspected criminals make it easier for the feds.

Recently unsealed court documents reveal that "Playpen," one of the largest and most infamous dark web child pornography sites, was shut down partly owing to its administrator's own mistakes.

"Due to a misconfiguration of the server hosting the TARGET WEBSITE [Playpen], the TARGET WEBSITE was available for access on the regular Internet to users who knew the true IP address of the server," a search warrant application for intercepting communications on Playpen from February 2015 reads. The search warrant and other documents were unsealed in the case of Richard Stamper, who was arrested on suspicion of child pornography charges.

"Basically, Playpen must have set their [child pornography] site to [a] default [web server setting], meaning if you typed in the IP address you could see the Playpen site," Thomas White, a UK-based activist and technologist, explained in an encrypted chat. "Whereas if they set another default like 'server not found,' then you could only access Playpen by typing the correct .onion address." This means that law enforcement could verify that an IP address belonged to a specific site.

"An FBI Agent, acting in an undercover capacity, accessed IP address 192.198.81.106 on the regular Internet and resolved to TARGET WEBSITE," the document continues. That address pointed to a server in North Carolina, hosted by a company called CentriLogic.

The FBI was tipped off about Playpen's IP address by a foreign law enforcement agency, as noted in other, redacted versions of the warrant. This recently unsealed version includes detail on how that IP address was left exposed.

It is not clear how the foreign law enforcement agency discovered Playpen's real IP address in the first place. But the main administrator of the site, who the FBI suspects is Steven Chase from Florida, was clearly aware of the problem and actively trying to fix it, according to the search warrant application.

"FBI agents know this by reading his private messages from the copy of the TARGET WEBSITE that was seized pursuant to the aforementioned search warrant," the document continues.

Playpen's suspected administrator apparently also leaked identifying information about himself.

Chase allegedly connected to the server, as well as to the PayPal account used to pay for the hosting provider, from an IP address assigned to his home in September and November 2014, instead of through the Tor network. This meant that a subpoena to PayPal revealed where the person paying for the server was likely located.

On top of this, Chase allegedly connected to a Playpen administrator account from his mother's house a number of times between December 2014 and January 2015.

Mistakes are often what leads to the capture of suspected dark web criminals. In the case of drug marketplace Silk Road, creator Ross Ulbricht posted his personal email address in an advert asking for help with the site, and the FBI claimed the location of the site's server was identified because of a leaky CAPTCHA system.

Meanwhile Blake Benthall, a suspected administrator of the second iteration of Silk Road, registered a server with an identifying email address. One alleged dark web drug dealer even went so far as to trademark his brand in his own name.

The suspected owner of one of the largest dark web child pornography sites was evidently no different, and perhaps the most foolish of them all.