FBI Allegedly Issued Staggering $1 Million Bounty For Internet Scofflaws

Steve Ambrose

A prominent digital privacy group has alleged that the FBI was behind a breach that occurred last year on the their network, and that they might have paid a $1 million prize to Carnegie Mellon University (CMU) for showing them how to do it.

The Tor Project — who administrates over Tor, an encrypted site that allows users to browse the web anonymously — published a post Nov. 11 that says CMU analysts were paid to hack into the Tor network and uncover the identity of users. The group believes two researchers, who presented at a cyber conference last year, were involved in the breach. (RELATED: FBI Director Ties Spike In Urban Crime To Cops’ Fear Of Doing Their Jobs)

“The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem,” the post read. “Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes…We have been told that the payment to CMU was at least $1 million.”

Tor is a platform that traffics Internet channels through virtual tunnels in an effort to increase user privacy. It’s a favorite among journalists, non-governmental organizations, and others for its universally heralded encryption technology. Legitimate purposes aside, criminals who peddle illegal goods and services also prefer its use as an effort to hide their activities from law enforcement. (RELATED: Net Neutrality Trumping Privacy Undercuts The U.S.-EU Data Safe Harbor)

Tor noticed a series of intrusions in July 2014 that were attempting to reveal the network users. They determined that from Feb. 2014 to July 2014, all users “should assume they were affected” by the breach.(RELATED: Hackers Could Breach Energy Department’s Nuclear Facilities)

A representative for Carnegie Mellon University told The Daily Caller News Foundation they had no comment on the Tor allegations.

The blog did not reveal the source of the allegations, but as evidence of the breach, the Tor Project pointed to details from an annual cyber conference.

During Black Hat, a cybersecurity conference that took place the first week of August 2013, one of the presentations included a panel titled: “You Don’t Have To Be The NSA To Break Tor: Deanonymizing Users On A Budget.”

Alexander Volynkin, a research scientist at the CERT Cyber Security Solutions directorate, and Michael McCord, a software vulnerability analyst on the Forensic Operations and Investigations team at Carnegie Mellon University’s CERT, presented the talk.

Screen Shot of Presenter at Black Hat Conference in 2014 Screen Shot of Presenter at Black Hat Conference in 2014

A summary of their presentation reads:

“In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity. In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months. The total investment cost? Just under $3,000. During this talk, we will quickly cover the nature, feasibility, and limitations of possible attacks, and then dive into dozens of successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places.”

In the blog, Tor said of the alleged incursion that:

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”

Follow Steve Ambrose on Twitter