Article Lead Image

An in-depth guide to Freedom Hosting, the engine of the Dark Net

Tor users were compromised. Is Silk Road next?

 

Patrick Howell O'Neill

Trending

Posted on Aug 4, 2013   Updated on Jun 1, 2021, 9:59 am CDT

Eric Eoin Marques, 28—the “largest facilitator of child porn on the planet,” according to the FBI—was recently arrested and is currently in an Irish jail awaiting the conclusion of his extradition trial. The FBI aims to bring Marques to trial in the United States. If convicted, Marques faces up to 30 years in prison.

Although the anonymous nature of Tor makes confirming identities difficult, all signs point to Marques being one of the most important men on the Dark Net: He’s allegedly the founder of Freedom Hosting, Tor’s most popular hosting service since it was created in 2008. 

Freedom Hosting maintains servers for some of Tor’s most infamous websites, including TorMail, long considered the most secure anonymous email operation online; major hacking and fraud forums such as HackBB; large money laundering operations; the Hidden Wiki, which, until recently, was the de facto encyclopedia of the Dark Net; and virtually all of the most popular child pornography websites on the planet, the charge that has landed Marques in custody. Famous child pornography websites such as Lolita City, the Love Zone, and PedoEmpire were customers of Freedom Hosting.

While Marques’s Dark Net identity has not yet been confirmed by authorities, the FBI’s description of “largest facilitator of child porn on the planet” applies to the founder of Freedom Hosting more than anyone.

An Eric Marques runs an Irish hosting company called Host Ultra Limited, according to a SoloCheck.ie company report. He also owns an account on the webhostingtalk.com forum, where he made 785 posts, first discovered by gray hat hacker SHG.Nackt. On that forum, Marques promoted his business and solicited advice about anonymizing tools such as Virtual private networks.

“The charges [against Marques] relate to images on a large number of websites described as being extremely violent, graphic and depicting the rape and torture of pre-pubescent children,” reported The Independent.

Every Freedom Hosting website went down simultaneously at around 6:40am ET on Saturday morning, about the same time news of Marques’s arrest hit the Internet. If and when the websites have returned since the downtime, many have been infected with Javascript exploits that may be able to identify visitors by grabbing a user’s cookies, logins, and IP address to send “home”—which, in this case, is the Verizon-owned IP address 65.222.202.53. The previously unknown exploit only affects Firefox version 17, which is exactly the version Tor uses.

Freedom Hosting’s famously laissez faire terms of use stated that it does not give customers permission to upload any illegal files—but “if you chose to do so anyway, we are not responsible for your actions.” This was widely seen as winking permission to use the hosting without regard for the law of any land.

A Freedom Hosting account cost a one time fee of $5 or was free with an invite from an existing member. It offered unlimited space and bandwidth, an onion domain (“xxx.onion”), “Fast Network with 24/7 Uptime,” PHP and MySQL support with unlimited MYSQL databases, “No javascript or cookies required to login, Upload a zip with your files and extract on server, FTP Access, and Daily Snapshot Backups—Kept for 1 month.”

For five years, both law enforcement and hacktivist vigilantes seemed incapable of shutting down the largest child pornography services on the Internet—virtually all of which were Freedom Hosting customers—thanks to the technology provided by Tor. Today, all of the major websites hosted by Freedom Hosting are down or are suspected of having been infected with malicious code. No one is sure how Marques was tracked down.

An administrator of the famous 4Pedo forum noticed “unknown Javascript” on his own website on Saturday.

“Unknown Javascript in the board pages pointing to iframe to a Verizon server on the open web!” wrote 4Pedo’s owner. “They are inserted by Freedom Hosting! I would consider Freedom Hosting compromised! They are also in other TLZ and other site pages! Stay away from all Freedom Hosting sites including TLZ [The Love Zone], LC [Lolita City], TorMail, all of these are hosting on Freedom Hosting ! All boards have been deleted to protect you! If the boards come back up, it is not met running the site anymore! All admin/mod accounts have been deleted!”

The Javascript exploits now widely assumed to have originated from the FBI or Verizon have been posted publicly around the Web.

Freedom Hosting first gained mainstream attention in 2011 when Anonymous attempted to shut down the service and the child pornography websites it hosted using Distributed Denial of Service attacks in an offensive called Operation Darknet. 

The story was a big public relations win for Anonymous, usually an extremely polarizing entity.

“It was the right thing to do. Period,” wrote Ars Technica commenter Reflex-croft. “Too bad they can’t focus all their efforts on stuff like this, it would be nice to be able to rally behind them unequivocally.”

“kudos!… this is where you should be doing!” wrote astut945. “shutdown those child porn sites!”

The most popular child pornography website attacked, Lolita City, hosted 100 gigabytes of photos and video during the 2011 offensive.

The sites involved were disabled. IP logs were released and mapped. This proved that the websites were not invulnerable. Anonymous took a victory lap.

Anywhere from a few minutes to a little over a day later, the attacks ceased and the war was over. All the sites were restored.

By June 2013, Lolita City boasted 14,969 members and growing, 10 times its membership during Operation Darknet. The 100 gigabyte figure was shocking in 2011. By 2013, the website hosted over one million pictures and thousands of videos. The Anonymous offensive had actually provided major publicity for the child pornography sites and their patron, Freedom Hosting.

Operation Darknet involved some of Anonymous’s most notable members. Sabu (Hector Xavier Monsegur), the Bronx-based hacker, LulzSec founder and FBI informant was one of the principal organizers of Operation Darknet, leading many to wonder to what extent the FBI had knowledge of those Dark Net raids. Sabu became an FBI informant in August 2011 after pleading guilty to a dozen criminal counts, reported the New York Times. Operation Darknet was executed in October 2011.

#opDarkNet will be releasing logs of actual pedophiles utilizing Lolita City’s services. 190 IPs from actual users of the site. And IP map.

— The Real Sabu (@anonymouSabu) November 2, 2011

At the very least, the FBI was fully aware of the raids into the Dark Net and allowed them to proceed. The question is, who was directing the operation if Sabu was, at that point, a puppet doing the FBI’s bidding?

Before Operation Darknet, Freedom Hosting offered hosting to the public for a small price. After the Anonymous attacks, Freedom Hosting became a private, invite-only service for a full two-year period in order to protect itself. To become a Freedom Hosting customer, you had to be invited by someone who was already a customer.

This process is not as difficult as it sounds. Invites were handed out to anyone who so much as earned the respect of another customer. In fact, I earned a personal invite to Freedom Hosting earlier this year after one customer enjoyed the articles I’d written about the Dark Net. I politely declined the offer.

That said, Freedom Hosting invites have been highly prized for the full two years they’ve existed. Invites were common topics of conversations on every popular onion forum. Many members asked or even begged for invites while others offered money.

Last month, after two years, Freedom Hosting changed its policy drastically. The service’s founder said he’d always wanted to bring the service public once again but that he didn’t have an ecommerce platform secure enough to operate the risky business. 

“I created Onion Bank,” announced the founder last month, “which has been in (slow) development for almost two years!”

The bank offered all the services of a normal bank plus escrow, merchant services, money laundering, and above all, the bank would handle everything anonymously. On the back of this Bank, Freedom Hosting went public once again, offering anonymous onion hosting to whomever could pay for it. The bank caught the attention of many prominent Dark Net businesses, but it’s impossible to say how widely it was adopted in its month of existence.

Freedom Hosting’s trademark promise was that it would never look in on websites under its care. Over several years, only a handful of public complaints were made that a Freedom Hosting administrator did look in but most forgave the eyeballing as necessary maintenance.

Freedom Hosting remained the most trusted and popular hidden service hosting business until yesterday’s seismic events. 

There is no word on how the police identified and then apprehended Marques. Worried Tor users immediately wondered if the famously tough-to-crack technology had finally been solved by law enforcement. However, the fact that Freedom Hosting websites have been injected with malicious code suggests that law enforcement still cannot crack Tor outright and that they need to rely on other methods.

One possibility is that Marques was caught through social engineering techniques. Multiple anonymous sources say that, likely because they lack the capability to launch an effective technical offensive against Tor-protected targets, law enforcement has been on a steady social offensive against websites such as Freedom Hosting and the famous Tor black market Silk Road. There have been multiple unconfirmed reports—after all, almost any report from the Dark Net is unconfirmed—that important members of the Silk Road community have been contacted by law enforcement this year in an effort to find helpful intelligence and, ultimately, take down Silk Road and its founder, Dread Pirate Roberts.

After such a monumental bust on the Dark Net, the natural follow-up question has been asked and asked again: Is Silk Road next?

For running what may be a $45 million dollar per year black market, Dread Pirate Roberts can be considered in something of a tie with Freedom Hosting’s founder for the title of most wanted man on the Dark Net. While Freedom Hosting places no limit on what its customers can do. Roberts explicitly forbids the trading of child pornography on Silk Road, among other verboden items.

It’s not known how much progress law enforcement has made in their fight against Silk Road, which is self-hosted, a move made possible and necessary by the millions of dollars moving through the market. When contacted by journalists, various American law enforcement agencies have acknowledged that they are aware of Silk Road but have let on little else. It’s commonly accepted that police are closely monitoring the black market and its forums.

On the Tor Talk email list, members have noted a “very large drop in the number of onions,” which is what Tor websites are called due to the multiple layers of protection they provide. Some are estimating that half of all onion sites were hosted on Freedom Hosting. This event could add up to thousands of total hidden services lost.

Photo via Raindrops_on_roses/Flickr

Share this article
*First Published: Aug 4, 2013, 3:30 pm CDT