F.B.I. Uses Tor Browser to Identify CEO Scammers

The architecture of the Tor Browser confuses almost everyone. So, at the risk of seeming ridiculous, I will attempt to oversimplify how Tor works so that I can explain how the F.B.I. can use it as an NIT (Network Investigative Technique) tool.

Okay, imagine that web surfer, Joe, wants to visit a particular website. He may be worried about that website. Maybe it’s not safe. Maybe he doesn’t want anyone to know he’s visiting the site for one reason or another. So Joe takes some action to hide his identity.

Joe can use a VPN. However, he has heard that the operators of a VPN server still know who you are and, if forced by the government, would have to give up this information. But Joe has heard that there is a browser called, Tor, which can hide his identity, so he gives it a try. Still, Joe wonders, “how does it hide my identity?” Good question, Joe.

When Joe wants to visit a suspicious website through Tor, the address entered in the browser is sent to a router, (a.k.a. relay or node), which is an IP address of someone who has agreed to be part of the Tor network.

As seen in the diagram below, Joe’s request first goes to router A. Although router A can see that the request comes from Joe, because of encryption, it does not know what website Joe wants to eventually visit. Router A simply sends on the request to the next router which knows nothing about Joe or where he wants to go. Every time a request is sent on to these middle nodes, it is encrypted. These middle nodes are simply used as a way to obscure the source.

After going through at least three middle routers or nodes, Joe’s request finally arrives at the last router (router C in the diagram below). This is called the exit node. This router knows where Joe wants to go, even if it has no knowledge of Joe. After this exit node connects to Joe’s desired site, all communication between Joe and the site is encrypted and hidden.

tor diagram

It should be clear from the information above that if any of Tor’s nodes are vulnerable to manipulation, it would be the entrance and exit nodes. If someone, like the F.B.I., wanted to gain some control over the Tor network, these are the nodes they would need to control. It would be difficult, but, technically, not impossible to do this. In fact, if the F.B.I. controlled both entry and exit nodes during the sending of a request, they could de-anonymize any unlucky web surfer who was directed through both controlled nodes. However, according to the Tor Project co-founder, Nick Mathewson, the chances for this are about one in two million. Of course, the percentage increases when multiple node pairs are controlled.

That said, it is well known that U.S. law enforcement agencies have used Tor to de-anonymize users for years. In fact, they have done so two times in the last year alone. Sure, many Tor websites are used for illicit purposes (57%), as the following chart shows.

tor uses

However, Tor is also useful for those who want to remain anonymous in countries that limit freedom. Dissidents could inadvertently be unmasked by those who seek to de-annonymize users.

Recently, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, two Iraninan hackers, were indicted for their SamSam Ransomware attacks on Newark, the City of Atlanta, the Port of San Diego, LA’s Hollywood Presbyterian Hospital and more, which pocketed $6 million for the hackers and caused over $30 million in damages.


They apparently thought they would hide their activities by using Tor. They did not. Their use of Tor led to their exposure. However, de-anonymized or not, they will never be extradited to the U.S., and they are still actively using the SamSam exploit.

More importantly is the recent use of Tor to unmask organized crime rings that attempted to defraud companies through elaborate CEO scams. Using an email that pretends to come from the company’s CEO, the attackers contact the company’s accounts department and tell them to transfer money to a new vendor. In order to unmask the fraudsters the government set up a fake Fedex site and contacted the the criminals, telling them they would have to use this site to receive their payment. When the criminals, who were assumed to be using Tor, tried to contact the Fedex site to get their payoff, they would receive a message telling them not to use a proxy connection (“Access Denied. This website does not allow proxy connections.”) The F.B.I. hoped they could, in this way, get the criminals to access the site through their actual IP address and, thus, unmask themselves. It should be noted that any website can see if they are being accessed from a Tor node as all exit nodes are published for anyone to see. So, if the criminals were using Tor, they would be coerced into using their actual IP address or risk not being paid.

Although I’ve seen no mention of this by the F.B.I. or other sources, there is one other way that they could get around Tor to receive a criminal’s actual IP address. If they, posing as Fedex, required the criminals to download and fill out some documentation, they could bypass Tor, even if Tor was being used. The downloaded document could contain a beaconing program which would, when opened, send the IP address and other information back to the F.B.I. Such beacons could be placed in documents, images, or videos. In fact, this technique was used to identify child sextortionist, Buster Hernandez. His downloading and playing an F.B.I-infected video exposed his IP address. When they contacted his internet service provider, they gave up his real address. So, instead of Tor hiding his anonymity, it actually enabled the F.B, I. to expose him because Hernandez  believed he was safer than he actually was and let his guard down.  As United States Attorney Josh J. Minkler noted, “terrorizing young victims through the use of social media and hiding behind the anonymity of the Internet will not be tolerated by this office. Those who think they can outwit law enforcement and are above being caught should think again. Mr. Hernandez’s reign of terror is over.”

Unfortunately, the FedEx sting failed to accomplish its goal. The scammers suspected that something was up and backed out at the last minute. Since then, the F.B.I., I.C.E, and D.E.A. have been sued by the ACLU , who wants to know if innocent victims were exposed in stings like the one above.

The Tor browser is frequently updated and, recently, an Android version has appeared. In September, a shady firm which sells 0-day exploits, Zerodium, announced that it had discovered a previously unknown vulnerability in the Tor browser. Most informed observers of Zerodium believe they only made this announcement because they had already sold the exploit. They, in fact, may have other undisclosed exploits related to Tor. For this reason, Tor should be used with caution and with a VPN. Always apply updates as they appear. Anonymity cannot be guaranteed, but, at least for now, Tor is as good as it gets.


One thought on “F.B.I. Uses Tor Browser to Identify CEO Scammers

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s