Freedom Hosting was Tor's most popular hosting service since it was created in 2008. Freedom Hosting maintained servers for some of Tor's most infamous websites, including TorMail, long considered the most secure anonymous email operation online; major hacking and fraud forums such as HackBB; large money laundering operations; and virtually all of the most popular child pornography websites on the planet, the charge that has landed Eric Eoin Marques in custody. Famous child pornography websites such as Lolita City, The Love Zone, and PedoEmpire were customers of Freedom Hosting.
FBI Malware Attack
The FBI acknowledged that it secretly took control of Freedom Hosting in July 2013, just days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors.
Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It's not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control.
On August 4, all the sites hosted by Freedom Hosting—even those with no connection to child porn—began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn't respond to inquiries from WIRED today.
But FBI Supervisory Special Agent J. Brooke Donahue was more forthcoming when he appeared in the Irish court yesterday to bolster the case for keeping Marques behind bars, according to local press reports. Among the many arguments Donahue and an Irish police inspector offered was that Marques might reestablish contact with co-conspirators, and further complicate the FBI probe. In addition to the wrestling match over Freedom Hosting's servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.
Donahue also said Marques had been researching the possibility of moving his hosting, and his residence, to Russia. "My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the U.S.," said Donahue, according to the Irish Independent.
The apparent FBI-malware attack was first noticed on August 4, when all of the hidden service sites hosted by Freedom Hosting began displaying a "Down for Maintenance" message. That included at least some lawful websites, such as the secure email provider TorMail.
Though many older revisions of Firefox were vulnerable to that bug, the malware only targeted Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle—the easiest, most user-friendly package for using the Tor anonymity network. That made it clear early on that the attack was focused specifically on de-anonymizing Tor users.
Perhaps the strongest evidence that the attack was a law enforcement or intelligence operation was the limited functionality of the malware.
But the Magneto code didn't download anything. It looked up the victim's MAC address—a unique hardware identifier for the computer's network or Wi-Fi card—and the victim's Windows hostname. Then it sent it to a server in Northern Virginia, bypassing Tor, to expose the user's real IP address, coding the transmission as a standard HTTP web request.
"The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn't allow them to download a backdoor or conduct any secondary activity," said Vlad Tsyrklevich, who reverse-engineered the Magneto code, at the time.
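The payload described above only worked because the browser process was allowed to open a direct HTTP connection that did not pass through Tor. The defensive counterpart is egress control on the Tor Browser host: the browser may talk only to the local Tor SOCKS proxy, and any other outbound connection from it is a de-anonymization signal to block and alert on. The script below is an added illustration, not code from the article, from Tsyrklevich's analysis, or from the Tor Project. It assumes a simple "<process> <dst_ip>:<dst_port>" record format from an endpoint monitor, a browser process named "firefox", and Tor Browser's bundled tor client listening on 127.0.0.1:9150; the sample records are constructed.

```python
"""Egress check for a host running Tor Browser (added example, not from the article).

The browser process must never reach the network directly, only the local Tor
SOCKS proxy. Every browser-originated connection to anything else is flagged.
Assumed (not from the article): record format "<process> <ip>:<port>", browser
process name "firefox", Tor Browser's SOCKS listener on 127.0.0.1:9150.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Where Tor Browser's bundled tor client listens for SOCKS (assumed default).
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCESSES = {"firefox", "firefox.exe"}

# Constructed sample telemetry. The last two records mimic the behaviour the
# article describes: the browser sending plain HTTP straight to an external
# address instead of through the Tor proxy.
SAMPLE_RECORDS = """\
firefox 127.0.0.1:9150
tor 203.0.113.10:443
firefox 127.0.0.1:9150
firefox 198.51.100.7:80
firefox 198.51.100.7:80
"""


@dataclass(frozen=True)
class Connection:
    process: str
    dst_ip: str
    dst_port: int


def parse_records(text: str) -> list[Connection]:
    """Parse one '<process> <ip>:<port>' record per line; blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        process, endpoint = line.split(maxsplit=1)
        ip, port = endpoint.rsplit(":", 1)
        ip_address(ip)  # raises ValueError on a malformed address
        conns.append(Connection(process, ip, int(port)))
    return conns


def is_tor_proxy(conn: Connection) -> bool:
    """True when the connection goes to the local Tor SOCKS listener."""
    return (conn.dst_ip, conn.dst_port) == TOR_SOCKS


def find_leaks(conns: list[Connection]) -> list[Connection]:
    """Browser connections that bypass the Tor proxy.

    The tor process itself is expected to reach the open internet (it talks to
    guard relays), so only browser-originated records are judged.
    """
    return [c for c in conns
            if c.process in BROWSER_PROCESSES and not is_tor_proxy(c)]


def summarize(conns: list[Connection]) -> dict:
    """Counts plus the distinct destinations reached outside Tor."""
    leaks = find_leaks(conns)
    return {
        "total": len(conns),
        "browser": sum(c.process in BROWSER_PROCESSES for c in conns),
        "leaks": len(leaks),
        "leak_destinations": sorted({f"{c.dst_ip}:{c.dst_port}" for c in leaks}),
    }


if __name__ == "__main__":
    report = summarize(parse_records(SAMPLE_RECORDS))
    print(report)
    for leak in find_leaks(parse_records(SAMPLE_RECORDS)):
        print(f"ALERT: {leak.process} bypassed Tor -> {leak.dst_ip}:{leak.dst_port}")
```

Detection after the fact is the weaker half of the control; the same policy expressed as a host firewall rule (only the tor process may open outbound sockets) or as a gateway design where the browser runs in a VM whose only route is through a separate Tor gateway would have kept the phone-home from ever leaving the machine.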
The malware also sent a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.
The official IP allocation records maintained by the American Registry for Internet Numbers show the two Magneto-related IP addresses were part of a ghost block of eight addresses that have no organization listed. Those addresses trace no further than the Verizon Business data center in Ashburn, Virginia, 20 miles northwest of the Capital Beltway.
The code's behavior, and the command-and-control server's Virginia placement, is also consistent with what's known about the FBI's "computer and internet protocol address verifier," or CIPAV, the law enforcement spyware first reported by WIRED in 2007.
Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target's machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.
Prior to the Freedom Hosting attack, the code had been used sparingly, which kept it from leaking out and being analyzed.