The Tor Project director claims the anonymous web browser was the victim of a $1m (£660,000) cyber attack orchestrated by the FBI and researchers at Carnegie Mellon University (CMU). Tor has branded the hack as a violation of trust that endangered innocent users.
It is claimed the hack led to the arrest of a staff member of the Silk Road 2 drug marketplace, but Tor questions the FBI's use of academic researchers to help its investigation, claiming "it is unlikely they could have gotten a valid warrant for CMU's attack...since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once."
A company blog post by the Tor Project continued: "Such action is a violation of our trust and basic guidelines for ethical research...this attack crosses the crucial line between research and endangering innocent users." The blog post came just hours after Vice's Motherboard, having reviewed a series of court documents, said the university had helped the FBI find Brian Farrell, who admitted in January 2015 to being 'DoctorChu', a Silk Road 2 staff member.
An FBI 'source of information'
Farrell's arrest, according to a statement by Special Agent Michael Larson, was aided by an FBI "source of information" who provided "reliable IP addresses for Tor and hidden services such as Silk Road 2...[and the identity of] at least another 17 black markets on Tor." This refers to Operation Onymous, an international effort that shut down 400 dark websites and led to 17 arrests, including six Britons.
The Tor Project accuses two Carnegie Mellon researchers − Alexander Volynkin and Michael McCord − of providing information to the FBI, as the time that this happened (early 2014) ties in with a known attack on Tor. In August that year, a month after the Tor Project fixed the vulnerability, the pair were due to give a presentation about how to de-anonymise Tor at the famous Black Hat conference.
'Payment to CMU was at least $1m'
The pair said they had tested their attacks on Tor in the wild, and the attacks could be replicated for as little as $3,000. But lawyers from the university stepped in to stop the talk from taking place, saying that neither the university nor its Software Engineering Institute had given permission for public disclosure of their findings.
The attack on Tor spanned from 30 January to 4 July 2014, the same period of time during which the FBI's source provided IP addresses of dark websites and their alleged users and staff.
The Tor Project's blog post continues: "Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes...We have been told that payment to CMU was at least $1m." This figure, Tor Project director Roger Dingledine told Wired, came from "friends in the security community".
'The government has declined to produce any additional discovery'
The defence of Silk Road 2 employee Farrell has asked for additional evidence of how he and other Tor users were discovered by the FBI in the spring and summer of 2014. However, his lawyers said: "To date, the government has declined to produce any additional discovery."
Speaking to Motherboard, Tor Project co-founder Nick Mathewson said: "If you're doing an experiment without the knowledge or consent of the people you're experimenting on, you might be doing something questionable. And if you're doing it without their informed consent because you know they wouldn't give it to you, then you're almost certainly doing something wrong. Whatever you're doing, it isn't science."
Senior computer researcher Nicholas Weaver said the institute that worked with the FBI was "almost certainly" Carnegie Mellon. But despite the strong circumstantial evidence, some important questions remain unanswered. The attack on Tor could have been carried out by another "university-based research institute," and it isn't clear if the FBI approached the institute with the plan of attacking Tor, or if the attack took place first, then the institute went to the FBI with its findings.
IBTimes UK has requested a comment from CMU, and will update this story if we get one.