Former Tor developer helped the FBI unmask Tor users

A developer who used to work at Tor Project is the mastermind behind “Torsploit” (aka “Cornhusker”), the malware that was used by the FBI in 2012 to unmask visitors to three child pornography websites on the Dark Web, The Daily Dot has found.

unmask Tor users

As you might remember, in Operation Torpedo, the FBI seized three servers run by Aaron McGrath from Nebraska, and inserted the malware onto the several illegal sites that were hosted on them.

The malware targeted the Flash application inside the Tor Browser used by the sites’ visitors, and the app was forced into sending the visitors’ real IP address (hidden by the use of Tor) to an FBI server outside of the Tor network.

This resulted in the unmasking of at least 25 individuals who visited and used the sites, and up to now, 19 have been prosecuted and convicted. McGrath was sentenced to spend twenty years in prison.

The author of the malware

The author of the malware, Matt Edman, started working at Tor Project in 2008. At the time he was a graduate student, and he was put to work on developing the (now discontinued) Vidalia Tor GUI.

The Tor Project confirmed as much, and said that Edman only ever made code changes to that particular software. But the Tor Project community is close-knit, and no doubt he received much insight into the tools it creates – enough, at any rate, to help him create Torsploit years later.

Since leaving the Tor Project, Edman obtained a Ph.D. in computer science from Rensselaer Polytechnic Institute, and worked at various organizations. In 2012, while working at MITRE Corporation, he was assigned to the FBI’s Remote Operations Unit, and worked, with FBI Special Agent Steven Smith, on creating and deploying Torsploit.

The Tor malware was apparently used in several other FBI investigations, and Edman also later helped the FBI with the operation aimed at shutting down Silk Road and discovering who was behind it.

Today Edman works at consulting firm the Berkeley Research Group.

According to court documents from one of the cases that Operation Torpedo spawned, the Cornhusker malware is no longer in use. In fact, the FBI claims that they “lost” the malware’s code. Whether they actually did or not, it seems logical that the FBI never intended for it to be shared.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss