The Hacker News

In Brief

According to an investigation, Matthew Edman, a cyber security expert and former employee of the Tor Project, helped the FBI with the Cornhusker (a.k.a. Torsploit) malware, which allowed the Feds to hack and unmask Tor users in several high-profile cases, including Operation Torpedo and Silk Road.

Do you know who created malware for the FBI that allowed Feds to unmask Tor users?

It's an insider's job… A former Tor Project developer.

An investigation conducted by Daily Dot journalists has found that Matthew J. Edman, a former part-time employee of the Tor Project, created malware for the Federal Bureau of Investigation (FBI) that has been used by US law enforcement and intelligence agencies in several investigations, including Operation Torpedo.

Matthew Edman is a computer scientist who specializes in cyber security and investigations. He joined the Tor Project in 2008 to build and enhance the Tor software's interactions with Vidalia, a cross-platform GUI for controlling Tor.

After 2009, Matthew was hired by a contractor working for defense and intelligence agencies, including the FBI, to develop anti-Tor malware.
The Tor Project has also confirmed the same, saying, "It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware."
Moreover, the team said Edman worked only on the Vidalia project, which Tor dropped in 2013 and replaced with other tools designed to improve the user experience.

Cases Solved with the Help of Former Tor Developer

Since 2012, Edman has been working at Mitre Corporation as a senior cyber security engineer assigned to the FBI's internal team, dubbed the Remote Operations Unit, that develops or purchases exploits and hacking tools for spying on potential targets.

Due to his work for the Tor Project, Edman became an FBI contractor assigned the task of hacking Tor as part of Operation Torpedo, a sting operation to identify owners and patrons of Dark Net child pornography websites that used Tor.

Besides working on Operation Torpedo, Edman also helped the federal agency shut down Silk Road, the first and most popular Dark Net drug marketplace, and arrest its convicted creator Ross Ulbricht.

According to testimony, it was Edman who did almost everything from tracking $13.4 Million in Bitcoins from Silk Road to tracing Ulbricht's laptop, which played a significant role in Ulbricht being convicted and sentenced to life in prison.

Cornhusker/Torsploit Malware to Unmask Tor Users

To unmask Tor users, Edman worked closely with FBI Special Agent Steven A. Smith to develop and deploy malware, dubbed "Cornhusker" or "Torsploit," that collects identifying information on Tor users.

Tor is anonymity software used by millions of people, including government officials, human rights activists, journalists and, of course, criminals around the world to keep their identity hidden while surfing the Internet.

This is why people use the Tor software to visit Dark Net websites, such as child pornography sites, which are inaccessible via standard web browsers.

The Cornhusker malware exploited vulnerabilities in Adobe Flash Player to reveal Tor users' actual IP addresses to an FBI server outside the Tor network.

The agency hijacked three servers that ran multiple anonymous child pornography websites and placed Cornhusker on them. The malware then targeted the flaws in Flash inside the Tor Browser.

Adobe Flash Player has long been considered unsafe by many security experts, and the Tor Project has long warned against using it. However, many people, including the dozens revealed in Operation Torpedo, make use of Flash inside their Tor Browser.

Although, according to court documents, Cornhusker is no longer in use, the FBI is using its own funded "Network Investigative Technique" (NIT) to obtain the IP and MAC addresses of Tor users in the course of investigations.

However, the so-called network investigative technique has been considered invalid by the court during a hearing on the bust of the world's largest dark web child pornography site, PlayPen.

On Monday, the opposition lawyers filed a motion for the FBI to either reveal the full source code of the malware it used to hack suspected visitors of PlayPen or simply drop the case.
