Activist project Baneki Privacy Labs has traced the IP space used in an exploit targeted at Tor users over the darknet back to the National Security Agency's Autonomous Systems.
The outfit tracked the IP address to a facility owned by US defense contractor Science Applications International Corporation (SAIC). This was later linked to addresses allocated by the contractor to the NSA.
The exploit appeared on some Freedom Hosting darknet sites, including Tormail, shortly before the arrest of Eric Eoin Marques, who is currently held in Ireland on foot of an extradition request by the FBI.
Marques faced four charges relating to alleged child pornography offences, with a total of 30 years in jail. His arrest on Saturday coincided with mass outages across the darknet affecting popular services like Tor Mail, HackBB and the Hidden Wiki, which were run on Freedom Hosting, a company largely suspected to be operated by Marques.
Researchers said the exploit appeared only to break the anonymity of users and did not compromise user systems.
“Because this payload does not download or execute any secondary backdoor or commands, it's very likely that this is being operated by a [law enforcement agency] and not by black hats [malicious hackers],” Vlad Tsyrklevich, a reverse engineer based in New York, wrote in a post.
He later tweeted that “it only sends back hostname/MAC address/UUID [to identify which site you visited].”
Tor project leader Roger Dingledine said he did not think the attack modified a victim's computer, but said “it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden [Tor] services.”
The FBI declined to comment on any malware.
"An individual has been arrested as part of an ongoing criminal investigation," a spokeswoman told SC. "Because this matter is ongoing, we are unable to provide further comment."
Frequent calls to the Tor phone number listed on the website could not be completed due to high call volume. Emails to the Tor media account were not immediately returned.
With Darren Pauli.