Questions over Tor exploit link to US Govt


IP checks used dated methods.

Links between an exploit targeting users of the Tor network and US spy and law enforcement agencies should now be considered tenuous, researchers say.

The attack involved a JavaScript exploit targeting an old version of Firefox then commonly used in the Tor Browser Bundle. It served to identify the IP addresses of vulnerable users and tie them to the Freedom Hosting Tor Hidden Services they were visiting.

Reverse engineering efforts found that the small Windows executable, stored in a variable dubbed Magneto, collected the user's MAC address and Windows hostname and obtained their IP address by sending the user to a US server located in Virginia.

IP address checks on the server led some in the research community to consider US contractor Science Applications International Corporation (SAIC), the NSA or the FBI as being behind the exploit.

Ensuing research by Mike Tigas, the developer of the Onion Browser Tor iOS application, however, revealed that the tracking methods by which the US authorities were fingered, specifically a DomainTools utility, were inaccurate because they were based on the old classful system of IP address allocation.

"Had it been the early ’90s, the IP address of Torsploit's (the exploit) command and control server would have suggested that it belongs to SAIC, but a change made over the years in how IP addresses are assigned makes it a much less convincing piece of evidence," Tigas said in an article on ProPublica.
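To make Tigas's point concrete, the following is an added illustration (not from the article, DomainTools or any of the researchers named) of why classful inference misattributes an address: it derives the legacy Class A/B/C network for an address and compares that with a longest-prefix match against a constructed, placeholder allocation table, the way CIDR-era registries are actually consulted.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample allocation table (CIDR block -> holder). These are
# RFC 1918 placeholder addresses and made-up holder names, not the records
# of any server discussed in the article.
REGISTRY: Dict[str, str] = {
    "10.0.0.0/8": "LEGACY-/8-HOLDER (example)",
    "10.20.0.0/16": "TRANSIT-ISP (example)",
    "10.20.30.0/24": "SMALL-HOSTER (example)",
}


def classful_network(ip: str) -> ipaddress.IPv4Network:
    """Network an address would belong to under pre-CIDR classful rules."""
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8      # Class A
    elif first_octet < 192:
        prefix = 16     # Class B
    elif first_octet < 224:
        prefix = 24     # Class C
    else:
        raise ValueError("class D/E address has no classful unicast network")
    return ipaddress.IPv4Network((ip, prefix), strict=False)


def classful_holder(ip: str, registry: Dict[str, str]) -> Optional[str]:
    """Attribution a classful lookup would give: the record for the legacy
    Class A/B/C block, ignoring any more specific CIDR delegation."""
    return registry.get(str(classful_network(ip)))


def longest_prefix_holder(ip: str, registry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Attribution a CIDR-aware lookup gives: the most specific allocation
    that contains the address (longest-prefix match)."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, holder in registry.items():
        net = ipaddress.IPv4Network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, holder)
    return (str(best[0]), best[1]) if best else None


if __name__ == "__main__":
    ip = "10.20.30.40"  # constructed placeholder, not the real C2 address
    print("classful:", classful_network(ip), classful_holder(ip, REGISTRY))
    print("cidr    :", longest_prefix_holder(ip, REGISTRY))
```

For the placeholder address the classful lookup names the legacy /8 holder, while the longest-prefix match lands on the /24 customer block, which is the same gap that made the SAIC attribution look stronger than it was.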

Yet Magneto's lack of traditional blackhat malware capabilities, coupled with its appearance across darknet sites in the days before the FBI netted Eric Eoin Marques, the suspected owner of Freedom Hosting, on child pornography charges and took down a string of Tor hidden services, still makes a convincing argument that law enforcement were indeed behind the malware.

"Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by a LEA (law enforcement agency) and not by blackhats," researcher Vlad Tsyrklevich, who reversed Magneto, said.

The IP addresses linked to the exploit were tied to non-specific records within Verizon Business in a block range comprising more than 2 million addresses.

"That’s a large, nonspecific swath of internet that tells us nothing but that these IPs might use some Verizon Business service, or some client of Verizon Business," Tigas said.

"From the available evidence, it seems like it’s jumping the gun to say that the web and command and control servers associated with the exploit are owned by the US Government."


Copyright © SC Magazine, Australia
