Skip to content
Naked Security Naked Security

Hackers take down dark web host linked with child abuse images

Freedom Hosting II sites defaced by hackers who claim to have 75GB of data from more than 10,000 onion sites

Someone using the Anonymous tag has torn a gaping hole in a major Tor dark web host accused of being a home for thousands of child abuse websites.

At the weekend, visitors to websites hosted by the Freedom Hosting II service were reportedly greeted by a blunt defacement: “Hello, Freedom Hosting II, you have been hacked. We are disappointed,” it began before getting to the point: “We have a zero tolerance policy to child pornography – but what we found while searching through your server is more than 50% child porn…”

The attackers claimed to have compromised 75GB of data from 10,613 sites that were being hosted by Freedom Hosting II, plus a further 2.2GB MySQL database of user data. They initially asked for a token 0.1 Bitcoins ($105) in ransom, before leaking the data anyway, complete with a 21-point explanation of how they executed the attack

Within hours, researchers were trying to work out whether any of the data revealed the identities of site owners or users.

According to tweeted comments by Troy Hunt of Have I Been Pwned?, the cache contained 381,000 email addresses, many apparently genuine. Some 21% were already in the site’s pwned database, which means they were leaked in previous breaches: “Law enforcement will absolutely have this data, it’s *very* public. It also obviously has many real email addresses in it.”

As for the content of the sites, researcher Chris Monteiro summarises it as lots of child abuse in English and Russian, plus fraud sites, “fetish sites which might not even be illegal” and some botnets. Monteiro provides instructions on the resources you’ll need if you want to examine the data yourself, but please remember: this data might contain images of child sex abuse. Leave the examination of that data to law enforcement.

How important is Freedom Hosting II? Last October, researcher Sarah Jamie Lewis used OnionScan (a tool used to probe the dark web’s structure) to estimate that the service was being used by between 15% and 20% of dark web sites routed through Tor.

Even so, takedowns of this size are not unprecedented. In 2013, the alleged operator of the site’s forerunner, Freedom Hosting I, was arrested in Ireland after a major FBI operation that included hacking its servers to plant malware designed to unmask users’ PCs.

That incarnation was believed to account for a great deal of the child abuse images hosted on the dark web and yet new services quickly sprang up to fill the gap. Depressingly, the same will probably happen now that its successor has disappeared.

The latest compromise at least reminds the world that the dark web is not a supernatural zone beyond mortal ken. It remains an incredibly small place by internet standards and the services that run there – both unpleasant and well-intentioned – can be put at risk by the lack of diversity of hosting options on the dark web. Increasingly, when that happens, police, intelligence services and Internet vigilantes are quickly on hand to pour through the walls.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!