Skip to content
Naked Security Naked Security

Four men will be serving prison terms plus lifetimes of supervised release after producing and distributing imagery of their and others’ sexual abuse of children; and/or running multiple services for producers and consumers of child abuse imagery – services that they mistakenly thought were hidden away on the Tor anonymizing network.

The Department of Justice (DOJ) on Monday announced the sentencing of the four men, who had all previously pleaded guilty to conducting what the department called a worldwide child exploitation enterprise.

Chief US District Judge Waverly D. Crenshaw of the Middle District of Tennessee handed down these sentences to these convicts:

  • Patrick D. Falte, 29, of Franklin, Tennessee, was sentenced to 35 years in prison for engaging in a child exploitation enterprise, three counts of advertising child abuse imagery, and three counts of distributing child abuse imagery.

These remaining three men were all convicted of engaging in a child exploitation enterprise:

  • Benjamin A. Faulkner, 28, of Ontario, Canada, who was sentenced to 35 years in prison.
  • Andrew R. Leslie, 24, of Middleburg, Florida, who was sentenced to 30 years in prison.
  • Brett A. Bedusek, 35, of Cudahy, Wisconsin, who was sentenced to 20 years in prison.

Giftbox Exchange

The DOJ says that in July 2015, Falte created a website called the “Giftbox Exchange” as a Tor hidden service, meaning it could only be accessed by users through the Tor anonymity network. He used Bitcoin to pay for it – another tactic typically used by criminals trying to hide their tracks.

At the time that law enforcement shuttered the site in November 2016, it had over 72,000 registered users and 56,000 posts. The DOJ says that besides running the site on the Tor network in order to mask the IP addresses of its users, Falte and his co-conspirators also used other techniques to thwart law enforcement, including file encryption and cryptography.

The DOJ’s press release quoted US Attorney Don Cochran for the Middle District of Tennessee, who said that the four men’s sentences mean they’ll all be locked away where they can’t hurt children anymore:

The sentences imposed on these despicable individuals should ensure that they never have another opportunity to abuse another child. With all that we have, we will continue to hunt down the evil and abominable like-minded individuals who delight in abusing children and will bring them to justice.

Tor doesn’t hide all the tracks

This case is just the latest of a long string of reminders that in spite of the anonymity provided by the dark web’s clever encryption, you can still be tracked down. There have been many criminals who have thought pretty highly of their own skills at covering their tracks, including putting faith in the Tor network to keep them anonymous… yet still left tracks that investigators followed to their computers.

Tor is short for “The Onion Router. It provides online anonymity by encrypting network traffic and bouncing it around among a number of relays, also known as nodes, in the Tor network.

Instead of coming from your own IP number, traffic routed via Tor appears to come from the last relay (the exit node) in the randomly-chosen chain of Tor relays used for your connection.

According to the Tor Project, Tor relay operators have “no records of the traffic that passes over the network and therefore can’t hand over information about its origin.”

There are ways to get around the anonymity provided by Tor, however. The FBI infamously cooked up one such, planting police malware onto a dark web site called Playpen that was dedicated to child sex abuse. The FBI took it over and ran it for 13 days, planting a so-called network investigative technique (NIT) – what’s also known as police malware – onto the computers of those who visited.

The NIT forced more than 8,000 computers to cough up their IP addresses, MAC addresses; open ports; lists of running programs; operating system types, versions and serial numbers; preferred browsers and versions; registered owners and registered company names; current logged-in user names; and their last-visited URL.

It was a massive haul of evidence, and it led to the arrests of nearly 900 people worldwide. However, the courts ultimately decided that the underlying search warrant was, in fact, unconstitutional.

Another crook who used Tor, slipped up and didn’t get off was Ryan S. Lin: a then-25-year-old who pleaded guilty in April 2018 to seven counts of cyberstalking, five counts of distribution of child abuse imagery, nine counts of making hoax bomb threats, three counts of computer fraud and abuse, and one count of aggravated identity theft.

Lin, a computer science graduate from Rensselaer Polytechnic Institute, was savvy enough to use a two-pronged approach to protecting anonymity: both a virtual private network (VPN) and an anonymizing service to mask his true IP address. He was also smart enough to know that VPNs keep logs.

Fortunately for the FBI, he did a terrible job at hiding his tracks in spite of all his supposed tech smarts. When investigators got access to Lin’s Gmail account, they found that he’d sent himself two screenshots of what looked to be his iPhone. The images showed what apps were installed, including several apps for anonymous texting, encrypted email, and free burner telephone numbers.

Lin thought the IP address-anonymizing Tor service would protect him. He thought VPNs would hide him. He also seemed to put his faith in anonymous overseas texting services and overseas encrypted email providers that don’t respond to law enforcement and/or don’t maintain IP logs or other records.

In October 2018, he was sentenced to 17.5 years in jail.


This question is a blatant aside to the article and subject, but is the MAC useful at all to law enforcement?


I think, like any circumstantial evidence, ‘it depends’. The more details that corroborate the connection between user X, computer Y, server Z and activity A, the stronger the case gets for stating that X did A. I imagine MACs are particularly useful at the warrant stage, where the investigators have court permission to search a property or a certain computer – it’s supporting evidence that the search is fair and reasonable. (But IANAL so that might not be right at all -)


Verily, it makes sense in the corroborative and circumstantial department.
Thinking how ephemeral/localized a MAC is, I was feeling confused, envisioning
Yep your honor, that’s the MAC address that hit my web server!
…but re-reading gave me a bit better comprehension. Let’s just go with I was testing you.


Imagine that you are an investigator; you have formed a reasonable and informed opinion that someone at IP number X has been {spreading malware,hacking servers,uploading illegal pron,etc.}. A court agrees so you get a warrant to get the physical address and MAC address of the home router involved from the relevant ISP. If the physical address seems to be corroborated byother evidence-based suspicions, you might then get a search-and-seize warrant for computer equipment at that address. If, when you get there, you find a router that does indeed have the MAC address given by the ISP, plus a computer with content that aligns with the evidence you presented before being given the address…

…then you are probably in a good position to persist with the investigation, and perhaps even to convince your own lawyers that you are being fair, and ultimately to convince prosecutors to take an active interest in the case. The more details that “add up”, the more likely a prosecutor is going to be to be convinced that there’s not only a case to answer but a chance of proving it to a jury beyond reasonable doubt.


The MAC info is only useful when by other means the suspect is caught , and computer equipment seized, to which the FBI can match and confirm that this device is indeed the computer that was responsible for the downloads , thus hold up in a court of law


Also a bit of an aside, but:

“The DOJ says that besides running the site on the Tor network in order to mask the IP addresses of its users, Falte and his co-conspirators also used other techniques to thwart law enforcement, including file encryption and cryptography.”

Of course the DOJ pointed that out. Got to stay on-message to build the case for those encryption backdoors.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!