Reminder: Facebook Helped the FBI Hack a Tor User

To help the FBI identify a Tor user in 2017, Facebook paid a cybersecurity firm to take advantage of a zero-day exploit in Tails, a privacy-focused operating system.

Buster Hernandez, known online as “Brian Kil,” notoriously coerced high school-aged girls to send him “child erotica” or sexually explicit pictures and videos. According to court records, Hernandez coerced these teenagers from about 2015 through mid-2017. However, during the FBI investigation (1:17-cr-00183) that resulted in his arrest, none of the victims were minors. The child pornography charges applied to content received through January 2016, indicating that his victims were perhaps 16 or 17 years old at the time. (Note: some news articles have different timelines than the criminal complaint but it appears as if his victims all stopped being minors long before the police arrested Hernandez. Additionally, he seemingly targeted high school-aged girls in general as some of them were not minors when he contacted them.)


Hernandez, through possibly hundreds of Facebook profiles created through Tor, sent messages to three teenage girls who went to a high school in Plainfield, Indiana. The messages generally followed a pattern outlined below:

“Brian Kil” contacted random individuals (typically minors) by sending private messages that said, for example, “Hi [Victim Name], I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?” If the teenager responded, Hernandez would demand additional pictures or videos and threaten to distribute the ones in his possession if the girl refused to comply.

Brian Kil also just pretended to have explicit content altogether.

Hernandez became something of a problem for Facebook as well as the Plainfield community.

Motherboard reported:

Hernandez was so notorious within Facebook that employees considered him the worst criminal to ever use the platform, two former employees told Motherboard. According to these sources, Facebook assigned a dedicated employee to track him for around two years and developed a new machine learning system designed to detect users creating new accounts and reaching out to kids in an attempt to exploit them. That system was able to detect Hernandez and tie different pseudonymous accounts and their respective victims to him, two former Facebook employees said.

Hernandez taunted Facebook employees, local law enforcement, and the FBI in some of his posts. Investigators never received anything but the I.P. addresses of Tor exit nodes when requesting information on “Brian Kil” from Facebook, email providers, and related services.

Brian Kil actually did better than most darkweb vendors as far as OPSEC goes.

So Facebook decided to hire a cybersecurity firm to help the FBI identify the user. The company paid a cybersecurity consulting firm six figures to create a hacking tool that took advantage of a vulnerability in the video player that shipped with the Tails operating system. The tool, which the firm built together with a Facebook engineer, seemingly produced a piece of malware disguised as a video file. When a Tails user attempted to view the video, the malware sent the user’s real I.P. address to a server controlled by the cybersecurity firm (or, at the end of the investigation, to a server controlled by alphabet boys).

Facebook gave the hacking tool to a third party who then passed it to the FBI.

In 2017, the FBI obtained authorization from a judge to deploy the Network Investigative Technique (NIT). The FBI described the file as a real video file with the malware attached to it.

Brian Kil seemed to believe the file or the DropBox account lacked content.

As outlined in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

After obtaining the IP address, the FBI received authorization to install and use pen registers and trap-and-trace devices on the IP. The FBI, through the use of the wiretap, learned that Hernandez accessed Tor nodes after his significant other left the house. They also identified 4chan threads Hernandez had accessed, among other things.

Facebook sources told Motherboard that they justified their involvement in the creation of a hacking tool because of the type of crime Hernandez had committed. The defendant pleaded guilty to 41 charges, including Production of Child Pornography, Coercion and Enticement of a Minor, and Threats to Kill, Kidnap, and Injure. Additionally, Facebook employees said that an upcoming Tails release had removed the vulnerable code from the video player.

A Tails spokesperson told Motherboard that, at the time, they “didn’t know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.”

I am sure I will get inaccurately branded by the usual suspect as a defender of pedophiles or something for publishing this article. The fact of the matter is that if these companies are doing this to one person, they are doing it to others. Although Facebook’s six-figure Tails hack might be an extreme example, data uncovered in the BlueLeaks hack revealed that companies do this kind of stuff for free:


A little-known investigative unit inside search giant Google regularly forwarded detailed personal information on the company’s users to members of a counter-terrorist fusion center in California’s Bay Area, according to leaked documents reviewed by the Guardian.


Other users are identified by more sophisticated methods, and while some are banned from YouTube, they appear to retain access to other Google services.

One user was identified by matching two separate Gmail addresses to a single Android device, which yielded the user’s name, age, address, and phone number.

That user had posted YouTube comments making anti-Jewish comments, praising white supremacist terrorists, including mass killers, and suggesting he may emulate them.

I suppose that as long as you are buying packs of marijuana on darkweb drug markets and not doing a racism, you might be safe for now. The feds openly and almost regularly use NITs during child exploitation investigations. But given their explicit training on parallel construction and limitless resources, I doubt we know about even half of the cases in which an NIT was deployed against Tor users.

Criminal Complaint: pdf, html, html2

Also, I guess it is time for an article on the Rich Uncle Pennybags situation.

Also also, I tried to use archive.org instead of archive.is throughout. I personally like .is better as a service but the use of Google captchas is obviously a problem. Plus, have you ever tried logging into Dread?

It's Called We Engage In A Mild Amount of Tomfoolery
5d8075b0 Sun, Jan 9, 2022

Also also, I tried to use archive.org instead of archive.is throughout. I personally like .is better as a service but the use of Google captchas is obviously a problem. Plus, have you ever tried logging into Dread?
lmao dnl bringin heat

102bca10 Sun, Jan 9, 2022

@dnl Would you say twitter does the same? Interesting article thanks.

5d5f3010 Sun, Jan 9, 2022

Best I can give you is an “I don’t know.” I expect that they do but I do not have any evidence of them acting as an extension of a LEA in the United States at least to the extent described in the article. Most of what I could find falls under your typical lawful compliance (i.e., turning over subscriber info after receiving a subpoena). I just act as if they do.

And you are welcome. Thanks for reading.

262023d0 Mon, Jan 10, 2022

The Ye Old Golden Rule: if they want you bad enough, they will find you…

LE goes for the low hanging fruit and there is so much low hanging fruit that LE typically doesn’t bring out the old shit ladder to climb higher into the shit tree but rest assured, they have that rickety old shit ladder, missing steps and the whole 9 yards and sometimes they can use that old shit ladder to snatch a shit fruit from high in the old shit tree. 🌳

25fd3980 Mon, Jan 10, 2022

The easy solution to avoid falling victim to these types of exploits is to avoid habits. I don’t understand how people boast about avoiding LE while repeating the same behavior with the same actions repeatedly. Don’t do the same thing twice. It’s true in the digital world as much as the real one.

3d68f300 Mon, Jan 10, 2022

Creating identities would be better advice. You shouldn’t need or want an identity on the darknet. There’s no reason for it unless you’re a vendor and even then you shouldn’t inject your ego into the formula.

Much of proper opsec is having good habits.

6d82f630 Thu, Jan 13, 2022

rotate shield frequencies

posting things like this on a known honeypot might not be the best idea either (:

f4dbb7f0 Mon, Jan 10, 2022

Reminder of the day: don’t use facebook for illegal activities. Also great reporting by the people working at darknetlive!

5308efd0 Mon, Jan 10, 2022

I always thought that video streams on tor were death….

i was right…

cea08190 Mon, Jan 10, 2022

If you notice, the videos uploaded with the NIT didn’t actually contain anything. LE can’t simply host/share illegal content with NITs, not that I’m excusing or endorsing CSAM, but US LE operates under certain legal guidelines because otherwise their cases would fall apart in a court of law.

This was a highly targeted operation that exploited Tails’ video player through the unsafe browser mechanic, probably calling home through a TCP connection.

I remember when the KAX17 news came out and people were theorizing that it was the FBI but I immediately rejected that premise because of how underfunded specific departments are in the FBI.

Though I would agree with the author that there are probably NITs used in some investigations that we aren’t aware of but I’d generally think as long as you don’t consume CSAM, which nobody should, then you’re probably safe from encountering much of it. The market stuff has been opsec failures and seizures.

dd2df940 Mon, Jan 10, 2022

LE is definitely allowed to share illegal content. Every time they bust a pedo site they keep it online to catch more. Look at the articles DNL has on playpen.

089dd420 Mon, Jan 10, 2022

I’m aware of the playpen case. They seized the server hosting the site and allowed criminals to continue interacting with the forum/site. They weren’t posting/sharing CSAM.

There’s a big difference in these two scenarios and if they actually shared real CSAM, they open themselves up for lawsuits from the victims as well as entrapment arguments. Whether or not they ever have, I don’t know, but none of the darknet NIT investigations/honeypots were fed created websites in which they themselves posted/shared/hosted actual CSAM content.

Usually they’ve de-anonymized a site and taken over the server and/or investigated the crypto payments or wrote an NIT within the site’s code.

The FBI is an incredibly powerful entity with some of the top hackers but they are limited to the law. They can’t even technically outright “hack” (damage your system) which is why they’ve argued heavily about their methods being called NITs and not...

e4ec9b40 Tue, Jan 11, 2022

How many times is NIT actually undercover feds that share csam?
Task force Argos shared csam to keep cover for childs play and said it was for the greater good. Wouldn’t be surprised if feds do the same. They have a history of taking illegal shortcuts.

4d82dda0 Tue, Jan 11, 2022

I mean I wouldn’t be terribly surprised if the FBI has, but up to this point I’ve seen nothing to indicate it’s happened in regards to darknet investigations. Though I know they cooperate with one another and I wouldn’t be surprised if they circumvent certain laws by allowing other country’s federal agencies to do certain things they can’t.

3431d340 Mon, Jan 10, 2022

For the life of me I never understood why you defend these pedos. This dude “coerced high school-aged girls to send him “child erotica” or sexually explicit pictures and videos”… shoulda been taken out by the barn and put to pasture..

dab810b0 Mon, Jan 10, 2022

no one is defending a pedo. stop taking parts of the article out of context faggot fed

ac1ec900 Mon, Jan 10, 2022

Nobody is defending him but the techniques and methods used to capture anybody should be analyzed because they can be used against all people. You assume that LEA and tech companies always have the best intentions or will only use these methods for the worst criminals. Which has been proven wrong again and again in history.

The US government told us citizens the Patriot Act would only be used against terrorists. How did that work out? (they’ve used those standards to spy on average citizens) They said they’d only ban extremists from twitter. How’s that working out? (they’ve banned peaceful leftists from the platform on the behest of the US government’s interests)

His crimes are horrific and because of that, they’re completely banking on your emotional reactions in order to justify it and then later use it for any purpose they deem is appropriate.

Separate your feelings from logically analyzing the potential outcomes of normalizing these methods...

a317a3d0 Mon, Jan 10, 2022

17 isn’t a pedo

d1867c20 Tue, Jan 11, 2022

Maybe not but it ain’t right neither.

b9e3b2a0 Mon, Jan 10, 2022

fucking zuckeberg

f7c19bc0 Tue, Jan 11, 2022

Well don’t we have all kinds on this thread…, I’m not here to judge, just to comment and observe in an open forum with a general “variety” of topics. We all do things we shouldn’t, life comes in many different forms like lab made Corona Viruses like Deltacron. If I told you I worked for the CIA and I was generally good with it for a variety of reasons, you’d call me a mad liar…

812a5db0 Thu, Jan 13, 2022

junior grade LT, with a 9 year financed hemi, ain’t the same as the company bruh lol

your Karen wife is wide open to bangin everyone but you on base broski

b0aaa2a0 Thu, Jan 13, 2022

^ LMAO bruh he so mad he rage quit before we could even DoS em

North Cali confirmed

try HARDER LE, jesus army Intelligence doesn’t give a shit about drugs and has no authority anyways. MPs just don’t want the drunks to wonder on base or roll their durangos off-base. bad look

60bf94b0 Thu, Jan 13, 2022


Financed a Charger thank-u-very-much with my sign-up bonus. Reasonable rate and paid it off in three years. Rolling Durangos is a civilian LE specialty.

0048e090 Tue, Jan 11, 2022

You all should take it fucking 3asy on DNL too, big shoes to fill from their predecessor Deep Dot WeB, what would we do without them, could someone fill their shoes? God Speed Stepp3R DNL!!!

84e6c170 Tue, Jan 11, 2022

I wouldn’t ever use Tails for a higher threat model, hell I would think twice before using it for normal surfing. Tails is crap and people should stop recommending it for higher threat models. The Tor Browser in Tails also ships with ublock origin which you can’t remove, which straight out damages your opsec because very few people use any extensions at all.

84180a80 Tue, Jan 11, 2022

Tails is such a complete joke, it’s shocking

offline video player has network functionality and phones home
offline video player has access to your internet connection not through the proxy

a633bb00 Tue, Jan 11, 2022

muh pedo
wouldn’t be justified even if it was pedo
keep your kids from posting nudes on facebook yourself lol wtf

10203df0 Tue, Jan 11, 2022

yeah bro its totally the kids fault and grown ass men should be allowed to be degenerates and harass kids on social media and also 17 year olds are high functioning adults with a lot of real world experience and are totally incapable of making stupid and immature decisions. dumbass nigger

73acb8c0 Wed, Jan 12, 2022

Think Pad + Qubes

232e41f0 Thu, Jan 13, 2022

imagine using the Zuckerjewbook in post 2014. lol

5ce3aa20 Thu, Jan 13, 2022

I know you zoomers require your socials for your self-worth but JFC


So DNL is acting really fucking strange these days. Stay clear.

42e3d270 Thu, Jan 13, 2022

Megacorps work with the gov because they themselves are untouchable. Why would anyone trust anything that isn’t under your complete, source, control? JFC now i get the pump n dump scheme

the worse are reddiot niggas postin’ like they protected on the clearnet here JFC don’t u all understand DNL’s track record?

https://en.wikipedia.org/wiki/NSA_spying_scandal

fe1c33d0 Thu, Jan 13, 2022

but wikipedia has a lib bias thanks i’ll pass


7b51d340 Thu, Jan 13, 2022

^ weaponized Poe’s Law.

Go back to the clearnet plz.

92f82480 Fri, Jan 21, 2022

7b51d340: shut your dumb mouth & go back to Reddit, commiefag

cd5d0a70 Thu, Jan 13, 2022

90% of the comments are posted by feds running some COINTELPRO-style op

always has been lol

<3 see some of you realllllll soon,

a Fort Bumpfuck middle of nowhere, AZ US Army Intelligence Officer

c1b125b0 Thu, Jan 13, 2022

oh yippy LARPing gamers have found the darknets :(

sooo much edgelord cringe

c0e8bce0 Thu, Jan 13, 2022

I miss the internet pre-2004 honestly. Cheap laptops and then later smartphones, plus the cancer that is social media, basically ruins everything eventually. Alas, thank you DNL, your service was admirable.

49267770 Fri, Jan 14, 2022

Not defending this piece of garbage, but I am inclined to think he would have been safe from that exploit using qubes-whonix rather than Tails.

c5cc29b0 Tue, Jan 18, 2022

Remember kids, saying mean things about the Jews is the same as pedophilia in the eyes of the law

f1525ca0 Tue, Jan 18, 2022

This basically goes back to when I was about 10 or 11 years old injecting RAT trojans into porn pics and sending them to weirdos on AOL chat rooms. Fed’s going old school with the injections. I wouldn’t open a downloaded video with an active internet connection. But pedos deserve this!

ee23cf00 Wed, Jan 19, 2022

A bad man indeed. The only thing worse would be something like a legal institution installing cameras on Epstein’s “Island of Dr Pedeau” to allow a year’s worth of child molestation to take place for nothing but political leverage. Well, that and glory-rolling in the shit of your own hypocrisy. Hoover never really left the building. He’s just wearing different clothes (again).

0fa907c0 Fri, Jan 21, 2022

“employees considered him the worst criminal to ever use the platform”
WTF? If they consider this dude to be the “worst” they haven’t seen shit.
Imagine being so coddled that you think the worst user on your platform is someone who extorts nudes.

1d1e9fd0 Sat, Jan 22, 2022

Considering that there’s been a massive years-long media craze about a set of online communities that have been responsible for less than 100 deaths (incels), it’s no surprise that coddled bitches would also find this to be something extraordinary. People need to leave their snow-white suburbs.

66b2c8a0 Thu, Jan 27, 2022

What I think is that anyone rich and powerful enough (like fbi or fb) can just order a new “special 0day exploit” release from tails or other “secured” software like Onion browser to catch someone who is special for them. No anonymity there anymore, too much code that you can’t trust. The problem of untraceable Joe Dow is that no one interested in the momein in him. That’s it.
