Reminder: Facebook Helped the FBI Hack a Tor User

~5 min read | Published on 2022-01-09, tagged Child-Porn using 1120 words.

To help the FBI identify a Tor user in 2017, Facebook paid a cybersecurity firm to take advantage of a zero-day exploit in Tails, a privacy-focused operating system.
Buster Hernandez, known online as “Brian Kil,” notoriously coerced high school-aged girls to send him “child erotica” or sexually explicit pictures and videos. According to court records, Hernandez coerced these teenagers from about 2015 through mid-2017. However, during the FBI investigation (1:17-cr-00183) that resulted in his arrest, none of the victims were minors. The child pornography charges applied to content received through January 2016, indicating that his victims were perhaps 16 or 17 years old at the time. (Note: some news articles have different timelines than the criminal complaint but it appears as if his victims all stopped being minors long before the police arrested Hernandez. Additionally, he seemingly targeted high school-aged girls in general as some of them were not minors when he contacted them.)


Hernandez, through possibly hundreds of Facebook profiles created through Tor, sent messages to three teenage girls who went to a high school in Plainfield, Indiana. The messages generally followed a pattern outlined below:
“Brian Kil” contacted random individuals (typically minors) by sending private messages that said, for example, “Hi [Victim Name], I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?” If the teenager responded, Hernandez would demand additional pictures or videos and threaten to distribute the ones in his possession if the girl refused to comply.
[Image caption: Brian Kil also just pretended to have explicit content altogether.]

Hernandez became something of a problem for Facebook as well as the Plainfield community.
Motherboard reported:
Hernandez was so notorious within Facebook that employees considered him the worst criminal to ever use the platform, two former employees told Motherboard. According to these sources, Facebook assigned a dedicated employee to track him for around two years and developed a new machine learning system designed to detect users creating new accounts and reaching out to kids in an attempt to exploit them. That system was able to detect Hernandez and tie different pseudonymous accounts and their respective victims to him, two former Facebook employees said.

Hernandez taunted Facebook employees, local law enforcement, and the FBI in some of his posts. Investigators never received anything but the I.P. addresses of Tor exit nodes when requesting information on “Brian Kil” from Facebook, email providers, and related services.

Brian Kil actually did better than most darkweb vendors as far as OPSEC goes.

So Facebook decided to hire a cybersecurity firm to help the FBI identify the user. They paid a cybersecurity consulting firm six figures to create a hacking tool that took advantage of a vulnerability in the video player that shipped with the Tails operating system. The cybersecurity firm’s tool, which they worked with a Facebook engineer to create, seemingly created a piece of malware disguised as a video file. When a Tails user attempted to view the video, the malware sent the user’s real I.P. address to a server controlled by the cybersecurity firm (or, at the end of the investigation, to a server controlled by alphabet boys).
Facebook gave the hacking tool to a third party who then passed it to the FBI.
In 2017, the FBI obtained authorization from a judge to deploy the Network Investigative Technique (NIT). The FBI described the file as a real video file with the malware attached to it.
[Image caption: Brian Kil seemed to believe the file or the DropBox account lacked content.]

As outlined in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

After obtaining the IP address, the FBI received authorization to install and use pen registers and trap-and-trace devices on the IP. The FBI, through the use of the wiretap, learned that Hernandez accessed Tor nodes after his significant other left the house. They also identified 4chan threads Hernandez had accessed, among other things.
Facebook sources told Motherboard that they justified their involvement in the creation of a hacking tool because of the type of crime Hernandez had committed. The defendant pleaded guilty to 41 charges, including Production of Child Pornography, Coercion and Enticement of a Minor, and Threats to Kill, Kidnap, and Injure. Additionally, Facebook employees said that an upcoming Tails release had removed the vulnerable code from the video player.
A Tails spokesperson told Motherboard that, at the time, they “didn’t know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.”

I am sure I will get inaccurately branded by the usual suspects as a defender of pedophiles or something for publishing this article. The fact of the matter is that if these companies are doing this to one person, they are doing it to others. Although Facebook’s six-figure Tails hack might be an extreme example, data uncovered in the BlueLeaks hack revealed that companies do this kind of stuff for free:
A little-known investigative unit inside search giant Google regularly forwarded detailed personal information on the company’s users to members of a counter-terrorist fusion center in California’s Bay Area, according to leaked documents reviewed by the Guardian.

Other users are identified by more sophisticated methods, and while some are banned from YouTube, they appear to retain access to other Google services.

One user was identified by matching two separate Gmail addresses to a single Android device, which yielded the user’s name, age, address, and phone number.

That user had posted YouTube comments making anti-Jewish comments, praising white supremacist terrorists, including mass killers, and suggesting he may emulate them.

I suppose that as long as you are buying packs of marijuana on darkweb drug markets and not doing a racism, you might be safe for now. The feds openly and almost regularly use NITs during child exploitation investigations. But given their explicit training on parallel construction and limitless resources, I doubt we know about even half of the cases in which an NIT was deployed against Tor users.
Criminal Complaint: pdf, html, html2
Also, I guess it is time for an article on the Rich Uncle Pennybags situation.
Also also, I tried to use instead of throughout. I personally like .is better as a service but the use of Google captchas is obviously a problem. Plus, have you ever tried logging into Dread?

Comments (46)


@dnl Would you say twitter does the same? Interesting article thanks.


Best I can give you is an "I don't know." I expect that they do but I do not have any evidence of them acting as an extension of a LEA in the United States at least to the extent described in the article. Most of what I could find falls under your typical lawful compliance (i.e., turning over subscriber info after receiving a subpoena). I just act as if they do. And you are welcome. Thanks for reading.

$$$hit Fruit, 2022-01-10

The Ye Old Golden Rule: if they want you bad enough, they will find you… LE goes for the low hanging fruit and there is so much low hanging fruit that LE typically doesn’t bring out the old shit ladder to climb higher into the shit tree but rest assured, they have that rickety old shit ladder, missing steps and the whole 9 yards and sometimes they can use that old shit ladder to snatch a shit fruit from high in the old shit tree. 🌳


The easy solution to avoid falling victim to these type of exploits is to avoid habits. I don't understand how people boast about avoiding LE while repeating the same behavior with the same actions repeatedly. Don't do the same thing twice. It's true in the digital world as much as the real one.


Creating identities would be better advice. You shouldn't need or want an identity on the darknet. There's no reason for it unless you're a vendor and even then you shouldn't inject your ego into the formula. Much of proper opsec is having good habits.


rotate shield frequencies posting things like this on a known honeypot might not be the best idea either (:


Reminder of the day: don't use facebook for illegal activities. Also great reporting by the people working at darknetlive!

not really here, 2022-01-10

I always thought that video streams on tor were death.... i was right...

not really there, 2022-01-10

If you notice, the videos uploaded with the NIT didn't actually contain anything. LE can't simply host/share illegal content with NITs, not that I'm excusing or endorsing CSAM, but US LE operates under certain legal guidelines because otherwise their cases would fall apart in a court of law. This was a highly targeted operation that exploited Tails' video player through the unsafe browser mechanic, probably calling home through a TCP connection. I remember when the KAX17 news came out and people were theorizing that it was the FBI but I immediately rejected that premise because of how underfunded specific departments are in the FBI. Though I would agree with the author that there are probably NITs used in some investigations that we aren't aware of but I'd generally think as long as you don't consume CSAM, which nobody should, then you're probably safe from encountering much of it. The market stuff has been opsec failures and seizures.


LE is definitely allowed to share illegal content. Every time they bust a pedo site they keep it online to catch more. Look at the articles DNL has on playpen.

re: gitd, 2022-01-11

I'm aware of the playpen case. They seized the server hosting the site and allowed criminals to continue interacting with the forum/site. They weren't posting/sharing CSAM. There's a big difference in these two scenarios and if they actually shared real CSAM, they open themselves up for lawsuits from the victims as well as entrapment arguments. Whether or not they ever have, I don't know, but none of the darknet NIT investigations/honeypots were fed created websites in which they themselves posted/shared/hosted actual CSAM content. Usually they've de-anonymized a site and taken over the server and/or investigated the crypto payments or wrote an NIT within the site's code. The FBI is an incredibly powerful entity with some of the top hackers but they are limited to the law. They can't even technically outright "hack" (damage your system) which is why they've argued heavily about their methods being called NITs and not "hacks".


How many times is NIT actually undercover feds that share csam? Task force Argos shared csam to keep cover for childs play and said it was for the greater good. Wouldn't be surprised if feds do the same. They have a history of taking illegal shortcuts.

re: hmm, 2022-01-11

I mean I wouldn't be terribly surprised if the FBI has, but up to this point I've seen nothing to indicate it's happened in regards to darknet investigations. Though I know they cooperate with one another and I wouldn't be surprised if they circumvent certain laws by allowing other country's federal agencies to do certain things they can't.


For the life of me I never understood why you defend these pedos. This dude "coerced high school-aged girls to send him “child erotica” or sexually explicit pictures and videos"... shoulda been taken out by the barn and put to pasture..


no one is defending a pedo. stop taking parts of the article out of context faggot fed


Nobody is defending him but the techniques and methods used to capture anybody should be analyzed because they can be used against all people. You assume that LEA and tech companies always have the best intentions or will only use these methods for the worst criminals. Which has been proven wrong again and again in history. The US government told us citizens the Patriot Act would only be used against terrorists. How did that work out? (they've used those standards to spy on average citizens) They said they'd only ban extremists from twitter. How's that working out? (they've banned peaceful leftists from the platform on the behest of the US government's interests) His crimes are horrific and because of that, they're completely banking on your emotional reactions in order to justify it and then later use it for any purpose they deem is appropriate. Separate your feelings from logically analyzing the potential outcomes of normalizing these methods because the potential ramifications of much of these NIT investigations could affect more than just the people you deem should be "taken out by the barn and put to pasture". Ya fucking idiot.


17 isn't a pedo

re: lol, 2022-01-11

Maybe not but it ain't right neither.


fucking zuckerberg

Call me mayb3?, 2022-01-11

Well don’t we have all kinds on this thread…, I’m not here to judge, just to comment and observe in an open forum with a general “variety” of topics. We all do things we shouldn’t, life comes in many different forms like lab made Corona Viruses like Deltacron. If I told you I worked for the CIA and I was generally good with it for a variety of reasons, you’d call me a mad liar…


junior grade LT, with a 9 year financed hemi, ain't the same as the company bruh lol your Karen wife is wide open to bangin everyone but you on base broski


^ LMAO bruh he so mad he rage quit before we could even DoS em North Cali confirmed try HARDER LE, jesus army Intelligence doesn't give a shit about drugs and has no authority anyways. MPs just don't want the drunks to wonder on base or roll their durangos off-base. bad look


@GG Financed a Charger thank-u-very-much with my sign-up bonus. Reasonable rate and paid it off in three years. Rolling Durangos is a civilian LE specialty.

The Shit Abyss, 2022-01-11

You all should take it fucking 3asy on DNL too, big shoes to fill from their predecessor Deep Dot WeB, what would we do without them, could someone fill their shoes? God Speed Stepp3R DNL!!!


I wouldn't ever use Tails for a higher threat model, hell I would think twice before using it for normal surfing. Tails is crap and people should stop recommending it for higher threat models. The Tor Browser in Tails also ships with ublock origin which you can't remove, which straight out damages your opsec because very few people use any extensions at all.


Tails is such a complete joke, it's shocking
>offline video player has network functionality and phones home
>offline video player has access to your internet connection not through the proxy
why


>muh pedo
wouldn't be justified even if it was pedo. keep your kids from posting nudes on facebook yourself lol wtf


yeah bro its totally the kids fault and grown ass men should be allowed to be degenerates and harass kids on social media and also 17 year olds are high functioning adults with a lot of real world experience and are totally incapable of making stupid and immature decisions. dumbass nigger


Think Pad + Qubes


imagine using the Zuckerjewbook in post 2014. lol


I know you zoomers require your socials for yourself worth but JFC LOW HANGING FRUIT So DNL is acting really fucking strange these days. Stay clear.


Megacorps work with the gov because they themselves are untouchable. Why would anyone trust anything that isn't under your complete, source, control? JFC now i get the pump n dump scheme the worse are reddiot niggas postin' like they protected on the clearnet here JFC don't u all understand DNL's track record? https://


but wikipedia has a lib bias thanks i'll pass NEXT


^ weaponized Poe's Law. Go back to the clearnet plz.


7b51d340: shut your dumb mouth & go back to Reddit, commiefag


> 90% of the comments are posted by feds running some COINTELPRO-style op always has been lol <3 see some of you realllllll soon, sincerely a Fort Bumpfuck middle of nowhere, AZ US Army Intelligence Officer


oh yippy LARPing gamers have found the darknets :( sooo much edgelord cringe


I miss the internet pre-2004 honestly. Cheap laptops and then later smartphones, plus the cancer that is social media, basically ruins everything eventually. Alas, thank you DNL, your service was admirable.


Not defending this piece of garbage, but I am inclined to think he would have been safe from that exploit using qubes-whonix rather than Tails.


Remember kids, saying mean things about the Jews is the same as pedophilia in the eyes of the law


This basically goes back to when I was about 10 or 11 years old injecting RAT trojans into porn pics and sending them to weirdos on AOL chat rooms. Feds going old school with the injections. I wouldn't open a downloaded video with an active internet connection. But pedos deserve this!


A bad man indeed. The only thing worse would be something like a legal institution installing cameras on Epstein's "Island of Dr Pedeau" to allow a year's worth of child molestation to take place for nothing but political leverage. Well, that and glory-rolling in the shit of your own hypocrisy. Hoover never really left the building. He's just wearing different clothes (again).


“employees considered him the worst criminal to ever use the platform” WTF? If they consider this dude to be the “worst” they haven’t seen shit. Imagine being so coddled that you think the worst user on your platform is someone who extorts nudes.


Considering that there's been a massive years-long media craze about a set of online communities that have been responsible for less than 100 deaths (incels), it's no surprise that coddled bitches would also find this to be something extraordinary. People need to leave their snow-white suburbs.


What I think is that anyone rich and powerful enough (like fbi or fb) can just order a new "special 0day exploit" release from tails or other "secured" software like Onion browser to catch someone who is special for them. No anonymity there anymore, too much code that you can't trust. The problem of untraceable Joe Dow is that no one is interested in him at the moment. That's it.


Facebook/Instagram are one of the BIGGEST platforms, that not only allows users to sell CP on their platform, they also aid in the sales by recommending other CP related accounts to users of that interest. Temple university did an investigation into them a couple months ago and EXPOSED the hell out of Facebook. Crazy how you got from spending 100k to stop a pedo, to helping thousands of pedophiles buy the exact same type of content.