A researcher known as @Deku_shrub, after finding a Reddit post mentioning an oddity, verified that an entity had hacked Freedom Hosting II, one of the largest hosting platforms for hidden services. In 2013, the FBI indicted the creator and owner of the original Freedom Hosting, Eric Eoin Marques, for hosting child pornography. Marques, a 31-year-old man from Dublin, fought against US extradition as soon as the arrest occurred. While he played no role in Freedom Hosting II—as far as the public knows—the hacker(s) mentioned a “zero tolerance policy for child pornography.”
The hacking group Anonymous claimed responsibility for the hack. Various media outlets have called the group everything from “freedom fighters” to “cyber terrorists,” but their stance against child pornography and similar forms of exploitation generally goes undisputed. For the most part, major hacks credited to Anonymous have involved a moral or ethical code. Lately, though, critics have argued that many Anonymous hacks are simply ordinary hacks with an inherent need for justification. Whatever the case may be regarding Freedom Hosting II, the hackers acted with their moral code—or, at the minimum, provided no valid ulterior motive, even after initially asking to be paid in exchange for the data’s return.
At first, perhaps, the hack appeared financially motivated, if judged solely on the first message the hackers left for Freedom Hosting II admins. They asked for 0.1 BTC in exchange for the entire 2.3 GB MySQL database, excluding the child porn, of course.
Below is the message the hacker(s) left for the world to see:
“Hello Freedom Hosting II, you have been hacked. We are disappointed… This is an excerpt from your front page: ‘We have a zero tolerance policy to child pornography.’ — but what we found while searching through your server is more than 50% child porn… Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses. All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database) We are selling all data (excluding cp) for 0.1 BTC. Send 0.1 BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and send your transaction id to [email protected] or [email protected] and We’ll get back to you with a full dump. Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list. We are Anonymous. We do not forgive. We do not forget. You should have expected us.”
An archived screenshot of the page prior to Anonymous’s intrusion was also published.
A full database dump, especially one containing private keys (as Sarah Jamie Lewis confirmed), is worth far more than 0.1 BTC; some Reddit users called the attempted ransom a joke or “troll.” The site where much of the information first surfaced, pirate dot london, alerted readers that the hackers, or someone with access, had changed the message on the front page.
The update via pirate dot london:
“Thanks for your patience, you don’t have to buy data ;) we made a torrent of the database dump download here. You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us. If you need to get in contact with us, our mail is [email protected]
“Freedom Hosting II Anonymous hackers now giving away data for free in a torrent! fhostingesps6bly.onion fhostingesps6bly.onion fhosting.sql.gz.torrent,” the pirate dot london researcher tweeted. He then began restoring data and created a page with collections of restored .onion websites. The hack removed some botnets from active duty, he explained, additionally expressing his concern that the WordPress site “asshole ballet” would be the “cultural peak” of his work. Fortunately for Monteiro’s well-being, he found more than just “asshole ballet.” The growing list of his restorations can be found on his site.
Combined, and likely individually, Chris Monteiro (aka @Deku_shrub) and Sarah Jamie Lewis (aka @SarahJamieLewis) spent hours verifying and investigating the breached database. Before Monteiro began his restoration, he needed information from the increasingly popular darknet scanner, OnionScan. OnionScan, a tool developed by Lewis, scans onion domains to help site admins find leaks or vulnerabilities. It can additionally be used to create a statistical map of content on the darknet. These large “scans” contain analytical data that researchers would never see without the scan reports she publishes at mascherari.press.
Lewis verified the authenticity of the hack and the breached database with information from a 2016 scan. According to an OnionScan report from November 2016, FH2 hosted 15% – 20% of hidden .onion websites. The results of the November report allowed a cross-referencing of SSH fingerprints and “Hostname hacking among others,” she tweeted. “The fhosting…onion ssh fingerprint matches previously seen (in Nov) – it’s the same server. They got pwned.” She also published a list of every .onion address taken offline by the hack. The list can be found here.
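The verification step described above, cross-referencing SSH host key fingerprints between an older scan and a new one to show that two onion addresses sit on the same server, as an added illustration (not OnionScan's own code or output; the record layout, field names and host keys are constructed for the example):

```python
import base64
import hashlib
from collections import defaultdict

# Constructed host keys: a real scan would record the key line served on the SSH port.
KEY_A = "ssh-ed25519 " + base64.b64encode(b"constructed host key A").decode()
KEY_B = "ssh-ed25519 " + base64.b64encode(b"constructed host key B").decode()
KEY_C = "ssh-ed25519 " + base64.b64encode(b"constructed host key C").decode()

# Constructed scan snapshots (assumed shape: one record per onion with its SSH key).
NOV_SCAN = [
    {"onion": "aaaaaaaaaaaaaaaa.onion", "ssh_key": KEY_A},
    {"onion": "bbbbbbbbbbbbbbbb.onion", "ssh_key": KEY_A},
    {"onion": "cccccccccccccccc.onion", "ssh_key": KEY_A},
    {"onion": "dddddddddddddddd.onion", "ssh_key": KEY_B},
    {"onion": "eeeeeeeeeeeeeeee.onion", "ssh_key": KEY_C},
]
FEB_SCAN = [
    {"onion": "ffffffffffffffff.onion", "ssh_key": KEY_A},  # new name, same host?
    {"onion": "gggggggggggggggg.onion", "ssh_key": KEY_B},
]


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64 blob>' key line."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def index_by_fingerprint(scan):
    """Map each host key fingerprint to the set of onions that presented it."""
    index = defaultdict(set)
    for rec in scan:
        index[ssh_fingerprint(rec["ssh_key"])].add(rec["onion"])
    return index


def same_host_as_before(onion: str, old_scan, new_scan) -> set:
    """Onions from old_scan that share the host key `onion` presents in new_scan."""
    new_keys = {rec["onion"]: ssh_fingerprint(rec["ssh_key"]) for rec in new_scan}
    if onion not in new_keys:
        return set()
    return set(index_by_fingerprint(old_scan).get(new_keys[onion], set()))


def hosting_share(fingerprint: str, scan) -> float:
    """Fraction of scanned onions served by the host with this fingerprint."""
    return len(index_by_fingerprint(scan).get(fingerprint, set())) / len(scan)
```

Matching fingerprints show co-hosting on one server, not who operates it; a host that deliberately reuses or rotates keys would defeat this particular check.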
Added note: The hacker explained that the Freedom Hosting II owner likely knew that child pornography filled many of the sites on FH2. “There are several sites with many GB of uploaded cp,” the hacker wrote in an email. “There is a quota of 256 MB per host, which indicates that they paid for hosting and the FH2 owner likely knew about the content.”
In a follow-up email, the hacker said that he was not 100 percent sure that only one person ran FH2, “but there is only one user account. It is likely to be just one person behind it.”
All credit is due to both researchers named in this post for the images of dumps and restorations.