FBI hackers took down a child porn ring

fbi hackers
How does the FBI crack down on child porn on Tor? By hacking, spying and conducting home raids.

The FBI has resorted to hacking to hunt down pedophiles hiding anonymously on the Internet.

The Justice Department just closed a historic case, a massive investigation called Operation Torpedo. And now that details are coming into focus, it's clear that we're in a new era: FBI agents are taking on the role of hacker spies.

The FBI has resorted to court-authorized mass hacking, which pushes legal boundaries. Visit the wrong website, click on a picture -- and the FBI can slip into your computer.

Operation Torpedo started in 2011 when police in the Netherlands found a large child porn site and gained administrative access to it. They found that the Web server was physically located inside a data center at Power DNN, a Web hosting service located in Bellevue, Nebraska. According to court records, Dutch cops then tipped off the FBI.

With a judge's approval, the FBI started spying on the Omaha, Nebraska, home of one Power DNN employee, Aaron McGrath.

In late 2012, federal agents burst into his home and caught McGrath signed in as the administrator of PedoBook, a social media site where people shared photos of child pornography.

McGrath quickly closed the laptop -- immediately locking the data inside with encryption. But investigators were somehow "able to determine the password and unlock the computer," court records say.

That gave agents administrative access to the website. But they still couldn't identify the website's visitors.

The site was on the Dark Web, which means people could only access the website by using the Tor browser. Tor hides their location by bouncing Internet traffic signals around the globe.

The FBI was granted a search warrant for a "network investigative technique," allowing agents to slip computer code into photos on the child porn website. Every time a website visitor clicked on an image of a naked child, their computer also downloaded extra data that reported back to the FBI the computer's true IP address and type of operating system.

In unsealed court documents from 2012, FBI Agent Jeffrey Tarpinian describes this hack as "the only available investigative technique with a reasonable likelihood of securing the evidence necessary to prove... the actual location and identity of those users."

The exact method used by the FBI is detailed in other court records. Agents added Flash software to the hijacked porn site, exploiting the fact that Flash is notoriously vulnerable to hacking. If visitors used an outdated version of Tor -- and didn't set their computers to block Flash -- that Flash app was able to establish a direct connection and reveal their IP address.

That means the FBI didn't break Tor's anonymity. It was only able to catch the slowest, dumbest of the bunch.

Among them: One 22-year old from Ashford, Alabama, who promised to produce images of his yet unborn daughter while she was still in her mother's womb. Agents stopped him before the act. He's now serving a 15-year prison sentence.

A 42-year old boasted about the many girls he raped in the Philippines. He's now serving 20 years.

Then there's the user who went by PT***eater, who worried investigators because he warned he was on the verge of attacking a child.

"I am tired of... this fantasy," he wrote on the site. "I need to kill an infant or toddler for real."

The FBI had a few clues: In private messages on PedoBook, he said he lived in the Washington area. And agents found he had used the same AIM username when signing up for a regular porn website on the open Internet. An FBI subpoena to AOL gave them an IP address. Another subpoena to Verizon gave them a physical address in Germantown, Maryland.

It belonged to Timothy DeFoggi, the top cybersecurity official at the Health and Human Services Department, who in court testimony claimed he had top secret clearance and experience working with the CIA and NSA.

When two FBI teams stormed into DeFoggi's dark home at 5:30 a.m. in April 2013, they found him in his underwear on the floor hunched over his laptop, according to later testimony by agents in federal court. An FBI agent shouted for him to back away from the computer. DeFoggi didn't. The agent kicked him away from the laptop. The Tor browser window had been closed -- but the computer was still downloading a file from a child porn video site called the OnionPedo Video Archive.

He was eventually sentenced to 25 years in prison.

The FBI's hacking methods have been challenged in court. In one Operation Torpedo case, a defense attorney claimed the mass hack was "overreaching of law enforcement." Another defense attorney argued that the FBI unfairly sneaked up on his client. The FBI got permission to hack, but the search warrant required notifying the suspect of the electronic search within 30 days.

In both instances, a federal judge disagreed.

Critics have also raised questions about whether it was legal for the FBI to essentially maintain a child porn site and keep it up and running on its watch.

In a briefing with news reporters in December, Justice Department officials acknowledged that these investigations are costly, slow and difficult.

Operation Torpedo took longer than three years, and just over "half a dozen" children were rescued, prosecutors said. The child pornography sites had more than 13,000 active members combined. In the end, only 19 men were sentenced to prison.

What's worse, officials say they're finding more evidence of child sexual abuse on the Dark Web than ever before. Before the FBI took own these particular sites, image galleries racked up huge numbers of views. A single collection of images, labeled "Melinda - my daughter," was viewed more than 467,000 times.

"They're hiding in plain sight... we remain powerless to some extent," said one senior Justice Department official who was authorized to speak without being named. "That's what creates this sense of urgency."

CNNMoney Sponsors