laptop spotlighted tor dark web
Illustration by Caroline Matthews, Creative Commons Attribution 4.0 International License.

A dark web tycoon pleads guilty. But how was he caught?

The FBI found Eric Marques by breaking the famed anonymity service Tor, and officials won’t reveal if a vulnerability was used. That has activists and lawyers concerned.

When the enterprising cybercriminal Eric Eoin Marques pleaded guilty in an American court this week, it was meant to bring closure to a seven-year-long international legal struggle centered on his dark web empire. 

In the end, it did anything but.

Marques faces up to 30 years in jail for running Freedom Hosting, which temporarily existed beyond reach of the law and ended up being used to host drug markets, money-laundering operations, hacking groups, and millions of images of child abuse. But there is still one question that police have yet to answer: How exactly were they able to catch him? Investigators were somehow able to break the layers of anonymity that Marques had constructed, leading them to locate a crucial server in France. This discovery eventually led them to Marques himself, who was arrested in Ireland in 2013.

Marques was the first in a line of famous cybercriminals to be caught despite believing that using the privacy-shielding anonymity network Tor would make them safe behind their keyboards. The case demonstrates that government agencies can trace suspects through networks that were designed to be impenetrable.

Marques has blamed the American NSA’s world-class hackers, but the FBI has also been building up its efforts since 2002. And, some observers say, they often withhold key details of their investigations from defendants and judges alike—secrecy that could have wide-ranging cybersecurity implications across the internet.

“The overarching question is when are criminal defendants entitled to information about how law enforcement located them?” asks Mark Rumold, a staff attorney at the Electronic Frontier Foundation, an organization that promotes online civil liberties. “It does a disservice to our criminal justice system when the government hides techniques of investigation from public and criminal defendants. Oftentimes the reason they do this kind of obscuring is because the technique they use is questionable legally or might raise questions in the public’s mind about why they were doing it. While it’s common for them to do this, I don’t think it benefits anyone.”

Freedom Hosting was an anonymous and illicit cloud computing company running what some estimated to be up to half of all dark web sites in 2013. The operation existed entirely on the anonymity network Tor and was used for a wide range of illegal activity, including the hacking and fraud forum HackBB and money-laundering operations including the Onion Bank. It also maintained servers for the legal email service Tor Mail and the singularly strange encyclopedia Hidden Wiki.

But it was the hosting of sites used for photos and videos of child exploitation that attracted the most hostile government attention. When Marques was arrested in 2013, the FBI called him the “largest facilitator” of such images “on the planet.”

Early on August 2 or 3, 2013, some of the users noticed “unknown Javascript” hidden in websites running on Freedom Hosting. Hours later, as panicked chatter about the new code began to spread, the sites all went down simultaneously. The code had attacked a Firefox vulnerability that could target and unmask Tor users—even those using it for legal purposes such as visiting Tor Mail—if they failed to update their software fast enough. 

While in control of Freedom Hosting, the agency then used malware that probably touched thousands of computers. The ACLU criticized the FBI for indiscriminately using the code like a “grenade.”

The FBI had found a way to break Tor’s anonymity protections, but the technical details of how it happened remain a mystery. 

“Perhaps the greatest overarching question related to the investigation of this case is how the government was able to pierce Tor’s veil of anonymity and locate the IP address of the server in France,” Marques’s defense lawyers wrote in a recent filing.

In the original indictment, there is little information beyond references to an “investigation in 2013” that found a key IP address linked to Freedom Hosting (referred to in the document as the “AHS,” or anonymous hosting service).

Marques’s defense lawyers said they received only “vague details” from the government, and that “this disclosure was delayed, in part, because the investigative techniques employed were, until recently, classified.”

Peter Carr, a Justice Department spokesperson, said the letter is “not in the public record.” The defense attorneys did not respond to questions.

Not-so-full disclosure

US government agencies regularly find software vulnerabilities in the course of their security work. Sometimes these are disclosed to technology vendors, while at other times the government decides to keep these exploits for use as weapons or in investigations. There is a formal system for deciding whether an issue should be shared, known as the Vulnerabilities Equities Process. This is meant to default toward disclosure, under the belief that any bug that affects the “bad guys” also has the potential to be used against American interests; an agency that wants to use a major bug in an investigation has to get approval, or else the bug will be publicly disclosed. US officials say the vast majority of such vulnerabilities end up disclosed so that they can be fixed, ideally increasing internet security for everyone. 

But if the FBI used a software vulnerability to find Freedom Hosting’s hidden servers and didn’t disclose the details, it could still potentially use it against others on Tor. This has observers concerned.

“It’s not uncommon to play these games where they hide the ball about the source of their information,” the EFF’s Rumold says.

Tor is free software designed to let anyone use the internet anonymously by encrypting traffic and bouncing it through various nodes to obfuscate connections to the original users. Users could include Americans sick of being tracked by advertising companies, Iranians attempting to circumvent censorship, Chinese dissidents escaping national surveillance, or criminals like Marques attempting to stay ahead of international police. The users are diverse in every way, but software vulnerabilities can affect all of them.

In a 2017 criminal case, the US government put the secrecy of its hacking tools above all else. Prosecutors chose to drop all charges in a case of child exploitation on the dark web rather than reveal the technological means they used to locate the anonymized Tor user. 

Freedom Hosting’s closure was the first in a series of stunning successes by international law enforcement that shut down some of the most high-profile criminal websites in history. 

Two months after Marques was caught, the free-wheeling marketplace Silk Road was shut down in another FBI-led operation. After facilitating at least hundreds of millions of dollars in sales, Silk Road became a symbol of the apparent invulnerability of the criminals inhabiting the dark web. Although it lasted less than three years, it was clear that Silk Road’s founder, nicknamed Dread Pirate Roberts, felt invincible. Close to the end, the anonymous figure was giving interviews to magazines like Forbes and writing political essays about his cause and the ideology behind it.

Then, in October 2013, Ross Ulbricht—a 29-year-old online bookseller—was arrested in San Francisco and charged with running Silk Road. He was eventually sentenced to life in prison, a punishment that far exceeds whatever Marques might receive at his sentencing date in May.

Freedom Hosting and Silk Road were just the most well-known dark web sites that were brought down by law enforcement despite the anonymity that Tor is meant to provide.

“We can’t have a world where a government is allowed to use a black box of technology from which spring these serious criminal prosecutions,” Rumold says. “Defendants have to have the ability to test and review and look at the methods that are used in criminal prosecutions.”