Operation Torpedo

Operation Torpedo was a 2011 operation in which the Federal Bureau of Investigation (FBI) compromised three different hidden services hosting child pornography and then used them to deliver a network investigative technique (NIT) to anyone who happened to access them.

Investigation History
The operation started after Dutch law enforcement compromised a hidden service called PedoBoard and found that it was physically located at a Nebraska web hosting company. The ensuing FBI investigation found that an employee, Aaron McGrath, was operating two child pornography sites at his work and one at his home. After a year of surveillance, the FBI arrested McGrath and took control of his three sites (PedoBoard, PedoBook, TB2) for a two-week period starting in November 2012.

Methodology
The FBI seized access to the websites after McGrath's arrest and continued to run them for a two-week period. During this time the websites (onion services) were modified to serve up a NIT in what is termed a "watering hole attack", which would attempt to unmask visitors by revealing their IP address, operating system and web browser. The NIT code was revealed as part of the case USA v Cottom et al. Researchers from the University of Nebraska at Kearney and Dakota State University reviewed the NIT code and found that it was an Adobe Flash application that would ping a user's real IP address back to an FBI-controlled server, rather than routing their traffic through the Tor network and protecting their identity. It used a technique from Metasploit's "decloaking engine" and only affected users who had not updated their Tor web browser. An investigation by The Daily Dot claimed that the NIT was created by Matthew Edman, a former part-time employee of The Tor Project and Vidalia developer, and was internally known as "Cornhusker".

Results
The NIT was successful in revealing approximately 25 domestic users as well as numerous foreign users. The U.S. Department of Justice noted in December 2015 that besides McGrath, 18 users in the United States had been convicted as a result of the operation. One user caught by the NIT had accessed the site for only nine minutes and had since wiped his computer, yet a police search of his home and digital devices a month later found, through digital forensics, image thumbnails indicating the past presence of downloaded child pornography, as well as text instructions on accessing and downloading child pornography. Another user was unmasked through his messages with an undercover FBI agent; this user turned out to be Timothy DeFoggi, who was at that time the acting director of cybersecurity at the U.S. Department of Health and Human Services.