That custom-built malware that's tracking down Tor network users? Turns out it might not be the FBI behind it after all. It looks like it might be the NSA.
After the Firefox JavaScript exploit was uncovered, there was a rush to figure out who was behind it. At first, that looked like the FBI. The IP address the malware phoned home to belonged to a defense contractor, and was geolocated near Reston, Virginia, near Arlington—the FBI's backyard. Given some of the content on the Darknet, and similar domestic stings for child pornography, it had FBI written all over it. But it turns out the specific IP address belongs to a block owned by the NSA.
As Ars points out, this could be someone being deeply incompetent and leaving the traceable IP address. Or it could be a calling card, the NSA letting Tor network users know that it is in the room, maybe meant to scare them off the privacy services entirely.
The malware itself collected geolocation data for individual users, instead of the typical username/password combo most malware goes for. That's one reason why everyone figured it was the FBI at first. The NSA being behind the curtain, though, doesn't mean the FBI won't get its hands on the data, though. The NSA admitted late last month that the agency shares its information with other organizations, like the DEA or FBI, for individual cases involving matters like drugs and child pornography.
So, that's where we stand. The NSA seems to be peeking its head into the deep internet, and it's bringing its friends, too. [Ars Technica]
Image via Shutterstock