
FBI's spyware-laden video claims another scalp: Alleged sextortionist charged

Fed's NIT punches through Tor anonymity shield

By Iain Thomson, 9 Aug 2017

The FBI’s preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims.

As we learned from previous investigations, the Feds have a network investigative technique (NIT) up their sleeve that can potentially identify folks using the anonymizing system Tor.

The NIT involves a specially crafted video file that, when downloaded and opened, causes the media player to ping an FBI-controlled server somewhere on the internet. If this happens, and if the surreptitious connection does not go through the Tor network, it will leak the public IP address of the user to the Feds. This information can be used to identify the person's ISP and, with a subpoena, the subscriber's identity, leading to their arrest.

In this case, the tool was used against Buster Hernandez, 26, who was charged on Friday with multiple counts of sexual exploitation of a child, threats to use an explosive device, and threats to injure. Hernandez, of Bakersfield, California, was allegedly running a five-year reign of terror by using Facebook to extort children to send him pictures of themselves naked.

“Terrorizing young victims through the use of social media and hiding behind the anonymity of the Internet will not be tolerated by this office,” said US Attorney Josh Minkler. “Those who think they can outwit law enforcement and are above being caught should think again. Mr Hernandez’s reign of terror is over.”

Using the name “Brian Kil,” Hernandez is accused of sending young Facebook users messages claiming he had compromising pictures of them and threatening to post them online unless the youngsters sent more nude snaps. He allegedly warned them that if they went to the police he would come after them – at one point threatening to blow up one victim’s school, prosecutors say.

In December 2015, the FBI were brought in after a year-long investigation by cops in Brownsburg, Indiana, where two of the victims lived. The police couldn't work out who Kil really was because he was using Tor to cover his tracks online, thus successfully remaining anonymous. One victim had been terrorized by Kil for 16 months, it is claimed. Every time Facebook shut down his account, Kil would reappear with a new profile, we're told.

When one of the girls finally refused to send any more pictures, Kil made threats against her school again via Facebook, saying: “I am coming for you. I will slaughter your entire class and save you for last.” He further made threats to law enforcement, declaring on the social network: “I will add a dozen dead police to my tally ... Try me pigs, I will finish you off as well.”

The threats caused two schools to be closed for the day. Kil told a second victim to go to public meetings about the threats, and relay to him any leads that were reported regarding Kil’s identity. He also bragged that investigators were inept.

“Everyone please pray for the FBI. They are never solving this case lmao,” he wrote. “Can’t believe the FBI is still wasting there (sic) time on this. I’m above the law and always will be.”

Oh, really?

Not so, it seems. On June 9, 2017, the Feds got a judge’s permission to deploy the NIT. Kil had ordered one of his victims to send him pictures and videos of herself and given her the address of a private Dropbox account to upload them to, so the NIT-laden video file was sent by the g-men to his cloud account.

The NIT reported the public IP address of Kil shortly afterwards, and an emergency subpoena was sent to the ISP Bright House Networks, who found it was registered to a woman in Bakersfield, California. Hernandez was registered as an occupant of the property.

On June 12, the FBI were authorized by another judge to put a tap on the internet connection for the house, and found that Tor was being accessed regularly from the property using the Bright House Networks pipe.

The agents got another court order on June 17, requesting surveillance of communications from the suspect's IP address. This showed an occupant was regularly accessing 4chan and looking at pornography on the picture sharing site Imgur, and they also intercepted images of some of the victims.

On July 19, the Feds installed a camera on top of a telegraph pole outside the house. A review of the footage four days later showed a woman leaving the home every morning at 7am and coming back at around 7pm. Hernandez was also spotted entering and leaving the house.

A review of the bugging records showed that the Tor internet sessions started almost as soon as the woman left the house. Once they had collected all the data, the Feds moved in and made their arrest. Hernandez was, as we said, charged this month.

“This was a unique and complex investigation that highlights the tenacity, perseverance, expertise and dedication of the FBI Indianapolis’ Crimes Against Children Task Force and was a top priority. Innovative techniques were utilized, solutions to roadblocks created and partnerships with key private sector partners were developed,” said Jay Abbott, Special Agent in Charge of the FBI’s Indianapolis Division.

“I stood in front of concerned parents and community members and told them we would find the person who had been victimizing these young girls and, with the tireless work of our agents and partners, we never gave up.”

If convicted, Hernandez is facing a mandatory minimum sentence of 15 years in prison, with a maximum of 30 years inside. ®
