Pedophiles connecting to a concealed child pornography site got an unwelcome surprise last week, courtesy of the hacktivist group Anonymous. Lolita City, a child pornography site run on over a concealed “darknet,” has been taken down by Anonymous members, and account details of 1,589 users from the site’s database were posted as evidence.
The takedown is part of Anonymous’ Operation Darknet, an anti-child-pornography effort aimed at thwarting child pornographers operating on on the Tor network. Anonymous’ attack was focused on a hosting service called Freedom Hosting, which the group claims was the largest host of child pornography on Tor’s anonymized network. “By taking down Freedom Hosting, we are eliminating 40+ child pornography websites,” Anonymous claimed in its statement. “Among these is Lolita City, one of the largest child pornography websites to date, containing more than 100GB of child pornography.”
Based on a secure networking technology originally developed by the US Navy, Tor routes traffic through a collection of volunteer servers scattered across the Internet, making monitoring of what is being viewed or where communications are coming from difficult. The Tor network also hosts a private “dark” top-level domain, .onion (which is not an official TLD), via its Hidden Service Protocol; these sites are visible only to Tor users or those using a Tor gateway such as tor2web.org.
Because of its anonymity, Tor is widely used by individuals and groups seeking to communicate without being surveilled by authorities, employers, or eavesdroppers watching packets on public WiFi networks, as well as those wishing to visit websites anonymously without having their IP address recorded. According to the Tor Project’s own metrics, the service has recently been averaging over 400,000 users per day.
The Tor network was heavily used in Egypt earlier this year by dissidents to get around the Mubarak regime’s Internet shut-down, and is used by bloggers in Syria to communicate with the outside world. The network is also used by some who want to publish other sorts of material and conceal themselves from prying eyes, including pirated movie and software torrent publishers (which has made some Tor server providers the target of DMCA takedown notices). It's also attracted child pornographers and the pedophiles who are their customers.
However, as revealed last December, the anonymity offered by Tor isn’t foolproof. While the IP addresses of sites on the Tor network are concealed, they have a digital fingerprint that can be used to identify services hosted from a single location, and track visits to that site. And while it blocks some services that are typically used for denial of service attacks and other hacks within the Tor networks, such as UDP, .onion sites remain just as vulnerable to hacking as sites on the open Internet.
The Anonymous operation against Lolita City began on October 14, when members discovered links to child pornography on a .onion site called The Hidden Wiki. According to the group’s statement, Anonymous members removed the links, but they were reposted by a site administrator. Anonymous then moved to shut down the site with a denial of service attack. Additionally, the hackers matched the digital fingerprints of links on the site to Freedom Hosting. After sending a message demanding that the hosting service remove the content, Anonymous’ hackers were able to exploit the PHP site with a SQL injection attack and extract the user database before launching a denial of service attack. “The server was using hardened PHP with escaping,” Anonymous said in its statement. “We were able to bypass it with with UTF-16 ASCII encoding.”