The FBI paid Hacking Team to identify Tor users

Documents leaked online after the Hacking Team data breach revealed that the company supported the FBI in the investigation on Tor users.

While the security experts are continuing to analyze the impressive amount of data stolen from the Hacking Team, new revelation are circulating over the Internet.

Among the clients of the Italian security firm, there is also the FBI that acquired the popular surveillance software from the company. The experts discovered that the FBI paid the company to de-anonymize Tor users.


The FBI has spent nearly $775,000 on services and tools provided by the Hacking Team, internal emails confirm that the Remote Control System (RCS) tool was used by the law enforcement agency as a sort of “back up” for some other systems it ordinarily use.

“The FBI unit that is using our system seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they use.  They seem likely to renew, but they spent this year’s budget money on something else (so as not to lose the allocation).  There is a possibility of extra money freeing up on September” continues the content of the leaked email.

According to a series of emails exchanged between the company representatives and the FBI, the US law enforcement agency in September has bought the last version of the Remote Control System (RCS), aka Galileo. According to the company Galileo has the ability to reveal the IP address of a Tor user.

The FBI was in possessing only of the proxy IP address of the targets to infect that are using Tor to mask their IP. The FBI wanted to infect the suspect’s machine by forcing the download of a malicious file. The attack scenario starts with a classic spear phishing attack that relies on malicious attachments.

“We’ll need to send him an email with a document or PDF [attachment] to hopefully install the scout [Hacking Team’s software],” the FBI agent wrote in the email.

Once the victim is infected, it was a joke for RCS software to reveal the user’s IP address.

“if he is using TBB you will get the real IP address of the target. Otherwise, once the scout is installed…you can inspect from the device evidence the list of installed programs” states an FBI agent.

Internal emails confirm that the investigation conducted by the FBI were advantaged of Hacking Team’s service to de-anonymize Tor users.

“[The FBI] continue to be interested in new features all the more related to TOR, [virtual private networks] VPN and less click infections,” the same FBI agent said in other emails“In the past their targets were 20 per cent on TOR, now they are 60 per cent on TOR.”

Pierluigi Paganini

July 17, 2015

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...