Freedom Hosting 2: Conclusion

In this fourth and final post in the series, I will point out some remarkable items that didn’t fit into the more general analyses of the previous articles. I will also mention a few avenues of investigation that didn’t pan out. Finally, I will try to pull all of these loose threads together into some final conclusions.

Unclustered Sites

In the first post of this series, I used a clustering technique to identify sites that seemed to be running similar software. Then I was able to analyze all of the similar sites in a single pass in the second and third posts of the series, saving a lot of time compared to analyzing each site individually.

Although many sites belong to a large cluster, roughly half of all the sites belong to a small cluster or no cluster at all. I don’t want to review hundreds of these sites by hand, but I also don’t want to overlook any sites that might have interesting data… what to do?

MySQL offers a relatively straightforward solution: the information_schema contains metadata about all of the databases on the server so I can query for sites with interesting metadata. Many of these sites were set up and then never really used, which would cause them to have a lot of empty or small tables. I queried MySQL to show me all of the tables on the entire server that have at least 100 rows of data.

+--------------------+--------------------------+------------+
| table_schema       | table_name               | table_rows |
+--------------------+--------------------------+------------+
| 22vm7e2rbrc4mna6   | wp_options               |        132 |
| 236ugk7dsvshvfaw   | wacko_config             |        156 |
| 236ugk7dsvshvfaw   | wacko_cache              |        577 |
| 236ugk7dsvshvfaw   | wacko_acl                |        420 |
| 25fe6zdtumtx3n3k   | wp_options               |        113 |
| 26byhjxf6hhajvuz   | countries                |        206 |
| 2fddoesfroveovke   | phpbb_user_notifications |        184 |
| 2fddoesfroveovke   | phpbb_sessions           |        759 |
...snip...
| zwov6knqgdhfw2mq   | phpbb_qa_confirm         |        191 |
| zwov6knqgdhfw2mq   | phpbb_modules            |        206 |
| zwov6knqgdhfw2mq   | phpbb_migrations         |        168 |
| zwov6knqgdhfw2mq   | phpbb_config             |        296 |
| zwov6knqgdhfw2mq   | phpbb_acl_roles_data     |        409 |
| zwov6knqgdhfw2mq   | phpbb_acl_options        |        122 |
| zwov6knqgdhfw2mq   | phpbb_acl_groups         |        130 |
| zxhopaxquuwbriwj   | mybb_templates           |        868 |
| zxhopaxquuwbriwj   | mybb_settings            |        278 |
| _fhosting          | sql                      |      15360 |
| _fhosting          | ftp                      |      15246 |
| _fhosting          | domains                  |      14261 |
+--------------------+--------------------------+------------+
2240 rows in set (10.65 sec)

This results in over 2,000 tables, but many of these tables match patterns I already know about. For example I can remove all of the phpbb_ and mybb_ tables, since I already reviewed those in my post about forums on Freedom Hosting 2. After filtering out several categories like that, I whittled the list down to about 800, which seems like a reasonable number to eyeball.

Some of the resulting tables have obvious meanings, such as zen_products_description. Some of the names are eye-catching (one table is called xxx—but it’s just a list of usernames) and others sound very boring (e.g. qa_words). I looked at each group of tables and quickly tried to guage if there might be something there. If so, I investigated it further by looking at data in that table and the other tables on the same site. The rest of this article covers the noteworthy finds.

Advertising & tracking

The site ggoenh4wlsbzxpki runs a web analytics package that includes advertising and engagement metrics. It’s basically Google Analytics for the dark web! This particular site was running ads for a site called “The CC Buddies”, which is another site on FH2. It’s not clear to me how ad tracking would even work inside the Tor browser, since the Tor browser isolates third party cookies by default. This database does include clickstream data for its ads, however, showing us what ads users clicked on, when they clicked them, and what URLs were being advertised!

Here’s an example of the event data collected by this site:

[
    {
        "timestamp": 1457016616,
        "event_type": "dom.movement",
        "cursor_x": "1343",
        "cursor_y": "2171"
    },
    {
        "timestamp": 1457016616,
        "event_type": "dom.movement",
        "cursor_x": "1431",
        "cursor_y": "2153"
    },
    {
        "timestamp": 1457016616,
        "event_type": "dom.click",
        "dom_element_name": "(not set)",
        "dom_element_value": "(not set)",
        "dom_element_id": "(not set)",
        "dom_element_class": "(not set)",
        "dom_element_tag": "BODY",
        "page_url": "http://nkna77c37nculpeh.onion/index.html",
        "page_width": 1600,
        "page_height": 789,
        "html_element_text": "",
        "dom_element_x": "0",
        "dom_element_y": "0",
        "click_x": "1452",
        "click_y": "2149"
    },
    ...

This event data tracks things like when the user moved their mouse and what items they clicked on. This type of extensive tracking is common on the open web, but I was really surprised to find this happening on the dark web, where privacy is supposed to be protected at all costs.

There are also referrers in this dataset, i.e. sites that sent traffic to one of the tracking domains. This next example shows somebody searching for “paypal cc” on Torch (a Tor search engine), getting a result for “The CC Buddies”, and then clicking that link.

id: 267705315
url: http://torchtorsearch.com/index/search/0-4?q=paypal+cc&x=0&y=0
site: torchtorsearch.com

Here’s an example where a user searches for “the cc buddies” on Bing (!) and clicks through to their dark web site (apparently via a Tor2Web bridge like onion.to).

id: 1075372074
url: http://www.bing.com/search?q=the+cc+budies&qs=n&form=QBRE&pq=the+cc+budies&sc=0-17&sp=-1&sk=&cvid=65E
5BFCDFC044BC089DB8C5E41DA7227
site: www.bing.com

The next referral comes from SIGAINT, which was an anonymous, Tor-based e-mail service. This log entry shows a user browsing their sent mail and clicking a link to The CC Buddies.

id: 1083987900
url: http://sigaintevyh2rzvw.onion/mail/src/read_body.php?mailbox=Sent&passed_id=1&startMessage=1
site: sigaintevyh2rzvw.onion

I didn’t realize that the Tor browser transmits referer data until I found this! This is definitely a surprising violation of the privacy I would expect in Tor browser.

To make a loooooong story short, the web analytics for an illegal dark web site are extremely engrossing (to me, at least) but I’ll move on to the next topic.

Bengali Covert Channel

The site kmbpe4qmbmsb2juv is very curious. It is a phpBB forum, but I ignored during my earlier forum analysis because it has zero posts. It caught my eye when I was looking at table sizes because despite having zero posts and the name “Demo”, it contains 132 private messages. This is strange, to say the least. My guess is that this site was set up as a covert channel for private communications. It was made to look like an inactive site to anybody who happened to wander across it, but for those in the know it was a place to exchange sensitive messages, many of which are written in Bengali.

The private messages have subject lines like these:

Some of the posts are written in Romanized Bengali and others in Bengali script. (The name of the table itself is tebol_privmsgs, and “tebol” is the Romanization of the Bengali word for “table”.) Islam is one of the frequently mentioned topics, but the other topics are harder to discern. Many messages appear to have been deleted.

Unfortunately, the message bodies appear to be encoded, and I was not able to determine how to decode them. Here’s an example of the “Important Directives” mesage:

         msg_id: 114
message_subject: ""JORURI DIK_NIRDESHONA""
   message_text: hQIMAy8fNizE8D+IAQ//XApdnQKNIGDf6PV/B8/re/sximUerKp+uQGjpETcHHHw
wM6+rsZHe1QP3cMMqc0CF4YGfNiDRI6d6Ab2GHd3Rgm+GI4RguM98BsxUkWnVwub
Nh+dqpecKnGZ0bfhONhExq0FoB0A3+ZsskzF6c/2NPERFSgoA8XGYECGhv9GllGN
BglyNzwH+fOiARn65hUQMcPCe8+58VwRcCI33OPDOk+qAGFeuAAiX6Lk/G1oB18b
gp7IqIFEeb/Qv2xQS3ZDbh1x6/lxhCNYds+et21zv89NceEYjdyp/+29SwZXH9+7
...snip...
Fyw7O4BQobn8KNnowja9s5XiEBEsI8/RlS6RmVf5NFYPhmrJ0A9KQHLQsNVrs6R7
erg2XO2d/F43TKXZWfmnsHUq2eSgXElmEFwrrz9TAApfNPeXpWY16JRMJ1Au1Gdh
lBeKltW0ZY3i0fD957PIHtrqTMaPWSOoXpYd3xQvmi2QfKPMs9txYl8pQjKg9MZF
x4i2wX58
=lTGs

My guess is that some type of external encryption is being used and then base64-encoded. Some of the messages have more than 2 parties, i.e. there may be 3 or 4 accounts on a message thread. The accounts have vague names like bitekiller, ccleaner, and eraser. I have to admit, this site has left me scratching my head. I really don’t know what to make of it. (If you have some ideas, reach out to us on Twitter!)

Dead Ends

Before I get into the worst part of this material, I want to briefly mention several lines of investigation that did not pan out and a few surprises about what I didn’t find in this data.

Despite identifying several chat websites in this dataset, I was surprised to find that none of the chat sites are very big. There are a couple sites with 100-200 users and 1000-2000 posts that appear to have operated for a short time and then went into disuse. I had planned to dedicate an entire post to chat rooms similar to the post on forums but I didn’t find enough compelling material to write an entire post about it.

I also expected to find more marketplaces. Although there are a few markets present, they tend to have more listings than actual users—or sales. I suspect that savvy marketplaces doing lots of illicit business recognize that trusting a third party to provide infrastructure is risky. You’re trusting them not to conduct surveillance on you. You’re trusting them not to hand over your data to law enforcement. You’re trusting them to have good security and not get hacked and leak your data to the public. (Oopsie.)

Overall, I suppose the thing that surprises me most about FH2 is just how little activity there really is. When we throw out all of the tiny sites, all of the unused sites, and all of the sites overrun with spam, we can see that there are only a few sites with any significant amount of activity.

Out of the small number of sites that were very active, there is one clear theme that emerges. The rest of this post explores that theme.

Search Engine

The most revelatory site in this entire data set is oqc2m77eiwp3sbkp, which is a dark web search engine. This engine had indexed 4,061 dark web sites, including onion name, title, and description. The site allowed users to find onions by searching for keywords, and it logged each search that was made. The top 25 searches are:

These results indicate that the search engine was mostly used to locate illicit or illegal dark web sites, overwhemingly child exploitation.

The search engine also keeps track of which search results users clicked on on in the search results, so we can see which sites were most popular. (Keep in mind that this search engine covers the entire dark web, not just Freedom Hosting 2.) These are the top 25 sites:

This data also suggests that child exploitation content was one of the main objectives of search engine users. Note that the third most popular site, bw67bvmjmwgiw4oc, is one of the FH2 sites contained in the dump, but it does not contain any database tables. It could be that the site was a scam, or it could be that the site was only serving static files. Given the site’s popularity, I lean towards the latter explanation. It suggests a fairly simple website that—unlike forums that depend on user participation—would have been created and maintained by a small number of individuals.

This search engine was apparently a business: it contains two advertisement banners. (This is one of the few instances in which images are available in the database dump; these images were stored in binary fields in the database.)

These images are a bit corrupted, so they are cut off at the bottom. This must not have been a great business: the two ads received 162 combined clicks. The search engine also featured an onion listing with various categories that was much more popular than the search engine, receiving 7x more visitors.

Human Trafficking

One of the most alarming sites is an apparent marketplace for human sex trafficking called ffcos5cxbswsl4yr. I cannot tell if this is a legitimate site or a scam. On the one hand, the site requires payment in a cryptocurrency called “hungercoin”, which appears to be a scam in itself. The site also requires high up-front payments before even beginning negotiations.

On the other hand, the data shows two completed orders, one in London in 2015 and another in Denver, Colorado in 2016. A few days after the 2015 order, a user with the same name complained to the “customer support” that he got cheated:

paulperv2: It was bad enough you let me down and did not deliver now you take the acount and cheat me on money.

paulperv2: I was a fool to belive you.

The other user who purchased did not lodge a complaint, however.

There are two more accepted payments from a user named redseven who was also in contact with the site’s customer support. Here’s a small snippet from a long conversation so you can see how depraved this site is:

redseven: I wanted to ask if you could supply a girl in Canada in the Vancouver Area. But I’m also prepared to buy a girl completely, underage youngest you can get? I can pay up to 20,000US or CDN Dollars for a girl depending on age, will be cash on delivery. I’m serious, not playing a game. Thanks.

admin: We can sell you a girl, you choose her age. The price is not very different. A girl of 15 years old costs 25,000 USD approximately. Just tell us the age you want and we send the final price.

I have no way of knowing if this is a scam, or maybe even a law enforcement sting, but it does look like a significant amount of money (~$2,000) was sent from this user to the site, and they exchanged some documents using some file sharing links that have since expired.

Tox Directory

Tox is a Tor-based chat system that allows anonymous texting and video calls. One of the sites I found is called toxdirskqkvuogte, and as its onion name suggests, it is a directory where Tox users can meet each other. There’s nothing inherently evil about this idea; it’s sort of like taking out a personal ad and listing your phone number.

This site, however, has a distinct focus on child exploitation. Each user can post their Tox ID so that others can reach them, but they can also post messages describing what their interests are, even posting photographs of themselves or things they are interested in. These are almost 3,000 messages from users like this, and almost all of them are inconceivably offensive. Here are a few of the least offensive messages (relatively speaking, of course) that convey the purpose of this site.

breaker: Experienced pedophile with girls and boys. Pedomoms welcome real only please

pandoratect888: Want to talk to other childlover online ! all subject, open to all conversation ! Add me on tox

Cozzie: Im 26 yo pervert with 25 yo wife who knows about my preferences

Most of the messages are more horrifying than these, and there were also over 1,000 photos posted with names and descriptions that sound even worse. (None of the images are included in the database dump, but image metadata is present, e.g. file names.) Presumably, these users make introductions on this site and then switch over to using Tox for private chats and video sessions.

The entire site appears to be coded from scratch to facilitate child exploitation, including database tables that include fields like what ages users are attracted to, which countries they are willing to travel to, what “interests” users have, and even warning labels about dangerous users. The following SQL query shows the top 10 thing that users listed as an interest (each user can select multiple interests).

MariaDB [toxdirskqkvuogte]> select count(*), i.name from td_interests i
inner join td_properties_interests pi on pi.int_id = i.id
inner join td_properties p on p.id = pi.prop_id group by i.name order by 1 desc limit 10;
+----------+-----------------------+
| count(*) | name                  |
+----------+-----------------------+
|      950 | Girls                 |
|      786 | Have sex (with child) |
|      768 | Chatting              |
|      663 | Meet in-person        |
|      625 | Moms                  |
|      605 | Pussy (hairless)      |
|      560 | Blowjob               |
|      553 | Virgins               |
|      548 | Pussy (tight)         |
|      491 | Sluts                 |
+----------+-----------------------+
10 rows in set (0.07 sec)

A system for labeling users based on reputation seems to have been created but never actually used:

MariaDB [toxdirskqkvuogte]> select id, name from td_attributes;
+----+--------------------------------------------+
| id | name                                       |
+----+--------------------------------------------+
|  1 | Confirmed Person as Real                   |
|  2 | Confirmed Have Access to Child(ren)        |
|  3 | Confirmed Have Dog                         |
|  4 | Confirmed Have Horse                       |
|  5 | Confirmed Have Sex-toys (dildo, vib, etc.) |
|  6 | Confirmed Child-porn Producer              |
|  7 | Confirmed Site Staff Member                |
|  8 | Confirmed Pregnant                         |
|  9 | Labelled as DANGEROUS                      |
+----+--------------------------------------------+
9 rows in set (0.00 sec)

MariaDB [toxdirskqkvuogte]> select count(*) from td_properties_attributes;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)

Image Boards

As I have established in this post as well as earlier posts in this series, child exploitation is a serious problem on the dark web. While examining these stand-alone sites, I found 3 sites that are image sharing boards for child exploitation multimedia. An image sharing board is simply a place where people can post images, and some of them have the ability to vote or comment on images. On the light web, there are plenty of social image sharing sites like Imgur or TinyPic, but these light web sites police their users aggressively to remove illegal content.

The first dark web image board is 46vnnzhzwdvfe774, which is called “El Paraiso Kiddo” (Kiddie Paradise). It had 46,444 users and 8,965 images posted. (The images were not included in the database dump, but we can infer their existence from image metadata such as filenames.) This site allowed users to vote on photos and leave comments, so it has extremely detailed data about which users were viewing each image. The second image board is gxmrzk2s56oxzb3e, which doesn’t have a name stored in the database, but it has 636 users and 7,699 images posted with comments in three different languages: English, Spanish, and German. The third image board is qu3luqplnrd664z5, called “7chan”. It had 1,250 users and 2,983 images posted.

What do these numbers mean? 30,000 images—most of which indicate child sexual abuse—is simply a staggering number. To put it in contrast: out of all the sites that met the criteria I described at the outset, only three of those were image sharing boards. All three of those image boards deal specifically with child exploitation.

FH2’s terms of service stated:

We have a zero tolerance policy to child pornography.

My analysis indicates that this policy was not enforced in the slightest. To the contrary, the operator of this site was at best negligent and at worst complicit in the distribution of child exploitation materials. In this regard, Freedom Hosting 2 follows in the same tracks as its predecessor Freedom Hosting, an earlier operation that was taken down by the FBI. The operator of Freedom Hosting was extradicted to the U.S. earlier this year, but the operator of Freedom Hosting 2 remains at large.

Conclusion

This post tackled some very difficult material. I have tried to remain objective about FH2, treating it as a dataset and trying to keep a personal distance from it. It is easier to ignore unpleasant facts than it is to confront them, but I believe that confronting them is necessary. If you have read this far, thank you for sticking with it.