FBI Unmasked CP Website User Using Spyware

Posted by: Benjamin Vitáris

October 5, 2015

Do you remember Luis Escobosa? He was caught accessing and downloading pictures and media files from several child porn websites. The FBI arrested the Staten Island man last Friday; the interesting part, however, is not the arrest itself but that the FBI has disclosed how it caught the CP user.

A huge website (PlayPen) with almost 215,000 users was seized by the FBI in March 2015. Before finally taking the site down, however, the feds loaded spyware onto it and kept PlayPen running for a few weeks to track and trace the site's users. Luis Escobosa was busted by the FBI using this technology; the man has already admitted that he used these kinds of websites, but what he did not know was that the FBI was running a hidden server that pushed spyware to his computer while he was using PlayPen.

Spyware has been used by the FBI for a while. The court documents in the Luis Escobosa case do not tell us much about the bust itself, but the feds have made good use of spyware before. According to court documents from other cases in which NITs (network investigative techniques) were used, the software was developed by white hat hacker HD Moore and was bundled in the Metasploit Decloaking Engine.

The spyware works like this: a file, typically a Flash file, is hosted on the seized child porn website and sent to users' web browsers when they visit the hidden service via Tor. The Flash file runs in Adobe's plugin and establishes a direct connection to an FBI-controlled server on the public internet without going through Tor. Once that connection has been made, the feds can in most cases read off the user's real IP address and identify the user of the CP website.
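The weakness the article describes is a browser plugin opening a socket that does not pass through Tor's local SOCKS proxy. As an added example from the defender's side (not code from the article, the FBI tooling, or the Metasploit engine), the following script checks constructed per-connection records from a Tor Browser machine and flags any connection from a browser or plugin process that is not going to the local Tor listener. The process names, the SOCKS port 9150, and the record format are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Assumptions (not from the article): Tor Browser's SOCKS listener, and the
# process names that are only allowed to reach the network through it.
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCS = {"firefox", "plugin-container"}

# Constructed sample records in the form "<process> <dst_ip>:<dst_port>",
# the kind of data an endpoint agent or post-processed `ss -tnp` output gives.
SAMPLE_LOG = """\
firefox 127.0.0.1:9150
tor 198.51.100.5:9001
plugin-container 203.0.113.10:443
firefox 127.0.0.1:9151
"""


def parse_line(line: str) -> Tuple[str, str, int]:
    """Split one record into (process, destination IP, destination port)."""
    proc, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return proc, ip, int(port)


def is_tor_bypass(proc: str, ip: str, port: int) -> bool:
    """True when a browser-side process opens a socket that does not go to Tor.

    Loopback destinations are tolerated (SOCKS and control ports); any other
    destination from a browser or plugin process is the direct, non-Tor
    connection the article describes and leaks the real client address.
    """
    if proc not in BROWSER_PROCS:
        return False
    if (ip, port) == TOR_SOCKS:
        return False
    return not ipaddress.ip_address(ip).is_loopback


def find_bypasses(log: str) -> List[Tuple[str, str, int]]:
    """Return every (process, ip, port) in the log that bypasses Tor."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        proc, ip, port = parse_line(line)
        if is_tor_bypass(proc, ip, port):
            hits.append((proc, ip, port))
    return hits


if __name__ == "__main__":
    for proc, ip, port in find_bypasses(SAMPLE_LOG):
        print(f"TOR BYPASS: {proc} -> {ip}:{port}")
```

On a real host the same rule is better enforced than detected: a packet filter that only lets the tor process reach the network makes the plugin's direct connection fail instead of merely being logged.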

In Escobosa's case, the spyware reported back that he was using a computer in Staten Island connected via Verizon's fiber service. After obtaining his home address from the internet service provider with a subpoena, FBI agents got a search warrant and seized the man's computers in late June.

According to investigators, Escobosa thought he kept no copies of illegal content on his PC, but agents found 115 child sex abuse images stored in the thumbnail cache of his Tor browser, plus logs of IRC chats with other users of child porn websites. After his arrest Escobosa at first said nothing and demanded a lawyer, then admitted to the feds that he had surfed websites looking for CP images.

Updated: 2015-10-05