Elaborate Anonymous Sting Snags 190 Kiddie Porn Fans

Some of the internet's sleaziest users must be freaking out today, having been outed by Anonymous as visitors to child porn forums. Vigilante Anonymous hackers are taking their war on underground kiddie porn to a new level by posting the IP addresses of people they claim are pedophiles.

Anonymous has been waging a month-long campaign to rid the digital underground of child porn called OpDarkNet. So far, their attacks have been limited to taking down forums and websites where pedophiles trade child porn on a shadow internet known informally as the "dark net."

But now the hackers say they're sick of waiting around for law enforcement to act against the users of those sites. "They'll take forever… due process for some of these guys are so weak," one hacker told us in a chat room. "The best way for Law Enforcement to react is for us to release it. They can chose to follow or not."

The list of 190 IP addresses posted by Anonymous today is the product of an elaborate sting—nicknamed "Paw Printing"—that wouldn't look out of place in an FBI investigation. Thanks to some quick coding and strategic planning, Anonymous hackers were able to trick visitors to a popular kiddie porn forum into downloading bugged software which tracked their every move for 24 hours.

Here's how it went down: The pedophiles on the dark net use the anonymizing network Tor to hide their tracks. Earlier this month, OpDarkNet learned of an upcoming update to Tor about a week before its release by hanging out in the chat room used by Tor developers. They realized the update would be a perfect opportunity to set a trap.

Tor users "are very scared about Tor being hacked," one OpDarkNet hacker told us, so they'd rush to install any software update if they thought it would patch a critical security hole. Their confidence must have been shaken with the recent attacks against the dark net by Anonymous, as well.

Elaborate Anonymous Sting Snags 190 Kiddie Porn Fans

In a 24-hour coding frenzy, OpDarkNet created a booby-trapped version of a popular browser plugin used to connect to Tor. With the normal version, a user's traffic is sent to many different Tor "nodes" in a way that obscures their internet activity. But the booby-trapped version was programmed to send all the traffic to a node controlled by OpDarkNet—a honey pot. OpDarknet could then log all the traffic to their server and pinpoint the IP addresses of Tor users who thought they were hidden.

On the day of the legitimate Tor update, October 27th, OpDarkNet hackers advertised their bogus update on a popular undeground child porn directory called Hard Candy. "DUE TO RECENT SECURITY ISSUES CAUSED BY ANONYMOUS AND FRENCH RESEARCHERS, PLEASE INSTALL A UPDATED TOR CLIENT LOCATED HERE," they wrote. According to the OpDarkNet hacker, 190 people downloaded their bugged plugin. OpDarkNet then logged the users' internet traffic for 24 hours with a program nicknamed "Whiny da Pedo," revealing their IP addresses, and tracking their visits to underground child porn forums.

The logs we've seen are incredibly detailed, tracking users' visits not just to the Lolita City child porn forum we wrote about earlier, but to Facebook and Twitter as well. According to a map of the addresses released by OpDarkNet, users all over the world were snagged by the sting—but the majority were in the U.S.

Nick Mathewson, a Tor developer, said such a sting would be possible. "We seriously recommend that users who want our actual software get it from our website... not from some random third party," he said.

The OpDarkNet hackers say they've tried to contact Interpol and the FBI with the IP addresses, but their hope that law enforcement might follow up on the tip seems misplaced. A European Commission official told the political site NewEurope that authorities take "note of the role played by Anonymous," but "removal of child pornography sites should be organised through properly co-ordinated law enforcement." It's no surprise that Interpol and FBI would be wary of any evidence offered up by a group that usually is on the other side of their investigations.

As for the people whose IP addresses are now publicly linked with child porn—we imagine they're busy finding the nearest swamp to bury their hard drives in. After rumor of the sting hit the dark net, an administrator added this note to the top of the Hard Candy forum that had been targeted:

"If you were stupid enough to install the recently linked Tor button 'update'... then your anonymity has no doubt been compromised. As a result you should consider running anti-virus/malware programs and/or fully wiping your hard drives."