At the end of last year, Mozilla hurriedly patched a zero-day vulnerability for Firefox that had been used against targets in the wild. Shortly after, Motherboard found that the related exploit had been deployed against visitors of a dark web child pornography site called The Giftbox Exchange, and sources said that a law enforcement customer had purchased the same exploit. The malware was supposed to reveal the real IP address of a site visitor.
Now it has emerged that Europol, the European Union’s (EU) law enforcement agency, is likely connected to an investigation into this website. The news highlights that as criminals continue to use anonymization technology such as Tor, investigators are increasingly turning to exploits and hacking tools in order to police the so-called dark web.
In December, Motherboard filed an access request with Europol for documents concerning The Giftbox Exchange, or Giftbox for short. On Thursday the agency said it had found two related files: a PowerPoint presentation and an operational document classified as EU Restricted. This classification is used to protect information which if disclosed could be “disadvantageous” to the goals of the EU, according to a document from the European Commission.
Europol refused to release the documents themselves, but the agency’s reasoning still gives context around the recent activity on Giftbox.
“The documents contain sensitive operational information intended for law enforcement use only, the disclosure of which would undermine the ongoing operations by the law enforcement authorities of the Member States and third countries in their fight against the sexual exploitation of children,” an email from Europol reads.
According to an entry on the Uncensored Hidden Wiki, a sort of encyclopedia for the dark web, Giftbox launched in July 2015, and had posts in English, German, French, Spanish and Dutch. The site allegedly had some 45,000 users at one point.
In November last year, someone deployed malicious JavaScript from Giftbox. This code, some of which is publicly available and which resembled code used by the FBI on a selection of other dark web child abuse sites, was designed to break through the protections of the Tor Browser and obtain a visitor’s real IP address. It was allegedly deployed after a user logged into the site, and Giftbox shut down shortly after the code was discovered. (According to the Uncensored Hidden Wiki entry, the site is still down.) Around the time of the attack, the payload of the malware pointed to an IP address of 5.39.27.226, a server in France hosted by OVH.
Two sources previously told Motherboard that Exodus Intelligence, a US-based research company, sold the exploit used on Giftbox to at least one law enforcement customer last year.
Europol assists the 28 EU Member States in criminal investigations, and on its website Europol points specifically to terrorism, money laundering, and organised fraud. It also highlights online radicalisation and human trafficking.
“The networks behind the crimes in each of these areas are quick to seize new opportunities, and they are resilient in the face of traditional law enforcement measures,” Europol’s website reads.
Europol has been part of other investigations into dark web child abuse. In February 2015, the FBI hacked over 8,000 computers in 120 countries, and obtained suspects’ IP addresses. Some of that information was then passed to Europol, who disseminated it to law enforcement bodies across Europe. According to a Europol presentation previously discovered by Motherboard, the agency generated over 3,000 cases from the hacking operation. When Motherboard has asked Europol for comment on this case, the agency has consistently directed all queries to the FBI, saying that the US law enforcement agency was the leader of the operation.
But that might not be the case for Giftbox. The FBI did not lead any investigation into the child abuse site, an FBI official told Motherboard.
A Europol spokesperson told Motherboard in an email, “As per the response provided by Europol regarding your public access request, we can confirm that the Agency identified two documents as falling within its scope, but we cannot go into details of any involvement in investigations surrounding this site. On a side note, please be informed that in accordance with its mandate, Europol does not conduct investigations but supports and strengthens operational activities of Member States.”
Update: This piece has been updated to include a statement from Europol.