Facebook helped the FBI identify a Tor user in 2017, they paid a cybersecurity firm to take advantage of a zero-day exploit in the Tails operating system.
Buster Hernandez, was known online as “Brian Kil,” he notoriously coerced high school-aged girls who sent him sexually explicit pictures and videos. According to records from the court, Hernandez coerced these teenagers from 2015 to 2017. However, during the FBI investigation that lead to his arrest, none of the victims were minors. The child pornography charges applied to content received from January 2016, indicating that his victims were 16 or 17 years old at the time. (Note: some news articles have different timelines than the criminal complaint but it appears as if his victims all stopped being minors long before the police arrested Hernandez. Additionally, he seemingly targeted high school-aged girls in general as some of them were not minors when he contacted them.)
Hernandez, tcreated hundreds of Facebook profiles created through Tor, he sent messages to three teenage girls who went to a high school in Plainfield, Indiana. The messages generally followed the pattern below:
“Brian Kil” contacted random individuals (typically minors) by sending private messages that said, for example, “Hi [Victim Name], I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?” If the teenager responded, Hernandez would demand additional pictures or videos and threaten to distribute the ones in his possession if the girl refused to comply.
Hernandez mocked Facebook employees, the FBI and local law enforcement in some of his posts. Investigators never received anything but the I.P. addresses of Tor exit nodes when trying to get information on “Brian Kil” from Facebook, email providers, and related services.
Facebook Hired a cybersecurity firm
Facebook decided to hire a cybersecurity firm to help the FBI identify Hernandez. They paid a cybersecurity consulting firm six figures to create a hacking tool that took advantage of a vulnerability in the video player that shipped with the Tails operating system. The cybersecurity firm’s tool, which they worked with a Facebook engineer to create, seemingly created a piece of malware disguised as a video file. When a Tails user attempted to view the video, the malware sent the user’s real I.P. address to a server controlled by the cybersecurity firm (or, at the end of the investigation, to a server controlled by alphabet boys).
Facebook gave the hacking tool to a third party who then passed it to the FBI.
In 2017, the FBI obtained authorization from a judge to deploy the Network Investigative Technique (NIT). The FBI described the file as a real video file with the malware attached to it.
Sources from Facebook told Motherboard that they justified their involvement in the creation of a hacking tool because of the type of crime Hernandez had committed. The defendant pleaded guilty to 41 charges, including Production of Child Pornography, Coercion and Enticement of a Minor, and Threats to Kill, Kidnap, and Injure. Additionally, Facebook employees said that an upcoming Tails release had removed the vulnerable code from the video player.
A Spokesperson from Tails told Motherboard that, at the time, they “didn’t know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.”