Freedom Hosting was the largest Tor hidden service hosting provider until its takedown in August 2013. Operating since approximately 2008, it hosted an estimated half of all Tor hidden services at its peak. The FBI exploited a Firefox vulnerability to deploy malware that identified users, marking the first known government use of browser exploits against Tor users at scale. This case established precedents for government "Network Investigative Techniques" (NITs) that continue to shape law enforcement approaches to anonymity networks.
DarkWiki Background
According to DarkWiki documentation, Freedom Hosting was founded around 2008 and quickly became the dominant hosting provider for Tor hidden services. The service was attractive because it offered:
- Reliable uptime — Professional-level hosting rare in the .onion space
- Easy setup — No technical knowledge required to host sites
- Affordability — Low-cost plans paid in Bitcoin
- Anonymity — No identity verification for customers
DarkWiki records show that by 2013, Freedom Hosting hosted thousands of services including TorMail (anonymous email), legitimate forums, and unfortunately, significant amounts of illegal content. The FBI estimated it hosted approximately 50% of all Tor hidden services at the time of takedown.
DarkWiki Documents: Notable Hosted Services
DarkWiki sources indicate Freedom Hosting's infrastructure supported a wide range of services:
- TorMail — The largest anonymous email service on Tor, used by journalists, activists, and criminals alike
- HackBB — Popular hacking forum
- Tor-based image boards — Including both legal and illegal content
- Hidden Wiki mirrors — Directory services
- Various marketplace forums — Predecessors to modern darknet markets
The legitimate services hosted on Freedom Hosting became collateral damage in the takedown, with TorMail users losing access to years of communications.
DarkWiki Analysis: The Malware Attack
This DarkWiki article examines how on August 4, 2013, every site hosted on Freedom Hosting began serving a malicious JavaScript payload. Security researchers quickly identified and analyzed the code:
- Vulnerability: CVE-2013-1690 — Firefox 17 ESR memory corruption bug
- Payload type: Shellcode execution via JavaScript heap spray
- Data collected: Real IP address, MAC address, Windows hostname
- Exfiltration: HTTP POST to 65.222.202.54 (Verizon Business, Virginia)
- Affected browsers: Firefox 17 ESR (Tor Browser Bundle's default at the time)
DarkWiki investigators note the exploit was sophisticated but narrowly targeted — it only worked on Windows machines running the specific vulnerable Firefox version. Linux and properly updated systems were unaffected.
How the Exploit Worked
- User visited any Freedom Hosting site
- Malicious JavaScript loaded in hidden iframe
- Heap spray attack triggered memory corruption
- Shellcode executed with browser privileges
- Code collected system identifiers
- Data sent to FBI-controlled server
- No persistent malware installed — single data collection
DarkWiki Profile: Eric Eoin Marques
According to DarkWiki research, Eric Eoin Marques, a 28-year-old dual Irish-American citizen, was arrested in Dublin on August 4, 2013 — the same day the malware attack began. The FBI described him as "the largest facilitator of child abuse on the planet."
DarkWiki Documents: Investigation and Arrest
DarkWiki records show the investigation leading to Marques's identification took years and involved:
- International cooperation — FBI, Irish Garda, French authorities
- Financial tracking — Following hosting payments
- Technical analysis — Correlating server activity with online presence
Legal Proceedings
Marques fought extradition for years, making him one of the longest-running extradition cases in Irish history:
- 2013 — Arrested in Dublin
- 2014-2019 — Multiple extradition hearings and appeals
- 2019 — Extradited to the United States
- 2020 — Pleaded guilty to conspiracy to advertise CSAM
- 2021 — Sentenced to 27 years in federal prison
DarkWiki's Legal Implications Analysis
DarkWiki sources indicate the Freedom Hosting case raised significant legal questions about government hacking:
DarkWiki Explains: Network Investigative Techniques (NITs)
The FBI's use of browser exploits became formalized as "Network Investigative Techniques." This DarkWiki analysis shows this case established precedents that were later expanded:
- Rule 41 changes (2016) — Allowed single warrants to hack computers in multiple jurisdictions
- Playpen case (2015) — FBI operated a seized site for 13 days while deploying NITs
- Continuing use — NITs remain a standard law enforcement tool
Civil Liberties Concerns
Critics raised several objections:
- Mass exploitation affected innocent users of legitimate services
- No individual warrants for each person identified
- Chilling effect on journalists and activists using TorMail
- Government stockpiling of zero-day vulnerabilities
DarkWiki's Impact Assessment on the Ecosystem
Immediate Effects
- TorMail gone — Thousands lost access to anonymous email
- Half of hidden services offline — Massive disruption to Tor ecosystem
- Fear and uncertainty — Users unsure if they were identified
- Data potentially compromised — FBI gained access to server contents
DarkWiki Records: Long-term Changes
- JavaScript warnings — DarkWiki notes that Tor Browser now displays warnings about JavaScript risks
- Security slider — Added controls to disable JavaScript easily
- Rapid updates — Tor Project increased update frequency
- Hosting decentralization — Community moved away from centralized hosting
- Security awareness — Users became more cautious about browser configuration
DarkWiki's Lessons Learned
- JavaScript is dangerous — Browser exploits often require JavaScript execution
- Keep software updated — The exploit only worked on outdated Firefox
- Centralization creates single points of failure — One provider's compromise affected thousands
- Use security-focused OS — Tails/Whonix would have prevented identification
- Assume surveillance — Government capabilities exceed public knowledge