Web-hosting provider Freedom Hosting II was taken down Friday and still offline as of late Monday

Robert McMillan
Feb. 7, 2017

A network of websites used by hackers and others to anonymously share information has itself been hit by a cyberattack.

The attack disabled a large chunk of the so-called Dark Web, knocking thousands of websites offline, cybersecurity and privacy specialists said. The anonymous attack, which hit a web-hosting provider named Freedom Hosting II, occurred on Friday and as of late Monday, they remained offline, they said.

The Dark Web is the term used for a network of servers that use anonymity software, in particular a version called Tor, to cloak their location. The Dark Web is used by a mixture of activists and privacy lovers looking to keep their identities secret and criminals distributing illicit materials like child pornography or data taken in cyberattacks. The online marketplace Silk Road used Dark Web servers to hide from law enforcement before it was shuttered in 2013 as part of a criminal investigation by federal authorities.

Friday’s attack knocked about a fifth of the Dark Web offline, according to Sarah Jamie Lewis, a former security engineer for Amazon.com Inc. who is now an independent researcher and operates the privacy-focused website Mascherari.press. Soon afterward, the attackers published a series of databases containing large amounts of information available on Freedom Hosting II, which was the largest hosting provider for anonymous websites, she said.

The databases include private messages between participants in several child pornography forums, and code from “command and control” servers used to operate networks of hacked computers, she said. Chris Monteiro, another independent cybersecurity researcher who is examining the Freedom Hosting II files that were released, said in a blog post that he, too, found material related to child abuse, as well as sites offering stolen online usernames and passwords.

Posts included in the data dump discuss child pornography, but had had their images removed, said Troy Hunt, another independent security researcher. “It’s the sorts of classes of sites that you’d expect to want to have anonymity,” he said.

Who operates Freedom Hosting II isn’t clear, and there isn’t publicly available information about how to contact them.

While the Tor anonymity software used by Freedom Hosting II is designed to obscure the identity and location of its users, the private messages could contain information that could be used to identify members, including mailing addresses, phone numbers or email addresses used by web services such as Gmail that don’t use anonymizing software. That information could be of use to law enforcement, although the disruption of such a large hosting provider could also impair ongoing law-enforcement investigations by causing any illegal activity to relocate, Ms. Lewis said. The Federal Bureau of Investigation didn’t respond Monday to a request for comment.

The attacker who claimed credit for the strike against Freedom Hosting II left an email address, but when contacted, declined to give an identity.

Although the data came from more than 10,000 websites, only a few thousand of them were actively being used, Ms. Lewis said. Many of the sites were anonymously run political blogs, she added.