
Carnegie Mellon University has hit back at claims the FBI paid it $1m (£654,932) to break Tor.

Many users of Tor were concerned when it was compromised last year -- and now the Tor Project, which develops and maintains the software, thinks it has found the culprit. In a blog post, the Tor Project placed the blame on the FBI, which it claimed had been working with Carnegie Mellon University.


Carnegie Mellon researchers developed a Tor-attacking system in 2014 -- a system that was due to be presented at the Black Hat security conference that year. The talk was pulled, and since then the university has refused to respond to questions about what happened to the technique.

But Carnegie Mellon has now said claims it worked with the FBI were false. "In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed," it said in a statement. "The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."

The Tor Project continues to insist the university was paid by the FBI. "Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep," it said. "And then sift through their data to find people whom they could accuse of crimes." "It was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," the Tor Project claimed.

An investigation by Motherboard showed a "university based research institute" had assisted the FBI in identifying a drug dealer who had used Tor.


Brian Farrell, who worked for notorious drug marketplace Silk Road, was identified using this technique, and a warrant used to search his home detailed that an FBI source had provided "reliable IP addresses for Tor".

It's also thought this information may have been used in Operation Onymous, a worldwide operation that combined the FBI, Europol, Homeland Security and other agencies. The operation led to 17 arrests, 410 hidden services being shut down and the seizure of $1m (£650,000) in Bitcoin.

The Tor Project did not say where it had received the information -- naming only "friends in the security community". Tor Project spokesperson Kate Krauss told WIRED US that "many questions" remained around Carnegie Mellon's involvement with the FBI.