Update — the database has now been leaked and my ongoing analysis can be found over here

Compromise

Earlier today a Reddit user running a dark web crawler reported that all websites hosted by Freedom Hosting II had been compromised and were now displaying the following message:

Hello Freedom Hosting II, you have been hacked We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ — but what we found while searching through your server is more than 50% child porn… Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses. All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database) We are selling all data (excluding cp) for 0.1 BTC. Send 0.1 BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and send your transaction id to [email protected] or [email protected] and We’ll get back to you with a full dump. Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list We are Anonymous. We do not forgive. We do not forget. You should have expected us.

Update

As of approximately 17:00 GMT the landing page has been updated to say:

Thanks for your patience, you don’t have to buy data ;) we made a torrent of the database dump download here You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us. If you need to get in contact with us, our mail is [email protected]

Verification

Privacy researcher Sarah Jamie Lewis used a customised ‘onion scan’ tool in October last year and found, based on matching SSH fingerprints, that Freedom Hosting II represented 15-20% of the active onion sites detected.
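
How matching on SSH fingerprints links sites to one host, as an added example that is not from the original post or from the onion scan tool itself: services presenting the same SSH host key are grouped, and the largest group's share of all scanned services is computed. The scan records, site names and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of a 'type base64-blob [comment]' line."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_host_key(scan):
    """Map each host key fingerprint to the set of onion addresses presenting it."""
    clusters = defaultdict(set)
    for onion, key_line in scan:
        if key_line:  # services with no SSH port exposed cannot be matched
            clusters[ssh_fingerprint(key_line)].add(onion)
    return clusters


def largest_share(scan):
    """Return (fingerprint, site count, share of all scanned sites) for the biggest cluster."""
    clusters = cluster_by_host_key(scan)
    fp, sites = max(clusters.items(), key=lambda kv: len(kv[1]))
    return fp, len(sites), len(sites) / len({onion for onion, _ in scan})


def _key(label):
    # Constructed stand-in for a host key blob; not a real SSH key.
    return "ssh-ed25519 " + base64.b64encode(label.encode()).decode()


# Constructed scan results: (onion address, SSH host key line or None).
SCAN = [("site00.onion", _key("shared-host")), ("site01.onion", _key("shared-host"))]
SCAN += [(f"site{i:02d}.onion", _key(f"unique-{i}")) for i in range(2, 8)]
SCAN += [("site08.onion", None), ("site09.onion", None)]

if __name__ == "__main__":
    fp, count, share = largest_share(SCAN)
    print(f"{fp}: {count} sites, {share:.0%} of scanned services")
```

For operators, the takeaway is that a host key reused across hidden services makes them linkable to one server by anyone who can reach the SSH port.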

The hack appears to be genuine. Not only are the hosted sites that were tested compromised, but the main customer portal is also displaying the same message. fhostingesps6bly.onion was one of the primary onion addresses of Freedom Hosting II; the un-hacked version can be seen via this archived capture.

Freedom Hosting II portal — when it was working

At the time of writing, the Bitcoin address listed by the anonymous hackers, 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU, has not received any payments. Selling access to hacked data rather than giving it away is not typical behaviour for Anonymous.

Brand legacy and follow up

Freedom Hosting II is the brand successor to the original Freedom Hosting, formerly run by Irishman Eoin Marques and similarly notorious for hosting child pornography and fraud sites.

The original Freedom Hosting was taken down by the FBI in conjunction with a JavaScript 0-day attack on its users back in 2013. It is reasonable to expect that law enforcement will be highly interested in the hacked data, as it must intersect with operations against the worst of the worst sites under active investigation. In many cases this will mean bringing investigations to a premature close with some suspects evading justice, but in other cases it will provide a wealth of data on serious criminal operations.