The FBI used a booby-trapped video to identify a California man who allegedly used the Tor network to anonymously extort sexually explicit material from minors online.

Buster Hernandez, 26, of Bakersfield, California, had allegedly run his sextortion campaign since at least 2012. It came to the attention of the FBI in late 2015 when the suspect allegedly used Facebook to contact a girl in Indiana. Using the moniker Brian Kil, FBI officials said, Hernandez claimed he had obtained "dirty pics" the unidentified minor had previously sent to a boyfriend. Hernandez then allegedly threatened to publish the images unless the girl sent additional sexually explicit photos.

Hernandez eventually posted multiple images to the Brian Kil Facebook account, according to an affidavit FBI agents filed in court. The images were allegedly accompanied by messages threatening to visit the girl's school and kill her and her friends using homemade pipe bombs and firearms in his possession.

Over the next year, Hernandez allegedly sent similar messages to at least two other girls. In all the cases, he used Tor or proxy services to mask the public IP address assigned by his Internet service provider. Law enforcement officials typically rely on those addresses to identify suspects.

In June 2017, more than 18 months after the sextortion campaign started, FBI agents obtained a court order from US Magistrate Judge Debra McVicker Lynch of the Southern District of Indiana, authorizing a so-called Network Investigative Technique. The technique made it possible for the agents to learn the IP address the suspect was using to communicate with one of the victims. The FBI affidavit explained:

As set forth in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

After receiving the video, Hernandez allegedly sent a photo of a knife attached to a text message threatening to kill Victim 2 and her entire family. By then, however, FBI agents had gotten a major break on the case. The booby-trapped video revealed the public IP address Hernandez allegedly used. Agents then subpoenaed his ISP. They began surveilling his Bakersfield, California, residence and monitoring its use of the Internet. Agents soon noticed that the Tor usage happened "almost continuously" when Hernandez's girlfriend was away at work.

"Based on the aforementioned, I believe that Buster Hernandez is 'Brian Kil' and used the Internet to cause Victims 1, 2, and 3 to produce and distribute child pornography to Hernandez," FBI Special Agent Andrew D. Willmann wrote in the affidavit. "I further believe that Hernandez used the Internet to threaten to use an explosive device at Plainfield and Danville High Schools [in Indiana] when Victim 1 refused to produce additional child pornography."

Not the first time

In the past, the FBI has used other types of Network Investigative Techniques to identify Tor users suspected of crimes. One of the more controversial instances happened in 2013. It involved the FBI taking over a child pornography website that used Tor to mask the identities of operators and visitors. Agents then embedded webpages with malicious JavaScript code that exploited what was then an unpatched vulnerability in the version of Firefox used by Tor. As a result, anyone who visited the site was exposed to the attack. Some privacy advocates criticized the technique for its breadth. The technique used to identify Hernandez, by contrast, was considerably narrower.

Tor Network officials have long counseled journalists, political dissidents, and other users not to use Flash, QuickTime, and most other media players because they can often reveal the public IP address a computer is using. The affidavit didn't provide enough technical details to determine if Hernandez followed that advice when he allegedly viewed the booby-trapped video.