Following up on its takedown of a Tor-based child pornography host, a group within the Anonymous “hacktivist” group has published the Internet addresses of 190 alleged pedophiles. To do so, they allegedly collaborated with members of the Mozilla Foundation to create a modified Tor browser plugin which collected forensic data about the users. Members of the group also claim that a member of Tor’s developer team is the operator of the hosting service that serves up several child pornography sites.

The Tor privacy network uses a set of special protocols that can be used to allow anonymous browsing of the Internet and access to hidden “.onion” sites—a “darknet” of webpages, collaborative spaces and other Internet resources hidden from the view of the wider Internet. The Tor network conceals the location of these services, though attacks within the network can “fingerprint” them to gain information about them and use other methods to get a general idea of their location.

A recent security update to Tor corrected some vulnerabilities that made it possible to identify users by the security certificate they used to connect to sites. Anonymous claims to have used the update as the basis for a social engineering attack on pedophiles that it used to install an altered version of the Tor software so that it could collect forensic information on their use of the “Hard Candy” page of Hidden Wiki, a .onion site with links to child pornography, and of the “Lolita City” child pornography site on a Tor-based Web hosting service called Freedom Hosting. The OpDarkNet team of Anonymous has been conducting an ongoing denial of service attack on these sites.

“One week prior to October 27th, 2011,” the OpDarkNet wrote in a statement, “We [ ] performed ‘Operations Security’ against the developers of Tor. We quietly listened on irc.oftc.net channels #tor and #tor-dev to find when the next major release of Tor would be.”

Learning of the scheduled security update on October 27, the group claims they “secretly contacted our friends at The Mozilla Foundation, Developers of Firefox, for them to authorize a developer signer certificate for ‘The Honey Pawt’, a TorButton that we Anon created to funnel all originating traffic to our forensic logger.” The plugin was designed specifically to track usage of visits to a hidden Tor site providing links to child pornography, as well as the “Lolita City” site previously attacked by the group, and send them to a logger host set up by Anon.

The group gained certification for the Firefox plugin on October 26, according to the group’s claim. “Our TorButton aka "The Honey Pawt" did not contain any malware or virus. It was developed according to the Firefox/Mozilla Foundation guidelines,” the group claimed.

That's a claim that Mozilla has denied. In an e-mail interview with SecurityNewsDaily, Mozilla's Justin Scott said, "I've checked in with the add-ons team over here and no one at Mozilla was contacted by Anonymous in an official capacity. We also do not issue certificates for add-ons." The "Honey Pawt" add-on isn't in the Mozilla add-ons marketplace, he added, and "all add-ons available in the marketplace have been reviewed by a member of the add-ons team per the review process."

On the day of the Tor security release, the Anonymous hackers stopped their denial of service attack on the two target sites, and posted a message on the “Hard Candy” child-porn directory about the Tor security update, linking to their plugin download. When downloaded, the “Honey Pawt” plugin replaced the existing TorButton installation on the targets’ browsers. The hackers then collected data for 24 hours, before resuming their denial of service attacks on the sites.

The addresses collected span the globe, resolving to customers of ISPs including NTT in Japan, Sprint, and British Telecom. But there's no telling if the IP addresses are those of actual pedophiles. Original claims by the group placed the number of IP addresses at over 1,500.

Anonymous also claims to have discovered the identity of the operator of Freedom Hosting. The hackers have accused privacy advocate Mike Perry—developer of the TorFlow network monitoring tool and the Torbutton Firefox plugin—of operating the host through a “shell company” called Formless Networking LLC. Perry has denied the claims at length in his blog. “I seem to be the target of a vigilante lynch mob (or a subset of one),” he wrote, “who will not dispose themselves of the notion that I run a service called Freedom Hosting (despite having evidence in their possession to the contrary). I am not sure exactly why they are targeting me, but I strongly suspect it is meant as a distraction campaign at a key time in Tor's funding and development cycle."

In a recent e-mail to the tor-talk discussion list, Perry said that the information Anonymous had posted showed he had nothing to do with Freedom Hosting, since it was hosted on a machine running BSD Unix. “If you pull the [N]etcraft data for any of my servers going back 15 years, you'll see I've never put a BSD machine on the Internet,” he wrote. “I've never even gotten [BSD] to install on anything other than one computer I found in a dumpster. I reinstalled the computer with a proper OS, and then put it back in the dumpster.”