When Dutch police took the notorious Hansa marketplace offline last month, they had a message for the underground site’s pseudonymous drug dealers: we know who you are. The question, of course, was how.
Hansa existed on the dark web, and required a special web browser called Tor to access. Tor is designed to protect its users’ privacy by keeping the true location of their computers anonymous. And yet, police said they would be able to unmask some of Hansa’s users all the same.
On Friday, The Daily Beast appeared to have figured out why. It reported that Dutch police may have uploaded a specially crafted Microsoft Excel spreadsheet to Hansa’s site, with hidden code inside designed to phone home to police.
When a user opened the spreadsheet, it would silently connect to a server controlled by police. Investigators would receive their real IP address, and not the anonymous IP address they would otherwise be assigned by Tor. Number in hand, there’s a good chance they could get that user’s real name and address from their internet service provider.
In many cases, police don’t have to go to such lengths. Some criminals unwittingly give up their IP addresses. But the technique likely used against Hansa’s users is becoming increasingly necessary as criminals get better at covering their tracks.
‘Designed to avoid suspicion’
There are myriad ways for authorities to get the IP addresses of their targets during criminal investigations. Some, such as the approach used by Calgary Police in a 2012 investigation, are relatively simple.
In that case, Detective Sean Joseph Chartrand of the Calgary Police Service entered a Yahoo chat room posing as an underage girl, court filings show. A man named Michael J. Graff, using a pseudonym, started chatting with Chartrand. Graff sent a series of sexually explicit messages and photos, along with an email address, and invited Chartrand — who he believed was named Ashley — to contact him there.
That was Chartrand’s in. He used a now-defunct service called SpyPig to hide a tiny invisible image in an email, and sent it to Graff. When Graff opened the email, his computer retrieved the image from SpyPig’s server — and in the process, revealed the IP address of his computer to SpyPig and Calgary Police.
“Det. Chartrand’s email using the SpyPig code was specifically designed to avoid suspicion and conceal the SpyPig tracking function,” reads a filing from the case.
Kent Teskey, the criminal defence lawyer in the case, was unaware of other cases where similar techniques have been used, as were other privacy lawyers and researchers contacted by CBC News.
Network investigative techniques
The service used by Calgary Police isn’t very sophisticated, nor is it exclusively used by police. Internet marketers, for example, have embedded tiny invisible images inside emails for years to track who opens their emails, at what time, and from where.
But in cases where a carefully crafted email or link may be suspicious or impractical, police have turned to more advanced and covert techniques.
In the Hansa drug market investigation, the tracking code was reportedly hidden inside an Excel file listing recent transactions. Similar code was hidden inside a video that contacted an FBI server when played.
But nothing compares in scope or scale to an FBI investigation in 2015, where the agency installed spyware on over 1,000 computers that accessed a child porn site called Playpen. The FBI refers to its hacking tools as network investigative techniques (NIT).
It’s unclear whether police in Canada — who typically decline to comment on operational matters — have deployed similar software here.
If you have a tip, you can contact this reporter securely using Signal or WhatsApp at +1 416 316 4872, through off-the-record messaging at email@example.com, or via email at firstname.lastname@example.org.