The FBI Identified a Tor User

No details, though:

According to the complaint against him, Al-Azhari allegedly visited a dark web site that hosts “unofficial propaganda and photographs related to ISIS” multiple times on May 14, 2019. In virtue of being a dark web site—­that is, one hosted on the Tor anonymity network—­it should have been difficult for the site owner’s or a third party to determine the real IP address of any of the site’s visitors.

Yet, that’s exactly what the FBI did. It found Al-Azhari allegedly visited the site from an IP address associated with Al-Azhari’s grandmother’s house in Riverside, California. The FBI also found what specific pages Al-Azhari visited, including a section on donating Bitcoin; another focused on military operations conducted by ISIS fighters in Iraq, Syria, and Nigeria; and another page that provided links to material from ISIS’s media arm. Without the FBI deploying some form of surveillance technique, or Al-Azhari using another method to visit the site which exposed their IP address, this should not have been possible.

There are lots of ways to de-anonymize Tor users. Someone at the NSA gave a presentation on this ten years ago. (I wrote about it for the Guardian in 2013, an essay that reads so dated in light of what we’ve learned since then.) It’s unlikely that the FBI uses the same sorts of broad surveillance techniques that the NSA does, but it’s certainly possible that the NSA did the surveillance and passed the information to the FBI.

Posted on January 17, 2023 at 7:02 AM29 Comments


thorvold January 17, 2023 8:27 AM

The filing mentions that it is referencing a purported Top Secret document “Exhibit 2” from the timeframe of 2013. Based on that info, I am assuming this is a document purportedly from the Edward Snowden leak. The current policy of the government is that a classified document that is leaked is still classified until officially de-classified at a later date. Public access != Unclassified. The government is not going to acknowledge that the document is indeed classified in an open context because that would then confirm that the information contained in the document is likely true. Potentially the “fact of” information that the lawyer obtained in that document and then references in his motion may also be classified.

This would make the motion a derivatively classified document based on the inclusion of classified information in it. If the government managed to convince the judge that the information was still classified, then that would show the need required to seal the motion, without actually stating in open writing that the document was indeed true.

Will January 17, 2023 9:29 AM

The gist of the article is that the US government could have compromised the website, or the website may have been a honeypot, or they may have ways of unmasking TOR traffic generally.

But isn’t it more likely that they compromised the machine he used to access the dark web instead?

Winter January 17, 2023 9:44 AM

A known way to re-identify an IP address over Tor is when the user enables javascript support. If you do so, it is advised to use the browser in a VM with the IP address shielded. This is especially true when the user does not use the Tor browser, but accesses Tor using SOCKS5 on a regular browser.

If the FBI already had access to the dark web site, it could install Javascript code to get at the IP address.

Another, fairly unlikely way, is to look for searches on public fora in the open for certain websites just before the access.

A real killer would be asking for translating the offending page in open Google Translate just after you accessed it via Tor. Google can be fickle when used over Tor, it generally blocks access from Tor.

Clive Robinson January 17, 2023 10:46 AM

@ Bruce, ALL,

Re : The cost of catching a tiddler.

“There are lots of ways to de-anonymize Tor users.”

Yes there are[1] but non of them are “resource inexpensive”, thus as with angling,

“You only throw the bait where you’ve a good idea there is a fish that will bite.”

Thus I’d be more interested in what the suspect allegedly did to first attract attention to themselves.

After that we know it’s more likely to be “Methods” rather than “sources”.

It’s knowing if the first flagging up event was just technical or involved human agency. If the latter wether it was an error by the suspect or somebody else “provided confidential information”.

1, If technical, We all have a problem.
2, If Suspect error, Some others have a problem.
3, If Confidential source, Similar others have a problem.

The last does not overly concern me on the “If you can’t do the time…” principle I avoid doing that sort of “crime” thing.

The second I suspect is actuall quite probable on the “Johnny can’t encrypt” principle. This unfortunately is a major failing of most encryption systems going all the way to BC times.

If it’s the first then I’m very concerned because that has the implication that there is a fault in the standards, protocols or algorithms, which is likely to effect a great number of other systems not just Tor.

Hopefully we get to find out, and find out fairly soon.

[1] When you think about it at a fundemental level there are two issues,

1.1, All traffic is point to point.
1.2, All traffic is bidirectional.

Together these guarenty that all such connections are tracable, with enough resources to gather the needed information.

Due to Tors fixation with “low latency” this makes “tracking in the time domain” relatively painless and no amount of encryption no matter how clever can hide the time domain information. Nor can encryption hide the data flow domain information, all it can hide and often not well at all is the “traffic content”.

TRX January 17, 2023 11:22 AM

This all assumes it wasn’t something so simple as a piece of malware running that passed all his keystrokes on to an FBI host.

Winter January 17, 2023 11:27 AM

Another discussion of the OP at Hacker NEws:

Scroll down:

I wouldn’t get so excited about this. There have been tons of javascript exploits to leak IP addresses in the past, it’s more likely that than the FBI running thousands of servers.

Winter January 17, 2023 11:42 AM

To counter my own arguments, it seems it is not that easy anymore to leak your IP address over Javascript.

See this discussion on Reddit:

In the grey old days, long ago, it used to be parallel calls of web addresses in plain TCP/IP traffic inside complicated pages. But the Tor browser seems to block all know ways to do that.

Best guess to me, beside that they did not break Tor, but only use that as a cover for what they really did, is that the FBI used a zero-day in the browser of the accused. Or that he logged into a honeypot site and his credentials gave him away.

JonKnowsNothing January 17, 2023 12:19 PM


re: It’s unlikely that the FBI uses the same sorts of broad surveillance techniques that the NSA does, but it’s certainly possible that the NSA did the surveillance and passed the information to the FBI.

The high probability is that the FISA Courts (1) granted warrants for the overseas surveillance, which is the province of the NSA.

All such photos and documents as contained on that site are watermarked by USA LEAs (and maybe other LEAs). This is similar to the watermarks on other “illegal materials”. MITM insertion and interception, allows the LEAs to collect the images and replace any intercepted requests for download or browser pre-fetch (2) with a watermarked version (aka Honey Pot). There are teams of LEAs that are dedicated to finding and tagging all such illicit images, as in moderation decisions, there are always more to discover, watermark and/or block.

Since the end user is inside the USA, that requires a special FISC Warrant, which is a boomerang warrant. Normally the NSA stops at USA borders, but with a boomerang warrant they can follow the pipe directly inside the USA. In theory the NSA doesn’t do this often but in practice it is done a lot. The NSA Collect It All strategy is that the collection is not “viewed by humans” and is sorted by computer, so it remains within their legal boundaries to collect. If they are going to use any of this already collected material and if the target is inside the USA, they need a boomerang warrant to access and analyze the USA end of the pipe. They do not need any authorization to analyze the other end of the pipe outside of the USA.

After 9/11, some aspects of this revealed the scope of investigations inside the USA and in foreign countries. The FBI, Dept of Defense (Dod), the CIA and NSA all have presence in the field. It was a bit of a surprise when it was disclosed that the DoD was doing interrogations of renditioned/kidnapped US Citizens in foreign countries.

afaik All the agencies continue to work outside of the USA.


1) Foreign Intelligence Surveillance Act (FISA)

The Act created the Foreign Intelligence Surveillance Court (FISC) to oversee requests for surveillance warrants by federal law enforcement and intelligence agencies.

2) Browsers do a pre-fetech for images. All you need to do is access a page and the browser presumes you are going to look at all the images. They pre-fetch an image to reduce the display render time as you look at the page. The browser pings the source image host for their “counters”. This process is done as if you visited and viewed the item even if you closed the window without ever seeing the displayed image.

AlexT January 17, 2023 12:50 PM

I don’t know much about the specifics of this case but is he “only” charged for visiting this site or was the de-anonymization the basis for probable cause for a search warrant that tuned up further evidence ?

If the former I guess they will have to somehow come clean about how they did it (even in a semi restricted setting): they can’t just say “we know he did it because we tell you so”.

If the latter parallel construction comes to mind.

Certainly a story to follow.

SpaceLifeForm January 17, 2023 1:03 PM

Re: NSA passed info to FBI

Yes, that would be a top choice given EO 12333.

Related to this I believe:


A new policy will empower U.S. agencies to hack into the networks of criminals and foreign governments, among other changes.

Sam January 17, 2023 1:45 PM

I wonder if this is connected to KAX17.

The fact that a well-resourced and persistent group has been running hundreds of entry and middle Tor nodes since at least 2017 has been stuck in my head since the group was first noticed by Nusenu in Dec 2021.

KAX17’s significant resources, use of Azure hosting, and seemingly non-monetary motive for intercepting Tor traffic has always made me wonder if KAX17 is a three-letter agency of the US government.

Clive Robinson January 17, 2023 3:57 PM

@ Bruce, ALL,

A quick lookup via search engines gives, the alledged person via an other article[1] as,

“Muhammed Momtaz Al-Azhari, of Tampa, Florida”

Searching on that pulls up a whole bunch of interesting information.

Judging from which it looks like he, his father, and sister[2] were very probably on various watch lists. He having returned to the US having spent three years in a Saudi Jail for trying to join ISIS.

Apparently he was actualy arrested in a faux weapons buy sting operation where he had been given money and talked into purchasing a hand gun and silencer.

There is a whole lot more about him looking up other information etc.

So there is apparently quite a bit more to the story.

Any way it’s 9PM and my vegi-pasta sauce is cooked, so time to go make the pasta and “slurp on the shirt” 😉

[1] From

[2] Apparently the sister was shot dead by the action of a couple of police officers less than a couple weeks after her brothers arrest. There is apparently “overhead” video –which I’ve not seen– showing a police officer approaching her saying something and then she pulls a knife from her bag, a chase follows and she was fatally shot by another police officer.

Ted January 17, 2023 4:17 PM

There’s a lot going on here. The court records for this case (US v. Al-Azhari) are pretty extensive.

I’m trying to read through an earlier document: the government’s response to Alazhari’s motion for the disclosure of FISA materials.

I can’t yet determine if this has any relation to “Exhibit 2” from the court doc in the OP. From that filing:

The motion also posits a second way in which the Government may have determined the IP address. Exhibit 2 goes to the likelihood that the Government relied on this second method.

Note: The first method is the “network investigative technique.”

There was also some beef about the use of aerial surveillance. Honestly, it seems like this guy was dropping bread crumbs the size of loaves.

Anonymous January 17, 2023 5:02 PM

Sam, I doubt KAX17 is related to this (at least not directly).

That threat actor has the strange combination of large resources and sophistication, but bad OPSEC. They attempted to (naively) influence the Tor mailing list by joining and complaining that bad relays shouldn’t be removed so quickly and that they should be given the benefit of the doubt, but he used the same email address there as he used in his contact for his first few malicious relays.

If KAX17 was run BY a three letter agency, they would not have had such awful OPSEC. This smells like a one man job (or at least one person at the helm), not something performed by a carefully-compartmentalized team well a well-defined mission put on paper.

As for this particular incident, I’d wager that it has nothing to do with an attack against the Tor network itself. While low-latency mixnets are vulnerable to various attacks, those attacks are never very good at targeting individuals. It’s significantly more likely that the user was already compromised. After all, he and his family were already on terrorist lists, and it’s likely that the FBI was aware he used Tor…

However, another possibility is that they used a targeted website fingerprinting attack. They knew he had connections to ISIS. They probably had a list of ISIS-related darknet websites. Surely they also had a tap on his internet. While website fingerprinting attacks really don’t work against random people visiting random websites, if you have one person you’re specially-targeting and you want to know if he visits one of several specific sites, WF attacks are absolutely practical.

lurker January 17, 2023 6:11 PM

re browser prefetching

Back in the day there used to be a browser prefs setting “Download images with text”, so the user could choose to read plain text, and look at the pix later, if relevant. Some browsers may still do this.

Web pages these days from professional orgns and MSM are horribly bloated. I saved one last week, complete according to my browser, 3.7MB, including a 800k jpg, ad thumbnails, and a couple of dozen each of stylesheets and javascripts, leaving 26k of stripped marked up html. Some of the scripts could well have beem LEA, I’m too lazy to check ’em all …

lurker January 17, 2023 6:18 PM

re “empower[ing] U.S. agencies to hack into the networks of [ … ] foreign governments,”

It might be against the law to do that in some places. Good luck a) proving where it happened, and b) prosecuting the US agency.

somedude January 17, 2023 6:59 PM

this is more like parallel construction than breaking tor (although it can be done probably).

JonKnowsNothing January 17, 2023 7:23 PM

@lurker, @All

re: pre-fetched image thumbnails

The hidden danger from browser behavior for the indirect user is this:

  • If the thumbnails are of illegal material (1)
  • Then the thumbnail alone, has already tagged you with a watermarked version of the illegal files.

The user has no way to prevent any MITM interception and no way to prevent the watermarked honey pot from being down streamed into your device or hidden cache area.

This is co-related to the new definitions and expansion of USA Espionage Act, where nearly everyone is eligible to be prosecuted for Espionage, just by reading the Morning News, watching the latest This Just In reports on TV or getting push-pull notices from media organizations. Following any topic of “similar interest” to LEAs may put you on their Fly Ointment List.

Having any illegal material on your device, personal or work system, whether you looked at it or not, maybe enough to land you a very long stay in an uncomfortable location, not necessarily in your own country.

Travel is hazardous. Not Traveling is equally hazardous.


1) the definition of illegal varies by jurisdiction and country

JonKnowsNothing January 17, 2023 7:47 PM

@Clive, @Bruce, ALL

re: Searching … pulls up a whole bunch of interesting information

It might be useful to have a highly critical view (hinky view) about any information that is being release at this time.

During the worst of the excesses in The War On Terror , which afaik, is still On, nearly all information that was presented quickly or soon after an event, turned out to be false. Many times 100% false.

The purpose of releasing what can be demonstrated later as false information, has benefits to LEAs and Governments. They have all the incentive to broad brush actions and paint themselves as Patriotic Law Protectors, and no incentive to admit their pronouncements are false.

Follow any of the transcripts and stories of the people trafficked into GITMO and elsewhere, and you will find ample examples of LEA Hyperbole.


htt ps://en.wikipedia.o r g/wiki/War_on_terror

htt ps://en.wikipedia.or g/wiki/Abdelhakim_Belhaj

Mark Allen, Director counter-terrorism for MI6…

  • Allen wrote: “I congratulate you on the safe arrival of [Belhaj]. This was the least we could do for you and for Libya to demonstrate the remarkable relationship we have built over recent years.”

On 10 May 2018, British Prime Minister Theresa May issued an official letter of apology for MI6’s role in tipping off the CIA of Belhadj’s location before the American-based spy agency captured him and his family and transferred them into Libyan custody.

(url fractured)

Clive Robinson January 17, 2023 8:47 PM

@ JonKnowsNothing, lurker, ALL,

Re : NSFW background pushed.

“If the thumbnails are of illegal material”

In the case of Microsoft through DuckDuckGo small mistakes can get quite a large amount of NSFW / questionable images pushed onto your PC, as I indicated a few weeks back.

What can happen –depending on your settings– is a simple mistake when looking for “Java Teaching” Materials can result in a lot of rather larger than thumbnails getting downloaded hidden from the users view (so they have no clue as to what is happening).

So if you mistakenly type in “Jav Teaching” or similar and are in the “all” or “videos” search result windows, you will get a page or so of junk before anything untoward shows up. In part because of the fact YouTube fills the video page first.

However in the images tab other “providers” get to be presented first, and it’s certainly not what you want on your work PC[1].

Worse even if the images are not auto-downloaded, Microsoft has shifted the “questionable” images to a different server domain so just the URL alone can get you into a lot of trouble.

The thing is it’s not the user “requesting and seeing in the active window” all this junk, but the combination of DDG&Bing “pushing it at you in the background” trying to make their performance look better…

But there is little you can do to demonstrate you neither requested or viewed the images…

[1] Remember each jurisdiction has not just it’s own laws but also how they are interpreted. Thus in some places pictures of actresses / models who are legally adults but are sufficiently diminutive / slight thus look several years younger are accepted, but in other places are not. Likewise with sketches and computer generated images. The reasoning is based on a point of view with regards to what was the viewer intent rather than the reality of the image. Which can give very bizar issues of family photos taken in public places being illegal but the actual activity in the public quite acceptable (think children playing on the beach and in town center water features).

anonymous January 18, 2023 9:43 AM

Assume two things about the internet.
1. someone is reading your material.
2. those Honeypots work in reverse and can plant documents in addition to harvesting hardware and software details.

JonKnowsNothing January 18, 2023 11:16 AM

@Clive, lurker, All

re: NSFW Remember each jurisdiction has not just it’s own laws but also how they are interpreted. Thus in some places pictures of …

Pictures showing “unauthorized dress standards” can lead to imprisonment, torture and death. A missing scarf while playing chess or participating in a climbing competition can be fatal. Wearing the wrong color, the wrong style, or wrong costume can be equally deadly. An image of accepted activity in one country, like driving to the market, can imprison them in another.

The image doesn’t have to be illicit in a general sense, but illegal in a direct context.

Winter January 18, 2023 12:34 PM


A missing scarf while playing chess or participating in a climbing competition can be fatal. Wearing the wrong color, the wrong style, or wrong costume can be equally deadly.

This is about women wearing the wrong/not enough dress. This is not about having pictures of foreign women wering the wrong/too little dress.

JonKnowsNothing January 18, 2023 1:00 PM

@Winter, All

re: This is about women wearing the wrong/not enough dress.

Then a small correction:

  • This is about women (or anyone) who’s picture is posted on any public or private system, with or without their knowledge, posted in countries or news papers where such images are perfectly AOK and later having those images used by LEAs in countries where such images are prohibited, to bring life threatening charges against them.

Sure we think of kompromat first, we rarely think about what else can be used against us, in a court of law, or the courts of executioners.

It doesn’t matter what the image is of, that thumbnail can be used against you, at any time, or place of a LEAs choosing.

vas pup January 18, 2023 3:04 PM

US arrests Russian crypto boss for running criminal ‘haven’

“US authorities announced on Wednesday that they had arrested the owner of Hong Kong-based cryptocurrency exchange Bitzlato for allegedly laundering hundreds of millions of dollars for criminals on the platform.

Anatoly Legkodymov is a 40-year-old Russian national living in China. He was arrested in Miami and is due to appear in court for his first hearing later on Wednesday.

“Today the Department of Justice dealt a significant blow to the cryptocrime ecosystem,” US Deputy Attorney General Lisa Monaco told a press conference, calling Bitzlato a “haven” for criminality.

“Overnight, the department worked with key partners here and abroad to disrupt Bitzlato, the China-based money laundering engine that fueled a high-tech axis of cryptocrime,” she said, adding that a joint operation with French, Cypriot, Portuguese and Spanish authorities had also allowed them to shut down Bitzlato’s website.

Bitzlato’s main client was Hydra, a major darknet marketplace shut down by US and German authorities last year. Users were able to transmit some $700 million for narcotics, stolen credit card information and fake identity papers, the US Justice Department said.

According to court documents, Legkodymov allegedly wrote in an internal Bitzlato chat in 2019 that he knew many of the platform’s users were “known to be crooks.”

Why you, idiot went to US Jurisdiction???

vas pup January 19, 2023 4:39 PM

Cyber-crime gangs’ earnings slide as victims refuse to pay

“Cryptocurrency experts at Chainalysis say ransomware groups extorted at least $457m (£370m) from victims in 2022 – $311m less than the year before.

The true figures are likely to be higher, but experts agree that fewer victims are paying.

However, while there has been a drop in criminal revenue, the number of attacks is rising.

Companies, governments, schools and even hospitals around the world are regularly falling victim to ransomware hackers, who lock staff out of their IT systems until a ransom is paid, usually in Bitcoin.

Analysts at Chainalysis track the money flowing in and out of Bitcoin wallets which are known to be owned by ransomware crews.

Researchers say the criminal proceeds will be much higher than those they can see, because the hackers are likely to use other wallets too.

Nonetheless, the company says, the trend is clear: ransomware payments are significantly down.

“Hackers are definitely finding it harder to get paid for ransomware attacks,” said Brett Callow, threat researcher at cyber-security company Emsisoft.

==>Companies have become better at protecting their back-ups, reducing their need to pay hackers for recovery, he added.

The growth in the number of attacks last year could be connected with enforcement actions, mainly by the US authorities, which caused some of the largest ransomware groups to disband.
Police conducting a raid.

In November 2021, alleged members of the REvil gang were arrested around the world in a global police operation, with more than $6m in crypto currency retrieved by US authorities in a so-called “claw back” hacking operation.

It followed a similar operation by the US in June 2021 that took the Darkside gang offline and recovered $4.1m in stolen funds.

Criminals now seem to be carrying out a greater number of smaller attacks instead of going after large Western targets – so-called “big-game hunting” – where large payments are more likely.

…ransomware is still extremely profitable and smaller-sized organizations should be even more vigilant as hackers spread their net wider in an effort to be paid.”

Clive Robinson January 19, 2023 6:09 PM

@ vas pup, ALL,

Re : Ransomware payments.

Firstly a “drop” in payments is an “effect” not a “cause” and not particularly indicative of anything.

For instance I might argue it’s actually caused by “lockdown” and could draw up ststistics that might indicate that.

It’s why honest science tries to not argue “from efect to cause” and importantly make the “tests” that verify, verifiable by all, anywhere, at any time. Which is why the forms of science that can not be tested for various reasons including ethics are regarded as “soft science” at best.

Secondarily, from the end of what you quote,

“ransomware is still extremely profitable and smaller-sized organizations should be even more vigilant as hackers spread their net wider in an effort to be paid.”

Or as the boys in green are alledged to say,

“It’s a target rich environment”

Two things to note,

1, If they can not reach your computers they can not put ransomware on them.

2, If you properly test your backups through an issolated system then any tampering becomes evident, and should be properly investigated as the clock may be running.

The first is what @lurker has chosen to call

“@Clive’s one track disc:”

Solution of issolation / segregation where the lack of any external connectivity stops “outsider attacks” but only limits some “insider attacks”. Which is why you need additional protections.

People think checking “backup tapes” is “easy” it’s not. And it requires,

1, Carefull thinking
2, Issolated systems

I’ve been through it before on this blog explaining why but consider the effect of a “rougue attacker” who makes themselves effectively an “insider” via a “supply chain” attack.

Which if you think about it is what the NSA and several other US and Five-Eye agencies have been doing since atleast the 1960’s in one way or another.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.