Freedom Hosting is well known for allowing pages containing child pornography to be hosted on its servers, and was the target of attacks by Anonymous in 2011, but among the sites it hosted were also "good" services such as TorMail.
Marques was arrested in Dublin on August 4, and on the same day all the sites hosted by Freedom Hosting started serving a “Down for Maintenance” message. While users speculated online about what was happening, they initially failed to detect that spyware was being served to some of them.
Researchers analyzing the code injected in the pages have confirmed that it was created to exploit a vulnerability in Firefox.
"Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17," Daniel Veditz, Security Lead at Mozilla, opined at the time.
The served malware has one single goal - to look up the victim’s MAC address and Windows hostname, and send that information to a server in Virginia operated by the FBI. The researchers believe that it is the FBI's infamous CIPAV (Computer and Internet Protocol Address Verifier) spyware, which was used in previous child porn sting operations.
While testifying before the Irish court, FBI Supervisory Special Agent Brooke Donahue did not say how the Bureau managed to take over the Freedom Hosting servers (rented from a commercial French hosting provider), but shared that Marques managed to briefly boot them out and change the passwords before finally and definitively being locked out of them himself.
The agent told the court that Marques had been looking into getting Russian citizenship so that he could get beyond the reach of US law enforcement, that he is still in possession of his own passport and has demonstrated a willingness to use a false one to buy website hosting space from a Russian company, and that he had a lot of money at his disposal - all things that would make it easier for him to escape from the country if he were to be granted bail.
The judge obviously found these arguments compelling, and decided that Marques will have to remain in custody until his extradition hearing.