Freedom Hosting was known for allowing child pornography websites to be hosted on its servers, but also for hosting legal services such as TorMail, which admittedly can be used for criminal purposes.
The newly revealed details about the seizure have shown that a few weeks before Freedom Hosting was taken down, the FBI accessed a TorMail server and made a copy of it.
This is what ultimately allowed them to discover the real-world identity of the main operator of an online counterfeit card webshop shut down last week. The man, one Sean Roberts from Florida, used a TorMail account (email@example.com) as a backup account for processing orders.
"Between July 22, 2013 and August 2, 2013, in connection with an unrelated criminal investigation, the FBI obtained a copy of a computer server located in France via a Mutual Legal Assistance Treaty request to France, which contained data and information from the Tormail email server, including the content of Tormail e-mail accounts," explained US Postal Inspector Eric Malecki in the complaint.
"On or about September 24, 2013, law enforcement obtained a search warrant to search the contents of the Platplus Tormail Account, which resided on the seized Tormail server."
This means these arrests are likely just the beginning: it can reasonably be expected that the FBI will circle back to the cloned server any time it encounters a TorMail account while investigating a crime.
"The tactic suggests the FBI is adapting to the age of big-data with an NSA-style collect-everything approach, gathering information into a virtual lock box, and leaving it there until it can obtain specific authority to tap it later," noted Wired's Kevin Poulsen, adding that there's no reason to suspect that the FBI searched the server for evidence before obtaining a warrant.
"But now that it has a copy of TorMail’s servers, the bureau can execute endless search warrants on a mail service that once boasted of being immune to spying," he concluded.