Internet privacy and security course
Aa font
AA font size
About translation

Chapter 91

How the FBI obtains authentic IP addresses of criminals using Tor, VPN or proxy

Life in cyberspace goes on as usual, criminals commit crimes and FBI agents try to catch them. But before a cybercriminal is caught, it is necessary to establish their identity or location. And that is the point when a problem arises, because cybercriminals do not want to share the real IP address where they can be found and use various tools for hiding like VPN, Tor and proxy.

FBI agents are constantly looking for new, effective methods to deanonymize users hiding their IP addresses. Identification does not guarantee arrest for sure, for example, the identity of Slavik, the developer of the ZeuS Trojan, the FBI has established long ago, but now they still cannot arrest him, because Anapa is not Alaska and the US laws do not work in Russia .

Usually after successful deanonymization of a cybercriminal from Russia or Ukraine, the FBI waits for their visit on holiday in one of the countries with which cooperation has been established, and the cybercriminal goes on to court in the United States.

So it was this way with Roman Seleznev, who flew with his family to rest on the Maldives, and from there he went not home to Russia, but accompanied by FBI agents to the United States. There federal judge Richard Jones sentenced him, according to which he would spend next 27 years in prison.

Some cybercriminals are arrested, while others take their place. One of the most popular ways of cybercrime is sending fraudful emails. It does not require any special technical skills, the main thing is to be able to write literate letters and try again and again.

Usually, frauds send letters to companies with nonexistent fines, issue invoices from partners or on behalf of a bank they ask to transfer funds to a new account. Out of 1000 companies there may be one, which will make a mistake, but sometimes such mistakes cost a lot of money.

Once the famous Italian football club Lazio decided to purchase Holland defender Stefan de Vrij from Feyenoord. The amount of the transaction was estimated at 7 million euros and was divided into several tranches.

And here the official email address of the Football Club Lazio received a bill for 2 million euros from Feyenoord and it was for sure paid in a timely manner. As you can guess, this account was sent by frauds.

For those sending fraudulent letters the FBI hunts and not only the FBI, they are hunted by all and everybody: from private companies engaged in investigating cybercrime, to law enforcement services in different countries.

One of the FBI's campaigns aimed at hunting for such cybercriminals included the creation of a fake FedEx site, which frauds were trapped to. It worked in the following way: the attackers send a fraudulent letter to the company's mail, and it’s not the accountant who responds to it, but Agent John, and, of course, the answer will contain a link to FedEx from the FBI.

The FBI’s FedEx site feature was that when trying to access the site using a proxy, VPN or Tor, it responded with an error “Access Denied, This website doesn’t allow proxy connections”, or the same text in Russian.

There are many ways to determine the use of a proxy, Tor or VPN, I suppose that they just checked the IP address for the hosting provider ownership, which is a clear sign of the use of VPN, proxy or Tor.

The FBI’s “tricky” plan was to force the criminal to abandon the means of hiding the IP address, but the work of the FBI in this case seems to be primitive. I will tell you about a more effective way to encourage users to abandon VPN, Tor and proxy and blink with their original IP address. This method was used in one Russian hacker forum, created with the support of law enforcement services.

You all know what captcha is: the choice of traffic lights, pedestrian crossings and bicycles is a little fun now, but a couple of years ago it was even worse. You may remember these illegible words that you had to type.

And this captcha was placed on a forum controlled by the authorities in order to provoke users to abandon the use of VPN, proxy and Tor. The fact is that those who used the means of hiding the IP address met the captcha at each entry to the forum. And they had to enter it several times, which can make mad even a person with exemplary strong nerves.

The site management explained this as protection against spam and attacks, such a legend looked quite trustworthy, since the captcha really served as a good defense. For their convenience forum participants were encouraged to use Russian IP addresses.

It is obvious that no one offered to refuse a VPN or a proxy, but it was recommended to use a VPN and a