As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images.
But DeFoggi—convicted today in Maryland on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of the Tor anonymizing network shielded him from federal investigators.
He’s the sixth suspect to make this mistake in Operation Torpedo, an FBI operation that targeted three Tor-based child porn sites and that used controversial methods to unmask anonymized users.
But DeFoggi’s conviction is perhaps more surprising than others owing to the fact that he worked at one time as the acting cybersecurity director of the U.S. Department of Health and Human Services. DeFoggi worked for the department from 2008 until January this year. A department official told Business Insider that DeFoggi worked in the office of the assistant secretary for administration as lead IT specialist but a government budget document for the department from this year (.pdf) identifies a Tim DeFoggi as head of OS IT security operations, reporting to the department’s chief information security officer.
The porn sites he’s accused of using—including one called PedoBook—were hosted on servers in Nebraska and run by Aaron McGrath, who has already been convicted for his role in the sites. The sites operated as Tor hidden services—sites that have special .onion URLs and that cannot normally be traced to the physical location where they are hosted.
Although anyone could use the sites, registered users like DeFoggi—who was known online under the user names “fuckchrist” and “PTasseater”—could set up profile pages with an avatar, often child porn images, and personal information and upload files. The site archived more than 100 videos and more than 17,000 child porn and child erotica images, many of them depicting infants and toddlers being sexually abused by adults.
The FBI seized the sites in late 2012, after McGrath failed to secure his administrative account with a password. Agents were able to log in and uncover the IP address of the Nebraska server where he was hosting two of them. McGrath worked at the server farm, and hosted the third site from his home. The FBI monitored him for a year and after arresting him in November 2012 continued to operate his child porn sites secretly from a federal facility in Omaha for several weeks before shutting them down. During this time, they monitored the private communications of DeFoggi and others and engaged in “various investigative techniques…to defeat the anonymous browsing technology afford by the Tor network” and identify the real IP addresses of users.
These techniques “successfully revealed the true IP addresses of approximately 25 domestic users who accessed the sites (a small handful of domestic suspects were identified through other means, and numerous foreign-based suspect IPs were also identified),” prosecutors wrote in a court document. In March 2013, twenty suspects were indicted in Nebraska; followed by two others who were indicted the following August.
One of these techniques involved the used drive-by downloads to infect the computers of anyone who visited McGrath’s web sites. The FBI has been using malicious downloads in this way since 2002, but focused on targeting users of Tor-based sites only in the last two years.
Tor is free software that lets users surf the web anonymously. Using the Tor browser, the traffic of users is encrypted and bounced through a network of computers hosted by volunteers around the world before it arrives at its destination, thus masking the IP address from which the visitor originates.
The malware that investigators installed remotely on the machines of visitors to PedoBook and McGrath’s other sites was designed to identify the computer’s IP address as well as its MAC address and other identifiers. The results were coordinated raids in April 2013 that swept up more than a dozen suspects.
DeFoggi became part of that sting after becoming a registered member of PedoBook in March 2012 where he remained active until December that year. During this time DeFoggi, who described himself as “having many perversions,” solicited child porn images from other members, viewed images and exchanged private messages with other members expressing interest in raping, beating and murdering infants and toddlers.
Among those with whom he corresponded was an FBI undercover employee. During chats DeFoggi described using Tor to access PedoBook early in the morning hours and between 4 and 6 pm. Among the evidence seized against him was pen register/trap trace data obtained from Verizon showing someone at his Maryland residence using Tor during these hours as well as the IP addresses used by an AOL account under the username “ptasseater,” which pointed to DeFoggi’s home.
When agents arrived at his home early one morning to execute a search warrant, they had to pry him from his laptop, which was in the process of downloading a child porn video from a Tor web site called OPVA, or Onion Pedo Video Archive. In addition to child porn images stored on his computer, authorities also found evidence of his Tor browser history, showing some of his activity at PedoBook and OPVA.
DeFoggi received many commendations during his government career, according to an exhibit list created by the government for his trial. The list includes several certificates of award from the U.S. Treasury, a certificate of appreciation from the State Department for his work on a Hurricane Katrina task force, several documents related to computer courses he attended and certifications he received.
DeFoggi is scheduled to be sentenced in November.