Many users that utilize The Onion Router, or TOR, network to hide their online activity were exposed on Sunday. The prime suspect is the FBI, which is believed to have created a malware specifically designed to identify TOR users.

The TOR malware appeared on websites hosted by Freedom Hosting, just a day after the arrest of Eric Eoin Marques in Ireland. Marques is believed to be the man behind Freedom Hosting, and is accused of using the anonymous servers to distribute child pornography. The FBI requested that Marques be extradited to the U.S. to face child pornography charges originally filed in Maryland. The FBI described him as, “the largest facilitator of child porn on the planet.”

Freedom Hosting hosted “hidden websites” that can only be accessed through the anonymous TOR network. After Marques’ arrest, nearly all of the hidden sites hosted by Freedom Hosting were down and displayed a maintenance page. This page contained a mysterious Javascript code that originated in eastern Virginia.

In short time, this code was found to be a malware that targets a vulnerability in Firefox 17 ESR, the version of the Mozilla Firefox browser used in the TOR Browser Bundle, a user-friendly package to help people connect to the TOR network. Mozilla has since fixed the bug, so newer versions of Firefox aren’t vulnerable.

What’s interesting is that the malware at the heart of the code, named “Magneto,” doesn’t seem to do anything but identify a user. It doesn’t download anything or create a backdoor for a hacker. Instead, it sends a user’s IP address, Windows hostname, and MAC address to the Virginia server, effectively exposing the person's real identity. 

Given that it is designed to attack the browser commonly used to access TOR, was found on sites that are only accessed by TOR, and appeared a day the arrest of a person with strong connections to the host server of those sites, it seems a probable conclusion that this code was designed specifically to identify TOR users. Its Virginia origin points towards it being created by a U.S.-based law enforcement agency.

While the anonymity of TOR has made it a natural breeding ground for criminal activity, it is also used for users with legitimate concern for privacy. In addition to sites hosting child pornography (the international hacker collective Anonymous once attacked Freedom Hosting, claiming the company hosted 95 percent of the child porn on the TOR network), sites used by human rights groups and journalists were also removed. Even the anonymous email service, TorMail, was victim.

The TOR Project, which develops the software to access the TOR network, said Sunday that it has nothing to do with Freedom Hosting or the malware.

“We’re investigating these bugs and will fix them if we can,” TOR Project wrote in a blog post. “We’re reading the same news and threads you are and don’t have any insider information.”

TOR users look at it as a major blow to their community and Internet anonymity. Freedom Hosting was one of the largest hosts of TOR-configured websites. Some believe the next target will be Silk Road, an online black market famous for selling illegal drugs.