Matt Edman is a cybersecurity expert who worked part-time at The Tor Project almost 10 years ago. Since then, he has developed potent malware used by law enforcement to unmask Tor users. It has already been used in multiple investigations by federal law enforcement and U.S. intelligence agencies in several high-profile cases.
“It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware,” Tor confirmed in a statement after being contacted by the Daily Dot.
In 2008, Edman joined the Tor Project as a developer to work on Vidalia, a piece of software meant to make Tor easier for normal users by giving it a simple user interface. He was a graduate student at the time, pursuing a Ph.D. in computer science that he would obtain in 2011 from Rensselaer Polytechnic Institute.
The Baylor University graduate became part of the close-knit, pro-privacy community, attending the developer meeting and contributing to Vidalia development. He wrote and contributed to research papers with the creators of Tor and helped other members in their work building privacy tools. According to Tor, “Vidalia was the only Tor software to which Edman was able to commit changes.”
Tor dropped Vidalia in 2013, replacing it with other tools designed to improve the user experience. Edman joined the project the same day as Jacob Appelbaum, the hacker and journalist famous for his work with WikiLeaks, with Edward Snowden, the former NSA contractor who leaked a trove of documents to the press in 2013, and with Tor itself.
In 2012, Edman was working at Mitre Corporation as a senior cybersecurity engineer assigned to the FBI’s Remote Operations Unit, the bureau’s little-known internal team tapped to build or buy custom hacks and malware for spying on potential criminals. With an unparalleled pedigree established during his time at the Tor Project, Edman became an FBI contractor tasked with hacking Tor as part of Operation Torpedo, a sting against three Dark Net child porn sites that operated on Tor to hide their owners and patrons.
“This is the U.S. government that’s hacking itself, at the end of the day,” ACLU technologist Chris Soghoian told the Daily Dot in a phone interview. “One arm of the U.S. government is funding this thing, the other is tasked with hacking it.”
Mitre Corporation is a private nonprofit where Edman did some of his work for the FBI. Mitre makes around $1.5 billion annually, according to the company’s annual reports, from its security work with the U.S. Department of Defense and a host of other federal agencies.
Mitre occupies a paradoxical space in cybersecurity land. It maintains the industry-standard list of Common Vulnerabilities and Exposures (CVE), meant to share transparent security data across the tech world to beat hackers. But it’s also being paid by the federal government to develop and deploy hacks.
“They’re supposed to play this important and trusted role in the cybersecurity community,” Soghoian said. “On the other hand they’re developing malware which undermines their trusted role.”
While at Mitre, Edman worked closely with FBI Special Agent Steven A. Smith to customize, configure, test, and deploy malware he called “Cornhusker” to collect identifying information on Tor users. More widely, it has been known as Torsploit. Cornhusker used a Flash application to deliver a user’s real Internet Protocol address to an FBI server outside of Tor. Cornhusker, so named because the University of Nebraska’s nickname is the Cornhuskers, was placed on three servers owned by Nebraska man Aaron McGrath, whose arrest sparked the larger anti-child-exploitation operation. The servers ran multiple anonymous child porn websites.
The malware targeted the Flash plugin inside the Tor Browser. The Tor Project has long warned that using Flash is unsafe, but many people, including dozens revealed in Operation Torpedo, make security mistakes, just as they do with all types of software.
Operation Torpedo netted 19 convictions and counting. It resulted in at least 25 de-anonymized individuals.
At the trial of Kirk Cottom, a 45-year-old man from Rochester, New York, who pleaded guilty to receiving and accessing with intent to view child pornography, the defense asked to see the source code behind Cornhusker, the human-readable code written by programmers that makes the software tick. The defense wanted to look at the tool that pointed the finger at Cottom. The FBI said it had lost the source code. Special Agent Smith insisted he never instructed anyone to destroy the code. The judge in the case said the loss was unfortunate, but ultimately of little consequence.
According to the court documents, Cornhusker is no longer in use. Since then, newer FBI-funded malware has targeted a far wider scope of Tor users in the course of investigations. Both Cornhusker and the newer techniques, called bulk hacking, have been criticized for their lack of congressional or public oversight.
Along with working on Operation Torpedo, Edman also did dozens of hours of work on the federal case against Silk Road and the conviction of Ross Ulbricht. According to testimony, it was Edman who did the lion’s share of the job of tracing $13.4 million in bitcoins from Silk Road to Ulbricht’s laptop, which played a key role in Ulbricht being convicted and sentenced to two life terms in federal prison. Edman worked as a senior director at FTI Consulting at the time.
The Tor malware Edman developed for the FBI in Operation Torpedo has since been used in more “high profile” investigations, according to a biography of Edman.
“He has been recognized within law enforcement and the United States Intelligence Community as a subject matter expert on cyber investigations related to anonymous communication systems, such as Tor, and virtual currencies like bitcoin. As part of his work, he assembled and led an interdisciplinary team of researchers that developed a state of the art network investigative technique that was successfully deployed and provided critical intelligence in multiple high profile law enforcement cyber investigations,” notes his company biography for Berkeley Research Group.
Edman’s resume also includes a stint as a senior vulnerability engineer at Bloomberg L.P. in New York City, where he did penetration testing of the firm’s network. According to his biography, he also offers special expertise on subjects like Tor and Bitcoin. Today at Berkeley Research Group, Edman works alongside former federal prosecutor Thomas Brown as well as three former FBI agents, all of whom worked on the Silk Road case directly with Edman: Thomas Kiernan, Ilhwan Yum, and Christopher Tarbell.