Anti-Tor malware reported back to the NSA


It’s like these folks said, “Stalin had some good ideas.”


So what part of the NSA’s charter deals with pedophile rings?

1 Like

“But don’t worry, we only are concerned with terrorism.”

Combined with today’s Reuters revelations that the DEA is also spying on Americans as a means of secretly initiating investigations using a “Special Operations Division” that includes the NSA, I think we can safely assume that this line about terrorism is just so much bullshit.

Here’s the Reuters piece:


“One researcher contacted us and said, ‘Here’s the Robotex info.
Forget that you heard it from me,’”

I wonder how “one researcher” contacted them. There’s only a slim chance of Uncle forgetting the conversation.

Oh, SAIC and the NSA… I used to be certain that my ‘This is all a secret project by the Department of Health and Human services to eliminate paranoia disorders by validating all possible conspiracy theories’ theory was merely hyperbolic…

The ultimate beltway bandit writing spyware for the most notorious (at the moment) branch of the feds, and not even bothering to cover their tracks… Either this is a show of power/distraction mechanism, or somebody is going to be ‘pursuing exciting opportunities elsewhere’ in the near future.

1 Like

Could be a false-flag or, more likely in my opinion a double-false-flag.

Think about it, the NSA has a rep on par with NAMBLA in a lot of circles and that IP block is a known asset or a confirmable one, at least, so they send out some shit that leads back to them but it looks way too pat so instead people think it’s someone outside the NSA acting as an agent-provocateur.

1 Like

Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers.

So to speak.


And now we know why Obama’s pants are asbestos-lined.

1 Like


If this had been a normal civilian they would been charged, tried, and convicted and placed in prison for upwards of 10+ years for violating the Computer Fraud and Abuse Act of 1986


It’s so simple! All I have to do is divine from what I know of the NSA: is it the sort of organization that would put kiddie porn onto its own IP block or its enemy’s? Now, a clever organization would put the kiddie porn onto its own IP block, because it would know that only a great fool would download what he was given…


and now this whole thing starts to scream with the same narrative as most conspiricey theories, or E list spy thrillers, except this one is real :frowning:

i know it was a foregone conclusion but to have confirmation that they are attacking the last free platform we have evokes in me a significant sad.

Hail the tyrant, long live the oligarch. :’(

This is not true and people are misreading the data. Other IPs nearby host websites for wholesale envelope sales, pharma companies, random office PBXs, a climate change charity, a defense contractor, a money transfer company, video conferencing hardware, a printer, various random low-end office routers etc. There’s plenty to suggest this net block is just general business stuff assigned by Verizon and there’s plenty of stuff that could have beem compromised. There’s very little pointing directly at the NSA or even SAIC so far. It’s no so suspicious for the NSA website to be on a Verizon business account is it?


The NSA doesn’t have to put kiddie porn anywhere (neither does the FBI). It is well known that certain folks trade it via Tor. This has been known for years (I’ve seen evidence of it personally there). It doesn’t have to be a frame-up.



Researchers are idiots and don’t know how to read a robtex (there’s only one ‘O’) search.

Here is what it actually says: (and that is their public-facing domain, do you really think they would do ops from it? It most likely isn’t even hosted by the NSA!) has 6 different IP address records. Two of them (the A records, probably the same as are carried by Verizon over (AS701) and 4 of them (MX and nameservers) are from Qwest over (AS209)

So the NSA has multiple IPs and dual backbone connections for their public presence. Good for them. If I had to guess from the WHOIS info I’d say their IP ranges on those routes are - and -, because those are the extents of the allocations the IPs fall within.

That does not include All we can actually infer is that the IP is also on AS701, which belongs to Verzion. If you dig on robtex you will find thousands of things hosted over AS701 that clearly have nothing to do with the government! is a part of the block that is not reassigned to another range, meaning it is free for Verizon to hand out to business DSL, etc…

Also, domaintools tends to be out of date. SAIC might have had that IP at one time, but the current owner is just Verizon Business.

There is more evidence the sample in question (and therefore the IP address) is the FBI’s CIPAV malware (google it).

I’m surprised more people aren’t remarking on the incredibly silly decision by the Tor group to re-enable Javascript in their specialized browser. What a stupid move; it was disabled in previous versions for a reason! My circle of friends predicted some kind of Javascript attack on the Tor browser months ago, for this very reason, as soon as Javascript was enabled o.o’ …

I agree with you, but I expect it was demanded by folks like dissidents who want to use Facebook with privacy. Can you even use Facebook any more with JavaScript disabled?

1 Like