Seven years ago, on the last Friday of January 2017, an unusually large-scale cyberattack was carried out by an unknown cyber vigilante of unknown origin.
More than 10,000 dark web sites hosted by Freedom Hosting II (FHII) were taken offline. Thus, the entire hosting service was unceremoniously unplugged, and its services were never restored. It was an effective annihilation.
What’s strange about this data breach is that virtually no amateur hackers start their journey with web application hacking, let alone by taking out an entire dark web hosting service. Amateurs prefer the simplicity of automation scripts that do all the heavy lifting for them. Apparently, there’s always the exception.
Her only aim was to take down a single website hosted by the platform, a child sexual abuse material (CSAM) marketplace. She wasn’t interested in breaking into the site through the user’s control panel but rather, into the server itself, ensuring it would never reappear again.
But instead, she ended up discovering something far more than she anticipated, as news of the cyberattack rolled like waves, making global headlines.
And you know what? This was her very first hack.
The attack involved sophisticated web application hacking, connecting to the target via SSH, a data dump, defacement, and crippling sabotage – with all the evidence emailed to the National Security Agency (NSA). She gave an exclusive interview with VICE News, maintaining her anonymity and offering very little aside from a vague step-by-step instruction for how the deed was done, careful not to divulge too much.
For seven years, she kept most of her cards close. She’s revealing them now.
This is the story of an unknown champion of OpChildSafety.
Her name is Vanerak.
Recap: the dark history of Freedom Hosting II
Vanerak’s only intent was simply to sift through FHII’s database, looking for her initial target and removing it. Instead, she discovered that more than half of the websites hosted by FHII contained CSAM and scam sites, despite the company’s claim of having a zero-tolerance policy. That’s when things took a turn.
Regardless of the company’s so-called “policy,” FHII was found to invariably be a duplicate of the original Freedom Hosting, which experienced downtime back in 2011 after LulzSec exposed the platform for hosting child pornography during “Operation Darknet.”
Two years later, in 2013, Freedom Hosting’s admin, Eric Eoin Marques, was arrested for hosting what was described as one of the largest facilitators of Child Sexual Abuse Material (CSAM) in the world.
Four years after that, the new reboot of the dark web hosting provider found itself in the crosshairs of a young female hacker with an axe to grind, who weaponized the media to cast the hosting provider under scrutiny for the same relevant conduct as its predecessor. However, there are some twists and turns because the story attracted copycats, who decided to take credit for the data breach, giving interviews to reporters and altering certain aspects of the original narrative.
However, Vanerak contacted me nearly a year ago. I found her story intriguing, but highly unlikely. Over time, she convinced me through insider knowledge that she was, in fact, the original hacker who unceremoniously took down 20% of the dark web.
The way she put it, the whole server had to go, regardless of any legitimate purpose lawful subscribers may have had. Based on Freedom Hosting's history, there was no reasonable guarantee it would sanitize its services from hosting CSAM. Therefore, she seized the server, not too different from when the FBI seizes a domain. Such is hacktivism.
Vanerak: the origins
“There's no way I could give you a 100% guarantee that I am the person that did that, without risking my identity,” Vanerak said over Telegram.
“That being said, I can tell you things that I never told the VICE journalist.”
Meaning, there was still more to this story. And thus, her origin story begins here.
“Being a very young female in the cybersecurity world, no one takes you seriously,” she said.
“At the time, I was so desperate to be a part of the Anonymous collective and to prove myself to Blackforums. After all, they are what we call one of the Five Families... and at the time, I was still the baby-faced noob, often referred to as a skid.”
During my own hacking journey, I have been well acquainted with the longing for social validation and camaraderie within hacker circles. This is very common, as it allows room for competitiveness, appreciation for one’s contribution to the cause, and support for the hacktivist ideology.
She was known by multiple aliases within the Blackforums community and decided to share a funny memory of how she came up with the name Vanerak, which happened to be the very name contained in the email account ([email protected]) from where she leaked the FHII database and email addresses to VICE, which was never publicly disclosed until now.
“I was at my desk gaming at the time, whilst thinking up new random names, I looked out my window and saw a van with racking on it, I thought to myself, 'That's a big van rack,'” she said. “Then van rack had stuck in my head because it sounded funny. Then I decided on 'Vanerak' to give it a more Dutch feel to it. After that, it just worked. I then became Anonymous. Vanerak. A short while after that, my forum basically gave me its own nickname that stuck because of my so-called quirky antics, and I never changed it after that. It felt like I had finally earned my spot in the collective.”
Data dump, emails, and copycats
Vanerak never took credit publicly for any of the public exposure of the data breaches but attributed the work to Anonymous. During her initial interview with VICE, there was no mention of any leaked databases other than system files, which she leaked to simply troll the hosting service.
What isn’t in the media reports is that she shared the email portion of the data dump on Blackforums under the guise that she merely stumbled upon it. The email dumps leaked beyond Blackforums and consequently found their way into the public domain. They ended up on HaveIBeenPwned, which claimed to have received a 2GB MySQL database, including 381,000 email addresses.
To validate the explicit nature of the websites Vanerak uncovered, Troy Hunt, who owns HaveIBeenPwned, described it as a “pretty serious incident,” remarking that a lot of the data is very explicit.
Clout-chasers from Anonymous were now taking credit for the intrusion and subsequent database leaks, which she was not responsible for. “I was relieved that others were claiming that they did it, it took the load off my shoulders, that's for sure. I was so afraid that I was going to get into so much trouble.”
That is, until a list of all 10,613 .onion sites hosted by FHII became searchable from the defacement page and the subsequent media coverage.
“There are claims that I leaked the database and apparently a list of .onion websites containing child pornography and female extermination,” she explained. “I would never have done that, that would be extremely careless and contradictory to my goal. My goal was to get those sick people caught and their victims saved or at least justice served, just something!”
Furthermore, the copycats revised her defacement message, removing the joke about a ransom, and published a torrent download of the files from the data breach for public viewing on the defacement page, including a full list of all 10,613 compromised onion sites, many of which contained child pornography – which was reproduced by BleepingComputer in a Pastebin made by the author.
Among the download links on her defacement page, the link to the torrent containing the so-called data dump itself was supposed to be a joke to troll the hosting company, which contained no user data that she collected from monitoring the server’s GET requests.
However, the link to download the system files was authentic. Likewise, in jest, she valued the data breach at 0.1 bitcoin, or $100, if FHII wanted to buy the dump back. This was removed in an updated version of the defacement page, as shown below.
BleepingComputer reported that Anonymous hackers uploaded a revised version of the initial defacement page. Vanerak expressed outrage over this, because even after the attack, many of these onion sites may have redirected to mirrors off-site, essentially turning her defacement and all the media platforms covering the story into advertisements for online predators.
“I didn't leak the emails or the database, I had sent it to the authorities in the hopes that they would have done something about it. I want to clarify this so that readers understand that this is not okay.”
When hacktivists chase fame
Vanerak had plenty to say about the experience and showed me original screenshots from the initial data breach over a different, more secure channel so as not to inadvertently link them back to her.
Summing up everything she experienced from hacking FHII, she said that the dark web hosting service was one of the most horrific hosting services she had ever seen to date. Because of the explicit CSAM content, which included mutilation, she never publicly leaked the database or the emails but rather delivered them to authorities.
All too often, misguided hacktivists engaged in OpChildSafety ignorantly share explicit links in public chatrooms, as though shocked to have run across CSAM, and needing someone to validate what they saw. I personally don’t understand this. But online predators understand where to find CSAM – in careless pedo-hunting communities.
“At the time, I preferred to just leave everyone to assume,” she said. “I didn't, and still do not want credit or a "well done" pat on the back for trying to do what I felt was the right thing.”
Vanerak’s advice to hacktivists pursuing fame and recognition was sobering.
“Is it worth risking a heavy [prison] sentence? Is having your name out there, really worth a possible unjustifiable long sentence, when the very criminals that you have worked so hard to take down will get a fraction of the sentence that you will get? I can not express enough, how terrified I was, that my actions could have resulted in me losing a chunk of my freedom, all because I was trying to do what I believe, was the right thing.”
A warning to OpChildSafety hunters
Vanerak offered very direct advice for upcoming and present OpChildSafety hunters, explaining that some may say it’s a great thing what hunters are doing; some will even encourage it. But she is not here to do that.
“I will give you the reality of what you face: trauma and lots of it. Especially if you have been a victim of sexual assault, being a "hunter" will be a constant refresher of what you went through... And, if you are lucky enough not to be a victim of sexual assault, you will be – through the victims you might come across.”
She says hunters get involved in the OpChildSafety initiative because they are searching for purpose and want to do something that matters.
“There will be days that you will be questioning if it's even worth it and if all your efforts are in vain. Stop that! Because of you, you are showing that someone cares. Someone sees what is happening. Someone is trying to do something!!! That is better than turning a blind eye and doing nothing.”
As the famous quote by William Burke goes: “The only thing necessary for the triumph of evil is for good men to do nothing.”