Cyber Incident Victim: Freedom Hosting II

Date: Feb 2017

Location: United States of America

Summary

Freedom Hosting II, the largest host of Dark Web sites at the time, was compromised in a breach where attackers exfiltrated approximately 75GB of files and 2.6GB of databases. The hackers defaced hosted sites with a ransom demand for a nominal sum of 0.1 Bitcoin but subsequently leaked the stolen data publicly on the Tor network. The incident disrupted numerous botnets leveraging the hosting service and exposed sensitive user information from affiliated forums, including plaintext emails, usernames, and hashed passwords—compromising the anonymity expectations of Dark Web users. Researchers estimated the hosting provider supported 15-20% of all Tor-based sites, amplifying the attack's widespread impact on hidden services and their communities.

Description

On or around February 3, 2017, Freedom Hosting II—the largest hosting provider for Dark Web sites, estimated to support 15-20% of all Tor network sites—suffered a significant breach. Attackers compromised its systems, exfiltrating approximately 75GB of files and 2.6GB of databases. Following the data theft, the hackers replaced hosted websites with a notification detailing the breach and a ransom demand of 0.1 Bitcoin (equivalent to roughly $100 at the time), promising to return the stolen data upon payment. The attackers subsequently published Freedom Hosting II’s database on a Tor site around noon Eastern Time on February 3, while the hosting service remained offline. Security researcher Sarah Jamie Lewis analyzed the leaked data, identifying plaintext emails, usernames, and hashed passwords from forums hosted by Freedom Hosting II, exposing users who had provided genuine personal information despite relying on the Tor network’s anonymity.

The breach had immediate operational and security repercussions. Chris Monteiro, another researcher investigating the incident, noted the attack likely disrupted multiple botnets due to frequent references to "botnet" activity within the stolen data. This disruption suggested a potential reduction in active botnet operations or their capabilities. The exposure of user credentials compromised the privacy of individuals who had used Freedom Hosting II-hosted forums, undermining their expectations of anonymity. The attackers’ decision to publicly release the data—despite the nominal ransom demand—indicated an intent to disseminate the information regardless of payment. The hosting service’s prolonged inaccessibility following the attack further amplified the disruption to Dark Web operations, affecting a substantial portion of its hosted sites and users.
