How much does it pay to expose anonymous users online? $1 million, according to Tor director Roger Dingledine.

I guess Vladimir Putin's offer of $100,000 just wasn't enough.

Dingledine said in a recent blog post that the FBI paid security researchers at Carnegie Mellon $1 million to unmask anonymous users of its Tor network. He claimed “researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.”

The post adds, “There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board.”

Singularity University's Brad Templeton: "They've turned [the internet] into the world's greatest surveillance apparatus, a surveillance apparatus that even George Orwell probably wouldn't have dreamed of."

These are heavy accusations, which Ed Desautels, a PR rep for Carnegie Mellon’s Software Engineering Institute, did not deny outright in an interview with Wired. Instead, he pointed to a lack of evidence: “I’d like to see the substantiation for their claim. I’m not aware of any payment.”

However, Dingledine apparently told Wired that Tor was able to trace the origins of the servers responsible for the attack. It led them to Carnegie Mellon.

If Carnegie Mellon's research department is indeed responsible for last year's attack on the Tor network, it puts the institution's academic ethics into question.

“Such action is a violation of our trust and basic guidelines for ethical research,” wrote Dingledine. “We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.”

If Carnegie Mellon's research department is indeed responsible for last year's attack on the Tor network, it puts the institution's academic ethics into question.

The evidence pointing toward the university has been laid out in a great piece by Motherboard. Reporters for the site found legal documents for a case against alleged Silk Road 2.0 drug dealer Brian Richard Farrell. How the FBI was able to identify Farrell was “based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”

What's more, a presentation at the Black Hat event was abruptly canceled. The talk bore a startling resemblance to the attack:

“Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild...”

Alexander Volynkin and Michael McCord, academics from Carnegie Mellon University (CMU), were planning to explain how their team was able to “de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months.” The feat only cost them $3,000 to do this “with a handful of powerful servers and a couple gigabit links.”

“Whatever academic security research should be in the 21st century,” Dingledine concluded, “it certainly does not include ‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”


Natalie has been writing professionally for about 6 years. After graduating from Ithaca College with a degree in Feature Writing, she snagged a job at where she had the opportunity to review all the latest consumer gadgets. Since then she has become a writer for hire, freelancing for various websites. In her spare time, you may find her riding her motorcycle, reading YA novels, hiking, or playing video games. Follow her on Twitter: @nat_schumaker

Photo Credit: e_rasmus / Getty