FBI used booby-trapped video to unmask suspected Tor-using sextortionist

After a sextortionist terrorized minor girls and their Indiana communities for a year and a half, the FBI tainted a video with code that revealed the real IP of 'Brian Kil' despite his use of Tor.

To catch the person suspected of terrorizing young girls and even their communities for over a year, the FBI added a bit of code to a video that was made by a victim. That Network Investigative Technique (NIT) revealed the alleged sextortionist’s real IP address, even though he was using Tor to stay anonymous, and eventually led to the arrest of Buster Hernandez, 26, of Bakersfield, California. The FBI became involved in late 2015 after “Brian Kil” used Facebook to start extorting sexually explicit material from a minor girl in Indiana.

“Terrorizing young victims through the use of social media and hiding behind the anonymity of the internet will not be tolerated by this office,” said Josh Minkler, U.S. Attorney in the Southern District of Indiana. “Those who think they can outwit law enforcement and are above being caught should think again. Mr. Hernandez’s reign of terror is over.”

Hernandez, who had allegedly been running sextortion campaigns since at least 2012, was “federally charged for his role in threatening to use explosive devices at Plainfield and Danville, Indiana High Schools, making cyber threats to female victims and producing child pornography.”

According to the affidavit filed by the FBI (pdf), Hernandez, going by Brian Kil, claimed to have “dirty pics” that a minor Indiana girl sent to her boyfriend. He then extorted sexually explicit pictures from her for 16 months until she refused to send any more images. After she refused to bow to his sextortion any more, he threatened her life as well as that of her schoolmates in Plainfield.

In a Facebook message to Victim 1, “Brian Kil” said he was coming to her school with three homemade pipe bombs, two handguns and a semi-automatic rifle. His message said, “I want to leave a trail of death and fire” in Plainfield. “I will simply walk right in undetected tomorrow.” He threatened “to slaughter your entire class and save you for last.” If the police were to try and intervene, he said, “I’ll add a dozen dead police to my tally.”

After threatening to kill her and her friends, he said he would “methodically” pick off others as they ran for their lives. “Those that I miss will be blown to hell with the pipe bombs I set around campus. I plan on leaving no survivors. … If you want the nudes of [Victim 1] now is the time to get them. I will be gone from this earth tomorrow and so will hundreds of Plainfield students.”

That’s just one example. In a different message, he threatened there would be “a large number of casualties at Perry Crossing,” the shopping mall in Plainfield. He rambled on and on, trying to scare everyone and taunting law enforcement.

In response to those threats, school administrators temporarily closed the Plainfield and Danville High Schools. The Shops at Perry Crossing in Plainfield also closed for one day, Dec. 19, 2015.

That same month, December 2015, Facebook opened an investigation and started shutting down accounts associated with “Brian Kil.” Hernandez, too, was creating and disabling Facebook accounts so he could keep making anonymous threats. Federal agents believe he created at least 16 different Facebook accounts.

Getting the real IP address of Hernandez

In June 2017, an Indiana judge authorized a NIT so the FBI could booby-trap a video made by one of the sextortion victims. Court documents explained:

As set forth in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

That gave the feds the real IP address of Hernandez. They subpoenaed Bright House for subscriber information to obtain his Bakersfield, California, address. A judge then authorized the FBI’s request for wiretapping via the use of “pen-trap devices,” which allowed the FBI to intercept his online communications. He allegedly used Tor only when his girlfriend was not at home. The FBI then installed a camera on a pole near his house to verify that a man matching Hernandez’s description came and went from the house.

Hernandez was charged with threats to use an explosive device, threats to injure and sexual exploitation of a child. If convicted on all counts, Hernandez faces a mandatory minimum sentence of 15 years and a maximum of 30 years in prison.

As you can see in this video interview with Jay Abbot, FBI special agent in charge of the Indianapolis Field Office, Hernandez will likely face more charges from other states. Anyone who believes they were a sextortion victim of Hernandez is asked to contact the Indianapolis FBI office.
