In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo:
The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.
For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.
The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.
Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.
As observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”
Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.
“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” FBI Special Agent Brooke Donahue reportedly told an Irish court in 2013.
Even before the FBI testified in court about its actions, clues began to emerge that the Firefox exploit used to record the true Internet address of Freedom Hosting visitors was developed specifically for U.S. federal investigators. In an analysis posted on Aug. 4, reverse engineer Vlad Tsrklevich concluded that because the payload of the Firefox exploit didn’t download or execute any secondary backdoor or commands “it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”
According to The Irish Times, in a few days Marques is likely to be escorted from Cloverhill Prison to Dublin Airport where he will be put on a US-bound flight and handcuffed to a waiting US marshal. If convicted of all four charges, he faces life in prison (3o years for each count).
For those of you endorsing violence in prison against this invidual, just think about what you are accepting. Have you really considered that you, your kids, or your friends could also possibly end up in the same prison system where it is acceptable or condoned for prisoners to be assaulted?
Well, if they were doing this to children, then YES!
Well then why dont we just change the laws and have the courts sentence them to physical torture and rape? The price people pay for crimes committed should be the price of the sentence prescribed by the courts, not vigilante justice. If you actually think that people convicted of crimes should be tortured and beaten up as part of their punishment, then pass laws that sentence them to that. It is not the job of convicts, prison guards or police officers to dole out punishment. The punishment is for the courts to decide, and if that not good enough, then change the laws.
Absolutely correct the laws need to be changed for pedophiles and facilitators of pedophilia.
If any of my relatives do what this guy did, then my relatives would get what they deserve.
And will you not be just as bad as your relative and deserve punishment for your wrong doings Maybe s councilor could help explain why people look at porn in the first place. Some people need help not to turn your check the other way.
Yeeahhh normally I’d agree with you, but not this time.
To condone violence against others as a solution is never going to work
Violence tends to cause more violence so even if it should technically solve a problem in most of the cases it still isn’t wise to use violence. If you are categorically against violence I respect you and if society treats even a monster like a human being I am proud about that. But in case of child pornography if violence happened against someone who did it or who profited from it I wouldn’t be unhappy if society collectively turned around and allowed someone punish the ones who ruined countless lives that just had begun for them.
if anyone close to me, no matter the relation, did this, and i found out about it. they would be lucky to survive long enough to go to jail. this is the most one of the most sickening things imaginable. absolutely no sympathy for these vomit inducing scumbags.
Have you considered if the victims were your kids? Anyone who does this to children, family or not shouldn’t receive any compassion. This is absolutely unacceptable, and if a family member did this to any children, I would personally impose physical discomfort on them and assist law enforcement as needed to ensure they stay locked up behind bars. So sickening!
Aside from the obvious outrage over this sleazy individual and his "line of business", I am somewhat disturbed over Firefox having such backdoor! Did anyone else notice that "little" nuance?
As much as I like the fact that it helped FBI to catch this guy, I am also appalled that it will help assist "strongmen" in Russia, Turkey, China, Iran, Venezuela to go after political opposition and dissidents. That should not be allowed, Mozilla foundation!
It was a zero-day vulnerability that had been patched by the time the story broke (I think it was even patched in the latest Tor Browser during the investigation, but not everybody had updated) and required JavaScript to be enabled (a bad security practice that I do not know why the Tor Project engages in by default).
Technically recent copies of Tor Browser ship with noscript enabled in whitelist mode where all scripts are disabled by default and must be explicitly enabled one by one. Most modern websites are broken with javascript disabled which is why the option to enable it is included instead of a blanket enable/disable option (which would, arguably, be far worse than the finer toothed noscript option). Not sure about the timeline, noscript may have been started to be included in response to this exploit.
I’m more than a little confused on the technology here. Was this a website on a traditional server that somehow shows up as an onion website?
It existed on the Internet but the website could not be accessed via a usual Internet address (“clearnet”) but only via an overlay network called Tor; it *was* possible to administer it via its IP address (not over the Web, but over other protocols like SSH), but things like vhosts can be set to disallow Web access without using the proper hostname, and it is not possible to get an IP address from a .onion domain (hidden-service name).
I think I get it now. I am not a regular Tor user. I have tried it out for yucks. But I see the Tor website also has instructions on how to create an onion website.
One of the worst federal charges that you can get nailed with is “Child Porn” Their is absolutely no defense if the fed’s do a hard drive forensic and find illegal images ” stick a fork in you , you are done !”
I have a theory. I could be wrong, but it's a theory nonetheless.

If something happened, and suddenly in all of the pedophile brothels of the world, especially the ones where the high-up scum of our world frequent, everyone perpetrating and helping to perpetrate the rape of children were to die or perhaps be slaughtered mercilessly by some unknown force or paramilitary group, I have a strong suspicion that suddenly, almost overnight, all of the scum of our society trying to destroy freedom, trying to force failed systems, destroy our borders, destroy good people and hype fools into nonsense would begin to lose its power in a dramatic way.
So far as I can tell, the alleged crimes took place while the accused was in Ireland. Why is he being extradited to the US?
The story linked at the bottom of the piece goes into that question in detail.
Short answer: The FBI had the evidence against him. They have much more credibility in US courts. Irish prosecutors declined to charge him so the courts would send him to the US where he’s *much* more likely to be convicted.
” Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. ”
US citizenship means he is subject to all US laws, no matter where he is.
That didn’t go so well for this fellow, eh?
“Government says…”
“Investigators allege…”
What does the evidence show? What is the defense saying?
It’s all well and good to report on convictions and the legal process, but what is the public interest being served by repeating salacious allegations from government thugs or name-calling the defendant for a headline?
Btw, calling child abuse imagery “porn” diminishes its seriousness. The legitimate porn industry helped build the Internet (1). Real porn is gross, but harmless. This crap, however, is a symptom of despicable abuse, and should be called as such: recorded images of child abuse.
That said, this case is nonsense. Even if the guy did everything alleged, it wasn’t in the US and he wasn’t in the US. The search warrants will be tossed out or it’ll end in a plea. It’s obvious that the FBI utilized NSA expertise and they’ll want to keep that out of the public record. No way this gets to a jury.
(1) google it.
Apparently you missed “Marques, who holds dual Irish-US citizenship”, and you didn’t read the Irish Times article that Brian pointed to and you are not familiar with US Extraterritorial jurisdiction (ETJ).
There are certain crimes that US citizens can be held accountable and indicted, no matter where they are perpetrated.
Also, extradition treaties come into effect.
Consider El Chapo in Mexico may have never set foot in the US. So using your logic, he could never be held accountable and tried in the US. But that’s not how the system works.
The only reason Ireland is surrendering Marques is their inability to do anything useful with the illegally obtained information gathered by the FBI, while not wanting to appear lenient regarding child abuse imagery.
Unlike Guzman, Marques is not alleged to have done any crimes, or directed crimes be done, in the US. The FBI was completely out of their authority to remotely investigate this case.
Guzman’s activities directly affected Americans.
US authority doesn’t extend into other countries when crimes don’t affect Americans. A long string of Supreme Court rulings have knocked down laws seeking to punish people who do bad things overseas. (1)
The process here is an attempt to circumvent the Irish jury system and intimidate Marques to plead guilty on arrival to the US. It will probably never reach a US jury, as it offends Americans’ sense of justice to consider illegally obtained evidence.
“US authority doesn’t extend into other countries when crimes don’t affect Americans.”
Ah, so none of the abused children were Americans. Is that right? It’s not mentioned in the article. And even if that were the case, are American children worth more than non-American children?
It seems him having US citizenship is enough to grant them jurisdiction, and I’m OK with that.
Supposedly, some of the offending websites were Japanese manga and other cartoons.
“it offends Americans’ sense of justice to consider illegally obtained evidence.”
Haha, you can’t be serious. Obviously, you haven’t seen much of our justice system in action.
The US does have jurisdiction to investigate crimes involving the hosting of child pornography. See link attached. He ran the websites, so yes he should be (and could be) investigated.
Sorry, forgot the link:
Anon1 – – I appreciate the info, but it doesn’t answer the question.
The FBI was correct to investigate this and I’m glad it ended in an arrest.
But they should have handed over the case to Europol or the Irish courts, once their “contractor” (1) reported that this (alleged) monster was in Ireland.
(1) yeah, this was outsourced.
He did not run the websites. He owned the website hosting company. That’s like the difference between a person who makes threatening phone calls and the person that runs the phone company.
In what scenario is it ordinary business conduct for a “phone company” to collect images of child abuse or encourage criminals to collect more?
This guy is alleged to be far more than a hosting provider. What evidence do you have to contrast that?
This is not a good comparison and you should be ashamed of yourself for spreading that kind of rhetoric. I hope you do not have children or children in your family. The guy hosting company was exclusively designed to hide CHILD PORN. You comparing this guy to a regular phone company that is designed for public communication and is sometimes used by A$$holes to make pranks.
I won’t judge you but I hope you were just being an A$$hole yourself and you didn’t mean it like how it sound.
As much as I would like to see this individual suffer in some direct physical sense, the civilized part of me will be satisfied if he is consigned for a LONG period of time to the Supermax in Florence, Colorado. For those not familiar with that prison, it’s been described as a living death, and rightly so.
HA! HA! More than one can play at this “hacking” game! Kudos to law enforcement for using the tools at hand!
So basically, all he did was provide VPS’s on Tor? Standard nothingburger from the FBI baby-killers.
Did Eric Eoin Marques burn 17 little children alive?
Eric Eoin Marques was not running the porn sites — he ran Freedom Hosting, an internet website hosting service that had 30,000 or more sites. Of those, the FBI claims 100 sites had child abuse images. Marques ran his business by himself. His terms of service stated that his customers could not upload anything illegal onto their sites or use their sites for any illegal purpose. He also had a privacy policy that he did not look at or go onto the sites being hosted on his servers. Holding Marques responsible for the contents of his customers' websites breaks new legal ground. This is like holding Amazon Web Services responsible for the contents of all the websites on AWS or holding Twitter responsible for all the tweets, pictures, and videos tweeted by the millions of Twitter users. The FBI has called Marques the largest facilitator of child porn , which has been effective at getting the public to rush to judgement. In reality, he is a guy with Asperger's syndrome who had a tor website hosting company in his bedroom, and 100 of the more than 30,000 sites were run by customers taking advantage of the situation to run sites with child porn. No one has suggested exactly how he was supposed to ferret out those abusive sites. Amazon Web Services also does not allow illegal content, but it refuses to remove illegal content that is reported to the company, which is a complex, obscure, and difficult process, unless there is a court order stating the content must be removed. In other words, AWS handles illegal content by ignoring it, even if it is reported, unless there is a court order stating it must be removed. The FBI never tried going to Marques with a court order stating which sites were to be removed, but instead, arrested him and charged him with crimes, as being responsible for the content of all the websites on his web hosting service. This breaks new territory in US internet crime prosecutions. Is the DOJ going to hold AWS, Twitter, Facebook, and all the internet giants responsible for all the content posted by all of its users? If not, exactly why are they doing that to this one guy from Ireland? Maybe that will be explained in this court case.
Is a diagnosis of Asperger’s an affirmative defense to anything?
Seems he was very high functioning if true.
We do not know if he was checking the contents of those he was hosting or not. Likely he was observed remotely or there is other evidence he was involved in more than hosting.
One wonders if the following is true, why he would do such a thing, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”
What was so precious on that laptop?
With the Cloud Act having been passed a year ago, the feds likely have much more information available than has been publicly released to date.
A person can dive for any number reasons, including to avoid the explosive end of an agent’s firearm. It doesn’t prove ownership or intent or guilt.
As for the law you mentioned, it came years after this guy was arrested. Doesn’t apply.
I think you hit the nail on the head. I was looking for information in this article that might highlight what he was doing instead of what the DOJ wants people to read. Admittedly I didn’t read the linked articles but it does appear you are right. He ran a hosting service that simply did not shutter some sites run by other individuals. Those are the people I want to see shut down. Not a hosting provider that has sites that Governments don’t like.
I am conflicted because he likely isn’t cooperating with investigators to close down the sites that SHOULD be closed. Possibly because the US Government would want other sites closed because they harm big companies or share secrets the government would like to not be shared.
But I don’t think we should rush to judgement that he or anyone should be harmed in jail just because a DOJ PR report said they did something so horrendous we don’t want to think about it. DOJ has been wrong before, and this piece appears to be another example if he was a web site hosting company and not actually involved with or visited or even received complaints about the offending sites.
Thanks for thinking logically. As exlained in many news stories, when the rented server used by Marques was taken down by the FBI, all the sites on it were taken offline.
And the story gets better still. Supposedly some of these alleged child abuse image sites are actually Japanese manga or other cartoons. That’s why it’s so important to see what the evidence actually is.
Can you cite to this research, so we may also read it?
In regards to the CP sites actually “only hosting Japanese Manga or other cartoons”.
He would have known about the childporn sites in 2011, when Anonymous started Operation DarkNet and was DOS’ing his hosted sites.
You have it all wrong. In some of the other research and articles about Freedom Hosting, Marques clearly knew what servers and sites his clients were hosting (CP) and still continued to let them operate on his hosting and in some cases even helped them to avoid takedowns or LE operations.
He is not some innocent random guy who ran a website hosting company as you claim. He knowingly helped to host CP and disgusting sites and keep them online.
Can you cite to this research, so we may also read it?
Sure thing. He was fully aware of the content he was hosting and actively marketed it as such.
“Prosecutors say that Marques was born in the United States of America, but that he’s an Irishman who fled the United States of America to set out upon a profitable venture on the internet with the intention of targeting child pornographic distribution networks in order to make his fortune, and that’s what the FBI says he did.”
“The Federal Bureau of Investigation participated with coordination of the low-key raid on Marques, where for years he’d bragged to the pedophiles using his services that he was untouchable.”
“The argument from the FBI is that Marques was fully aware of what he was doing; knowing that child pornography was being hosted on his services and that he was profiting from this.”
Thank you.
Unimaginable that people treat the worse child abuse so lightly.
You should consider getting your information from more reliable sources . He “fled” the United States at the age of 4 because his parents moved back to Ireland and imagine this – they took their 4 year old with them. He is only a US citizen by birthright; neither of his parents is a US citizen and he lived only a few years in the US, as a young child.
IF that is the case, then it will set and change precedent and you’d see Facebook, Twitter et al flip their lids over it. I seriously doubt that is the case.
I’m confused. How can the FBI have jurisdiction here?
Unless the pedo-websites were actually hosted in the US or the operator resided in the US, the FBI should not be involved as it is a national bureau of investigation with jurisdiction in the US alone. Eric Eoin Marques lived and operated the site from Ireland.
To echo the comments of ‘Thinking Further’ above.. There was a lot of collateral damage when Freedom Hosting was shut down. I don’t think many people realized how many (non-porn) Tor sites were running on Freedom Hosting until it disappeared.
If Marques was knowingly hosting child porn sites, that’s a problem that needs to be dealt with. I’m not sure that we can jump to that conclusion.
It’s not clear whether, or to what extent, he knew what was being hosted. An ethical hosting provider does not go sifting through the contents of their customers’ data. If they receive an abuse complaint, they are aware at that point and have a duty to respond. It’s doubtful that the child porn sites identified their hosting provider, and due to the nature of Tor there was no other way of identifying and contacting the provider. It’s highly unlikely that Freedom Hosting was notified of the content.
This is likely a case of the Marques taking the money and looking the other way, but pursuing criminal penalties for child porn/abuse appears to be inappropriate.
He had to have known he was hosting childporn by 2013. Anonymous started DDOS’ing those sites in 2011 as part of Operation Darknet. To say a hosting provider wouldn’t be aware of the systems issues and the publicity surrounding it is just not credible.
The article you linked does not back up your claims. It is not likely their efforts, which were crimes in themselves, knocked anything off tor, let alone any specific offensive sites. Just because someone called calling themselves Anonymous claims to be doing something does not mean it is actually happening.
“The sites could only be accessed using the Tor Browser Bundle”
This isn’t strictly true, you do need to use Tor, but you can use that with any browser if you have the service running on your computer. The Tor Browser is just a tool that make Tor easier to use.
Not so, Charlie. Most children who become the subjects of child porn images and videos have this done to them by their parents, guardians, or other people in their lives who are in a position of trust. That’s why going after the creators of child porn, or those that run websites trading in child porn, makes sense.
Putting criminal responsibility onto the man who ran a website hosting service, the terms of service of which clearly stated that no illegal contents were allowed onto the sites, makes little to no sense. If you want website hosting services to be responsible for the contents of all the websites on the host services, then no one will be able to be a website host.
This is quite like holding the phone company responsible for everything everyone says on all phone calls. It makes no sense. Should the presidents of Iphone and Sprint be put in prison because teenagers are sexting and old men are sending dick pics?
And what about dissidents and people who are trying to fight government oppression who might be facing torture and death because of backdoors. Study the history of oppressive regimes and they often start with violations of civil liberties that are emotionally justified but then lead to abuses that include genocide.
I would also add that in the US a person is innocent until found guilty by a jury. If you think vigilante justice works read "The Oxbow Incident"
I wonder if this was leveraging the WebRTC exploit because all the info i read points to it.
A lot of common VPN providers were also effected by this browser issue!
So glad you reported on this development. At a time when the FBI seems to be under attack for political reasons, it is good to push a story like this to the forefront. Child porn, and those profiting from it need to be tracked down and held accountable.
Thanks Krebs for keeping us informed. You do a great job.
It’s unbelievable the comments you read on a site like this. Away with law and justice, back to the middle ages and inquisition times. Let’s forget innocent until proven guilty.
BTW, how do all these people know these children were tortured? Were they visitors to those sites? Maybe it were just nude pictures, also illegal. Instead of ramblin around here, they’d better spend their time taking care of children around them to make them happy, self confident grown ups who actually read articles (the majority of commenters clearly didn’t) and don’t feel the need to publish such rubbish in comment sections.