Use of Tor pointed FBI to Harvard University bomb hoax suspect

Harvard University Logo

Harvard University LogoA 20-year-old US man and Harvard University student was arrested on Tuesday and charged with allegedly sending bomb threats to get out of a final exam.

An affidavit filed by the FBI on Tuesday alleges that Eldo Kim, of Cambridge, Massachusetts, on Monday morning emailed multiple bomb threats to Harvard University offices, including to the university’s police department, two Harvard officials, and the office of the president of the Harvard Crimson, which is Harvard’s daily student newspaper.

The subject line of the identical messages read “bombs placed around campus.”

The body of the email message:

shrapnel bombs placed in:

science center
sever hall
emerson hall

2/4. Guess correctly.

be quick for they will go off soon

The buildings referenced in the email are on the university’s main campus in Cambridge, Massachusetts.

Harvard police called in the FBI, and the four buildings were immediately evacuated.

Bomb technicians and hazmat officers combed through the buildings for several hours but concluded that the threats must have been a hoax.

When it investigated the email messages, the FBI found that they’d come from Guerrilla Mail: a free email service that creates temporary, anonymous email addresses.

They also discovered that whoever had sent the emails had accessed Guerrilla Mail through the Tor anonymizing service, the affidavit says.

Tor is an anonymizing service that directs traffic through a worldwide, volunteer network that makes it difficult for law enforcement to trace a user.

Tor has, at least in the past, thrown up road blocks to law enforcement, as was made clear with the “Tor stinks” presentation from the National Security Agency (NSA) that The Guardian published in October.

TorLaw enforcement leapt over the road block pretty easily in this case, however: investigators figured out that in the several hours leading up to the receipt of the email, Eldo Kim had allegedly accessed Tor using the university’s wireless network.

As security analyst Bruce Schneier pointed out in a blog post on Wednesday, this case underscores how using Tor can raise a red flag when somebody’s actually trying to pass undetected:

This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess.

The affidavit says that Kim told investigators that he had picked the email recipients at random from a university web page and did it to get out of an exam scheduled for Monday morning.

The FBI also says that Kim stated that he had chosen the word “shrapnel” because “it sounded more dangerous.” He also told investigators that he wrote “2/4. guess correctly” so it would take more time for police to clear the area.

Kim was in Emerson Hall, where his exam was scheduled to take place, at 9 a.m. on Monday.

The affidavit says that when Kim heard an alarm go off, “he knew that his plan had worked.”

He could face a maximum five years in prison, three years of supervised release, and a $250,000 fine if charged under the bomb hoax statute, according to a press release from the Boston US District Attorney’s office.

Image of stock exchange courtesy of Shutterstock.