A Kiwifarmer purportedly invited to da cop shop! Click for full size.

Not so long ago I saw a very odd post on Twitter about the currently down, terrorism, paedophilia and stalking site Kiwifarms. An image had been shared in a Kiwi Farms Telegram chatroom, and then re-posted to Twitter where I saw it. It was a purportedly a letter from West Yorkshire Police to a suspect inviting them to a PACE interview (a police interview under caution) about posts on Kiwi Farms. The letter appeared real. The difficulty is, how could a police force obtain the IP address of a poster? After some thought, I realised that all but one of the mechanisms I could think of involved hacking or at least joining Kiwi Farms. Under recent laws, British police can hack websites – which got me thinking about the timing of the recent hack in which the site’s data was deleted.

If the letter inset is real, police must not only know that the user visited Kiwifarms, but have specific evidence that they posted there. After considering the ways to do it, I thought of three mechanisms police could obtain this. Each of these has variations. Firstly, they could intercept traffic from a suspect’s address with a warrant. However, the site is protected by SSL so a simple network interception could only show that the user viewed Kiwifarms, not which part of the site and not what (if anything) they posted. It could not tell if they were logged on nor to which user.

To intercept the content of SSL traffic without detection would require a man-in-the-middle attack performed with a certificate generated with a root key trusted by Windows / Linux / MacOS / Android. It is well known that products exist for the security services for precisely that purpose (archive), so this is possible. With the right key, the security services could just run off their own trusted certificates on the fly. However, that would imply an ongoing warrant.

An alternative way to do it would be to sign up on Kiwifarms then DM a user suspected to be a British person a link which trapped their IP address. This might require authorisation under the Regulation of Investigatory Powers Act 2000 (RIPA).

Finally, it occurred to me that the police could simply hack Kiwifarms. Under UK law, this could be legal. Last year, the UK passed the Covert Human Intelligence Sources (Criminal Conduct) Act 2021. This amended RIPA to literally let the police and security services commit crimes, with no limitations on the type of crime whatsoever, including murder, torture and rape. Hacking is small beer – theoretically the police could blow up the data centre. However, the crimes must be authorised under s29B and must be proportionate. The Human Rights Act 1998 also still applies. Therefore, it is doubtful a murder could be authorised unless, for example, many other lives would be saved.

Hacking Kiwifarms, intercepting all their traffic, stealing all the users’ IP addresses and installing Remote Administration Tools (RATs) on their devices as well as Network Investigation Tools (NITs) then deleting all the content would be a far easier sell. Kiwifarms has organised terrorist activity with near impunity for years. Multiple hosts have banned it for hosting child pornography. Its owner is in a foreign state and the main country involved, the United States, is not helpful. Kiwifarms generates lots of crimes in the jurisdiction, including harassment and terrorism. The criminality was escalating at the time the hack began.

If I was a judge, or senior police officer, I simply cannot see much in the way of objection to granting a Criminal Conduct Authorisation to take it down. It is a stalking and terrorism site, clearly organised crime, it has negligible legitimate purposes. Hacking it and deleting all the data, combined with psyops, would create negligible collateral damage to non-perpetrators. I would see an authorisation for hacking as superior to an authorisation for a DDOS attack for that reason.

Which raises questions about the nature of the Twitter account claiming responsibility, @OpSyndicate42, as well as its mockery of the FBI – good natured ribbing from their rivals and partners from across the pond? If the NCA was sharing Kiwifarms user IP addresses with local UK police forces, it would explain their comments about the site users, “dropping like flies”. MHN has put in an inquiry to West Yorkshire Police about the issue to try to verify if the letter is genuine. This article will be updated if a reply is received.