Two days ago I posted an article about suspicions that Kiwi Farms, the despicable paedophilia, terrorism and hate site run by Joshua Conner Moon, has been hacked by law enforcement. Moon (who has legally changed his name to James Gabriel Potter) was forced to take the site down and notify users of the hack. Subsequently, at least one user complained of being invited to interview by British police. So, I asked the police force concerned. I expected that if it was a hoax they would say so. On the other hand, if there was an investigation and they did have the data, they would give a vague answer citing privacy and data protection laws. So, MHN received a response and it is door number 2.
The police response bears some parsing. I sent them a letter found on Twitter, with the West Yorkshire Police force logo purportedly inviting a Kiwifarms poster to a formal interview, but which had the suspect’s name blanked out. I asked the following questions –
“(1) Is there any form of investigation into posts on Kiwifarms ongoing, by or in conjunction with, West Yorkshire Police?
(2) What would police say in general to persons proposing to join and / or post on illegal websites?
(3) Is the letter genuine (copy attached)?
(4) Have UK law enforcement come into possession of the user and IP data from the recent hack of Kiwifarms?
(5) Did the National Crime Agency hack Kiwifarms?”
I received in response, “We are unable to comment on named individuals”. However, fairly obviously no individual is named in the letter I sent them. Also, none of my questions refer to a named individual. If the letter was forged, data protection and privacy laws would not be engaged. The police would have no reason not to just say it was a forgery. However, these officers in West Yorkshire are not acting like a police force that has been forged, nor a police force that is triumphantly announcing a win. This comes across as a force that is working with partner agencies on a list of offenders and is likely to be concerned about undermining an ongoing, wider investigation. It is similar to how police act when they have obtained the members list from a drugs market darknet site, for example.
What does it mean for Kiwifarmers? Well, it basically means they are in trouble. Joshua Conner Moon / James Gabriel Potter advises users to use TOR or a no-log VPN when accessing his site (whilst simultaneously insisting it is totally legal). The problem is, that is not enough when dealing with the FBI or worse, the British equivalent being the National Crime Agency (NCA). They have tools that can breach TOR Browser, even TAILS (archive) or similar protections and obtain a perpetrator’s IP address. In his public statement (archive only), Moon admitted that he does not know what was in the payload the hackers downloaded to Kiwifarms user devices: “I do not know what was in the payload. The webhook site allows for you to redirect to other scripts and to delete request history, which was done. There’s no information tied to that page”. Worse for the despicable Kiwis, unlike the Americans the British police can give themselves a license to commit crime. Any crime.
Unlike similar American legislation, a British Criminal Conduct Authorisation under s29B Regulation of Investigatory Powers Act 2000 (as amended) has no legal prohibition on police licensing murder, rape, torture nor entrapment, as the Institute for Advanced Legal Studies points out (archive). They can literally sell a suspect child pornography, then when the suspect downloads the pornography (which counts as ‘making’ it in UK law) they can arrest said suspect for manufacturing the child porn they just sold them. They can help plan a bombing, provide detailed bomb-making instructions and then arrest their accomplices in the act for terrorism or shoot them dead. They can help plan a school shooting then arrest the perpetrator the day before it is planned to happen for conspiracy to mass child murder. They can outsource and license non-police to commit crimes. Any crimes.
As a software developer and the owner of an IT company with a significant security practice, I am aware that there are protections that will even offer protection against the FBI or NCA Network Investigation Tools (NIT). However, I have never seen Joshua Moon or his little playmates mention them or even demonstrate an awareness of their existence. Therefore, I would anticipate police would have near 100% success at harvesting Kiwifarmer residential or work IP addresses. Meanwhile a few Kiwifarmers in their Telegram chat have been wisely growing uneasy about the security of their data, or even whether the other posters are true and honest Kiwis. Too late.
Anyone who has posted on Kiwifarms in the last year or so should fear a letter, a knock at the door, or worse – simply a crash as it is smashed open.
[Salty Kiwi rant redacted by MHN when I’d finished laughing]