On August 3, 2017, the FBI broke into Buster Hernández’s home on a remote street in Bakersfield, California. The first thing Hernández did was to disconnect a USB from his laptop. This prevented the authorities from obtaining evidence of his recent activity. But it was already late. Despite Hernández’s technological sophistication, the FBI already had material against him.

From that laptop and that room, for at least five years, Hernández had used Facebook and other social networks for a refined and extensive campaign of harassment: he extorted in exchange for sexual videos (what is known as extortion), threatened to blow up a school and killing dozens of people, and trafficked child pornography. Hernández (California, 1990) chose his minor victims and wrote them a similar message, according to court documents: “Hello [nombre]I have to ask you something more or less important. How many boys have you sent dirty photos to because I have a few of yours? ” Hernandez obviously had nothing, but it was a way of confusing his potential targets.

On the Internet Hernández was Brian Kil, his main pseudonym but not unique. This Tuesday the Motherboard website has revealed a “unique” action in the history of Facebook: the social network paid more than $ 100,000 for a cybersecurity company to create a zero-day attack to access the IP address of the cybercriminal. A zero-day attack is the most valuable because it detects a vulnerability in the software that the developer company does not know about. Anyone who knows it can sneak into someone else’s system. It is unclear, according to Motherboard, whether the FBI knew the details of Facebook’s action.

Hernández used Tails, an operating system that uses the Tor network to navigate and encrypts all traffic. Through successive connections, Tor misleads anyone trying to obtain the IP address from which someone accesses the Internet. Hernández had hundreds of e-mails and social media accounts to pursue his victims. But his trail was nowhere to be found.

Two former Facebook employees have admitted to Motherboard that Hernández was famous at the company’s headquarters and considered him the worst criminal the social network had ever used. Facebook dedicated an engineer for two years to track him down and ended up developing new automated software that detected users who created accounts and tried to approach minors (Facebook allows users to have an account from the age of 13). That program apparently allowed to find several pseudonyms of the cybercriminal.

The desperation of those responsible for the company caused Facebook to dedicate unique and extraordinary resources to hunt down this criminal. “It was a unique case because he used such sophisticated methods to conceal his identity that we took the extraordinary step of working with security experts to help the FBI bring him to justice,” says a company spokesperson on the case.

Reading the FBI court report offers a repertoire filled with disgusting actions. But despite the evident evil and terror caused by Hernández, the problem with Facebook’s action is the weakness of the criteria. When will there be a new “unique” case? When will the company believe again that a criminal is smart enough to devote hundreds of thousands of euros to their capture?

The advantage of the method chosen by Facebook is that it does not open a permanent window for the FBI to observe suspicious users. It is a unique single-use program. Either way, it highlights the immense power of a company that chooses to hack one of its users.

Tails developers found out about the story when the Motherboard reporter called them. Zero-day attacks, as long as the company does not patch the security hole, can be used as many times as attackers want. Tails is a common program among activists and journalists: it is almost impossible to trace. Or it was, until the company hired by Facebook found a way to enter. Facebook says it did not notify Tails after the cybercriminal’s IP was discovered because in a later update the vulnerable code was removed. That zero-day attack, therefore, no longer worked.

The FBI posted the code lines of the attack on a video that an agent posing as one of the victims sent via Dropbox to Hernández. When the criminal reproduced it on his computer, the vulnerability allowed authorities to discover his IP. The service provider company gave them the physical address on a street on the outskirts of Bakersfield, near the entrance to the famous Joshua Tree National Park, and thousands of kilometers from where their victims lived, scattered throughout the country. There Hernández resided with his girlfriend. The FBI stared at the suspect for weeks to see if the connections matched his schedule and conducted other tests.

“I want to be the worst cyber-terrorist in history,” Hernández wrote to one of his victims. The stalker was aware of his technical ability and ability. His obsession with one of his victims, who lived in the State of Indiana, led him to threaten a massacre at the school where he was going. The school closed one day as a precaution and the community’s concern led them to organize a session with the police to explain details of the case. Hernández managed to sneak in another meeting of his victims, to explain what was said in it. “I need you to go 1,000%,” he threatened.

Then he published the details on the Internet to make believe that he himself had been one of the attendees. The fat blonde lady with the glasses over her head and the patterned shirt under a white jacket, who asked how we know she is not here. I was, and I learned a lot, ”he wrote. “What will happen if you are not caught,” charity would not stop shaking its head when you asked that charity [sic]. If they don’t catch me, I will make more threats and kill your children, ”he added.

Threats to minors who sent them a photo or video grew over time: “I know where you live. I will go at night. I will go to all my slaves at night sometime. Have I ever made you cry? ” He gave explicit details of how the sexual scenes should be. He sent examples from other videos where girls cried doing those same acts.

The trial has been held this year in Indiana and is slated for sentencing, which should be made public in September. Hernández has pleaded guilty to most charges. In prison, “B. K. ”, the initials of Brian Kil.

