
FBI agents tracked Harvard bomb threats despite Tor



This week, Harvard was rocked by an unsigned bomb threat, sent from a throwaway email address and timed to disrupt final exams. It was a seemingly anonymous threat, but just two days later, authorities traced it back to sophomore Eldo Kim, who is now awaiting trial in federal court. Kim used two separate anonymity tools to cover his tracks: the Tor anonymity network, which hid the origin of his web traffic from the sites he visited, and the temporary mail service Guerrilla Mail, which gave him a one-time email address. Neither was enough to throw authorities off the trail.

Tor led them to Eldo Kim, who promptly confessed

Kim's mistake, it turns out, was connecting to Tor through Harvard's wireless network, which records the connections each registered user makes. The FBI first traced the emails back to Guerrilla Mail, and the messages themselves indicated that the service had been reached through Tor. The article originally speculated that Guerrilla Mail volunteered this information when faced with a federal counterterrorism investigation, but no such step was needed. (UPDATE: Security researcher Runa Sandvik points out that the originating IP address would have been revealed in the email header. That address would belong to a Tor exit relay, and the addresses of Tor relays are public, so anyone reading the header could tell the mail had come through Tor.) Suspecting a Harvard student was behind the threats, agents had the university check its wireless logs for anyone who had connected to Tor in the hours before the emails were sent. That led them to Kim, who promptly confessed.
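The two checks described above, reading the originating address out of the email header and looking for campus wireless connections to Tor relays shortly before the email was sent, are easy to automate. The following is an added example and not code from the article or from any investigator; the relay list, the email and the wireless log lines are all constructed from RFC 5737 documentation addresses, and the log format is invented for illustration. It assumes, as the update above states, that the throwaway-mail service stamps the sender's address in an `X-Originating-IP` header, and that a current list of Tor relay addresses is available (in practice fetched from the Tor Project's published exit list or relay data rather than hard-coded).

```python
"""Added example (not from the article): automating the two checks that
identified a Tor user on a campus network. All addresses, the e-mail and
the log lines below are constructed; nothing here is real investigative data."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed stand-in for a published Tor relay list. In practice this is
# fetched from the Tor Project and refreshed often, since relays come and go.
TOR_RELAYS = {
    "203.0.113.10": "exit",
    "203.0.113.11": "exit",
    "198.51.100.5": "guard",
    "198.51.100.6": "guard",
}

# Constructed e-mail as a throwaway-mail service might deliver it: the service
# stamps the address the sender connected from, which for a Tor user is an
# exit relay, not the sender's own machine.
SAMPLE_EMAIL = """\
From: anon@example.invalid
To: admin@example.edu
Date: Mon, 16 Dec 2013 13:30:00 +0000
X-Originating-IP: [203.0.113.10]
Subject: (threat)

...
"""

# Constructed wireless-controller log lines (invented format):
# timestamp, authenticated user, destination address and port.
SAMPLE_WIFI_LOG = """\
2013-12-16T12:40:12+00:00 user=alice dst=192.0.2.50:443
2013-12-16T13:05:47+00:00 user=bob dst=198.51.100.5:9001
2013-12-16T13:07:02+00:00 user=carol dst=192.0.2.80:443
2013-12-16T13:12:30+00:00 user=bob dst=198.51.100.6:443
2013-12-15T09:00:00+00:00 user=dave dst=198.51.100.5:9001
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<ip>[\d.]+):\d+$")


def originating_ip(raw_email: str) -> str | None:
    """Return the address in X-Originating-IP without brackets, or None."""
    msg = message_from_string(raw_email)
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    return value.strip().strip("[]")


def classify_originating_ip(raw_email: str) -> str:
    """Label the sender's address as a known Tor 'exit', 'guard', or 'unknown'."""
    ip = originating_ip(raw_email)
    return TOR_RELAYS.get(ip, "unknown") if ip else "unknown"


def tor_users_before(raw_email: str, wifi_log: str, window_hours: float) -> dict[str, list[str]]:
    """Map each wireless user who contacted a known Tor relay in the
    window_hours before the e-mail's Date header to the relays contacted."""
    msg = message_from_string(raw_email)
    sent = parsedate_to_datetime(msg["Date"])
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    start = sent - timedelta(hours=window_hours)
    hits: dict[str, list[str]] = {}
    for line in wifi_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole pass
        ts = datetime.fromisoformat(m["ts"])
        if m["ip"] in TOR_RELAYS and start <= ts <= sent:
            hits.setdefault(m["user"], []).append(m["ip"])
    return hits


if __name__ == "__main__":
    print("originating address is a Tor:", classify_originating_ip(SAMPLE_EMAIL))
    print("users reaching Tor relays in the prior hour:",
          tor_users_before(SAMPLE_EMAIL, SAMPLE_WIFI_LOG, window_hours=1))
```

On the constructed data the header check labels the originating address as a Tor exit, and the log correlation returns only `bob`, who reached two guard relays within the hour before the email; widening the window to two days also picks up `dave`, which is the usual trade-off with this technique: a short window narrows the suspect list but misses a sender who connected to Tor well in advance. Note that this only shows who used Tor on that network and when; it does not show what they did over it, which is why the investigation still ended with an interview rather than a packet capture.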

It's a reminder of the limitations of Tor. Tor hides where a user's traffic is going from the local network and hides where it came from at the destination, but it does not hide that the user is talking to Tor at all: the addresses of Tor relays are public, so any network operator can see who connected to them and when. In this case, law enforcement could see that Kim had connected to Tor from the campus network and that someone had used Tor to send the threats, which was all they needed. In an official statement, a Harvard spokesman said the community was "saddened by the details alleged in the criminal complaint." Kim currently faces up to five years in prison and a fine of up to $250,000.