@thread
Marques was arrested originally in late July. There is no public data confirming how that initial arrest came to be - how the FBI got on Marques initially. In this week's reports, the FBI is saying that they have "linked" Marques to U.S. bank accounts that were used to pay for servers leased at an unspecified hosting company in France. Did they get those bank records after the raid in late July - or before, and use them to trace to Marques? We don't know, yet.
Which means they had a reason to be watching the guy in the first place. Loads of people pay for servers located in foreign countries - so what? That's not enough reason for the FBI to be watching someone, so the real question is how did he manage to stick himself on their radar? I don't think the very fact that he was running Freedom Hosting was the reason, so perhaps one of the hidden site owners let on their (possibly CP) site was being hosted by Freedom Hosting.
Even if that were so, what would happen next? Was it public fact that Marques ran Freedom Hosting? Did the FBI contact him and ask him to collaborate? Did he accept or refuse? If he accepted, what then? Assuming the Hidden Services were configured correctly, could Marques (with access to all of the servers as their leaser/renter) be able to know which sites held what? On paper yes - they were very likely VPS instances, so their virtual drives could be mounted and read (and possibly written, too); I'm willing to bet they weren't encrypted (that's something I need to play with actually), but would he be interested in trawling through them?
OK, so suppose he refused. It would be trivial then for the FBI to "ask" the data centre for access to the machines. However, if the FBI were after one particular site (and assuming the hidden servers were paid for anonymously) neither Marques nor the DC would know (or should know) which sites were sitting on which IP addresses on which piece of hardware - I doubt they would be willing to go through (possibly hundreds) of VMs.
Could that explain why
all of the hidden servers were infected with Torsploit, rather than a few?
If Marques wasn't aware of the FBI's interest in him, then something else must have leaked - billing information certainly isn't enough. IP address? Somebody's (physical or electronic) mouth? Association with someone "known to us"? "unmasked with NSA-devised techniques" doesn't really tell us anything.
I'll throw something else in. The FBI is a police organisation; investigating and solving crimes, and bringing people to justice is what they do. The NSA however is a political organisation (as far as I can see). they are effectively the specialist SIGINT wing of CIA, spun out as an independent "business unit".
So the question is: why would they get involved in this? What's in it for them? What attracted them to it? Could be an axis of a) the FBI having no luck taking down a site and being embarrassed by that fact and b) the NSA having a chance to flex their muscles against Tor (and get a bigger budget)?
pitcher/catcher IP FOIA to NSA: classified