
How Operation Onymous managed by law enforcement impacted Tor network

What changed after law enforcement took down several illegal marketplaces as part of Operation Onymous?

The recent shutdown of several black markets in the Tor network, including the popular Silk Road 2.0, has drawn media attention to the extent of illegal activity in the part of the web known as the Deep Web. Operation Onymous, coordinated by Europol’s European Cybercrime Centre (EC3), dealt a major blow to organized crime groups that had been exploiting anonymizing networks such as Tor.

Following the euphoria over the success of the operation by the police of many countries, privacy and security experts began to question how the police were able to locate the servers hosting the hidden services and the operators who ran the illegal activities. Members of the Tor Project published a blog post titled "Thoughts and Concerns about Operation Onymous", in which they try to explain how law enforcement could have located the hidden services.

“Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used.” states the post.

They hypothesized that law enforcement exploited one of the following scenarios:

  • Lack of Operational Security of hidden services.
  • Exploitation of bugs in the web application.
  • Bitcoin de-anonymization.
  • Attacks on the Tor network.

The anonymity of the location of a server behind a hidden service is ensured under the following conditions:

  • The hidden service must be properly configured.
  • The web server must not be vulnerable: it must not be affected by any flaw and must be properly configured.
  • The web application should have no flaws.
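One concrete piece of the first two conditions is that the web server behind a hidden service should be reachable only through Tor, never directly on a routable address, because a directly reachable server can be tied to the onion site and its hosting provider. The script below is an added example, not code from the article or from the Tor Project: it audits a constructed torrc fragment and a constructed set of nginx-style `listen` directives and reports every hidden-service forward or web-server bind that is not on a loopback address. The torrc `HiddenServicePort` syntax and the nginx `listen` syntax are real; the sample configuration lines, the assumption that a `listen` directive without a host binds all interfaces, and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample torrc fragment (not from the article). The second
# HiddenServicePort deliberately forwards to a routable address.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 203.0.113.10:443
"""

# Constructed sample nginx-style listen directives, one per line.
# "listen 8443;" has no host part; nginx then binds every interface.
SAMPLE_LISTEN = """\
listen 127.0.0.1:8080;
listen 0.0.0.0:443;
listen 8443;
"""


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback IPv4/IPv6 address."""
    if host.strip("[]") == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def parse_hidden_service_ports(torrc: str):
    """Return (virtual_port, target_host, target_port) for each HiddenServicePort line.

    A bare target port (e.g. "HiddenServicePort 80 8080") means 127.0.0.1 in tor.
    """
    entries = []
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+(\d+)\s+(\S+)\s*$", line)
        if not m:
            continue
        vport, target = int(m.group(1)), m.group(2)
        if ":" in target:
            host, port = target.rsplit(":", 1)
        else:
            host, port = "127.0.0.1", target
        entries.append((vport, host, int(port)))
    return entries


def parse_listen_directives(conf: str):
    """Return (host, port) for each nginx-style 'listen' line (assumption:
    a directive with no host binds all interfaces, reported as 0.0.0.0)."""
    binds = []
    for line in conf.splitlines():
        m = re.match(r"\s*listen\s+([^;\s]+)", line)
        if not m:
            continue
        value = m.group(1)
        if ":" in value:
            host, port = value.rsplit(":", 1)
        else:
            host, port = "0.0.0.0", value
        binds.append((host, int(port)))
    return binds


def audit(torrc: str, listen_conf: str):
    """List every forward or bind that would expose the service outside Tor."""
    findings = []
    for vport, host, port in parse_hidden_service_ports(torrc):
        if not is_loopback(host):
            findings.append(
                f"HiddenServicePort {vport} forwards to non-loopback {host}:{port}")
    for host, port in parse_listen_directives(listen_conf):
        if not is_loopback(host):
            findings.append(f"web server listens on non-loopback {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC, SAMPLE_LISTEN):
        print("FINDING:", finding)
```

Run against the constructed sample it reports three findings: the forward to 203.0.113.10, the bind on 0.0.0.0:443 and the host-less bind on port 8443. A clean configuration produces an empty list; in practice the same check should be complemented by confirming, from outside the host, that the web server's ports are not reachable on the machine's public address.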

An attacker able to exploit a vulnerability in the web server or in the web application (for example the e-commerce system the operators expose to offer the illegal products) could easily compromise the targeted hidden service.

For example, an SQL injection flaw could give access to many functions of the hidden service and could allow an attacker to dump its database.
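To make the SQL injection point concrete, here is an added example that is not from the article: a minimal order-lookup function written the vulnerable way (string formatting) next to the hardened version (parameter binding), run against a constructed in-memory SQLite table. The table, the sample rows and the function names are assumptions for this example; the point it shows is that with string formatting a crafted lookup value changes the query itself and returns every row, while with bound parameters the same value is treated as data and matches nothing.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a marketplace's orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, buyer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders (buyer, item) VALUES (?, ?)",
        [("alice", "book"), ("bob", "lamp"), ("carol", "pen")],
    )
    return conn


def lookup_vulnerable(conn, buyer):
    """Vulnerable: the caller-supplied value is spliced into the SQL text,
    so quote characters in it become part of the statement."""
    sql = f"SELECT buyer, item FROM orders WHERE buyer = '{buyer}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, buyer):
    """Hardened: the value is passed as a bound parameter; the database
    driver never interprets it as SQL syntax."""
    sql = "SELECT buyer, item FROM orders WHERE buyer = ?"
    return conn.execute(sql, (buyer,)).fetchall()


def row_count_difference(conn, value):
    """Rows returned by the vulnerable lookup minus rows returned by the
    hardened one for the same input; non-zero means the input altered the query."""
    return len(lookup_vulnerable(conn, value)) - len(lookup_hardened(conn, value))


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    # Constructed test input containing a quote and an always-true clause.
    crafted = "' OR '1'='1"
    print("benign, vulnerable:", lookup_vulnerable(db, benign))
    print("benign, hardened: ", lookup_hardened(db, benign))
    print("crafted, vulnerable:", lookup_vulnerable(db, crafted))
    print("crafted, hardened: ", lookup_hardened(db, crafted))
```

The hardened version is the fix: every place the application builds SQL from request data should use the driver's parameter binding (or an ORM that does so), and a review that greps for f-strings, `%` formatting or concatenation feeding `execute()` is a quick way to find the remaining vulnerable spots. Unexpected full-table reads from a lookup endpoint, as in the vulnerable branch here, are also a useful signal in database or application logs.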

The list of dark markets seized by law enforcement includes Alpaca, Black Market, Blue Sky, Bungee 54, CannabisUK, Cloud Nine, Dedope, Fake Real Plastic, FakeID, Farmer1, Fast Cash!, Flugsvamp, Golden Nugget, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards, Silk Road 2.0, Smokeables, Sol’s Unified USD Counterfeit’s, Super Note Counter, Tor Bazaar, Topix, The Green Machine, The Hidden Market and Zero Squad.

Kaspersky security researchers Stefan Tanase and Sergey Lozhkin wrote an interesting blog post analyzing the impact of the recent law enforcement operation on the Dark Web.

According to the researchers, the takedown affected only a limited number of Onion sites, just 5 percent; nearly 21 percent are still alive and 74 percent of the onion addresses are offline.

“Right now there are 4 times more hidden websites online in the Tor network than those that were shut down.” state the researchers in the post.

Security experts consider the effect transient. Unfortunately, cybercrime is almost impossible to eradicate completely, and the researchers are aware that new illegal services will soon replace the websites that were taken down.

Experts at Kaspersky analyzed the number of hidden services set up after the Operation Onymous takedown. The graph in their post shows the number of new .onion addresses appearing each day, and a spike is evident just after the law enforcement operation.

The analysis of the lifetime of the Onion sites taken down in Operation Onymous shows that the majority of the targeted websites had been alive for at least 200 days on average, but usually not more than 300 days.


The experts at Kaspersky explained that to de-anonymize Tor users it is enough to compromise a poorly configured server or the web application it exposes; there is no need to search for and exploit an alleged vulnerability in the Tor architecture.

The researchers state that, to find the physical location of a server, it is possible to compromise it and install a backdoor, for example by exploiting a vulnerability in a third-party application used by the dark marketplace.

Another possibility for law enforcement is to compromise, with spyware, the machine of the administrator of an illegal website, once that person has been identified through ordinary investigation; in this way the agents gain access to the machine and collect information on the administrator's activities and network of contacts.

“This could be easier than it seems: for example, if a vulnerability is found in a hidden service, it is possible to rig its admin page with an exploit and wait for when the drug shop administrator will access his site. Then he would be infected with malware as a result of this highly targeted waterhole attack.” states the post.

The researchers also mentioned the possibility of infiltrating the operators of the dark market or hitting them with spear-phishing.

In summary, nobody really knows how law enforcement located the servers behind the illegal hidden services.

Pierluigi Paganini

(Security Affairs –  Deep Web, law enforcement,  Operation Onymous)

