83 Percent of Tor hidden service traffic flowed to Pedo websites. Study finds.

Pierluigi Paganini January 02, 2015

A recent study conducted by researchers at the University of Portsmouth revealed that over 80 Percent of Tor network visits is related to pedo sites.

In the last couple of years a growing number of security experts are focusing their research on Darknet, a portion of the Deep Web often used by the criminal underground to arrange its illegal activities.

Cyber criminals crowd this part of the web mainly hide their identities and operate undisturbed, one group of researchers has recently shared the results of its analysis. The experts sustain that the majority of the traffic they have analyzed is driven by activities related to the sexual abuse of children.

Gareth Owen and his team at the University of Portsmouth computer science presented the results of a six-month study (From March until September 2014) that catalogued a significant number of Tor hidden services at the Chaos Computer Congress in Hamburg, Germany.

The experts have discovered that the Tor’s most visited  websites host child abuse images and offer illegal drugs.

According to the study, more nearly 80 percent of visits to Tor hidden services site analyzed by the experts were searching for pedophilia materials. According to Owen the number of pedo child pornography websites is over five times as many as any of the other categories of content. According the study gambling websites, propaganda sites, bitcoin-related sites or anonymous whistle-blowing occupy a small part of the darknets investigated.

“Before we did this study, it was certainly my view that the dark net is a good thing,” states Owen. “But it’s hampering the rights of children and creating a place where pedophiles can act with impunity.”

The results of the study have created much controversy, especially among supporters of the popular Tor network, the operators of the Tor Project provided a series of alternative factors that could have skewed the data obtained by the researchers.
Tor Onion_Routing
According to the experts that run the Tor Project the data may have been influenced by the operations run by law enforcement that crowded the Darknets or by numerous denial of service attacks run by hackers to hit the infamous websites. The Tor executive director Roger Dingledine explained that Tor hidden services represent only 2 percent of total traffic over Tor network.
“Unstable sites that frequently go offline might generate more visit counts. And sites visited through the tool Tor2Web, which is designed to make Tor hidden services more accessible to non-anonymous users, would be underrepresented. All those factors might artificially inflate the number of visits to child abuse sites measured by the University of Portsmouth researchers.” reports the Wired portal.

Owen has used caution in exposing the results of their analysis, but merely set out the findings illustrated.

“We do not know the cause of the high hit count [to child abuse sites] and cannot say with any certainty that it corresponds with humans,” Owen resoinded to the Tor Project members.

Dingledine highlighted the importance of Tor hidden services’ privacy features also referring the recent presentation of the onion version of Facebook.

“There are important uses for hidden services, such as when human rights activists use them to access Facebook or to blog anonymously,” Dingledine said. “These uses for hidden services are new and have great potential.”

The team ran nearly 40 relay servers that allowed them to collect a huge amount of data on Tor hidden services. The researchers counted nearly 45,000 hidden service and analyzed the amount or traffic flowed to them, the experts have also created a web-crawler to explore to websites and classify their content.

The researchers observed that a majority of Tor hidden service traffic, traffic flowed to  the 40 most visited sites, was related to the activity of botnets (e.g. Skynet botnet).

Once scrubbed the traffic from botnet data flaws, the experts observed that nearly 83 percent of the remaining websites were offering child abuse content. Most of the sites were so explicit as to include the prefix “

Several websites were explicitly referring their content, including the prefix “pedo” in their name, the researchers avoid disclosing their names, but confirmed that their content was shocking.

“It came as a huge shock to us,” Owen says of his findings. “I don’t think anyone imagined it was on this scale.”

The study found child abuse websites interested nearly the 83 percent of the overall traffic despite they represent only about 2 percent of Tor hidden services. Black markets selling Drugs and other illegal products (i.e. Silk Road 2, Agora or Evolution) represented about 24 percent of analyzed websites, but the traffic they attacted accounted for only about 5 percent of site requests on the Tor network. Whistleblower websites like SecureDrop and Globaleaks, accounted for 5 percent of Tor hidden service measured accounted for less than a tenth of a percent of site visits.

The Study highlights that the portion of Tor users who search for child abuse materials is greater that the one that use it to buy drugs or leak sensitive documents to a journalist.

Another interesting data emerged in the study is that the vast majority of Tor hidden services persist online for only a matter of days or weeks. This phenomenon is quite common in the criminal ecosystem, a technique that allow cyber criminals to stay under the radar, but that gives to the operators less visibility. In August I have published an interesting post on the technique, citing results on “One Day Wonders” conducted by security firm Blue Coat.

According to the researchers, less than one in six of the hidden services remained online for the entire duration of the study.

“[The study] could either show a lot of people visiting abuse-related hidden services, or it could simply show that abuse-related hidden services are more long-lived than others,” commented  Tor director Roger Dingledin. “We can’t tell from the data.”

Pierluigi Paganini

(Security Affairs –  Tor network, cybercrime, pedo)



you might also like

leave a comment