
Keeping it on the Down Low on the Dark Web

Sites on the Dark Web Have Several Motivations to Unmask Their Visitors

So, there you are, finally on the private sections of a dark market. You have established reputation and credibility with your targets. Suddenly, you get exposed as a “rat” and banned for life. They grab your escrowed cryptocurrency, and you are back at square one with a foe who is even more alert than before... How did this happen?

The dark web is an active area for online investigations and research. Because you need to use the Tor anonymity service to access dark web sites, also known as Tor hidden services, many people assume that makes them robustly anonymous. Unfortunately, there are still many ways you can be exposed and have your activities compromised if you don’t take the right precautions.

Sites on the dark web have several motivations to unmask their visitors. Obviously, they want to spot any members of law enforcement who might be visiting. Additionally, they might want to gain some sort of leverage over their visitors, who may be using the site for a number of questionable activities. 

There are several known attacks against the Tor network and other similar low-latency anonymity networks. One class of attacks, called traffic confirmation attacks, is based on having control of a significant fraction of the most popular Tor nodes. If the attacker controls the first hop in a chain (the guard node) as well as the last (the exit node), then creates a pattern in the data at one end of the chain, it can be recognized coming out at the other. Fortunately, it is not easy for an attacker to get control of enough nodes to carry out this type of attack, largely because there are thousands of active nodes a given user could choose.

The situation is different with a dark web site. If the site wants to identify a visitor, the site owner only needs to have you use a guard node they control. Because they control the web servers, they always have the ability to inject patterns of activity. Requiring only a single controlled Tor node makes the odds of this attack working much higher.
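To show why an injected pattern at one end of a circuit can be recognized at the other, here is a small added simulation (not code from the article or from the Tor project). It models a server-side on/off traffic pattern, what an observer at the guard would see after network delay and background traffic, and a sliding cross-correlation that recovers the delay. The traffic model, slot sizes and noise levels are all constructed assumptions, not Tor's real cell timing.

```python
import random


def injected_pattern(length, seed=7):
    """Constructed server-side pattern: per time slot, burst (1) or silence (0)."""
    rng = random.Random(seed)
    return [rng.choice([0, 1]) for _ in range(length)]


def observed_at_guard(pattern, delay, noise_level, seed):
    """Guard-side view (assumed model): the pattern arrives shifted by `delay`
    slots, each burst is ~10 units of traffic, and unrelated background
    traffic adds 0..noise_level units per slot."""
    rng = random.Random(seed)
    shifted = [0] * delay + pattern
    return [bit * 10 + rng.randint(0, noise_level) for bit in shifted]


def normalized_correlation(x, y):
    """Pearson correlation of two equal-length series (truncated to the shorter)."""
    n = min(len(x), len(y))
    x, y = x[:n], y[:n]
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = sum((a - mx) ** 2 for a in x) ** 0.5
    sy = sum((b - my) ** 2 for b in y) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0


def best_match(pattern, observed, max_delay):
    """Slide the known pattern over the observed series and return the
    (delay, correlation) pair with the strongest match."""
    best = (None, -1.0)
    for d in range(max_delay + 1):
        score = normalized_correlation(pattern, observed[d:])
        if score > best[1]:
            best = (d, score)
    return best


if __name__ == "__main__":
    pattern = injected_pattern(200)
    # A visitor whose traffic actually carries the pattern: strong match at the true delay.
    print(best_match(pattern, observed_at_guard(pattern, 5, 4, seed=1), 20))
    # An unrelated visitor: no delay produces a convincing correlation.
    other = injected_pattern(200, seed=99)
    print(best_match(pattern, observed_at_guard(other, 5, 4, seed=2), 20))
```

The point for an investigator is that the server does not need to see your traffic in the clear; it only needs a vantage point on the first hop and a pattern it chose itself, so the correlation stands well above the background even with noise.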

Bitcoin provides another method of identity exposure. Contrary to popular belief, Bitcoin is not anonymous at all. Every single Bitcoin transaction is recorded in the public blockchain and can be seen and analyzed by anyone. Bitcoin is a dominant payment mechanism on dark web marketplaces. When you buy or sell something on these sites it creates an opportunity for tracking and identification. All coins that were mined by the same server or purchased into the same wallet can be followed. This can easily tie investigations together and reveal odd patterns of activity. With access to information held by Bitcoin exchanges, it can even lead to real names or IP addresses.
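The following added example (not from the article) shows the two basic moves of blockchain analysis the paragraph alludes to: following coins forward from an address through each transaction that spends them, and grouping addresses that are spent together in one transaction, on the common assumption that one party controls all inputs of a transaction. The transaction list is constructed sample data with placeholder address labels, not real chain data, and the change-address heuristics real tools apply are deliberately left out.

```python
from collections import defaultdict, deque

# Constructed sample ledger. Each transaction spends from `inputs` and pays to
# (address, amount) `outputs`; "coinbase" marks newly mined coins.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["coinbase"], "outputs": [("miner_A", 50.0)]},
    {"txid": "tx2", "inputs": ["miner_A"],
     "outputs": [("buyer_B1", 30.0), ("miner_A_change", 20.0)]},
    {"txid": "tx3", "inputs": ["buyer_B1", "buyer_B2"],
     "outputs": [("market_escrow", 35.0), ("buyer_B_change", 4.9)]},
    {"txid": "tx4", "inputs": ["market_escrow"],
     "outputs": [("vendor_V", 34.0), ("market_fee", 0.9)]},
    {"txid": "tx5", "inputs": ["vendor_V"], "outputs": [("exchange_deposit", 33.9)]},
]


def cluster_addresses(txs):
    """Common-input-ownership heuristic via union-find: every address that
    appears as an input to the same transaction lands in one cluster.
    Returns {address: frozenset(cluster)} for addresses that have ever spent."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        ins = [a for a in tx["inputs"] if a != "coinbase"]
        for a in ins:
            find(a)
        for a in ins[1:]:
            ra, rb = find(ins[0]), find(a)
            if ra != rb:
                parent[ra] = rb

    members = defaultdict(set)
    for a in parent:
        members[find(a)].add(a)
    return {a: frozenset(group) for group in members.values() for a in group}


def trace_forward(txs, start_address):
    """Breadth-first walk from an address through every transaction that spends
    from it, collecting the transactions and addresses the coins flow into."""
    spent_in = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            spent_in[addr].append(tx)

    visited_tx, reached = [], {start_address}
    frontier = deque([start_address])
    while frontier:
        addr = frontier.popleft()
        for tx in spent_in.get(addr, []):
            if tx["txid"] in visited_tx:
                continue
            visited_tx.append(tx["txid"])
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in reached:
                    reached.add(out_addr)
                    frontier.append(out_addr)
    return {"txids": visited_tx, "addresses": reached}


def linked_addresses(txs, start_address):
    """Everything the forward trace reaches, expanded by the input clusters:
    this is how one purchase ties otherwise separate addresses together."""
    clusters = cluster_addresses(txs)
    linked = set()
    for addr in trace_forward(txs, start_address)["addresses"]:
        linked |= clusters.get(addr, frozenset({addr}))
    return linked


if __name__ == "__main__":
    print(trace_forward(TRANSACTIONS, "miner_A"))
    print(sorted(linked_addresses(TRANSACTIONS, "miner_A")))
```

Note that `buyer_B2` never receives the mined coins, yet it is linked to the trail simply because it was spent alongside `buyer_B1`; that is the kind of join that lets an exchange's customer records turn an address into a name.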

Dark web sites are also a likely source of malware that can unmask you. Unless your entire operating environment is isolated from your real desktop, the malware may leak your real IP address and other identifiers. Of course, it can also directly steal data off your computer and do all the other things malware normally does.

Non-technical errors can trip you up as well. While not specific to exposure on the dark web, things like your writing style and choice of account names can reveal your true identity. Site operators can also pass you beacons and canary traps. Beacons are active content that try to phone home with identification when they are opened. Viewing these documents and files on a normal desktop will immediately expose you. Canary traps are more subtle. A website can provide slightly different versions of certain content to each visitor. Any time that content shows up somewhere else, the site knows who shared it.
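One practical check against the canary traps described above, as an added example that is not part of the original article: before content obtained from a site is shared anywhere, compare the copy you received with a copy obtained through a separate, unrelated session. Per-visitor variation shows up either as visible wording changes or as invisible characters (zero-width spaces, soft hyphens and similar format characters), both of which the code below reports. The two sample copies are constructed, and the choice of which code points count as suspicious is an assumption of this example.

```python
import difflib
import unicodedata

# Constructed sample copies of the same listing as seen by two different visitors.
COPY_A = "Vendor ships within 2 days.\u200b Escrow releases after confirmation."
COPY_B = "Vendor sends within 2 days. Escrow releases after confirmation."

# Invisible code points often used to watermark text (assumed list; any other
# Unicode "format" character (category Cf) is treated the same way).
SUSPECT_CODEPOINTS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}


def _is_invisible(ch):
    return ch in SUSPECT_CODEPOINTS or unicodedata.category(ch) == "Cf"


def find_invisible_marks(text):
    """Return (offset, character name) for every invisible marker in the text."""
    return [(i, unicodedata.name(ch, "UNNAMED")) for i, ch in enumerate(text)
            if _is_invisible(ch)]


def strip_invisible(text):
    """Remove invisible markers so the visible wording can be compared on its own."""
    return "".join(ch for ch in text if not _is_invisible(ch))


def diff_copies(copy_a, copy_b):
    """Word-level differences between two copies, ignoring invisible characters.
    Each entry is (opcode, words in copy A, words in copy B)."""
    a_words = strip_invisible(copy_a).split()
    b_words = strip_invisible(copy_b).split()
    matcher = difflib.SequenceMatcher(a=a_words, b=b_words, autojunk=False)
    return [(tag, " ".join(a_words[i1:i2]), " ".join(b_words[j1:j2]))
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def looks_fingerprinted(copy_a, copy_b):
    """True if either copy carries invisible markers or the visible text differs."""
    return bool(find_invisible_marks(copy_a) or find_invisible_marks(copy_b)
                or diff_copies(copy_a, copy_b))


if __name__ == "__main__":
    print("invisible marks in copy A:", find_invisible_marks(COPY_A))
    print("visible differences:", diff_copies(COPY_A, COPY_B))
    print("fingerprinted:", looks_fingerprinted(COPY_A, COPY_B))
```

A clean result does not prove the content is identical for every visitor, since a site can also vary images, layout or metadata, but any difference between two copies is a strong signal that whatever you re-post can be traced back to the session that received it.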

The rate at which dark web markets are being compromised, in one way or another, has gotten high enough that much of the online criminal activity has moved to new platforms. Rather than communicating in forums on dark web sites, there has been a shift toward one-to-one communication applications that provide end-to-end encryption. This may make investigations more difficult, because there is no central location for discussions. Establishing trust and communication will be much more difficult. 

Hiding your true identity is always important whenever you are conducting investigations online. The fact that you are visiting a Tor hidden service / dark web site does not mean you are safe or hidden. It is critical to take additional steps to protect yourself when conducting these operations.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.