Operation Against Tor Dark Markets Raises Security Concerns

The Tor Project and security experts are concerned about the implications of the recent global law enforcement operation in which hundreds of hidden services running on the Tor anonymity network have been shut down. 

Last week, law enforcement authorities in the United States and Europe announced the arrests of 17 individuals suspected of being vendors and administrators on illegal online marketplaces that rely on the Tor network to keep the identity of their users and operators hidden. One of the arrested people is Blake Benthall, believed to be the operator of Silk Road 2.0, a black market bazaar for money laundering and drugs.

According to Europol, 410 Tor hidden services were taken down. In addition, $1 million in Bitcoins, and €180,000 ($224,000) in cash, drugs, silver and gold were seized as part of the campaign dubbed Operation Onymous.

Benthall was tracked down by authorities after agents infiltrated Silk Road 2.0 staff, but there are numerous unanswered questions regarding the methods used by law enforcement to locate the other targeted hidden services.

The operator of Doxbin, a site hosting personally identifiable information that was shut down as part of the Onymous campaign, reached out to the Tor Project in hopes that they can help him figure out what happened. Doxbin had been using German company Hetzner for hosting, but 129 of the seized hidden services had been hosted by a Bulgarian company, according to a statement from the Bulgarian State Agency for National Security.

Locating Tor hidden services

In a blog post published on Sunday, the Tor Project said it had not been contacted either directly or indirectly by Europol or the other law enforcement agencies involved in the operation.

“Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?” the Tor Project said.


For the time being, Tor says it doesn’t know how the hidden services were located by investigators, but hopes to get an answer when the 17 arrested suspects are prosecuted. One plausible scenario, according to representatives of the anonymity network, is that the operators of the hidden services shut down by authorities “failed to use adequate operational security.”

Another explanation could be that the targeted websites were plagued by vulnerabilities, such as SQL Injection. The Tor Project says this is a plausible scenario because many of the sites are “quickly-coded e-shops with a big attack surface.”

Researchers have demonstrated recently that it’s possible to deanonymize Bitcoin clients even if they use Tor. It’s possible that the seized services used Bitcoin clients and were located through such deanonymization attacks.  

There is always the possibility that law enforcement attacked Tor itself. Researchers at Carnegie Mellon University’s CERT recently conducted some test attacks to demonstrate that they could deanonymize Tor users. While the flaw they uncovered was quickly fixed, the Tor Project believes researchers could have deanonymized some hidden services during their experiments.

“Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn’t reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service,” the Tor Project explained. “The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service.”
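To make the traffic confirmation step concrete, here is an added example that is not part of the SecurityWeek article and not Tor Project code. It models an attacker who can send requests to the hidden service at moments of her choosing and who also sees the cell timings on each circuit passing through a compromised guard: she histograms both sides and looks for the circuit whose timing correlates with the pattern she injected. The burst times, network delay, jitter, background traffic and the three candidate circuits are all constructed for illustration; a real attack works on Tor cell counts and uses more robust statistics than a Pearson correlation over one-second bins.

```python
import random

BIN = 1.0          # seconds per histogram bin
DURATION = 120.0   # observation window in seconds (constructed)

# Attacker-chosen burst start times (constructed). At each one she sends a
# burst of requests to the hidden service through a normal Tor client.
BURST_STARTS = [3.0, 11.2, 19.1, 30.0, 41.2, 47.0, 58.1, 66.0, 77.2, 89.0, 98.1, 110.0]


def make_signal(starts=BURST_STARTS, burst_len=10, spacing=0.04):
    """Timestamps of the attacker's own requests: bursts of burst_len requests."""
    return sorted(s + k * spacing for s in starts for k in range(burst_len))


def background(rate, rng):
    """Unrelated traffic on a circuit, modelled as a Poisson process (constructed noise)."""
    t, out = 0.0, []
    while True:
        t += rng.expovariate(rate)
        if t > DURATION:
            return out
        out.append(t)


def seen_at_guard(signal, rng, delay=0.3, jitter=0.05, noise_rate=3.0):
    """What the guard sees on the circuit that really carries the attacker's
    traffic: the same bursts shifted by network delay (with jitter), mixed in
    with the hidden service's other cells."""
    shifted = [t + delay + rng.gauss(0.0, jitter) for t in signal]
    return sorted(shifted + background(noise_rate, rng))


def to_bins(times):
    """Histogram of events per BIN-second slot over the observation window."""
    n = int(DURATION / BIN) + 1
    bins = [0] * n
    for t in times:
        i = int(t / BIN)
        if 0 <= i < n:
            bins[i] += 1
    return bins


def pearson(a, b):
    """Plain Pearson correlation of two equal-length count vectors."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb) ** 0.5


def correlate(signal_bins, flow_bins, max_lag_bins=4):
    """Best correlation over small non-negative lags: the guard sees the pattern
    after the attacker sent it, and she does not know the exact delay."""
    best = -1.0
    for lag in range(max_lag_bins + 1):
        obs = flow_bins[lag:]
        n = min(len(signal_bins), len(obs))
        best = max(best, pearson(signal_bins[:n], obs[:n]))
    return best


def confirm(signal, candidate_flows, threshold=0.4):
    """Score every candidate circuit against the injected pattern. Returns the
    best-scoring circuit name if it clears the threshold (else None) plus all scores."""
    sig_bins = to_bins(signal)
    scores = {name: correlate(sig_bins, to_bins(times))
              for name, times in candidate_flows.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores


def demo(seed=7):
    """Constructed scenario: three circuits observed at the compromised guard,
    one of which belongs to the hidden service the attacker is probing."""
    rng = random.Random(seed)
    signal = make_signal()
    flows = {
        "circuit-A": seen_at_guard(signal, rng),   # the hidden service's circuit
        "circuit-B": background(4.0, rng),         # unrelated, busier circuit
        "circuit-C": background(2.0, rng),         # unrelated, quieter circuit
    }
    return confirm(signal, flows)


if __name__ == "__main__":
    match, scores = demo()
    for name, r in sorted(scores.items()):
        print(f"{name}: r={r:.2f}")
    print("confirmed:", match)
```

The circuit carrying the injected bursts scores far above the unrelated ones, and since the guard also knows the IP address on the other end of that circuit, confirmation is enough to locate the service. The mitigation the Tor Project's own discussion points at is the same one this toy makes obvious: the attacker needs a guard she controls, so anything that lets her learn or influence which guard a hidden service uses shortens the attack considerably.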

Denial-of-service (DoS) attacks and the exploitation of remote code execution vulnerabilities in the Tor software are also a possibility.

The Tor Project has provided some advice to hidden service operators who are concerned, but the organization says it cannot make concrete recommendations without knowing exactly what happened.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
