When the administrator of Silk Road 2.0 was busted last week, the agent who penned his indictment was tight-lipped about how, exactly, the FBI got its hands on the supposedly hidden server the dark net market was using, saying that the Bureau simply “identified the server located in a foreign country,” and that law enforcement managed to image it sometime around 30 May 2014.
In or about May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time (the “Silk Road 2.0 Server”). On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it. Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, I know that once the Silk Road 2.0 server was taken offline for imaging, the Silk Road 2.0 website went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website.
That’s it. That’s all that law enforcement was willing to share about how it managed to slice through the layers of the Tor network, which is designed to mask users’ identity by means of software that routes encrypted browsing traffic through a network of worldwide servers.
Now, the keepers of Tor – the nonprofit group The Tor Project – are trying to puzzle out how identities were laid bare in the farflung, multi-nation bust, dubbed Operation Onymous, that snared 410+ supposedly hidden services running 27 markets, including Silk Road 2.0.
The Tor user base doesn’t just include bad guys – the drug lords, drug buyers, illicit arms traffickers, money launderers and child-abuse image swappers.
It also includes activists and others for whom it’s crucial to protect privacy so as to ensure safety from persecution, be it from oppressive regimes or dangerous stalkers.
The Tor Project doesn’t know how the anonymizing service was foiled, but it has possibly relevant information it shared on Sunday.
As Tor project executive director Andrew Lewman wrote, in the previous few days, The Tor Project had received reports that several Tor relays had been seized by government officials (The Tor Project doesn’t know how or why) – specifically, three Torservers.net systems (used to run Tor exit nodes) that blinked out of existence.
The “How” of the onion-router slicing has a few possible avenues of inquiry.
One of those paths involves blaming the unmasked victims themselves for using inadequate operational security.
This is “the first and most obvious explanation”, writes Tor project executive director Andrew Lewman:
The project has received reports about websites being infiltrated by undercover agents, while [Benthall's indictment] states various operational security errors.
Other possibilities Lewman suggested:
- SQL injection. Lewman notes that many of the sites discovered in Operation Onymous were likely “quickly-coded e-shops with a big attack surface” that could well have been vulnerable to SQL injection.
- Bitcoin de-anonymization. Recent research from Cornell University describes a way to de-anonymize Bitcoin users that allows for the linkage of user pseudonyms to the IP addresses from which the transactions are generated, even when used on Tor.
- Attacks on the Tor network. Given the number of takedowns and the seizure of Tor relays, the Tor network was possibly attacked to reveal the location of the hidden services. Lewman lists a number of attacks that have been discovered on the Tor network over the past few years – attacks with the potential aftermath of de-anonymizing previously hidden services.
In fact, two Carnegie Mellon researchers canceled a Black Hat 2014 talk about how easy they found it to break Tor.
The researchers claimed that it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and promised to discuss examples of their own work identifying “suspected child pornographers and drug dealers.”
From the original description, before Carnegie-Mellon’s lawyers had the talk yanked from the lineup:
There is nothing to prevent you from using your resources to de-anonymize the network's users ... by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so.
Looking for the IP address of a Tor user? No problem. Trying to uncover the location of a hidden service? Done. We know because we tested it, in the wild...
At the time, The Tor Project confirmed that yes, somebody or somebodies were picking it apart, and the assaults may have unmasked those who run or visit Tor-hidden sites.
In the meantime, Lewman asks relay operators to get in touch if their server was recently compromised or they lost control of it.