Agora, said to be the Dark Web’s largest dark market since Silk Road was shuttered, has been spooked by what it called “suspicious activity” and recent research into vulnerabilities in Tor that it fears could help to unmask its server locations.
The anonymous Agora admins posted a message on the market site, to Pastebin, and to the “darknetmarkets” Subreddit saying that the market was temporarily shutting down while they overhaul the software stack to mitigate the problems.
They don’t know how long it will take.
In the meantime, they’re not waiting for the law to knock on their door a la Silk Road and have moved their servers to prevent discovery:
We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again. However, this is only a temporary solution.
The message didn’t specify which Tor vulnerability research has Agora concerned, but it did say this:
Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources.
It’s possible they’re referencing the vulnerability published recently by MIT (Massachusetts Institute of Technology), which described how malicious Tor entry guards could strip away the Dark Web’s anonymity features, exposing users and the hidden websites they visit.
As noted by Roger Dingledine, Tor’s project leader and one of the project’s original developers, attackers would need a whole lot of luck to actually exploit the vulnerability – they’d need to “get lucky and end up operating the entry guard for the Tor user they’re trying to target”, he said.
The Agora admins said that they’ve recently been discovering suspicious activity around the market’s servers, which has led them to believe that:
...some of the attacks described in the research could be going on ...
They’re not wrong: there very well could be investigations going on using the MIT technique, or other de-anonymising tricks we don’t know about yet.
As Naked Security’s Mark Stockley noted when writing up the MIT research, it would be a surprise if governments and law enforcement didn’t have a keen interest in cracking Tor, given the serious crimes that Tor masks, together with the intelligence value of entry guards.
As far back as eight years ago, researcher Dan Egerstad demonstrated how useful having your own Tor exit nodes can be if you want to spy on people – he set up five of his own and used them to harvest thousands of emails and messages from embassies in Australia, Japan, Iran, India and Russia, as well as the Iranian Foreign Ministry and the Indian Ministry of Defence.
He came away convinced that he couldn’t possibly be the only one to have figured this out, and that governments would surely be running or spying on Tor relays too:
I am absolutely positive that I am not the only one to figure this out ... I'm pretty sure there are governments doing the exact same thing. There's probably a reason why people are volunteering to set up a node.
And don’t forget that unmasking the client end of Tor communications – identifying who you really are – can be done without any trickery in the network itself.
An attacker who can implant zombie malware or a Remote Access Trojan (RAT) on your computer can pretty much keep track of everything you do, before your browser gets round to encrypting it, and before the Tor network sends it over an unpredictably mysterious route to a secret destination.
Remember that the Spy-versus-Spy ecosystem works both ways: cybercriminals want to strip away the anonymity and privacy of law-abiding users just as much as law enforcement wants to find out who those crooks really are.
Do your very own Spy-vs-Spy check with the free Sophos Virus Removal Tool
Worried about spyware, RATs, zombies, spambots, password stealing malware, data scrambling ransomware, and more?
This is a simple and straightforward tool for Windows users. You don’t have to uninstall your existing anti-virus first.
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.