Federal law enforcement agencies in the U.S. and Europe have shut down more than 400 Web sites using .onion addresses and made arrests of those who run them, which calls into question whether the anonymizing The Onion Router (Tor) network itself is still secure.
The Web sites - which authorities say sold a range of illegal wares including drugs, firearms with the serial numbers filed off, phony credit cards, fake IDs and counterfeit money – have been taken down by seizing the servers that host them.
Seizing the servers and the arrests indicate that law enforcement agencies have found a way to trace the physical locations of devices connected to Tor and to track down the individuals responsible for them – two things Tor was designed to prevent.
Even the name of the coordinated effort - Operation Onymous – indicates that the agencies involved undermined the anonymity component of Tor, which they refer to as the Darknet. “[T]his time we have … hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable,” says Troels Oerting, head of the European Cybercrime Center in a press release from the agency.
Law enforcement officials didn’t say how they had found the physical locations of devices and their owners, and Oerting says it’s not going to.
“This is something we want to keep for ourselves,” he told Wired. “The way we do this, we can’t share with the whole world, because we want to do it again and again and again.”
“Today we have demonstrated that, together, we are able to efficiently remove vital criminal infrastructures that are supporting serious organized crime. And we are not 'just' removing these services from the open Internet; this time we have also hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable. The criminals can run but they can’t hide. And our work continues....”, says Troels Oerting, Head of EC3.
This makes it unclear whether these authorities have broken Tor to the point that it can no longer mask the location of its infrastructure or whether they found them using other intelligence.
Tor relies on volunteers who host nodes of the network. Traffic bounces around within Tor in order to disguise where it comes from, but exit nodes and entrance nodes would yield the most useful information about actual IP addresses connecting to Tor.
“Law enforcement could try to get in that first layer and see the sources and therefore try to reduce the anonymity as much as possible,” says Ben Johnson, chief evangelist at Bit9+Carbon Black. “Combine this with some older versions of the Tor software having some vulnerabilities and this could be how some of these users and sites are tracked down.
“It will be interesting to see how quickly Tor becomes a bunch of systems that are actually owned by intelligence services, much like double agents, or something along those lines.”
But because of its popularity and churn among those who set up nodes, he says he thinks the service will be reliably secure. “I believe enough people use and support Tor that new nodes (both relays and bridges) will spawn and continue to make Tor a viable anonymity service,” he says.
The U.S. Department of Justice detailed some of the sites taken down as follows:
- “Pandora” (pandora3uym4z42b.onion), “Blue Sky” (blueskyplzv4fsti.onion), “Hydra”(hydrampvvnunildl.onion), and “Cloud Nine” (xvqrvtnn4pbcnxwt.onion), all of which were dark markets similar to Silk Road 2.0, offering an extensive range of illegal goods and services for sale, including drugs, stolen credit card data, counterfeit currency, and fake identity documents.
- “Executive Outcomes” (http://iczyaan7hzkyjown.onion[external link]), which specialized in firearms trafficking, with offerings including assault rifles, automatic weapons, and sound suppressors. The site stated that it used “secure drop ship locations” throughout the world so that “anonymity [was] ensured” throughout the shipping process, and that all serial numbers from the weapons it sold were “remove[d] . . . and refill[ed] with metal.”
- “Fake Real Plastic” (http://igvmwp3544wpnd6u.onion[external link]), which offered to sell counterfeit credit cards, encoded with “stolen credit card data” and “printed to look just like real VISA and Mastercards.” The cards were “[g]uaranteed to have at least $2500 left on [the] credit card limit” and could be embossed with “any name you want on the card.”
- “Fake ID” (http://23swqgocas65z7xz.onion[external link]), which offered fake passports from a number of countries, advertised as “high quality” and having “all security features” of original documents. The site further advertised the ability to “affix almost all kind of stamps into the passports.”
- “Fast Cash!” (http://5oulvdsnka55buw6.onion[external link]) and “Super Notes Counter” (http://67yjqewxrd2ewbtp.onion[external link]), which offered to sell counterfeit Euros and U.S. dollars in exchange for Bitcoin.
“This action constitutes the largest law enforcement action to date against criminal websites operating on the “Tor” network,” according to a press release from the DoJ.