Officials at the Tor Project are continuing to look for answers following the takedown late last week of hundreds of Tor hidden services, including the popular black market website Silk Road 2.0.
In a blog entry yesterday Tor made it clear that it wasn’t entirely sure how or why the services that ran on its platform were seized, adding that it was “as surprised as most” but that it was still trying to learn more in the wake of the digital sting.
A Tor Project volunteer going under the name Phobos offered several theories on Sunday about how the services could have been located. While the Tor Project insists they amount to nothing more than speculation, almost all of them involve the possibility of security weaknesses in either the sites using Tor or Tor itself.
Acknowledging that “exploitable bugs in web applications are a common problem,” Tor is curious whether sites using its service failed to practice what it calls “adequate operational security.” That would explain how they fell victim to generic vulnerabilities such as SQL injection or remote file inclusion.
While this is a possibility, Tor went on to admit that there are a handful of other exploits that could have been used against the service itself.
“Over the past few years, researchers have discovered various attacks on the Tor network,” Phobos wrote. “We’ve implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us.”
Denial of service attacks, remote code execution attacks, and non-targeted deanonymization attacks are all possible vectors according to Tor.
“Denial of service attacks on relays or clients in the Tor network can often be leveraged into full de-anonymization attacks,” Phobos points out.
Phobos also raised the outside possibility that the Bitcoin clients used by the services that were brought down were targeted, noting research that has linked transactions to deanonymized clients in the past. That research stems from a recent paper demonstrating how it is possible to reveal the IP addresses of Tor hidden service operators, deanonymize clients and, to some extent, reveal the IP addresses of Bitcoin wallet owners.
On Friday it was reported that a coalition of agencies carried out a sweeping operation that took down 410 Tor hidden service pages on 27 websites and made 17 arrests in a campaign Europol has dubbed “Operation Onymous.”
Perhaps the most famous Dark Web domain, Silk Road 2.0, was shuttered, and Blake Benthall, a 26-year-old coder and the site’s alleged manager, was apprehended the day before, Thursday, in San Francisco. In addition, dozens of other .onion sites, including those peddling everything from weapons to murder-for-hire, were taken offline as part of the sting.
Officials from five agencies – Europol’s European Cybercrime Centre, the FBI, U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) and Eurojust – carried out the takedown.
According to Europol, the seizure, the largest takedown of its kind, yielded $1 million in Bitcoin, along with €180,000 in cash, drugs, gold and silver.
According to a post on Thursday from torservers.org, officials also seized three Tor relays, something that has raised the ire of the Tor Project and suggests that the network itself may have been implicated.
“Even though our machines were only used as exit nodes, we believe that our machines were also seized by law enforcement officials,” Jens Kubieziel of Torservers wrote yesterday.
Operation Onymous comes just over a year after the FBI took down the first iteration of Silk Road, a site that had generated $1.2 billion from trafficking drugs, hacking, and money laundering in almost three years, according to court papers published at the time.