In early November, 16 law enforcement organisations including Europol, the FBI and the United States Department of Homeland Security closed a number of ‘Darknet’ marketplaces. Operation Onymous seized approximately $1 million worth of Bitcoins as well as other currencies, precious metals and drugs.
Among the 410 sites that were shuttered was the successor to the Silk Road; the unimaginatively named Silk Road 2.0 which is accused of selling illegal goods and services including over $8 million in illegal drugs every month. Seventeen arrests have been made so far, six in the UK. The most high profile suspect is a 26 year old San Francisco resident Blake Benthall who is accused of running Silk Road 2.0 under the nom-de-guerre Defcon.
Silk Road 2.0 appeared on the Darknet about a month after the closure of the original Silk Road and once again used the pseudo-anonymity afforded by the Tor network to obscure the identities of buyers and sellers. We know from court records that Silk Road 2.0 was targeted even before it went live. Almost as soon as the original site was shuttered, its replacement was being discussed in online forums. American law enforcement was not only watching these discussions, but at least one active, trusted member of the group setting up Silk Road 2.0 was a government agent. In May 2014, that agent was given access to one of Silk Road 2.0’s servers and was able to copy all of the data held on that computer, including chat records and user accounts identifying Silk Road 2.0’s key operators, including Blake Benthall.
Benthall was placed under surveillance by the FBI including watching his home and monitoring Internet traffic which revealed he was using the Tor network. Other agents were able to link Benthall to postings on Google and Twitter and to the sale of more than $270,000 in Bitcoins using the same software and hardware combination used by Defcon to administer the compromised server. Benthall has been transferred to New York for trial on charges of narcotics trafficking and money laundering that could result in a life sentence.
Benthall’s arrest does not explain how so many other sites and suppliers were seized; Tor’s design should make determining end-to-end links between buyers and sellers almost impossible.
We have a detailed explanation of the basic workings of Tor; but to summarise, when a sender transmits information over the network, it is routed through a chain of randomly chosen computers (called nodes) before it reaches its recipient. Each of these intermediary nodes only knows the address of the computer from which it received data and the address of the next computer in the chain. Every ten minutes the chain is thrown away and a new one generated from another set of random nodes.
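To make the "each node only knows its neighbours" property concrete, here is a toy onion-routing simulation. It is an added example, not code from the article or from the Tor project: the sender wraps the message in one encryption layer per node, each node peels its own layer to learn only the next hop, and at the end we can inspect exactly what every node observed. The keystream (SHA-256 of key and counter) and the fixed eight-byte next-hop field are stand-ins for the real protocol's ciphers and cell format, chosen so the script runs offline with only the standard library.

```python
import hashlib
import os

HOP_LEN = 8  # fixed-width next-hop field at the front of every layer (toy format)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter). Demo only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Apply (or strip) one encryption layer; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(route, keys, dest, message):
    """Wrap `message` in one layer per node, innermost layer first.
    The layer for route[i] decrypts to: next_hop (8 bytes) || inner onion."""
    hops = route[1:] + [dest]            # where each node must forward to
    onion = message
    for node, next_hop in reversed(list(zip(route, hops))):
        plain = next_hop.encode().ljust(HOP_LEN) + onion
        onion = xor_layer(plain, keys[node])
    return onion


class Node:
    """A relay that holds one key and records the (previous, next) hops it saw."""

    def __init__(self, name, key):
        self.name, self.key = name, key
        self.seen = []

    def relay(self, prev_hop, onion):
        plain = xor_layer(onion, self.key)           # peel exactly one layer
        next_hop = plain[:HOP_LEN].rstrip().decode()
        self.seen.append((prev_hop, next_hop))       # all this node ever learns
        return next_hop, plain[HOP_LEN:]             # forward the inner onion


def run_circuit(route, dest, message):
    """Build a chain over `route`, push the onion through it, and return
    (delivered message, {node: list of (prev, next) pairs it observed})."""
    keys = {n: os.urandom(32) for n in route}        # one key per node (sender knows all)
    nodes = {n: Node(n, keys[n]) for n in route}
    onion = build_onion(route, keys, dest, message)
    prev, hop = "SENDER", route[0]
    while hop != dest:
        next_hop, onion = nodes[hop].relay(prev, onion)
        prev, hop = hop, next_hop
    return onion, {n: nodes[n].seen for n in route}


if __name__ == "__main__":
    delivered, views = run_circuit(["n1", "n2", "n3"], "DEST", b"hello over tor")
    print("delivered:", delivered)
    for name, seen in views.items():
        print(f"{name} observed {seen}")   # the middle node never sees SENDER or DEST
```

The middle node's record is the point of the exercise: it sees `n1` on one side and `n3` on the other and nothing else, which is why an observer needs the whole chain (or its two ends) to link sender to recipient.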
So how could this have happened?
- One possible attack does not rely on any weakness inside Tor; instead, the closed sites may have been attacked by law enforcement using the same software tools criminals often use. Many of the sites were not especially secure in themselves and relied on hiding in the Darknet to protect their operations.
- A second theory is that the flow of Bitcoins across the Tor network was deanonymised, allowing buyers and sellers to be identified. This theory is based on recent research showing that Bitcoin can be tricked into forcing transactions to enter and leave the Tor network through specific nodes – which may have been under the control of law enforcement.
- Third, Tor has a potential weakness called a guard discovery attack against which there is no current fix. A guard is the only node on the Tor network which knows the actual Internet address of a Darknet service such as Silk Road 2.0. The attack allows an attacker to find the address of the guard node which they might then be able to compromise to reveal the location of the marketplace itself.
- In July 2014, certain Tor nodes were found to be running modified code that actively attempted to deanonymise traffic flowing through those nodes. The nodes had joined the network in late January and had been running for six months before the Tor network administrators identified them, rejected the nodes from the network and implemented a fix. Tor admits that other deanonymisation attacks are possible.
- Finally, it is possible that the complete path of Tor traffic across the network has been traced. The only way to identify the origin and destination of Tor data is to have access to every node in a chain, something that has previously not been thought likely. But it is possible. The Tor network is very small; rather than the millions of computers making up the wider Internet there are only about 6,500 Tor nodes in the entire world.
If an organisation, or an alliance, can gain access – or even own – sufficient nodes then sooner or later chains will form that are completely under their control. At that point it is possible to work out the origin and destination of all data passing over that chain. Over time, as new chains are created, it is possible to determine patterns that can help identify senders and recipients.
This theory is supported by evidence provided by an administrator of one of the closed sites. They reported huge amounts of traffic, much of it spurious, being directed at their site – a so-called denial of service attack. This attack would have the effect of forcing Tor to route chains away from the swamped nodes and towards nodes controlled by law enforcement.
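The "sooner or later" argument above can be put in numbers. The following script is an added example (not from the article): it models chain construction as drawing three distinct nodes uniformly at random from the pool, computes the probability that one chain is entirely adversary-controlled, compounds that over the 144 chains a day that the ten-minute rotation implies, and then repeats the calculation after a flood has pushed some honest nodes out of the usable pool while the adversary's nodes stay up. The uniform-random model and the figure of 2,000 flooded nodes are simplifying assumptions for illustration; real Tor selection is bandwidth-weighted and keeps a fixed guard, so treat the outputs as orders of magnitude.

```python
import math
import random

TOR_NODES = 6500          # network size quoted in the article
CHAIN_LIFETIME_MIN = 10   # a new chain every ten minutes, as described above
CHAINS_PER_DAY = 24 * 60 // CHAIN_LIFETIME_MIN   # 144


def p_chain_compromised(n_total: int, n_adversary: int, hops: int = 3) -> float:
    """Probability that every node of one chain is adversary-controlled, when the
    chain draws `hops` distinct nodes uniformly at random from n_total nodes.
    (Assumption: uniform selection; real Tor weights by bandwidth and pins guards.)"""
    if hops > n_total:
        raise ValueError("chain longer than the node pool")
    return math.comb(n_adversary, hops) / math.comb(n_total, hops)


def p_at_least_one(p_single: float, n_chains: int) -> float:
    """Probability that at least one of n_chains independent chains is fully compromised."""
    return 1.0 - (1.0 - p_single) ** n_chains


def p_after_dos(n_total: int, n_adversary: int, honest_knocked_out: int, hops: int = 3) -> float:
    """Same per-chain probability after a flood has removed `honest_knocked_out`
    honest nodes from the usable pool; the adversary's own nodes stay available."""
    honest = n_total - n_adversary
    if honest_knocked_out > honest:
        raise ValueError("cannot knock out more honest nodes than exist")
    return p_chain_compromised(n_total - honest_knocked_out, n_adversary, hops)


def simulate(n_total: int, n_adversary: int, hops: int = 3, trials: int = 50_000, seed: int = 1) -> float:
    """Monte Carlo cross-check of p_chain_compromised with a seeded RNG:
    node ids 0..n_adversary-1 are adversary-owned; count chains made only of those."""
    rng = random.Random(seed)
    adversary = set(range(n_adversary))
    hits = 0
    for _ in range(trials):
        chain = rng.sample(range(n_total), hops)
        if set(chain) <= adversary:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    flooded = 2000   # constructed figure for the honest nodes swamped by the flood
    print(f"{'adversary nodes':>15} {'per chain':>10} {'per day':>8} {'after flood':>12}")
    for k in (250, 650, 1000, 2000):
        p = p_chain_compromised(TOR_NODES, k)
        print(f"{k:>15} {p:>10.5f} {p_at_least_one(p, CHAINS_PER_DAY):>8.3f} "
              f"{p_after_dos(TOR_NODES, k, flooded):>12.5f}")
    print("monte carlo, 1000 of 6500:", simulate(TOR_NODES, 1000))
```

Owning roughly 15% of the pool (1,000 of 6,500 nodes) gives a per-chain probability of about 0.36%, which sounds negligible until the ten-minute rotation is taken into account: over a day's 144 chains the chance that at least one is wholly controlled rises to about 40%. Flooding 2,000 honest nodes out of the pool roughly triples the per-chain figure, which is the mechanism the site administrator's report describes.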
We shouldn’t regret that sites which sold illegal materials, helped criminals commit fraud, or identified individuals for blackmail and revenge attacks have been removed from the Internet. The Darknet hasn’t gone away; other Tor marketplaces are still operating and doubtless new ones have sprung up like mushrooms since Silk Road 2.0’s demise. Tor is just one of a number of technologies, with names such as Freenet and Syndie, that allow content to be hosted over anonymous networks. There is so much money to be made from criminal activities that the next generation of Darknet sites will be even more deviously constructed, and law enforcement will have to develop new techniques for identifying their owners and users. So expect news stories to keep coming.
Questions about Tor’s security will affect its future; not as an illicit marketplace, but as a safe, reliable service for the people it was designed to help – political dissidents, NGOs and human rights activists. After all, if the likes of the FBI and Europol can identify Tor users so can the agencies belonging to repressive regimes – and they don’t normally worry about niceties such as human rights and fair trials.