On Friday, a warning of a possible effort to hijack significant portions of the anonymizing Tor network was leaked to the Tor Project. And over the weekend, a cluster of servers in a Netherlands data center that were used as Tor “exit nodes” and as mirrors for two Tor Project services were taken offline. However, it’s not clear who took the servers down or whether law enforcement was involved.

Thomas White, an operator of a large cluster of servers providing an exit point for Tor traffic in the Netherlands, reported to a Tor news list that there was suspicious activity overnight on the servers. The servers, according to DNS data, were hosted in a data center in Rotterdam.

“I have now lost control of all servers under the ISP and my account has been suspended,” White wrote late on Sunday, December 21, in his first message on the takedown. “Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.”

White warned people against using the mirrors, which hosted copies of the Tor Project’s Globe and Atlas—sites that provide information on Tor network relays and bridges. “Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances," White wrote. "If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile."

By the morning of December 22, White was less sure that law enforcement was involved in the takedown and sought to reassure Tor users about the safety of the network. “The likelihood of this being the work of law enforcement seems to be lower than originally anticipated,” he wrote. "This is good in many ways but asks more questions than it solves right now. I am not going to completely exclude the possibility of law enforcement involvement though as there simply isn't enough information. The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened.”

White said that his ISP (identified by Ars through IP address and DNS data as SnelServer.com) couldn’t tell him whether a warrant had been served for his servers, but a support representative did confirm that “there has been unauthorized access to my account,” he said. “This could be due to the fact I access the control panel often via Tor (yes, using TLS before anybody asks), however it does raise the prospect of a non-LE person(s) being behind this but does not explain why a chassis intrusion was detected for example or anything else to do with on-board sensors.”

The proximity of the takedown to the warning provided by the Tor Project, and the nature of the warning itself, suggest that someone—possibly law enforcement—is trying to collect as much data as possible on the infrastructure of the Tor network. The warning, posted by Roger Dingledine, one of the founding developers of Tor, indicated that someone was potentially seeking to “incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities.”


Directory authorities help connect Tor users to trusted relays; if a sufficient number of them were seized, they could be used to steer users to specific relay servers—relay servers that may have been compromised or configured by the attacker to capture Tor network traffic. But Dingledine said that Tor was “taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked.”
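The redundancy Dingledine refers to comes from the consensus signing rule: a Tor client only trusts a network consensus that more than half of the directory authorities it knows have signed. The model below is an added illustration, not code from the article or the Tor Project; it stands in for real authority signatures with HMAC keys and uses constructed consensus documents and a constructed authority count, to show how many authorities would have to be under one party's control before clients would accept a consensus steering them to chosen relays.

```python
import hashlib
import hmac
import secrets

# Simplified model of Tor's directory consensus: each directory authority
# signs the consensus document, and a client accepts it only if more than
# half of the authorities it knows have produced a valid signature on it.
# HMAC over a per-authority secret stands in for the real signature scheme
# (a constructed simplification for this example, not Tor's actual crypto).

def keygen(n_authorities):
    """Constructed per-authority signing secrets, named auth0..authN-1."""
    return {f"auth{i}": secrets.token_bytes(32) for i in range(n_authorities)}

def sign(key, document):
    return hmac.new(key, document, hashlib.sha256).digest()

def verify(key, document, signature):
    return hmac.compare_digest(sign(key, document), signature)

def client_accepts(trusted_keys, document, signatures):
    """Majority rule: count signatures that verify over this exact document
    and accept only if strictly more than half of trusted authorities signed."""
    good = sum(1 for name, key in trusted_keys.items()
               if name in signatures and verify(key, document, signatures[name]))
    return good * 2 > len(trusted_keys)

def authorities_needed_to_forge(n_authorities):
    """Smallest number of authorities whose keys suffice to pass the rule."""
    return n_authorities // 2 + 1

def simulate(n_authorities, n_seized):
    """Return (genuine consensus accepted, attacker consensus accepted) when
    n_seized authorities sign an attacker-chosen relay list instead."""
    keys = keygen(n_authorities)
    items = list(keys.items())
    seized, honest = dict(items[:n_seized]), dict(items[n_seized:])
    genuine = b"network-status-version 3 (constructed: honest relay list)"
    forged = b"network-status-version 3 (constructed: attacker relay list)"
    genuine_sigs = {n: sign(k, genuine) for n, k in honest.items()}
    forged_sigs = {n: sign(k, forged) for n, k in seized.items()}
    # Signatures over one document never count toward the other one.
    return (client_accepts(keys, genuine, genuine_sigs),
            client_accepts(keys, forged, forged_sigs))
```

With nine authorities (a constructed figure), four seized keys are not enough to produce an acceptable forged consensus, while five are; the defensive takeaway is that the threshold, not any single server, is what an attacker must reach.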

It's possible that the USB device detected in White's logs was a connection to a keyboard-video-mouse (KVM) switch; White received conflicting information from his direct ISP and the company that hosts the data center. But the servers have now been restored to him, so they have apparently not been seized. Still, White said he has moved hidden services he hosted for others on another server in the data center to a new location. In an e-mail exchange with Ars, he said, "Right now the whole issue has been blown out of proportion by people rumouring and pointing fingers which hasn't helped unfortunately." The events have pushed back a number of projects White hoped to release today, he said.

The concerns come after the seizure of at least 27 “hidden service” sites within the Tor network last month as part of Operation Onymous—a joint effort by US and European law enforcement agencies to strike at “darknet” sites trading in drugs and other illegal services. The operation coincided with the bust of alleged Silk Road 2.0 operator Blake Benthall. But US and European law enforcement aren’t the only ones who’ve been trying to de-anonymize users of Tor; the Russian government offered a $110,000 prize earlier this year to any Russian researcher who could break the anonymity of the network.