The Tor project, which oversees the development of the anonymous browser, has expressed concern over an intergovernmental operation that took down 27 hosts offering “hidden services”, or websites only accessible through the Tor network.

The operation, a collaboration between US and EU authorities, went by the codename “Onymous” and resulted in the seizure of more than 400 hidden services.However, the authorities have not revealed how they discovered the location of the hidden services. Tor’s design should prevent these locations from being revealed.

The Tor project says in a blogpost: “In liberal democracies, we should expect that when the time comes to prosecute some of the 17 people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects. As a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services.

“Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents.”

Among the sites closed in the dark-web takedown was Silk Road 2.0, a successor to the original online black marketplace, where an array of vendors sold both legal and illegal using the cryptocurrency bitcoin. A total of 17 suspects were arrested in the operation, with Californian Blake Benthall accused of running Silk Road 2.0.

The authorities suggest that they discovered Benthall through a rookie error, alleging that the developer registered the server for the site using a personal email address. However, Tor warns that “the US DEA [Drug Enforcement Administration] and others have constructed a system of organised and sanctioned perjury which they refer to as ‘parallel construction’” that entails reporting not how they did locate a particular person, but merely how they could have done so.

Tor suggests that such “operational security” errors may have led to some operators being uncovered, but also addresses other potential holes. An SQL injection attack, or other exploitation of a “common web bug”, could have been one way in, as could an attack through the bitcoin network.

The Tor developers are most concerned about the possibility that the hidden services were discovered through a weakness in the protocol itself: “The number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. We received some interesting information from an operator of a now-seized hidden service which may indicate this, as well.”