Analysis casts doubt on FBI claims over Tor website seizures

Just how many hidden Tor services seized by law enforcement were genuine websites, and how many were clones and copies?
Written by Charlie Osborne, Contributing Writer

The majority of Tor-based hidden services closed down by law enforcement agencies last week were clones or fakes, according to a new analysis of the operation.

In what the 16 member states of Europol, the FBI, US Immigration and Customs Enforcement (ICE) and Homeland Security called Operation Onymous, more than 410 hidden services hosted at .onion addresses on the Tor network were shut down this month, according to the agencies.

Over $1 million in Bitcoin, 180,000 euros in cash, drugs, gold and silver were also seized during the sting.

The Tor Project group said at the time they were surprised at the closures and had "very little information about how this was accomplished," appealing to the general public for theories and potential answers in the process.

"[We are] most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents," the group said.

However, a new analysis published Monday reveals findings that place the law enforcement agencies' claims in doubt. Blogger Nik Cubrilovic and others crawled the Tor network, and according to the Australia-based blogger, while Europol and the FBI claimed to have seized 410 services, a crawl of over 9,000 onion sites found that only 276 services had been taken down.

153 of these addresses belonged to clone, scam or phishing sites, and out of these 153 sites, 133 were clones and 20 were malicious.

Cubrilovic says that in a number of cases, the FBI was only able to take the clone or scam version, but left the real site operational.

"In May of 2014 a bot known as the 'Onion Cloner' was discovered and became known to Tor hidden service operators," Cubrilovic writes. "This bot would find Tor hidden sites and clone them on its own address in an effort to steal passwords or intercept Bitcoin transactions. Of the 133 clone sites that the FBI seized, a large number of them were clone sites produced by the Onion Cloner that were mistaken for the real copy."

The blogger also claims that out of 32 onion addresses mentioned in the DOJ seizure notice, three are scam sites and nine are clones. Interestingly, while Cubrilovic says every single Onion Cloner clone site on the network was seized, a number of sites were also seized but have not been mentioned in any official notice.

Among these websites are "Pink Meth," a revenge porn website, and an additional 200 sites that have not been disclosed.

Cubrilovic says:

That the FBI seized so many clone and fake websites suggests a broad, untargeted sweep of hidden services rather than a targeted campaign.

The slapshot nature of how sites were seized suggests that rather than starting with an onion address and then discovering the host server to seize, this campaign simply vacuumed up a large number of onion websites by targeting specific hosting companies.

If this research is corroborated, it would be good news for privacy advocates who feared the existence of a major security flaw that left the network exposed, as the Tor Group had no idea how the take-downs occurred. While the Tor network is used for some illegal means, the onion system does boost private security — which can be essential in some countries for political dissidents and campaigners who need to keep their identities hidden.

In related news, the Tor Group released the latest version of their software, 4.5 alpha 1, on Monday. As part of Tor's planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only.
