Last week's takedown of Silk Road 2.0 wasn't the end of seizures in the underground — law enforcement agencies have gone full throttle and shut down hundreds of sites in Operation Onymous.
In a joint operation involving 16 Europol member states, the FBI, US Immigration and Customs Enforcement (ICE) and Homeland Security, more than 410 hidden services were unveiled and taken down. The services ran as .onion pages on the Tor network, a system of anonymizing onion routers; the pages were closed down, and 17 administrators and service vendors were arrested.
In addition, over $1 million in Bitcoin, 180,000 euros in cash, drugs, gold and silver were seized by law enforcement over the weekend, according to Europol.
Last week, the FBI arrested 26-year-old Blake "Defcon" Benthall of San Francisco, who is allegedly the owner of online marketplace Silk Road 2.0, which was seized and closed down on November 5. Over a year ago, the original Silk Road marketplace was closed down.
Silk Road, in the same manner as a number of other darkweb services, was used to purchase illegal goods including weapons and drugs through digital currency. While the Tor network has become linked with illicit goods and criminal activity, it is also used for legitimate purposes — but there are a number of less-than-savory services if you know where to look.
EC3 chief Troels Oerting commented:
Today we have demonstrated that, together, we are able to efficiently remove vital criminal infrastructures that are supporting serious organised crime. And we are not 'just' removing these services from the open Internet; this time we have also hit services on the darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable. The criminals can run but they can't hide.
On Sunday, the Tor Project group said they were "as surprised as most of you" at the seizure, but have "very little information about how this was accomplished."
The Tor Project said it has no idea how the hidden services were located, but "is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissidents." However, there are a number of plausible scenarios which could explain the mass takedown.
The operators of hidden websites may have failed to use adequate operational security, or common web bugs like SQL injections or RFIs (remote file inclusions) may have been exploited by undercover agents. In addition, as Tor relays were potentially seized — according to the group — the Tor network may have been attacked in order to unveil the locations of these hidden services.
"We received some interesting information from an operator of a now-seized hidden service which may indicate this," Tor Project states. "Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us."
Other possible attack vectors include a "Guard Discovery Attack," which reveals the guard nodes of specific hidden services; denial of service attacks on relays or clients in the Tor network; and potentially remote code execution exploits against Tor itself.
The group said:
As you can see, we still don't know what happened, and it's hard to give concrete suggestions blindly.
The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved. In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.