Law enforcement from all over the world raided TOR (The Darkweb) this week. Initially the FBI took down Silk Road 2.0 and arrested a man allegedly in charge and the main operator in San-Francisco.
Then it was Europe’s turn as they shut-down 400 plus hidden sites, which where operating on the black market and additionally made the arrests of 19 people who are believed to be involved in the Silk Road operations.
The biggest question out of all this is how did they de-anonymize the traffic and locate so many hidden sites. The FBI won’t explain the details claiming that information is sensitive but did mention the use of undercover officers to help infiltrate operators.
Over on TOR’s blog they mention that a method called a ‘Traffic Confirmation Attack’ was used. An attacker would have control of relays on both ends of a TOR link and if the first relay (known as an entry guard) knows the source IP and the last relay knows the destination IP, you can learn the identity and de-anonymize that link. More specifically the Traffick confirmation attack used was an active attack.
Here’s an excerpt from the TOR Blog: Source – https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
“These active attacks are where the relay on one end injects a signal into the Tor protocol headers, and then the relay on the other end reads the signal. These attacking relays were stable enough to get the HSDir (“suitable for hidden service directory”) and Guard (“suitable for being an entry guard”) consensus flags. Then they injected the signal whenever they were used as a hidden service directory, and looked for an injected signal whenever they were used as an entry guard.”
Don’t worry too much apparently Silk Road 3.0 is up and running already and it’s been patched.