The Tor darknet takedown – what happened?

As we are sure many of our readers are already aware, last Thursday an international coalition of law enforcement agencies performed a massive strike targeted at darknet websites such as ‘Silk Road 2.0’ which act as marketplaces for illicit goods and services. The known facts about ‘Operation Onymous’ are that:

  • 414 ‘.onion’ Tor hidden service addresses were seized
  • It later turned out, however, that this amounts to only 27 distinct sites (many of the 414 .onion addresses pointed at the same services)
  • These included contraband marketplaces such as Silk Road 2.0, Cloud 9 and Hydra
  • They also included money laundering services such as Cash Machine, Cash Flow, Golden Nugget and Fast Cash
  • Four Tor exit nodes in Amsterdam and six in a Miami datacenter were taken offline
  • 17 arrests were made, including the alleged owner and operator of Silk Road 2.0, 26-year-old San Francisco entrepreneur Blake Benthall, aka ‘Defcon’
  • $1 million in Bitcoin, $250,000 in cash, and a range of gold and silver valuables, weapons, computers and drugs were taken from suspects
  • Operation Onymous was a joint operation between 16 Europol member nations, the FBI, and US Immigration and Customs Enforcement
  • Some darknet marketplaces are still operational, however

So is Tor still secure?

Tor’s hidden services have undoubtedly come under a massive and highly effective attack (and the relevant authorities are certainly not letting on how this was achieved), so the question almost all security professionals and privacy activists are scrambling to answer is what happened, and what this means for the security of the Tor network. As a blog post on the Tor website notes,

So we are left asking “How did they locate the hidden services?”. We don’t know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as “parallel construction.”

This last part alludes to the ongoing prosecution of alleged Silk Road owner Ross Ulbricht, in which the question of how the FBI located the original Silk Road server has been contested. The post then goes on to list a number of possible ways the Tor network might have been attacked, although all of them at this time remain speculative.

Andrew Lewman, executive director of the Tor Project, however, was keen to downplay the significance of the bust,

The police have way overblown what they have done. This sure made a huge press splash. The simplest explanation is that they probably followed the money trail – following Bitcoin transactions, they managed to find these individuals.

On the initial furore over claims that over 400 websites had been taken down, Lewman noted that,

They overemphasised what they did, wouldn’t expect the police to be the ones… you need to trust the police. When they say they’ve busted 400-something, you expect 400-something to have actually been busted. And it doesn’t seem that’s the case. What they’ve said was, “Oh no, we’ve broken apart 400”. And no, now it’s 50. Now it’s 27. And… maybe it’s actually less than that.

Europol has since denied claiming to have taken down 400+ websites.

None of which answers the question of whether Tor has been broken, although early reports that a massive Denial of Service attack might have been used to de-anonymise users have been largely discredited.

However, the fact that a number of high profile illegal websites remain online suggests that the Tor network remains fundamentally secure. As Dr Steven Murdoch, security expert at University College London, told the BBC,

Some major hidden markets are still available, including some of the biggest. If they had a successful way of compromising hidden services they would have done it to everyone.

What is certain is that the authorities are not going to let on how they performed the operation. Troels Oerting, head of the European Cybercrime Centre, said,

This is something we want to keep for ourselves. The way we do this, we can’t share with the whole world, because we want to do it again and again and again… This is just the beginning of our work. We will hunt these sites down all the time now. We’ve proven we can work together now, and we’re a well-oiled machine. It won’t be risk-free to run services like this anymore.

The affected websites

A full list of the 27 websites taken down (so far), by category, follows (websites allegedly involved in more than one illegal category are listed under each):

Drug related

  • Alpaca
  • Black Market
  • Blue Sky
  • Bungee 54
  • Cannabis UK
  • Cloud Nine
  • Dedope
  • Farmer1
  • Hydra
  • Pablo Escobar Drugstore
  • Pandora
  • Silk Road 2.0
  • Smokeables
  • Tor Bazaar

Stolen and counterfeit credit card related

  • Cloud Nine
  • Fake Real Plastic
  • Hydra
  • Pandora
  • Pay Pal Center
  • Real Cards Team
  • The Green Machine
  • Zero Squad

Dealing with counterfeit money

  • Alpaca
  • Blue Sky
  • Cloud Nine
  • Fast Cash!
  • Hydra
  • Pablo Escobar Drugstore
  • Sol’s Unified USD Counterfeit’s
  • Super Note Counter
  • The Hidden Market
  • Zero Squad

Selling fake identities

  • Alpaca
  • Black Market
  • Fake ID
  • Pablo Escobar Drugstore
  • Pandora
  • Silk Road 2.0
  • The Hidden Market


Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.
