Tor darknets rise again after Operation Onymous

News by Doug Drinkwater

A month since the joint FBI/Europol crackdown on more than 400 dark markets and a new report claims that action hasn't been as successful as first thought.

In early November, the FBI and Europol announced ‘Operation Onymous' – a joined-up international law enforcement action which saw the take-down of hundreds of dark markets on anonymous networks like Tor. These websites – which included Silk Road 2.0 - were selling illegal goods including weapons, drugs and hacker tools.

15 EU member states were involved in a campaign that was – from the European side - co-ordinated at the Europol's coordination centre (the European Cybercrime Centre) in The Hague, with the newly-established J-CAT also involved.

The six-month investigation eventually saw the arrest of 17 vendors, the take-down of more than 410 hidden services and the capture of around US$ 1 million in Bitcoins (approximately £640,000), €180,000 in cash (£115,000) and the discovery of drugs, gold and silver.

However a report recently uncovered by sheds some doubt on how effective this action has been, with most darknet sellers, advertisers and buyers moving onto new – or undisturbed – market places.

In a recent investigation of Operation Onymous, UK-based internet and darknet intelligence service provider Centient found that 27 specific sites were taken down, including Silk Road 2.0, Alpaca, Black Market and Hydra, as well as a ‘large number' of .onion domains that were connected to these sites.

Most of these darknets had a limited user base however; the report notes that most on the list were either ‘some sort of scam or a small marketplace with a limited number of adverts and no growth'.

Interestingly, two of the bigger darknets – Agora and Evolution – were not taken down by the law enforcement action and investigators at Centient say that the overall marketplace is bigger than it was before Operation Onymous was carried out. Estimates have not been verified but – in the second week of November– Centient believes that there was a 20 percent rise of adverts on Evolution and 27 percent across Agora's forum and marketplace.

“Vendors migrating from the closed markets most likely caused this increase, to minimise disruption to trade,” reads the Centient report.

Elsewhere some markets briefly reappeared; Alpaca returned with a new server and Tor domain, while Cloud9 reinstated a back-up from two weeks prior to the operation.

Lead investigator Benjamin Ali told that other vendors have simply ‘filled the void' since the law enforcement crackdown.

“The FBI targets these people but not the actual vendor – so they feel quite safe really. There's been a movement to new platforms and the take-down has really been a good push to decentralise the whole thing”, he said of Tor, where most services are hosted. He added that the two biggest markets would offer thousands of credit card details, log-in credentials for hacked accounts and illegal goods.

Ali said that the majority of services remain on Tor, although some have appeared in new and emerging platforms. One marketplace – imaginatively called ‘The Marketplace' - was available on i2P before it was taken down, while OpenBazaar is open-source.

However, the Centient spokesman said that most of these are on new platforms simply for testing purposes.  “There are no real products yet – they're all in testing,” said Ali.

“It appears that these take-downs have not really achieved anything-long term; the majority of users have carried on business as usual,” reads the report summary. “The two biggest marketplaces, Evolution and Agora, absorbed most of the trade from the closures, causing minimal disruption for both buyers and sellers. Several of these websites have resurfaced, however it is unlikely they will experience the success they previously had due to the potential of law enforcement involvement.”

How they did it

There has been a lot of ambiguity over how FBI and Europol seized these websites and there have been numerous possible explanations, from a vulnerability with Tor (30 July advisory) and SQL Injection attacks against vendors' out-of-date software to a “guard” attack –  the process of targeting ‘guard nodes' for access to specific hidden services.

Another possible way in is social engineering. “This is how Silk Road 2 was uncovered; an undercover agent acting as a moderator had access to the log files on the system that were then used to locate the owner of this site.”

“The operation could have potentially uncovered a serious flaw within Tor; however this cannot be confirmed until further details are released regarding the execution of  the operation. This uncertainty could lead users to move away from Tor to alternative networks such as i2p, Freenet or even a local meshnet; where each city has its own network that could be used to sell illegal items. There is also the potential for users to move to decentralised marketplaces, such as the open source project OpenBazaar, which is currently in development.”

Dr Gareth Owen, senior lecturer for the school of computing at Portsmouth University, believes that they most likely exploited “bad op-sec.”

“That is, the operators of these sites did not follow best practice in protecting their identity and that of their server, by, for example, running poorly coded web-shops that had common exploitable bugs,” he told

We aren't sure how many web-sites were taken down but it looks like a large number were fake phishing sites which were clones of the real thing - so law enforcement largely missed their target.

The truth is though that there are many powerful attacks against Tor hidden services that cannot be fixed, and whilst it is difficult to deanonymise them it is far from impossible - if you are targeting a large list of sites then the existing attacks show that you'll deanonymise some of them.

When speaking to SC late last week, (ISC)² EMEA managing director Adrian Davis agreed that most of the websites affected were clones and said that the move showed the market's strength. “It kind of shows that darknet shoppers are resilient.”

He added that criminals would naturally look to build or use smaller networks as ‘logical separation' and suggested that criminals themselves may not be as tech-savvy as first thought, leaving them susceptible to social engineering or age-old security flaws.

“A lot of the time we think that hackers have sophisticated malware but what if they are making the same basic mistakes we do? Or missing the same security vulnerabilities? They're human beings so maybe they're as vulnerable to social engineering as an admin.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews