Tor Uncovered: Tor is an overlay network designed to provide a fully anonymous way to browse the web and exchange messages or data over the internet. The “darknet” is supposed to be free from eavesdropping and surveillance, but resourceful agencies can still peel back its many onion-like layers to uncover a suspect’s true identity.
German news outlet Tagesschau reports that local law enforcement agencies have successfully targeted, tracked, and arrested four suspects in a single investigation. The outlaws used Tor to hide their identities and activities in managing a ransomware operation and hosting child sex abuse material (CSAM) on their servers.
Investigators identified the suspects using a “timing analysis” attack. The officers directly monitored many Tor nodes over time, looking for timing correlations between traffic to the servers hidden within the darknet and traffic on specific local internet connections. The story confirms that law enforcement agencies are actively monitoring web servers hidden in Tor.
Authorities tracked four people in their investigation, eventually taking over the Tor address belonging to a ransomware group. Police redirected its traffic to a new page to prevent users from sharing previously stolen encrypted files. Then, the investigators used timing analysis techniques to uncover the identity of “Andres G,” an individual operating a .onion service known as “Boystown” that hosted CSAM.
Successfully uncovering who’s behind a darknet service is no easy feat, and authorities haven’t revealed significant details about their timing analysis attack. Developers from the Tor Project claim a suspect tracked by German authorities was using an old version of the Tor-based, decentralized instant messaging application Ricochet.
The Tor team said the Ricochet user was “fully de-anonymized” through a guard discovery attack. The outdated Ricochet release didn’t protect against timing analysis. Developers addressed this shortcoming in a new application fork (Ricochet-Refresh). This version is fully maintained and offers better privacy for freely chatting (and exchanging files) within the darknet.
The developers claim that users can only access Onion services from within the Tor network, so any discussion about monitoring exit nodes is irrelevant to this case. The network is healthier than ever, with over 2,000 new exit nodes coming online over the past few years. An “exit node” is the last Tor relay a user’s traffic passes through before reaching the clearnet, so from an ISP’s point of view the exit node appears to be the originator of the communication.
“Like many of you, we are still left with more questions than answers,” the Tor programmer said. “But one thing is clear: Tor users can continue to use Tor Browser to access the web securely and anonymously.”