Federal law enforcement agencies in the U.S. and Europe have shut down more than 400 Web sites using .onion addresses and made arrests of those who run them, which calls into question whether the anonymizing The Onion Router (Tor) network itself is still secure.
The Web sites - which authorities say sold a range of illegal wares including drugs, firearms with the serial numbers filed off, phony credit cards, fake IDs and counterfeit money - have been taken down by seizing the servers that host them.
The server seizures and the arrests indicate that law enforcement agencies have found a way to trace the physical locations of devices connected to Tor and to track down the individuals responsible for them - two things Tor was designed to prevent.
Even the name of the coordinated effort - Operation Onymous - indicates that the agencies involved undermined the anonymity component of Tor, which they refer to as the Darknet. "[T]his time we have ... hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable," says Troels Oerting, head of the European Cybercrime Center, in a press release from the agency.
Law enforcement officials didn't say how they had found the physical locations of the devices and their owners, and Oerting says they aren't going to.
"This is something we want to keep for ourselves," he told Wired. "The way we do this, we can't share with the whole world, because we want to do it again and again and again."
"Today we have demonstrated that, together, we are able to efficiently remove vital criminal infrastructures that are supporting serious organized crime. And we are not 'just' removing these services from the open Internet; this time we have also hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable. The criminals can run but they can't hide. And our work continues....", says Troels Oerting, Head of EC3.
This makes it unclear whether these authorities have broken Tor to the point that it can no longer mask the location of its infrastructure or whether they found them using other intelligence.
Tor relies on volunteers who host nodes of the network. Traffic bounces around within Tor in order to disguise where it comes from, but exit nodes and entrance nodes would yield the most useful information about actual IP addresses connecting to Tor.
"Law enforcement could try to get in that first layer and see the sources and therefore try to reduce the anonymity as much as possible," says Ben Johnson, chief evangelist at Bit9+Carbon Black. "Combine this with some older versions of the Tor software having some vulnerabilities and this could be how some of these users and sites are tracked down."