Just a reminder: Operation Onymous brought down as many as 27 dark web markets at the time, including Silk Road 2.0. Silk Road 2.0 was launched just a month after the original, Ross Ulbricht’s Silk Road marketplace, was seized by the FBI in 2013.
What this new information brings into question is, first, the role academic institutions play in fighting crime on the dark web; and second, the fairness of the trials that followed the operation, since the crucial evidence allegedly was not disclosed in discovery.
It began with the arrest of one Brian Richard Farrell from Seattle, who quickly admitted that he was behind the nickname “DoctorClu”, a member of the Silk Road 2.0 staff.
The search warrant presented to Farrell by Special Agent Michael Larson says that the FBI received “reliable IP addresses for TOR and hidden services, such as SR2” from a “Source of Information (SOI).” The information obtained covered the main marketplace, its forum, its support interface and a section typically accessed by staff and dealers only.
With the help of this information, the FBI was able to locate the Silk Road 2.0 servers, and ultimately to discover another 20-plus dark web marketplaces as well as fake and scam websites.
The mysterious Source of Information also provided some 78 additional IP addresses – users’ IPs – known to have accessed the vendor .onion address.
Farrell was arrested and is currently on trial for conspiracy to distribute heroin, methamphetamine and cocaine.
But, that’s all good news, right?
In October this year, the government notified Mr. Farrell’s defense counsel in a letter stating that his “involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”
Tellingly, the events mentioned above line up with the attack on the Tor network that took place in 2014:
Sometime in July 2014, Tor wrote in a blog post about indications that a group of relays had been working to compromise the anonymity of users. Apparently, they were targeting those who “operate or access Tor hidden services.” Tor eventually removed those relays, but the period in which this happened matches the time the FBI obtained the IP addresses of the dark web markets and their users from its trusted source.
Another telling event was the Black Hat hacking conference, where Alexander Volynkin and Michael McCord, both academics from Carnegie Mellon University, were scheduled to present “how a $3000 kit can unmask the IP addresses of Tor hidden services” and their users. Surprisingly, the much anticipated talk was … canceled.
However, the description of the talk remarkably resembled the attack on the Tor network. Moreover, the two academics also revealed that they “had tested attacks in the wild.”
A number of people familiar with Farrell’s case have come to believe that the mysterious source of information, and the perpetrator behind the attack, was in fact CMU. Whether these allegations are true has not yet been confirmed.
Is there a moral of the story?
Of course, always!
To start, let’s consider again how the Tor network works. It operates through a network of trusted relays (nodes, as they are called). The connection is encrypted and passes through a chain of relays, a circuit, to its destination.
BUT, the Tor Project has revealed that it is possible to deanonymize a user. If the entry node knows the IP address of the user and the last (exit) node knows the user’s destination, the connection can be correlated and the IP address compromised. It was this vulnerability in Tor that the description of the Black Hat talk by the two academics referred to.
So, is there anything users CAN do to reduce the risk of being deanonymized?
Again, of course!
The risk is significantly lower when using Tor in combination with a decent VPN (Virtual Private Network). With a VPN, you don’t connect directly to the webpage you want: you first connect to the VPN server, which then forwards your traffic to the desired webpage.
So, from the very first hop of this connection your apparent IP address differs from your real one; when you then connect to the Tor network, the entry node sees only the VPN server’s address and has no way to identify your real IP address or your location.
Better still, there are VPNs that don’t keep any logs of users’ online activity, so even if the authorities ask them to hand over these logs – they can’t!
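The two points above, what a single relay can and cannot see versus what a colluding entry and exit pair can reconstruct, and what a VPN in front of Tor changes, are easy to see in a small simulation. The following is an added illustration, not the Tor Project’s code and not anything from the case: a three-hop circuit with a throwaway XOR keystream standing in for Tor’s real cryptography, fixed-width hop headers as a toy cell format, and constructed documentation addresses (`203.0.113.7` for the client, `198.51.100.9` for an assumed VPN server, `example.onion` for an assumed destination).

```python
"""Toy model of Tor-style onion routing (added illustration, not Tor's own code).

A three-hop circuit with a throwaway XOR keystream stands in for Tor's real
cryptography. It shows what each relay sees on its own, why a colluding entry
and exit relay can link a client to a destination, and what changes when a
VPN sits in front of Tor. All addresses are constructed documentation values.
"""
import hashlib
from dataclasses import dataclass, field

HOP_LEN = 24  # fixed-width header carrying the next hop's name (toy framing)


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used as a toy keystream for one layer."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one encryption layer (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pack(next_hop: str, inner: bytes) -> bytes:
    return next_hop.encode().ljust(HOP_LEN, b"\0") + inner


def unpack(data: bytes):
    return data[:HOP_LEN].rstrip(b"\0").decode(), data[HOP_LEN:]


@dataclass
class Relay:
    name: str
    key: bytes  # key shared with the client (assumed set up out of band)
    seen: list = field(default_factory=list)  # (previous hop, next hop) pairs observed

    def forward(self, sender: str, cell: bytes):
        """Peel one layer: learn only who sent the cell and where it goes next."""
        next_hop, inner = unpack(xor_layer(self.key, cell))
        self.seen.append((sender, next_hop))
        return next_hop, inner


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Wrap the payload so relay i can read only the address of hop i+1."""
    cell = xor_layer(circuit[-1].key, pack(destination, payload))  # exit's layer
    for i in range(len(circuit) - 2, -1, -1):  # wrap outward toward the entry
        cell = xor_layer(circuit[i].key, pack(circuit[i + 1].name, cell))
    return cell


def send(source: str, circuit, destination: str, payload: bytes):
    """Push one cell through the circuit; returns what the exit hands on."""
    cell = build_onion(circuit, destination, payload)
    sender = source
    for relay in circuit:
        next_hop, cell = relay.forward(sender, cell)
        sender = relay.name
    return next_hop, cell


def link_by_colluding_ends(entry: Relay, exit_relay: Relay):
    """What an observer controlling BOTH ends can reconstruct: the entry log
    yields the client address, the exit log the destination. Pairing by cell
    order here stands in for the timing/volume correlation a real attack needs."""
    return [(src, dst) for (src, _), (_, dst) in zip(entry.seen, exit_relay.seen)]


def run_scenario(use_vpn: bool) -> dict:
    """Client 203.0.113.7 fetches example.onion, directly or via a VPN at 198.51.100.9."""
    entry = Relay("entry", b"k-entry")
    middle = Relay("middle", b"k-middle")
    exit_relay = Relay("exit", b"k-exit")
    circuit = [entry, middle, exit_relay]
    # With a VPN in front, the entry relay's peer is the VPN server, not the client.
    source = "198.51.100.9" if use_vpn else "203.0.113.7"
    delivered = send(source, circuit, "example.onion", b"GET /")
    return {
        "entry": entry.seen,
        "middle": middle.seen,
        "exit": exit_relay.seen,
        "delivered": delivered,
        "linked": link_by_colluding_ends(entry, exit_relay),
    }


if __name__ == "__main__":
    for vpn in (False, True):
        print("VPN" if vpn else "direct", run_scenario(vpn))
```

Running it shows the entry relay logging only `(client, middle)`, the middle relay only `(entry, exit)`, and the exit relay only `(middle, example.onion)`; no single relay holds both ends. Only when the entry and exit logs are combined does a `(client, destination)` pair appear, which is the weakness the Black Hat description pointed at. With the VPN hop in front, the same collusion yields `(198.51.100.9, example.onion)`: the pair now points at the VPN server, and reaching the real client depends on whatever the VPN provider has logged, which is why the no-logs point above matters.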
Moral? Despite the widespread discussion on the internet about this case – it’s the government’s job to catch criminals, so it’s hardly their fault these guys fell. Nor does the fault rest with CMU or any other academic institution, for that matter. Had these guys used even the worst VPN in combination with Tor, they wouldn’t have been busted!