On September 22nd, the United States Department of Justice announced the results of an international anti-opioid operation targeting deep web buyers and sellers. The operation was named Operation DisrupTor. Here is a graphic released by the DOJ which gives the results of the operation as well as the countries that participated.
Now, I’m not saying this operation wasn’t successful, but for all the international manpower involved, the results were not all that impressive. This is probably why the DOJ is promoting it more as a show event. The idea was to show deep web participants that they could, indeed, be tracked down despite what efforts they may have made to hide their identity.
The report states that “criminals attempt to further hide their activities within the dark web through virtual private networks and tails.” What the DOJ is really saying here is that criminals can be found whether they use Tor, VPNs, or Tails. Tails is an independent operating system that can be stored on, and booted from, a USB stick.
How can all of these privacy tools be compromised? Let’s begin with Tor because anyone who wants to buy or sell items in deep web markets can only do so by using the Tor browser. This browser is used to mask the location of the user. Here is a simple diagram that shows how this works.
So how could they have disrupted this encrypted network to locate the criminals? Notice that all exit nodes are known. A list of all exit nodes exists and is published. Anyone not wanting to accept requests coming through the onion network can block them by checking connections against that list and refusing service to addresses on it. Anyone controlling an exit node can view the traffic leaving through it (unless it is separately encrypted, as with HTTPS), even if they don’t know the location of the original source. In this way, they can perform a sort of man-in-the-middle attack between the exit node and the requested server.
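The check the previous paragraph describes, a site comparing incoming connections against the published exit list, is easy to implement. The script below is an added example and is not part of the original post. The Tor Project publishes the current exit addresses as a plain-text list, one address per line; the list and the web-server log lines embedded here are constructed samples in that format so the example runs offline, and the "challenge" decision (rate-limit or CAPTCHA rather than a hard block) is an assumed policy, not something the post prescribes.

```python
"""Triage web requests against a Tor exit-node list (added example, not from the post)."""
import ipaddress

# Constructed sample in the one-address-per-line format of the published exit list.
# Comments, blank lines and a malformed entry are included to show they are tolerated.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real exit nodes
192.0.2.10
192.0.2.11
198.51.100.7
2001:db8::1

not-an-address
"""

# Constructed sample access log (Common Log Format); the client address is the first field.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Sep/2020:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [22/Sep/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [22/Sep/2020:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
garbage line that is not a log entry
"""


def parse_exit_list(text):
    """Return the set of valid IP addresses in an exit list, skipping comments, blanks and junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # ip_address() normalises both IPv4 and IPv6 (e.g. case in hex groups),
            # so later lookups work regardless of how the client address was written.
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # tolerate a bad entry rather than discarding the whole list
    return exits


def is_tor_exit(client_ip, exits):
    """True if client_ip (a string) is a known exit address; False for unparseable input."""
    try:
        return ipaddress.ip_address(client_ip) in exits
    except ValueError:
        return False


def triage_log(log_text, exits):
    """Return [(client_field, decision)] for each log line.

    decision is "challenge" for a Tor exit, "allow" for any other valid
    address, and "unparsed" when the first field is not an IP address at all.
    """
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split()[0]
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            results.append((client, "unparsed"))
            continue
        results.append((client, "challenge" if addr in exits else "allow"))
    return results


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for client, decision in triage_log(SAMPLE_LOG, exits):
        print(f"{client:<20} {decision}")
```

In a real deployment the list would be refreshed regularly, because exit nodes come and go; an operator also has to decide whether flagged traffic is challenged or refused outright, since the same list blocks legitimate privacy-conscious visitors along with abusive ones.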
However, in order to take down a criminal buyer, law enforcement (LE) would need to control a significant number of exit nodes. LE can set up and run exit nodes of its own. Of course, LE could also be posing as a deep web seller (vendor) and operate their own servers. However, this does not help them determine who is sending the request. In order to find the original sender of a message, they would need the help of an ISP, since the ISP would know who was connecting to the Tor network. With that help, LE could uncover all the people using the Tor network. And make no mistake about it, ISPs are more than willing to comply with government requests.

So, with these factors in place, LE can use algorithms to determine which users are most likely connecting to servers run by criminal sellers. In other words, by working a man-in-the-middle attack on a controlled exit node, they are able to identify both criminal servers and the buyers who are using them to get drugs. But they cannot be 100% sure that a particular request is coming from a particular person. They would need to develop an algorithm that detected a pattern of use over time. This, plus other information they may have on particular suspects, could give them enough evidence to bring a case against both buyers and sellers. The FBI report more or less admits this by stating that it targeted “prolific buyers”, in other words, those buyers who established an algorithmically identifiable association with sellers. As Edvardas Šileris, the Head of Europol’s European Cybercrime Centre (EC3), noted, “The hidden internet is no longer hidden, and your anonymous activity is not anonymous.”

Keep in mind that your VPN provider knows which IP address a request is coming from. Under pressure from LE, they can give up your location. Some VPNs are better than others, but all can be compromised under various circumstances.
Tails is an operating system that runs from a USB stick and is used to access Tor. Tails adds another level of security. Unfortunately, it is not a complete solution to privacy, as Tails can be compromised. The Tails site itself elaborates on the ways a compromise of privacy can occur.
So the message to future drug buyers and sellers is clear. You can be tracked down and caught no matter what evasive measures you take. With that said, you would expect the deep web community to be thrown into its usual paranoia. However, I have found no evidence of this. Despite the media announcing the “Dark Web’s End is Near!”, deep web markets seem to be operating as normal. Here is a recent view of the Elite Marketplace.
In fact, new marketplaces have started up. Most deep web participants doubt their legitimacy, but that is normal on the deep web until a market proves itself.
Most users of deep web marketplaces worry more about exit scams than about government intervention. An exit scam occurs when the owners of a market suddenly disappear and make off with all the money in their users’ accounts. In fact, not long after I visited the Elite Market, shown above, its owners appear to have staged an exit scam. It has disappeared from the deep web.
Deep web users are well aware that LE is on every market site posing as both buyers and sellers. They also know that LE is looking for the big players. Sure, from time to time they may arrest a small-time buyer for show, but that’s not common. It does not pay to prosecute a person who is likely to get only a light sentence.
In other words, deep web markets will not close down soon. Addicts need drugs and they don’t care how they get them. In fact, they have no choice but to take risks. Vendors find deep web markets preferable to selling on the streets. First of all, it’s far safer not having to deal with customers face to face. For buyers, drug quality is more dependable, since the sale of low-quality drugs would be reported and the seller’s reputation would be destroyed. One mistake on the deep web is one mistake too many.
In the end, Operation DisrupTor may have succeeded in making deep market users more aware of security. Now, in this unending back-and-forth battle, these markets will have to find additional ways to ensure the safety of their participants and, no doubt, they will. The death of deep web markets has been prematurely declared on numerous occasions. Mark this as just another empty declaration.