“This is something we want to keep to ourselves.” That was the response Troels Oerting, head of the European Cybercrime Center, gave when asked about how they managed to take down Silk Road 2 and other contraband marketplaces during operation Onymous back in 2014. Typically vague, like most things involving the Dark Web. Not much has changed since.
Anonymity is the real currency of the digital dark side and not just for the criminals. Organizations such as the U.S. Federal Bureau of Investigation’s (FBI) J-CODE, Europol’s EC3, the German Federal Criminal Police, La Police Nationale Française, and many others invest significant amounts of time and cash into technologies and methodologies used to break up large crime rings. Understandably, such organizations would prefer to have as much impact as possible whenever making a move. Not just for efficiency’s sake but also because, like in chess, every move reveals a bit more of an attacker’s overall strategy and allows their opponents to be more prepared for the next one.
Despite efforts to remain cagey, law enforcement is at a distinct disadvantage next to hackers as far as anonymity goes. They are burdened by the minor inconvenience of having to follow the law, which often forces them to disclose methodologies in court documents or government-sponsored reports. These afford some fascinating insight into how authorities have been busting criminals on the Dark Web. We’ve boiled down the technical highlights below.
Purely technological attacks exploiting Dark Web infrastructure or design flaws are rare but have their precedent. The most notorious example is a Traffic Confirmation attack back in 2014, when Carnegie Mellon researchers, at the behest of the U.S. Department of Defense, were able to exploit Tor’s networking design by injecting sequences of ‘relay’ and ‘relay-early’ commands that served as a code to track IP paths from entry to target in both directions, essentially allowing researchers to determine the true IPs of users accessing sites on the Dark Web. The technique was one of the methodologies the FBI and Europol used to convict sellers from Silk Road 2.0, but it wasn’t the only weapon they employed.
A Sybil attack attempts to have multiple proxies infiltrate and compromise enough of a system or network to serve as an influential block that can be used in any number of ways.
Carnegie Mellon used their Sybil-generated virtual mini-network of proxy nodes to allow targeted monitoring of entry and exit traffic, effectively breaking Tor’s anonymity architecture. Tor’s administrators have since shipped updates that mitigate both Traffic Confirmation and Sybil attacks, but the principle is still sound and could be pulled off again should an appropriate configuration or some other factor be adjusted enough to avoid detection.
If not, don’t count on authorities to throw their hands up in despair. Often, when unable to compromise a key node or relay, they simply show up at the host’s house with a team of armed men in obscure, acronym-adorned windbreakers and a search warrant. Something about the business end of a gun seems to work magic when technical chops just won’t cut it. But the use of such persuasive tactics requires authorities to know which doors to knock on, and that requires some creative technical solutions of its own.
Network Investigative Techniques (NITs) have been used as an indirect attack vector to locate Dark Web criminals by going after the browsers used to access the network. A 2015 raid against a child exploitation site made use of a previously unknown Mozilla Firefox vulnerability (the Tor Browser is based on Mozilla Firefox) that allowed FBI agents to generate unique IDs for site visitors. Those IDs allowed the FBI to infect visitor computers with a payload that recorded activity as well as identifying information (including the users’ true IPs), before sending the collected data back to investigators unencrypted.
Another particularly scary technological workaround to locate Dark Web users is the use of Ultrasound Cross-Device Tracking (uXDT), as demonstrated by Mavroudis Vasilios at Black Hat EU and the 33rd Chaos Communication Congress. Originally developed as an advertising tool (the kind that serves up ads for BBQ wings on a user’s phone after they mention offhandedly to their spouse that they’re in the mood for chicken that night), uXDT can also be employed to deanonymize Dark Web criminals. It works when a user visits a site featuring uXDT-type ads, which are programmed to emit a sub-audible encoded signal designed to be picked up by other devices within range. Smartphones and other IoT devices actively listening for commands register the code, which then directs the devices to send their details back to a central server. Once under a unified Command and Control system, multiple devices can be networked for use in collective intelligence gathering on individual users.
As ingenious as some of these deanonymizing techniques are, more often than not it is amateurish mistakes on the part of criminals that grant authorities the access they need. A common one involves failing to change vulnerable default configurations on host machines. For example, Apache servers come with mod_status enabled by default, which allows for /server-status requests that reveal a treasure trove of information including resource usage, connected virtual machines and possibly even search histories (depending on the use of the machine compromised). As a security precaution, this default configuration is designed to answer only requests that originate from the local host, but due to the nature of the Tor network, the onion daemon that forwards service requests to the web server happens to run on that same local host, so every visitor’s request passes the check. In other words, remember to reconfigure the server or get used to prison Wi-Fi.
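As an added example (not code from the original article), here is a small audit script that reads an Apache config fragment and flags exactly this trap: mod_status loaded, the /server-status handler present, and a localhost-only access rule that becomes meaningless once tor forwards every onion-service request from 127.0.0.1. Both config fragments are constructed samples, and the function name and its check list are this example’s own.

```python
import re

# Constructed sample resembling a stock status.conf shipped with Apache packages.
DEFAULT_STATUS_CONF = """\
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
ExtendedStatus On
"""

# Constructed hardened variant: module not loaded, handler block removed.
HARDENED_CONF = """\
# LoadModule status_module modules/mod_status.so
ExtendedStatus Off
"""


def audit_status_exposure(conf: str, onion_service: bool = True) -> list[str]:
    """Return a list of findings for an Apache config fragment.

    Behind a Tor onion service the tor daemon, not the visitor, opens the
    connection to Apache, so every request arrives from 127.0.0.1 and a
    'Require local' / 'Allow from 127.0.0.1' rule admits the whole Tor network.
    """
    flags = re.M | re.I
    findings = []
    module_loaded = re.search(r"^\s*LoadModule\s+status_module\b", conf, flags)
    handler_on = re.search(r"^\s*SetHandler\s+server-status\b", conf, flags)
    local_only = re.search(
        r"^\s*(Require\s+local|Require\s+ip\s+127\.0\.0\.1|Allow\s+from\s+127\.0\.0\.1)\b",
        conf, flags)
    if module_loaded:
        findings.append("mod_status is loaded")
    if handler_on:
        findings.append("/server-status handler is exposed")
    if handler_on and local_only and onion_service:
        findings.append("localhost-only rule is ineffective behind tor "
                        "(requests arrive from 127.0.0.1)")
    # ExtendedStatus On adds the request line of every active worker to the
    # page, i.e. the URLs visitors are currently fetching.
    if re.search(r"^\s*ExtendedStatus\s+On\b", conf, flags):
        findings.append("ExtendedStatus On leaks per-request URLs")
    return findings
```

Run it against the real status.conf on a host that serves an onion service; an empty list is the only acceptable result.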
However, the most common downfall of hackers has got to be their own ego. Several high-profile arrests were the result of overconfident hackers making sloppy mistakes, like using an alias in conjunction with their primary email or other identifiable information on open platforms.
Case in point: Paige Thompson, the former Amazon employee implicated in the recent Capital One breach (one of the largest involving a major bank, exposing PII and credit card data from 100 million users), was caught despite her use of Tor to cover her tracks. It was actually a tipster email address set up by Capital One Financial Corp. for just this sort of scenario that initially informed the bank they had a problem. Thompson’s mistakes: first, she bragged about her misadventures on Twitter using her Dark Web alias ‘erratic.’ Not the smartest move, but not half as careless as using her actual name on the GitHub address storing the stolen Capital One data.
There seems to be something about the criminal mind that leaves it prone to reckless, braggadocious, self-destructive behavior. Or as one Twitter user put it with regard to Ms. Thompson:
The alleged hacker is known as “Erratic,” a.k.a. netcrave, a.k.a. @0xa3a97b6c,
Oh wait. That last one was a bit of a dead giveaway.
This seems to be what the FBI thought, too.
— @Richi Jennings (@RiCHi) August 1, 2019
Avraham Chaim Schneider is coordinator of Israel-based law firm Herzog Fox & Neeman’s cyber and innovation media project.