Experts: How law enforcement shone a light on darknets

Law enforcement agencies across the world are lauding their recent raids on the fortress-like Tor network as a breakthrough in tackling so-called ‘darknets.’ With the hidden web still cloaked in secrecy, however, there are multiple theories about how the authorities broke into the super-secure Tor network.

Last week a top Europol official said that 17 people had been arrested in an international crackdown on underground Tor-based websites selling illegal drugs. Raids were coordinated in more than a dozen countries, including the U.S., where the FBI announced the arrest of a man accused of running the Silk Road 2.0 online drug bazaar.

Darknets run on the Tor network, which anonymizes traffic by sending it through a series of encrypted connections, or relays, around the world. Tor, which stands for ‘The onion router,’ started out as a military project, but now functions largely as a highly clandestine civilian network.

Theories abound as to how the authorities cracked the darknets.

“There’s a lot of speculation - nobody really knows the answer,” Matthew Green, assistant research professor in the department of computer science at Johns Hopkins University, told

Green, however, noted that a number of the sites targeted were hosted in a Bulgarian data center. “One possibility is that, for those sites, the FBI or Europol got warrants and went through the servers at that [physical] site,” he said. “Another possibility is that investigators may have hacked into computers or, at the far end of the spectrum, they had some sort of sophisticated attack against Tor.”

Europol said that more than 410 “hidden services” on the Tor network were shut down as a result of its ‘Operation Onymous.’ In addition, Bitcoins worth approximately $1 million were seized as part of the operation, as well as almost $225,000 in cash, drugs, gold, and silver.

In a blog post on Sunday, the Tor project acknowledged that it was caught off guard by the sting. “We were as surprised as most of you,” it said, adding that the project has little information on how law enforcement took control of the hidden services.

“Over the last few days, we received and read reports saying that several Tor relays were seized by government officials,” said the Tor project. “We do not know why the systems were seized, nor do we know anything about the methods of investigation that were used.”

Pierluigi Paganini, author of the book “The Deep Dark Web” and founder of the Security Affairs blog, thinks that law enforcement adopted a two-pronged approach to tackle the darknets.

“It’s my opinion that the Operation Onymous was supported by an intense activity of intelligence and also a hacking campaign that targeted the hidden services used by the criminal gangs for the illicit activities,” he told, in an email, noting that investigators have coordinated their efforts for a long time.

While the FBI declined to discuss specifics of its probe when contacted by, some details of its Silk Road 2.0 investigation have emerged. In a statement released last week, the agency said that a Homeland Security investigator infiltrated the support staff involved in the administration of Silk Road 2.0, gaining access to private, restricted parts of the site.

"Although we do not comment on investigative techniques, the FBI continues to aggressively investigate, disrupt, and dismantle criminal elements that pose a threat in cyberspace," said an FBI spokesman, in a statement emailed to

As for the broader attempts to crack the Tor network, Paganini thinks that investigators probed for any weaknesses they could find.

“I think that it is possible that the police also exploited security flaws within the Tor network and in any application used to browse the anonymizing networks,” he said. “Tor network, exactly like any other software, is affected by bugs that could be exploited by law enforcement and intelligence agencies to de-anonymize users.”

The expert also deems it plausible that a zero-day attack was used to track Tor users and identify their locations, with the support of local Internet Service Providers. A zero day attack exploits a previously unknown vulnerability in a system.

In its blog post, the Tor project cited a number of ways that services may have been compromised. These include inadequate operational security, which could have opened the door to undercover agents, and ‘bitcoin denanonymization,’ which may have linked transactions in the virtual currency to specific places.

Other possible scenarios include exploitation of common web bugs and denial of service attacks on Tor network relays.

Darknets are just one part of what is known as the deep web - a vast network which is not indexed by search engines such as Google and Bing. While most of the deep web is not mired in criminality - resources such as academic databases and libraries are said to make up much of its content - darknets typically run on the Tor network.

The Tor Metrics web site says that the network has just over 2.25 million users.

Europol declined to comment on this story when contacted by

Follow James Rogers on Twitter @jamesjrogers