Fraudsters & Malware Sellers Still Shifting to the Deep Web

On November the 6th and 7th a global operation (dubbed Operation Onymous) was carried out against illegal (mostly black market) sites hosted on the Tor network; as a result, over 400 hidden services were seized. It's still debated exactly how the authorities managed to seize so many hidden services, but judging by the lack of arrests it is unlikely to have been a severe vulnerability in the Tor network. There's not a huge deal of information about the servers seized and where they were hosted; however, the Bulgarian National Security Agency announced that they had taken down 129 hidden services as part of Operation Onymous.

Coincidentally, if we go to the bitcoin wiki's list of ISPs that accept bitcoin, then filter out those located in the US or that don't allow Tor, one entry stands out.

vpsbg information bitcoin wiki

An Eastern European VPS provider that accepts bitcoin and allows anonymous registrations? If I were hosting a hidden service, this is probably one of the ISPs I'd choose. So maybe the authorities simply got in contact with local bitcoin- and Tor-friendly ISPs and asked them to cooperate? An offshore ISP that respects privacy surely wouldn't cooperate, would they?

Well, it turns out vpsbg is just another normal ISP abiding by the law, which makes it increasingly likely that almost all of those 129 hidden services were hosted there. All the authorities would have had to do is look for servers hosting Tor hidden services, then match the private keys with onion addresses known to host illicit sites.

Given the possibility that the authorities used other means to find hidden services, coupled with a lack of vendor/admin arrests, it's probably safe to say that trust in Tor is still growing. Even with Operation Onymous' smoke and mirrors campaign designed to scare criminals away from Tor, it doesn't really come as a huge surprise that fraud and malware vendors are also finding safe haven on the deep web.

Evolution Market was arguably one of the 3 largest black markets prior to Operation Onymous and is now the largest; it offers a platform for fraudsters and malware authors as well as the usual drug and arms dealers.

Despite the takedowns, interest is still growing.


Hundreds of listings for stolen credit cards.

Listings for ATM skimmers and POS malware

Some scriptkiddie trying to sell the open source bootkit I posted on my github

There are a lot of reasons why cybercriminals would prefer Tor marketplaces over conventional ones. Generally, a lot of native English speakers live in countries where it's not in their best interest to be running high-profile malware/carding forums, and those clearnet marketplaces that do exist tend to run very strict screening policies to keep out law enforcement and security researchers; this is usually undesirable to vendors, as it results in many legitimate members being banned on suspicion of being federal agents, or "Brian Krebs" in the case of Darkode.
There's also the built-in anonymity and DDoS protection offered by Tor, which makes admins' and users' jobs much easier.
