Dark Web and The Onion Routing (TOR)


Dark Web and The Onion Routing (Tor) Network

Dr. Pilli Emmanuel Shubhakar,
Associate Professor
Department of Computer Science and Engineering,
Malaviya National Institute of Technology Jaipur
Overview
Introduction
The Onion Routing Networks
Tor Browser
The Onion/ Hidden Services
Contrasting Use of Dark Web
Dark Web Investigation: Monitoring, Tools, and Approaches
Work @ MNIT
Dark Web Investigation Challenges
Future Perspectives
Conclusion
References

The Web Sea: Surface, Deep, and Dark Web

▶ The Surface Web includes publicly searchable Websites (blogs,
shopping sites, news sites, YouTube).
▶ The Deep Web consists of sites that require a login to access
(email, banking portals, subscription services).
▶ The Dark Web (the name is derived from Darknet: infrastructure
overlays that prevent public access) is a part of the internet that
is not indexed or searchable by standard search engines like
Google, Bing, or Yahoo.
The Web Sea

Layers of Web
Comparison of Surface Web, Deep Web, and Dark Web

Parameter | Surface Web | Deep Web | Dark Web
Accessibility | Publicly accessible through search engines | Not indexed by search engines | Requires specialized software and configurations
Content | Majority of websites are informational, commercial, or social media platforms | Contains unindexed content such as academic journals, private databases, and sensitive government records | Anonymizes communication among government intelligence agencies, hacktivists and whistleblowers. It also hosts illegal marketplaces for drug/human/arms trafficking.
Level of Anonymity | Low | Variable | High
Encryption | Not mandatory | Variable | Strong encryption is required
IP Addresses | Publicly available | Not publicly available | Hidden and anonymous
User Intention | General browsing and information gathering | Specific research or personal use | Illegal or unethical activities, including anonymous communication and transactions
Legal status | Generally legal, but may include illegal or harmful content | May include legal and illegal content depending on the website | Anonymous communication and transactions as well as illegal activities
Size | Large (around 4%) and constantly growing | Extremely large, estimated to be 90% of web activities | Small compared to the Deep Web (around 6%)
Ownership | Publicly identifiable ownership | Ownership can be identifiable or anonymous | Anonymous or pseudonymous ownership
Examples | Google, Facebook, Amazon and so much more | Private databases, password-protected sites, academic libraries | Hidden Services hosted on Tor, I2P, and Freenet
The Dark Web

▶ The Dark Web is a subset of Deep Web sites that cannot be
accessed using a regular internet browser; it requires encryption
or specialized software, i.e., The Onion Router (Tor), Invisible
Internet Project (I2P), Freenet, Zeronet, and GNUnet.
▶ The Dark Web takes advantage of network routing capabilities
designed initially to protect intelligence data online. It was
developed to help anonymize government intelligence
communications.
▶ In countries with strict internet censorship and surveillance,
the dark web can serve as a sanctuary for free expression and
the exchange of information that might otherwise be
suppressed.
The Dark Web (Contd...)
▶ While the Dark Web was initially introduced for secure data
sharing, anonymous communication, and private browsing, it
is now often associated with illegal activities, such as selling
drugs, weapons, and stolen data.
▶ Law Enforcement Agencies (LEAs) are working hard to catch
the criminals performing illegal activities on the Darknet.
▶ The Dark Web has also become a huge hidden marketplace
for illicit transactions; according to research, these generate at
least $500,000 per day.
▶ According to a study by the University of California, the
Deep and Dark Web hold approximately 7.5 petabytes of
data (1 petabyte is 1000 terabytes).
Anonymous Communication Networks (ACNs)
▶ Privacy and security on the Internet have become essential
for communication and information exchange.
▶ Lack of privacy has profound implications, particularly for
individuals who require anonymity for their safety and security,
i.e., journalists, whistleblowers, and human rights activists.
▶ The rise of ACNs has allowed information sharing and
anonymous communication while masking the identity or
location of a user. Additionally, they have played a crucial role
in protecting online activities from surveillance and censorship.
▶ There are several prevalent ACNs available, including The
Onion Router (Tor), Invisible Internet Project (I2P), Freenet,
Zeronet, and GNUnet.
The Onion Router (Tor)
▶ Tor is one of the most well-known and widely used networks
for accessing the Dark Web. Tor is free and open-source
software that allows users to browse the internet anonymously.
▶ Tor works by encrypting users’ internet traffic and routing it
through a series of relays, run by volunteers around the world.
Each relay only knows the IP address of the previous and next
relays in the chain, so no single relay can determine the source
or destination of the traffic.
▶ This process is known as onion routing, which is why Tor is
often referred to as “The Onion Router.”
▶ When the user opens their Web browser, the Tor software
creates a circuit of three or more randomly selected nodes
(also known as relays) from the Tor network.
Internal Architecture of Tor

How Onion Routing Works?

Connecting to Services Using Tor
Key Participants of a Tor Network

1. Entry (Guard) Nodes:
▶ Entry nodes are the first nodes in the Tor network that a user’s
traffic encounters.
▶ They encrypt the user’s data with their public key and pass it
along to the next node.
▶ Entry nodes are critical for user anonymity because they do
not know the ultimate destination of the traffic.

2. Exit Nodes:
▶ Exit nodes are the final nodes in the Tor network before traffic
exits to the destination server on the regular internet.
▶ They decrypt the user’s data and send it to the destination
server.
▶ Exit nodes can see the unencrypted traffic’s destination, but
they don’t know the original source.
Key Participants of a Tor Network (Contd...)

3. Middle (Relay) Nodes:
▶ Relay nodes receive traffic from entry nodes and pass it on to
exit nodes.
▶ They have no knowledge of the source or destination of the
traffic they handle. Relays help in obscuring the user’s origin.
▶ Relay nodes can also function as entry nodes, but they do not
serve as exit nodes.
▶ They contribute to the overall network’s performance and
provide additional routes for traffic.

4. Bridge Nodes (or Bridges):
▶ Bridge nodes are a type of entry node, but they are not
publicly listed in the Tor directory.
▶ They are used to bypass censorship or blocking of Tor by
providing an alternative entry point for users.
Key Participants of a Tor Network (Contd...)
5. Directory Authorities:
▶ Directory authorities maintain a list of all Tor nodes and their
status.
▶ They help users find entry nodes and other network
information.
▶ Directory authorities play a crucial role in network governance
and stability.

6. HSDir Nodes (Hidden Service Directory Nodes):
▶ HSDir nodes store information about Tor hidden services,
facilitating their lookup and accessibility.

7. Introduction and Rendezvous Points:
▶ Introduction points receive incoming connections to a hidden
service, while rendezvous points facilitate connections between
clients and hidden services.
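The layering behind the onion-routing description and the per-node knowledge listed above, as an added toy simulation (not Tor's code or protocol): the client wraps one encryption layer per hop, and each relay strips exactly one, so the guard learns only the next relay while only the exit learns the destination. It assumes constructed per-hop keys (real Tor negotiates them per circuit) and a toy HMAC-based keystream in place of Tor's AES-CTR.

```python
"""Toy onion-routing simulation: one encryption layer per hop, peeled in order.
Added illustration; not Tor's code. Keys and the cipher are constructed here."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 8


def layer_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (assumption, not
    Tor's AES-CTR). Symmetric, so one call both applies and strips a layer."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


# Constructed three-hop circuit with constructed per-hop keys.
RELAY_KEYS = {
    "guard": hashlib.sha256(b"constructed guard key").digest(),
    "middle": hashlib.sha256(b"constructed middle key").digest(),
    "exit": hashlib.sha256(b"constructed exit key").digest(),
}
CIRCUIT = ["guard", "middle", "exit"]


def build_onion(message: bytes, destination: str) -> bytes:
    """Client side: wrap from the innermost (exit) layer outward. Each layer is
    a JSON record naming only the next hop, encrypted under that hop's key."""
    payload, next_hop = message, destination
    for hop in reversed(CIRCUIT):
        layer = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
        nonce = os.urandom(NONCE_LEN)
        payload = nonce + layer_xor(RELAY_KEYS[hop], nonce, layer)
        next_hop = hop
    return payload  # outermost cell, handed to the guard


def peel_layer(relay: str, cell: bytes):
    """Relay side: strip one layer with this relay's key and return
    (next_hop, inner_cell). With the wrong key the result is garbage that
    does not parse, so a relay cannot read any other hop's layer."""
    nonce, body = cell[:NONCE_LEN], cell[NONCE_LEN:]
    layer = json.loads(layer_xor(RELAY_KEYS[relay], nonce, body))
    return layer["next"], bytes.fromhex(layer["payload"])


def can_read_layer(relay: str, cell: bytes) -> bool:
    """True only if `cell` is the layer addressed to `relay`."""
    try:
        peel_layer(relay, cell)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def run_circuit(message: bytes, destination: str):
    """Forward the onion hop by hop and record each relay's view: who handed
    it the cell and where it forwards it. Returns (destination, plaintext, views)."""
    cell = build_onion(message, destination)
    views, previous = [], "client"
    for relay in CIRCUIT:
        next_hop, cell = peel_layer(relay, cell)
        views.append({"relay": relay, "previous": previous, "next": next_hop})
        previous = relay
    # After the exit strips its layer, `cell` is the plaintext for the destination.
    return next_hop, cell, views


if __name__ == "__main__":
    dest, data, views = run_circuit(b"GET / HTTP/1.1", "example.com")
    for v in views:
        print(f"{v['relay']:6s} got cell from {v['previous']:6s} -> forwards to {v['next']}")
    print("destination", dest, "receives", data)
```

The recorded views show the point of the slides: the guard sees the client and the middle relay but never the destination, and the exit sees the destination but only the middle relay behind it.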
Consensus/ Path Selection Algorithm

Consensus algorithms are used to establish agreement among the
nodes in the network on various aspects of the network’s operation,
such as the topology of the network, the status of nodes, and the
routing of traffic.
▶ The main consensus algorithm used is the Tor Path Selection
(Consensus) Protocol, a distributed algorithm that allows
nodes in the network to agree on a common view of the
network’s state.
▶ This protocol is used to select the Entry nodes, Middle relays,
and Exit nodes that make up the communication circuit used
between two nodes in the network.
Packet Request and Response in Tor
Tor Browser

Tor Browser consists of:
▶ a modified Mozilla Firefox ESR web browser,
▶ the TorButton, TorLauncher, NoScript and HTTPS Everywhere
Firefox extensions, and the Tor proxy.

Users can also operate Tor Browser from removable media under
Microsoft Windows, MacOS, or Linux.

The Tor Browser automatically starts Tor background processes
and routes traffic through the Tor network.

At the end of a session, the browser, which runs in private
browsing mode, deletes privacy-sensitive data such as
HTTP cookies and the browsing history.
The Motivation

The Browser Interface

Connecting to Tor

Creating a Tor Relay Circuit

What does Tor Browser do differently?

Connecting through HTTPS

Connecting through VPN

Connecting through Tor
Tor: The Mission to Fight the Internet’s Original Sins

▶ The goal is to have a way to use the internet with as much
privacy as possible - Browse Privately:
▶ by routing traffic through multiple volunteer nodes,
▶ by encrypting traffic multiple times.
▶ Tor provides anonymity, which mitigates against both
surveillance and censorship - Explore Freely.
▶ Defend yourself against fingerprinting, tracking, and
surveillance - Circumvent Censorship.

Mission: to advance human rights and freedoms by creating and
deploying free and open source anonymity and privacy technologies,
supporting their unrestricted availability and use, and furthering
their scientific and popular understanding.
Digital Fingerprinting

Digital fingerprinting is when a remote service gathers information
about a user’s machine and puts those pieces together to form a
unique picture, or “fingerprint”, of the user’s device. The two main
forms are:
▶ Browser Fingerprinting - The information is delivered by the
browser while visiting remote sites.
▶ Device Fingerprinting - The information is delivered by an app
a user has installed on their device.

In order for fingerprinting to be effective for trackers, it has to
meet two criteria: Persistence of the Tracker and Uniqueness
of the Fingerprint.
Internet Surveillance: A Prominent Issue
Network Censorship?

▶ Governments, companies, schools, and Internet providers
sometimes use software to prevent their users from accessing
certain Websites and services that are otherwise available on
the open Web. This is called Internet filtering.
▶ Internet surveillance and censorship go hand-in-hand. Internet
censorship is a two-step process: spot unacceptable activity
and block unacceptable activity.

Anonymity grants protection from Network Surveillance,
Digital Fingerprinting, and Censorship. Tor prevents someone
watching the connection from knowing what websites users visit.
All anyone monitoring can see is that the user is using Tor. Hence,
it provides access to sites that may have been blocked.
Positive Features of Tor Browser

▶ Block Trackers: Tor network isolates each website so that
third-party trackers and ads can’t follow. Any cookies and
browsing history automatically clear when a user is done
browsing.
▶ Multi-layered Encryption: The traffic is encrypted and
relayed at least three times as it passes over a network of
thousands of volunteer-run servers; this process is known as
onion routing.
▶ Resist Fingerprinting: Tor Browser aims to make all users
look the same, making it difficult for a user to be fingerprinted
based on the browser and device information.
The Onion Services

Onion services, also known as hidden services, are a feature of the
Tor network that allows Websites or services to be hosted and
accessed anonymously.
▶ Accessible only through the Tor browser.
▶ Use multiple layers of encryption to maintain anonymity.
▶ Incorporate a system of encryption and relays to ensure the
anonymity of both the server and the client.
▶ Onion services have unique domain names that end with the
“.onion” extension.
▶ Hidden from the public Internet.
Workflow of Hidden Services

Popular Onion/ Hidden Services
Popular Illicit Hidden Services

▶ Silk Road
▶ Alpha Bay
▶ Black Market Reloaded
▶ Evolution
▶ DeepBay
▶ Middle Earth
▶ Agora
▶ Nucleus
▶ Pandora
▶ Abraxas
▶ Sheep
▶ Black Bank
The Dark Web: Legal and Illegal Side

Legal Side
– Legitimate users can communicate sensitive and private
information without any intervention, including:
(a) Anonymous Government Intelligence Communications
(b) Journalists & Whistleblowers
(c) Legal Markets
(d) Social Media
(e) Repressed Minorities

Illegal Side
– The Dark Web has become a shelter for cybercriminals,
terrorists, and malware writers, who perform various illicit
activities such as:
(a) Human & Animal Trafficking
(b) Cyber Frauds & Hacking
(c) Smuggling of Drugs & Firearms
(d) Terrorism
(e) Illegal Marketplaces.
Positive Aspects of the Dark Web

▶ Anonymity: Offers a secure space for users to communicate
anonymously, protecting their identity.
▶ Whistleblower Protection: Enables whistleblowers,
journalists, and activists to share sensitive information without
fear of reprisal.
▶ Freedom of Speech: Provides a platform for discussing
controversial topics and political dissent without censorship.
▶ Privacy Enhancement: Allows individuals to safeguard their
personal information and online activities from surveillance.
Positive Aspects of the Dark Web

▶ Resistance Against Oppression: Offers an outlet for citizens
in oppressive regimes to communicate and organize without
fear.
▶ Digital Rights Advocacy: Supports movements advocating
for online privacy, net neutrality, and digital freedoms.
▶ Legitimate Use Cases: Can be utilized by researchers, law
enforcement, and cybersecurity experts for investigative
purposes.
▶ Security Tools: Hosts resources that educate users about
encryption, cybersecurity, and protecting sensitive data.
Negative Aspects of the Dark Web

▶ Illegal Activities: The dark web is infamous for hosting a
wide range of illegal activities, including drug trafficking,
weapons trading, human trafficking, counterfeit currency, and
more. Criminal marketplaces offer a platform for buying and
selling illegal goods and services with relative anonymity.
▶ No Traceback and Attribution: The dark web’s anonymity
and encryption make it challenging to trace and attribute
cybercrimes or illegal activities back to their perpetrators.
This lack of accountability can embolden malicious actors to
engage in criminal activities without fear of immediate
consequences.
Negative Aspects of the Dark Web

▶ Extremist Content: Extremist groups, hate speech, and
terrorist organizations use the dark web to share propaganda,
recruit members, and communicate away from the public eye.
▶ Child Exploitation: The dark web is known for hosting illegal
content involving child exploitation, including explicit images
and videos of minors.
▶ Privacy Risks: While privacy is a goal of the dark web, it can
also provide a haven for cybercriminals and malicious actors to
operate with reduced risk of being tracked or identified.
Negative Aspects of the Dark Web

▶ Fraudulent Services: Services that offer fake passports,
documents, and even fake academic degrees can be found on
the dark web.
▶ Malware and Botnets: Malware authors and distributors use
the dark web to sell or distribute malicious software, creating
botnets for launching cyberattacks and facilitating data
breaches.
▶ Health and Safety Risks: The sale of counterfeit or
dangerous drugs, unregulated medical procedures, and
harmful substances poses significant health and safety risks to
individuals.

Illegal Activities in Dark Web
Darknet Marketplaces

▶ A Darknet market is a commercial website on the Dark Web
that operates via anonymous networks such as Tor and I2P.
▶ They function primarily as black markets, selling or brokering
transactions involving drugs, cyber-arms, weapons, counterfeit
currency, stolen credit card details, forged documents,
unlicensed pharmaceuticals, steroids, and other illicit goods as
well as the sale of legal products.
▶ In December 2014, a study by Gareth Owen from the
University of Portsmouth suggested the second most popular
sites on Tor were Darknet markets.
An Overview of Illicit activities on Tor network

2006: The Silk Road, the first prominent Dark Web marketplace, is
launched by Ross Ulbricht, enabling the anonymous sale of
drugs and other illicit goods.

2006: The Tor network was used by child pornographers to
share images and videos of child abuse. This led to the
creation of the Tor Child Porn Tracking Project, which was a
joint effort by law enforcement agencies to track down and
prosecute child pornographers.

2010: The Tor network was used by the Syrian Electronic Army to
launch a series of cyberattacks against government websites
and media outlets. The SEA was a group of hacktivists who
supported the Syrian government during the Syrian Civil War.
An Overview of Illicit activities on Tor network (Contd...)

2012: The Tor network was used by the Anonymous hacktivist group
to launch a series of cyberattacks against government
websites and corporations. Anonymous is a decentralized
group of hacktivists who are known for their online activism.

2013: The Tor network was used by the Islamic State of Iraq and
Syria (ISIS) to communicate with each other and to spread
propaganda. ISIS is a terrorist organization that has been
responsible for numerous attacks around the world.

2016: The Tor network was used by the DNC Leaks, a series of
cyberattacks that resulted in the release of emails from the
Democratic National Committee. The DNC Leaks were
believed to have been carried out by Russian hackers.
An Overview of Illicit activities on Tor network (Contd...)

2020: The Tor network was used by the COVID-19 Vaccine Hunters,
a group of hacktivists who were trying to obtain COVID-19
vaccines for people who were unable to get them through
official channels.

2020: The COVID-19 pandemic accelerates the growth of illegal drug
sales on the Tor network, as users seek alternative sources for
drugs due to disruptions in the traditional supply chain.

2021: The Tor network was used by the REvil ransomware group to
launch a series of cyberattacks against businesses and
government agencies. REvil is a Russian ransomware group
that is known for its high-profile attacks.
An Overview of Illicit activities on Tor network (Contd...)

2021: The Tor network was also used by the DarkSide ransomware
group to launch a series of cyberattacks against businesses
and government agencies. DarkSide is a Russian ransomware
group that is known for its destructive attacks.

2022: The Tor network was used by the Conti ransomware group to
launch a series of cyberattacks against businesses and
government agencies. Conti is a Russian ransomware group
that is known for its sophisticated attacks.

2022: The Tor network was also used by the Lapsus$ ransomware
group to launch a series of cyberattacks against businesses and
government agencies. Lapsus$ is a British ransomware group
that is known for its targeting of high-profile organizations.
An Overview of Illicit activities on Tor network (Contd...)
2023: The Tor network was used by the BlackCat ransomware group
to launch a series of cyberattacks against businesses and
government agencies. BlackCat is a Russian ransomware
group that is known for its aggressive attacks.
2023: The Tor network was also used by the LockBit 2.0
ransomware group to launch a series of cyberattacks against
businesses and government agencies. LockBit 2.0 is a Russian
ransomware group that is known for its data extortion
campaigns.
2023: In June 2023, a cybersecurity firm called Group-IB reported
that over 100,000 login credentials for ChatGPT had been
leaked on the Dark Web. The credentials were reportedly
stolen using the Raccoon Infostealer malware, which is a type
of malware that steals login credentials from infected devices.

Counterfeit Passport Service on The Dark Web

Drugs on your Demand on the Dark Web

Alphabay: One of the Most Prominent Dark Web Marketplaces

The Notorious Silk Road Marketplace

Available drug types on popular Dark Web marketplaces

Article Showcasing Ease of Drug Purchase from the Dark Web (The Saint)

How Dark Web is usually Represented

The Reality

The Scale
Attacks on Tor Network

1. Traffic Analysis Attacks:
▶ Confirmation Attacks: Adversaries attempt to confirm whether
two parties are communicating by analyzing packet timing,
size, and patterns.
▶ End-to-End Traffic Correlation: Attackers correlate the entry
and exit nodes to de-anonymize users.
2. Sybil Attacks: An attacker controls multiple nodes in the Tor
network, potentially compromising user anonymity.
▶ Guard Node Capture: An attacker controls a significant
portion of the entry (guard) nodes to increase the likelihood of
capturing user traffic.
▶ Exit Node Eavesdropping (Sniffing): Exit nodes can monitor
unencrypted traffic, compromising user privacy when accessing
non-HTTPS websites.
Attacks on Tor Network (Contd...)

3. Timing Intersection Attacks: Timing-based attacks aim to
identify users by matching their activities on the Tor network
with external events.
4. Website Fingerprinting Attack: Adversaries analyze traffic
patterns to identify specific websites visited by Tor users.
5. Hidden Service Deanonymization Attacks: Attackers may
try to deanonymize hidden services or discover their real IP
addresses.
6. Malicious Exit Node: Exit nodes controlled by malicious
entities can intercept, manipulate, or inject content into users’
traffic.
7. Censorship and Blocking: Adversaries may attempt to block
access to Tor by identifying and blocking Tor relays.
Attacks on Tor Network (Contd...)

9. Denial-of-Service (DoS) Attacks: Attackers may launch
DoS attacks against Tor nodes to disrupt the network’s
functionality.
10. Honey-Pot Nodes: Attackers set up malicious Tor nodes to
attract and compromise users’ traffic.
11. Guard Node Rotation Attacks: Attackers try to manipulate
the selection of guard nodes to increase the chances of
capturing user traffic.
12. Operational Security (OpSec) Failures: User OpSec
Mistakes: Users may inadvertently reveal their identity or
activities through online actions, such as posting incriminating
information on social media.
Dark Web Investigation Techniques

▶ Network monitoring, data gathering, and analysis.
▶ Infiltration and undercover operations.
▶ Cryptocurrency tracing.
▶ Collaboration and information sharing.
▶ Monitoring Dark Web marketplaces and surveillance of
suspected criminals.
▶ Training and education for LEA officers on investigation
techniques.

A Generalized Dark Web Monitoring Framework
Common Approaches for Dark Web Monitoring
▶ Web Crawlers and Scrapers: Automated tools navigate and
collect information from Dark Web websites, forums, and
marketplaces.
▶ Data Leakage Monitoring: Specialized tools and services
are employed to detect the presence of sensitive data or
proprietary information on the Dark Web.
▶ Open Source Intelligence (OSINT): Publicly available
information from the Dark Web is gathered using OSINT
techniques, including the monitoring of social media platforms.
▶ Dark Web Marketplaces Monitoring: Tools and techniques
are used to track and analyze activities within Dark Web
marketplaces, identifying the sale of illegal goods and services.
Common Approaches for Dark Web Monitoring (Contd...)
▶ Dark Web Honeypots: Decoy systems or services are set up
to attract and monitor malicious activity, providing insights
into the tactics and tools used by malicious actors.
▶ Dark Web Intelligence: Monitoring efforts extend to the
Dark Web, employing advanced web scraping and data mining
techniques to gather information from non-indexed content.
▶ Threat Intelligence Platforms: Specialized platforms
aggregate and analyze data from various sources to provide
insights into Dark Web threats, trends, and emerging risks.
▶ Artificial Intelligence (AI) and Machine Learning (ML):
To identify patterns of criminal behavior by analyzing large
amounts of data and to identify suspicious activities such as
drug trafficking and money laundering.
Tools to Track Illegal Activities

Category | Tools | Description
Digital Forensics | Magnet AXIOM, Cellebrite, EnCase | Analyze data, recover evidence, and trace digital footprints.
Network Analysis | Wireshark, Zeek, Suricata | Monitor network traffic to identify suspicious activities.
Blockchain Analysis | Chainalysis, Elliptic | Trace cryptocurrency transactions on blockchains.
OSINT | Spiderfoot, Maltego, Hunchly | Gather public information for profiling individuals and activities.
Dark Web Crawlers | Ahmia, OnionScan | Collect data from hidden services in the dark web.
Behavioral Analysis | AI-driven tools | Identify anomalies and malicious activities based on user behavior.
Ransomware Trackers | Ransomware Tracker, NoMoreRansom | Monitor and track ransomware campaigns.
Tools to Track Illegal Activities (Contd...)

Category | Tools | Description
Threat Intelligence | Recorded Future, ThreatConnect | Monitor and analyze online threats and trends.
Traffic Analysis | TorGhost, TorFlow | Monitor Tor network traffic for unusual patterns.
Collaborative Platforms | IntelMQ, MISP | Share threat intelligence and collaborate on tracking.
Machine Learning | Advanced algorithms | Analyze datasets, predict threats, and track activities.
Legal Frameworks | Legal tools, policies | Enforce consequences through legal and policy measures.
Data Loss Prevention | Symantec DLP, McAfee DLP | Protect sensitive data from being exfiltrated.
Mobile Forensics | Oxygen Forensic Detective, MOBILedit | Investigate mobile devices for evidence.
Dark Web Investigation: Cryptocurrency Tracing

▶ Cryptocurrency tracing is a technique used in Dark Web
investigations to track and analyze the flow of digital
currencies, such as Bitcoin, on the blockchain.
▶ Cryptocurrencies offer a degree of anonymity; hence, tracing
transactions becomes essential for identifying individuals
involved in illicit activities.
▶ Cryptocurrency exchanges play a crucial role in converting
cryptocurrencies into traditional currencies.
▶ Investigators monitor exchanges to identify suspicious
transactions, account holders, and the movement of funds
between different cryptocurrencies.

How Money is Wired on Dark Web Using Bitcoin (FBI)
Steps of Cryptocurrency Tracing

1. Blockchain Analysis: Investigators track the movement of
funds on the blockchain using specialized tools, examining
transaction details, wallet addresses, and transaction histories.

2. Address Clustering: By analyzing patterns and connections
between addresses, investigators group together multiple
addresses linked to the same individual or entity, identifying
wallets involved in illicit activities.

3. Transaction Flow Analysis: Investigators trace the flow of
funds between addresses, uncovering common patterns and
detecting suspicious transactions.
Steps of Cryptocurrency Tracing

4. Data Analysis and Visualization: Investigators analyze large
volumes of transaction data, using data analysis and
visualization techniques to identify patterns, anomalies, and
connections related to illegal activities.

5. Collaboration with Exchanges and Authorities: Law
enforcement agencies collaborate with cryptocurrency
exchanges and regulatory authorities to gather information,
track suspicious transactions, and identify individuals involved
in illicit activities.
Analyzing Blockchain for Cryptocurrency Tracing

The initial phase in analyzing a dark web site involves identifying
its cryptocurrency address. While there may be various digital
currencies in use, Bitcoin predominantly reigns as the leader in the
world of cryptocurrencies. Fortunately, Bitcoin operates on a
highly transparent blockchain, enabling us to glean valuable
insights from a single Bitcoin address. These insights can
encompass a range of information, including:
▶ How many transactions have taken place,
▶ Where money has come from and how much,
▶ Where money has been sent and how much,
▶ A historical timeline of transactions,
▶ And other associated Bitcoin addresses in that wallet.
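The tracing steps Blockchain Analysis, Address Clustering and Transaction Flow Analysis, and the per-address insights listed above, carried through on a constructed ledger as an added example (not code from the slides or the author's tools). It assumes integer satoshi amounts, a constructed set of transactions, and the common-input-ownership heuristic for clustering (all inputs of one transaction belong to one wallet), which the slides do not name.

```python
"""Address clustering and transaction-flow analysis on a constructed ledger.
Added illustration; not the slides' or author's code. Clustering uses the
common-input-ownership heuristic (an assumption), amounts are in satoshi."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    time: int        # constructed timestamp (ordering only)
    inputs: tuple    # ((address, satoshi), ...)
    outputs: tuple   # ((address, satoshi), ...)


# Constructed ledger: X*/B* are outside funders, M* are marketplace addresses,
# A* are the wallet under investigation (A4 is change that is never re-spent).
LEDGER = [
    Tx("tx0", 100, (("X1", 150_000_000),), (("A1", 100_000_000), ("X2", 49_000_000))),
    Tx("tx1", 200, (("B1", 200_000_000),), (("A3", 50_000_000), ("B2", 149_000_000))),
    Tx("tx2", 300, (("A1", 100_000_000),), (("M1", 70_000_000), ("A2", 29_000_000))),
    Tx("tx3", 400, (("A2", 29_000_000), ("A3", 50_000_000)),
       (("M1", 60_000_000), ("A4", 18_000_000))),
    Tx("tx4", 500, (("X3", 40_000_000),),
       (("A1", 25_000_000), ("A3", 10_000_000), ("X4", 4_000_000))),
    Tx("tx5", 600, (("A1", 25_000_000), ("A3", 10_000_000)),
       (("M2", 30_000_000), ("A4", 4_000_000))),
]


def cluster_addresses(txs):
    """Union-find: co-spent inputs join one cluster; every other address is a
    singleton. Returns {address: frozenset(cluster members)}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]    # path halving
            a = parent[a]
        return a

    for tx in txs:
        for a, _ in tx.inputs + tx.outputs:
            find(a)                          # register, singletons included
        if not tx.inputs:                    # coinbase-style tx: nothing to link
            continue
        first = tx.inputs[0][0]
        for a, _ in tx.inputs[1:]:
            parent[find(a)] = find(first)    # co-spent => same owner (heuristic)
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return {a: frozenset(groups[find(a)]) for a in parent}


def address_report(address, txs, clusters):
    """The per-address insights from the slide: transaction count, where funds
    came from and went (and how much), a timeline, and the other addresses in
    the same wallet. Outputs back into the own cluster are change, not spend."""
    wallet = clusters.get(address, frozenset({address}))
    received_from, sent_to, timeline = defaultdict(int), defaultdict(int), []
    total_received = 0
    for tx in sorted(txs, key=lambda t: t.time):
        got = sum(v for a, v in tx.outputs if a == address)
        spent = sum(v for a, v in tx.inputs if a == address)
        if not got and not spent:
            continue
        if got:
            total_received += got
            total_in = sum(v for _, v in tx.inputs)
            for a, v in tx.inputs:           # attribute pro rata to the funders
                received_from[a] += got * v // total_in
        if spent:
            for a, v in tx.outputs:
                if a not in wallet:          # change stays inside the wallet
                    sent_to[a] += v
        timeline.append((tx.time, tx.txid, got - spent))
    return {
        "tx_count": len(timeline),
        "total_received": total_received,
        "received_from": dict(received_from),
        "sent_to": dict(sent_to),
        "timeline": timeline,
        "wallet_addresses": sorted(wallet - {address}),
    }


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    for key, value in address_report("A1", LEDGER, clusters).items():
        print(f"{key}: {value}")
```

Note the limitation the constructed data exposes: A4 receives change in tx3 and tx5 but is never co-spent, so the input heuristic alone leaves it outside the cluster and the report counts the 4,000,000 satoshi to A4 as money sent; a change-address heuristic would be the next refinement.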
Crypto Tracing by LEAs: Operation SpecTor

▶ Operation SpecTor: $53.4 Million Seized, 288 Vendors
Arrested in Dark Web Drug Bust.
▶ The authorities also confiscated virtual currencies, 850 kg of
drugs, and 117 firearms.
▶ Nine seized domains, 24xbtc.com, 100btc.pro, 101crypta.com,
uxbtc.com, pridechange.com, trust-exchange.org,
Bitcoin24.exchange, paybtc.pro, and owl.gold, offered
anonymous cryptocurrency exchange services to website
visitors.
▶ The largest number of arrests were made in the U.S. (153),
followed by the U.K. (55), Germany (52), the Netherlands
(10), Austria (9), France (5), Switzerland (2), Poland (1),
and Brazil (1).

Operation SpecTor (Europol)
Dark Web Information Sources

Source | Description | Examples
Public Databases and Records | Publicly available data providing insights into real-world identities and affiliations. | Government records, corporate databases
Surface Web | Information from websites indexed by search engines. | Social media profiles, blog posts, news articles
OSINT Tools | Tools that gather data from various online sources. | SpiderFoot, Maltego, Shodan
Hidden Services Directories | Lists of known .onion websites accessible via Tor Browser. | OnionDir, Ahmia
Hacking Forums and Communities | Forums for cybercriminals to exchange information and tools. | HackForums, Dark0de
Marketplaces | Platforms for illegal products and services. | AlphaBay, Dream Market
Cryptocurrency Transactions | Blockchain explorers to trace transactions and funds. | Bitcoin Explorer, Ethereum Explorer
Whistleblower Platforms | Anonymously report illegal activities. | SecureDrop, GlobaLeaks
Dark Web Information Sources (Contd...)

Source | Description | Examples
Communication Platforms | Encrypted messaging for coordination. | Telegram, Wickr
Metadata and Artifacts | Information within files and documents. | EXIF data, watermarking
Dark Web Crawlers | Tools to index and search content. | OnionScan, OnionSpider
Financial Data Analysis | Tracing transactions and money flow. | Chainalysis, Elliptic
Stolen Data Dumps | Data breaches exposing personal info. | Have I Been Pwned, LeakedSource
Social Engineering | Manipulation to extract information. | Phishing, pretexting
Undercover Operations | Infiltrating online communities. | Law enforcement posing as members
Custom Tools | Law enforcement-developed specialized tools. | Agency-specific solutions
Few More Important Information Sources
▶ Ahmia - Ahmia is a search engine for hidden services on the Tor network.
▶ Tor Links - Tor Links is a backup directory of “.onion” sites for use when other directories go offline. Well-known Tor directories, including the Hidden Wiki, are under constant threat of closure, so backups are useful.
▶ Hidden Wiki - The Hidden Wiki is one of the oldest link directories on the dark web. It is known for listing links to most major “.onion” services, from drug marketplaces to financial services. Many clones and phishing copies of it exist, so an address taken from any one directory should be cross-checked against another before it is trusted or added to a crawl list.
Hidden Wiki:
paavlaytlfsqyvkg3yqj7hflfg5jw2jdg2fgkza5ruf6lplwseeqtvyd.onion
Ahmia:
juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion
Tor Links:
torlinppuo5prxaoqexzrubwowwnaoxzzsl57gx6wmssm6i3jcwilnad.onion
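The three addresses above are v3 onion names. Before feeding strings like these to a crawler, a practitioner wants to confirm that each is structurally valid: the address embeds a two-byte checksum that catches transcription errors (though not a look-alike clone that carries its own valid key). The following is an added example, not code from these slides or from the Tor Project, implementing the layout and checksum rule from Tor's v3 rendezvous specification. The 32-byte key it uses for its self-test is constructed; the addresses listed above can be passed to is_valid_onion_v3 as input.

```python
"""Validate Tor v3 onion addresses offline.

Added example, not code from the slides. It implements the address layout
given in Tor's rend-spec-v3:
    onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
with PUBKEY the 32-byte ed25519 public key and VERSION the byte 0x03.
The test key below is constructed (32 bytes of 0x42), not a real service key.
"""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
V3_LABEL_LEN = 56  # base32 of 35 bytes, no padding


def _checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that lets a client detect a mistyped or tampered address."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the .onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Return the embedded public key, or raise ValueError saying what is wrong.

    Accepts a bare hostname or a URL such as http://<label>.onion/path.
    """
    host = address.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if not host.endswith(".onion"):
        raise ValueError("not a .onion name")
    label = host[: -len(".onion")]
    if len(label) != V3_LABEL_LEN:
        raise ValueError(
            f"v3 label must be {V3_LABEL_LEN} characters, got {len(label)} "
            "(16-character labels are v2, which Tor stopped serving in 2021)"
        )
    try:
        raw = base64.b32decode(label.upper())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"invalid base32: {exc}") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unexpected version byte 0x{version.hex()}")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: address is mistyped or tampered")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    """Boolean wrapper for filtering a list of scraped links."""
    try:
        decode_onion_v3(address)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    demo_key = b"\x42" * 32  # constructed, not a real service key
    demo_addr = encode_onion_v3(demo_key)
    print(demo_addr, is_valid_onion_v3(demo_addr))
    print("a" * 16 + ".onion", is_valid_onion_v3("a" * 16 + ".onion"))
```

A passing check only means the string is a well-formed v3 address for some key; whether that key belongs to the service the directory claims can be established only by cross-referencing sources, as noted above.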

Commercial Links

Hidden Wiki Sites and Cryptocurrency Traders

Work @ MNIT

TrackTor
▶ Developed TrackTor, a platform-independent tool that collects statistical and analytical data about the Tor services used by the end user.
▶ GitHub Link: https://github.com/hrp-tracktor/TrackTor.

TorShield
▶ Created a Tor Browser build with a plugin that displays Tor statistics.
▶ Removed TrackTor's dependency on the existing Stem library (the Python controller library for Tor) for extracting data from the Tor process.

TrackTor (figures)
Work @ MNIT

Hidden Service
▶ We have set up a hidden (onion) service.
▶ The address of the hidden service is:
http://ojef6siv6amwguj4druheuvfrxtjjlcwef2vd2cgjsjdj6ij4iy2q3yd.onion/

Virtual Private Tor Network
▶ Implemented a private Tor network (a test network separate from the public one) to study relay behavior and patterns, the consensus algorithm, and the working of directory services, using bridge connections.

The Hosted Hidden Service

Bridge Connections in Virtual Private Tor Network

Work @ MNIT

Crawlers
▶ We have set up the crawlers ACHE and TorCrawl against the hosted onion site and the private Tor emulation environment, so that the resulting relay and exit traffic can be captured.

OSINT tools: Hunchly
▶ Capturing onion links using Ahmia and monitoring their behavior using Hunchly.

Setting up the Virtual Private Tor Network

Private Tor Network Emulation using Chutney (figures)
Identifying Directory Services using TorCrawl and Chutney

Capturing Relay Nodes Traffic using TCPDump after Deploying ACHE
Capturing Exit Nodes Traffic using TCPDump after Deploying ACHE
Case Details of Monitoring of Onion Links using Hunchly

Capturing Onion Addresses using Hunchly

Identified Keywords for Data Crawling from Captured Onion Links using Hunchly
Capturing IP addresses from Onion Links using Hunchly

Capturing Email Addresses from Onion Links using Hunchly
Deployment of Honeypot in Dark Web

Implemented honeypots as a means of collecting data on cybercriminal activity within the dark web, by deploying and overseeing two distinct types of honeypot:
▶ First, a production honeypot that gathers intelligence on cybercriminal activity by closely monitoring a highly secure chatroom and a closed forum.
▶ The production honeypot also monitors the simulated onion site, focusing on the activities and communications observed there.
▶ Second, an investigation (research) honeypot, focused on detecting attacks and on identifying individuals seeking hacking services while discerning their intentions.

Work Currently in Progress

▶ Using bandwidth inflation to bias Tor's bandwidth-weighted path-selection (consensus) algorithm so that a controlled relay becomes part of many Tor circuits, and running a custom honeypot script on that relay to capture and log the activity it observes. The public Tor network counters this with bandwidth authorities that measure relays and publish the measured value in the consensus rather than the relay's self-advertised one, and an experiment touching real users' traffic raises the ethical issues discussed under Legal and Ethical Considerations below, which is why the private Chutney network above is the appropriate testbed.
▶ Exploring OSINT tools for a more comprehensive understanding of dark web data by applying Maltego, Hunchly, and Onionoo.
▶ Also applying OSINT tools to user profiling and attribution, investigation of illegal dark web marketplaces, and forensic exploration of the Tor network.
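To make the first bullet concrete, here is an added simulation (not the group's tooling, and not a procedure for running on the public network) showing why an inflated advertised bandwidth pays off when the directory trusts self-reported figures, and how little it gains once measured values are used instead. Tor clients choose each relay of a circuit with probability proportional to its consensus weight; the relay data is constructed, and Tor's position-specific guard/exit weights are ignored.

```python
"""Why bandwidth inflation biases Tor path selection, as a simulation.

Added example, not the slides' own tooling. Tor clients pick each relay of a
circuit with probability proportional to its consensus bandwidth weight. If a
relay's self-advertised bandwidth were trusted, a low-capacity relay could lie
its way onto many circuits. Directory authorities counter this with bandwidth
authorities that measure relays and publish measured values instead.
Position-specific weights (guard/exit flags) are ignored here; relay data is
constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    advertised_kbps: int  # what the relay's own descriptor claims
    measured_kbps: int    # what the bandwidth authorities observed


HONEST = [Relay(f"honest{i}", 10_000, 10_000) for i in range(9)]
# Constructed attacker: really has 1 Mbit/s but claims 200 Mbit/s.
ATTACKER = Relay("inflated", 200_000, 1_000)
RELAYS = HONEST + [ATTACKER]


def consensus_weight(relay: Relay, trust_advertised: bool) -> int:
    """Weight the consensus assigns: advertised if trusted, else measured."""
    return relay.advertised_kbps if trust_advertised else relay.measured_kbps


def selection_share(relays, target: str, trust_advertised: bool) -> float:
    """Probability that a single hop's choice lands on `target`."""
    total = sum(consensus_weight(r, trust_advertised) for r in relays)
    target_w = next(consensus_weight(r, trust_advertised)
                    for r in relays if r.nickname == target)
    return target_w / total


def circuit_hit_probability(per_hop: float, hops: int = 3) -> float:
    """Probability that the target appears at least once in an `hops`-relay
    circuit, treating hops as independent draws (Tor forbids reusing a relay
    in one circuit, which makes the real figure slightly lower)."""
    return 1.0 - (1.0 - per_hop) ** hops


def simulate_circuits(relays, target: str, trust_advertised: bool,
                      n: int, seed: int = 7) -> float:
    """Empirical fraction of n three-hop circuits that contain `target`."""
    rng = random.Random(seed)
    weights = [consensus_weight(r, trust_advertised) for r in relays]
    names = [r.nickname for r in relays]
    hits = 0
    for _ in range(n):
        circuit = rng.choices(names, weights=weights, k=3)
        hits += target in circuit
    return hits / n


if __name__ == "__main__":
    for trusted in (True, False):
        p = selection_share(RELAYS, "inflated", trusted)
        print(f"trust_advertised={trusted}: per-hop share {p:.3f}, "
              f"3-hop circuit hit {circuit_hit_probability(p):.3f}, "
              f"simulated {simulate_circuits(RELAYS, 'inflated', trusted, 20_000):.3f}")
```

With the constructed figures the lying relay lands on about 97% of circuits when its claim is believed and on about 3% when only measured bandwidth counts, which is the whole reason the bandwidth-authority measurement exists.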

Challenges to LEAs
▶ Traceback and Attribution:
▶ Anonymous Communication Networks (ACNs) such as Tor, I2P and Freenet all provide users with a level of anonymity, but each has its own features and functionality.
▶ Because of their distributed design, it is difficult for anyone to link the two endpoints of a communication session, which gives users greater privacy and anonymity.
▶ By routing traffic through a series of volunteer-operated nodes, or relays, ACNs obscure the origin and destination of Internet traffic, making it very hard for a third party that does not observe both ends of the path to track or trace online activity.
▶ LEAs deal with this anonymity by using strategies that protect the privacy of ordinary users while identifying the offender.
▶ Targeting unlawful websites rather than individual users is usually the most efficient way to do this.

Legal and Ethical Considerations
▶ Legal and ethical considerations are paramount in LEA investigations: they ensure that actions are conducted within the boundaries of the law, uphold human rights, and maintain public confidence in the judiciary.
▶ By prioritizing legal and ethical considerations, LEAs can strike a balance between effective investigations and protecting the rights and interests of individuals.
▶ LEAs must continuously evaluate and update their practices, policies, and training programs to address emerging legal and ethical challenges in dark web investigations.
▶ This helps maintain public trust, protect individual rights, and achieve successful outcomes in combating cyber threats while upholding the principles of justice and fairness.

Balancing Individual Privacy and Public Safety
▶ The proportionality and necessity principle ensures that privacy intrusions are justified by the seriousness of the crime and that less invasive measures have been explored before resorting to intrusive methods.
▶ Implement effective judicial oversight to ensure that privacy is protected during investigations.
▶ Judicial warrants are necessary for intrusive measures such as wiretapping, tracking devices, or accessing private data, so that judges assess the necessity and proportionality of such actions.
▶ Foster transparency and accountability by making law enforcement practices more open to public scrutiny.

Artificial Intelligence in Forensic Investigations
▶ Artificial intelligence (AI) has the potential to enhance forensic investigations by automating processes, analyzing large amounts of data, and identifying patterns.
▶ However, its use raises ethical concerns, such as algorithmic bias, privacy implications, and the need for human oversight.
▶ In forensic investigations, AI can automate the collection and analysis of data, especially in cases involving Tor, where the sheer volume of data generated by Tor users makes it difficult for investigators to manually identify and filter out relevant data.
▶ This data can then be used to identify patterns of behavior, such as the websites visited and the files exchanged, in order to identify and track down Tor users who are involved in illegal activity.

Artificial Intelligence in Forensic Investigations (Contd...)

▶ AI can also be used to make predictions, for example to predict which Tor users are most likely to be involved in drug trafficking.
▶ Some specific examples of how AI is being used in forensic investigations involving the sale and purchase of drugs over Tor:
▶ The FBI is using AI to identify Tor users who visit websites known to be associated with drug trafficking.
▶ The Dutch National Police is using AI to analyze Tor traffic in order to identify patterns of behavior that suggest a particular user is involved in drug trafficking.
▶ The Australian Federal Police is using AI to predict which Tor users are most likely to be involved in drug trafficking.

Cryptocurrency Wallet Analysis Tools and Cryptocurrency
Forensics

▶ Cryptocurrency wallet analysis tools are specialized software used in cryptocurrency forensics to examine and analyze cryptocurrency wallets.
▶ These tools let investigators extract and analyze data from wallets, enabling them to trace the flow of funds, reconstruct transaction history, and gather information about wallet owners.
▶ Cryptocurrency forensics is a specialized field that involves investigating and analyzing cryptocurrency transactions to trace illicit activities and identify the individuals or entities involved. On a public blockchain the ledger itself is open to anyone; attribution usually comes at the point where funds reach a regulated service that holds customer records.
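The flow-of-funds tracing these tools perform rests on a small core idea. As an added example, not the code of any product named above, here is forward "haircut" taint tracing over a constructed ledger: starting from a seed address (say, a deposit address seen on an onion marketplace), every transaction spending from a tainted address passes taint to its outputs in proportion to the tainted share of its inputs, until the funds reach a labeled exchange deposit address. The ledger, amounts, address names and service label are all constructed placeholders.

```python
"""Forward "haircut" taint tracing over a constructed transaction ledger.

Added example, not code from the slides or from any commercial tool such as
Chainalysis or Elliptic. It shows the core operation behind "tracing the flow
of funds": start from a seed address, follow every transaction that spends
from a tainted address, and split the taint among the outputs in proportion to
the tainted share of the inputs. The ledger, amounts and address names below
are all constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: dict   # address -> amount spent from that address
    outputs: dict  # address -> amount received


# Constructed ledger: funds leave the seed, one branch is mixed with clean
# coins, and both branches end at an exchange deposit address.
LEDGER = [
    Tx("tx1", {"seed_market": 10.0}, {"hop_a": 6.0, "hop_b": 4.0}),
    Tx("tx2", {"hop_a": 6.0, "clean_x": 6.0}, {"mix_out1": 9.0, "mix_out2": 3.0}),
    Tx("tx3", {"hop_b": 4.0}, {"exchange_dep": 3.9, "fee_change": 0.1}),
    Tx("tx4", {"mix_out1": 9.0}, {"exchange_dep": 9.0}),
    Tx("tx5", {"unrelated": 2.0}, {"someone_else": 2.0}),
]

# Constructed attribution data: services whose deposit addresses are known.
KNOWN_SERVICES = {"exchange_dep": "ExampleExchange (KYC records)"}


def trace_taint(ledger, seed, max_hops=10):
    """Forward haircut taint from `seed`.

    Returns (taint, first_hop): tainted amount per address, and the hop at
    which each address first received tainted funds. Simplifications: taint is
    tracked per address rather than per UTXO, and each address is assumed to
    be spent only after all of its tainted inflows have arrived.
    """
    spends_from = defaultdict(list)  # address -> transactions spending from it
    for tx in ledger:
        for addr in tx.inputs:
            spends_from[addr].append(tx)

    taint = defaultdict(float)
    taint[seed] = sum(tx.inputs[seed] for tx in spends_from[seed])
    first_hop = {seed: 0}
    frontier = {seed}
    processed = set()

    for hop in range(1, max_hops + 1):
        next_frontier = set()
        for addr in sorted(frontier):
            for tx in spends_from[addr]:
                if tx.txid in processed:
                    continue
                processed.add(tx.txid)
                total_in = sum(tx.inputs.values())
                tainted_in = sum(min(taint[a], amt)
                                 for a, amt in tx.inputs.items() if a in taint)
                if tainted_in == 0:
                    continue
                share = tainted_in / total_in  # the "haircut" applied to every output
                for out_addr, out_amt in tx.outputs.items():
                    taint[out_addr] += out_amt * share
                    first_hop.setdefault(out_addr, hop)
                    next_frontier.add(out_addr)
        if not next_frontier:
            break
        frontier = next_frontier
    return dict(taint), first_hop


def cash_out_points(taint, known_services):
    """Tainted addresses that belong to a labelled service: the places where an
    investigator can ask for account-holder records."""
    return sorted(
        (label, addr, round(taint[addr], 8))
        for addr, label in known_services.items()
        if taint.get(addr, 0.0) > 0.0
    )


if __name__ == "__main__":
    taint, hops = trace_taint(LEDGER, "seed_market")
    for addr, amount in sorted(taint.items(), key=lambda kv: hops[kv[0]]):
        print(f"hop {hops[addr]}: {addr:<13} tainted {amount:.2f}")
    print("cash-out points:", cash_out_points(taint, KNOWN_SERVICES))
```

On this ledger 8.4 of the 10.0 units that left the seed reach the exchange address within two hops, 1.5 sit in the mixed output that was never spent, and 0.1 is change. Real analyses work on UTXOs rather than addresses and must choose a taint rule (haircut, poison, FIFO) explicitly, since the rule changes which downstream addresses count as tainted.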

Quantum Computing

▶ A large-scale quantum computer could break the public-key cryptography that secures communication and transactions on the dark web: Shor's algorithm defeats the RSA, Diffie-Hellman and elliptic-curve schemes used in Tor's circuit handshakes, onion-service keys and cryptocurrency signatures, while symmetric ciphers and hash functions are weakened far less (Grover's algorithm only halves their effective key length).
▶ This could lead to the de-anonymization of users, decryption of recorded sensitive traffic, and compromise of secure communication channels.
▶ Quantum computing could also be used to simulate complex dark web environments, enabling researchers and investigators to gain insights into the behavior of threat actors, explore potential vulnerabilities, and devise effective countermeasures.

Conclusion
▶ The Dark Web can provide a level of anonymity and privacy
that is beneficial for individuals who live in countries with
restrictive governments or who need to communicate sensitive
information.
▶ Dark Web activism and whistleblowing are valuable tools for individuals or groups who need to expose corruption or wrongdoing in a safe and anonymous manner.
▶ The Dark Web has inspired new research and development in
cryptography and network security, which can be beneficial in
developing new technologies to protect users’ privacy and
security.
▶ The Dark Web offers a dual nature: positive aspects of
anonymity for privacy and free expression, but also negative
aspects like untraceable malicious activities.

Conclusion
▶ The misuse of anonymity raises ethical concerns and
necessitates vigilant tracking of activities for security and
public safety.
▶ The anonymity and unregulated nature of the Dark Web make
it a hub for illegal activities such as drug trafficking, weapons
sales, and child exploitation, which can harm individuals and
societies.
▶ The use of Dark Web marketplaces can provide access to
goods and services that may not be readily available in the
mainstream market, such as niche or illegal products.
▶ The Dark Web can provide a false sense of security and
anonymity, which can lead to users engaging in risky behaviors
or sharing sensitive information that can be used against them.

Conclusion
▶ Dark Web monitoring and governance require a multi-faceted
approach, including technical solutions, law enforcement
cooperation, international coordination, and a balance
between privacy and security concerns.
▶ Law enforcement faces challenges in combating cybercrime
due to the decentralized and encrypted nature of the Dark
Web.
▶ Evolving tools and investigation frameworks provide hope for
uncovering and prosecuting illicit activities, bridging the gap
between anonymity and accountability.
▶ Leveraging various sources of information, including
traditional OSINT methods and specialized tools, aids in
understanding this clandestine realm.

References
1. L. Barbosa and J. Freire, "An adaptive crawler for locating hidden-Web entry points," in Proc. 16th International Conference on World Wide Web (WWW), 2007, pp. 441-450.
2. P. Liakos, A. Ntoulas, A. Labrinidis, and A. Delis, "Focused crawling for the hidden Web," World Wide Web, vol. 19, pp. 605-631, 2016.
3. J. Nurmi, "Understanding the Usage of Anonymous Onion Services: Empirical Experiments to Study Criminal Activities in the Tor Network," 2019.
4. O. Catakoglu, M. Balduzzi, and D. Balzarotti, "Attacks landscape in the dark side of the Web," in Proc. ACM Symposium on Applied Computing (SAC), 2017, pp. 1739-1746.
5. C. Wang, Z. Ling, W. Wu, Q. Chen, M. Yang, and X. Fu, "Large-scale Evaluation of Malicious Tor Hidden Service Directory Discovery," in Proc. IEEE Conference on Computer Communications (INFOCOM), 2022, pp. 1709-1718.
6. P. Biddle, P. England, M. Peinado, and B. Willman, "The Darknet and the future of content protection," in Digital Rights Management: ACM CCS-9 Workshop, DRM 2002, Washington, DC, USA, November 18, 2002, Springer Berlin Heidelberg, 2003, pp. 155-176.

References
7. F. Chen and J. Pasquale, "Toward improving path selection in Tor," in Proc. IEEE Global Telecommunications Conference (GLOBECOM 2010), 2010, pp. 1-6.
8. A. ElBahrawy, L. Alessandretti, L. Rusnac, D. Goldsmith, A. Teytelboym, and A. Baronchelli, "Collective Dynamics of Dark Web Marketplaces," arXiv preprint arXiv:1911.09536, 2019.
9. G. Persi Paoli, J. Aldridge, N. Ryan, and R. Warnes, "Behind the curtain: The illicit trade of firearms, explosives and ammunition on the Dark Web," 2017.
10. M. J. Barratt, J. A. Ferris, and A. R. Winstock, "Safer scoring? Cryptomarkets, social supply and drug market violence," International Journal of Drug Policy, vol. 35, pp. 24-31, 2016.
11. M. Faizan, R. A. Khan, and A. Agrawal, "Ranking Potentially Harmful Tor Hidden Services: Illicit Drugs Perspective," Applied Computing and Informatics, 2020.
12. C. M. S. Steel, E. Newman, S. O'Rourke, and E. Quayle, "An integrative review of historical technology and countermeasure usage trends in online child sexual exploitation material offenders," Forensic Science International: Digital Investigation, vol. 33, 2020.

Thank You for Your Attention.

Any Questions?