Dark Web and The Onion Routing (TOR)
The Web Sea: Surface, Deep, and Dark Web
The Web Sea
Layers of Web
Comparison of Surface Web, Deep Web, and Dark Web
The Dark Web
The Dark Web (Contd...)
▶ While the Dark Web was initially introduced for secure data sharing, anonymous communication, and private browsing, it is now often associated with illegal activities, such as selling drugs, weapons, and stolen data.
▶ Law Enforcement Agencies (LEAs) are working hard to catch the criminals performing illegal activities on the Darknet.
▶ The Dark Web has also become a huge hidden marketplace for illicit transactions; according to research, these generate at least $500,000 per day.
▶ According to a study by the University of California, the Deep and Dark Web hold approximately 7.5 petabytes of data (1 petabyte is 1000 terabytes).
Anonymous Communication Networks (ACNs)
▶ Privacy and security on the Internet have become essential for communication and information exchange.
▶ A lack of privacy has profound implications, particularly for individuals who require anonymity for their safety and security, e.g., journalists, whistleblowers, and human rights activists.
▶ The rise of ACNs has allowed information sharing and anonymous communication while masking the identity or location of a user. Additionally, they have played a crucial role in protecting online activities from surveillance and censorship.
▶ There are several prevalent ACNs available, including The Onion Router (Tor), Invisible Internet Protocol (I2P), Freenet, Zeronet, and GNUnet.
The Onion Router (Tor)
▶ Tor is one of the most well-known and widely used networks for accessing the Dark Web. Tor is free and open-source software that allows users to browse the internet anonymously.
▶ Tor works by encrypting users’ internet traffic and routing it through a series of relays run by volunteers around the world. Each relay only knows the IP address of the previous and next relays in the chain, so no single relay can determine both the source and the destination of the traffic.
▶ This process is known as onion routing, which is why Tor is often referred to as “The Onion Router.”
▶ When the user opens their Web browser, the Tor software creates a circuit of three or more randomly selected nodes (also known as relays) from the Tor network.
Internal Architecture of Tor
How Onion Routing Works?
Connecting to Services Using Tor
Key Participants of a Tor Network
2. Exit Nodes:
▶ Exit nodes are the final nodes in the Tor network before traffic
exits to the destination server on the regular internet.
▶ They decrypt the user’s data and send it to the destination
server.
▶ Exit nodes can see the unencrypted traffic’s destination, but
they don’t know the original source.
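The layered encryption described on the Tor slide above, together with the exit node's view described here, as an added example that is not part of this deck or of the Tor project's own code: a small Python model of a three-hop circuit. Everything in it is an assumption made for the demo: the relay names, the per-hop keys (derived from those names), the NEXT/DEST headers, and the HMAC-SHA256 toy stream cipher. Real Tor negotiates a fresh key with each hop during circuit construction, encrypts with AES-CTR, and keeps next-hop state in the relay's circuit table rather than in a header. Running it shows what each hop can and cannot see: the guard learns only the next relay, the middle relay only its two neighbours, and the exit the destination plus the plaintext payload, which is why end-to-end TLS (the "Connecting through HTTPS" slide) still matters on top of Tor.

```python
import hashlib
import hmac
import os

# Constructed demo circuit and per-hop keys (assumption: in real Tor the client
# negotiates a separate key with every relay; here keys are derived from the
# relay names only so that the example is self-contained).
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream in counter mode.
    A stand-in for the per-hop AES-CTR that Tor actually uses."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def build_onion(path, keys, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per hop, innermost first.
    Only the innermost (exit) layer carries the real destination."""
    onion = encrypt_layer(keys[path[-1]], b"DEST:" + destination.encode() + b"\n" + payload)
    for i in range(len(path) - 2, -1, -1):
        header = b"NEXT:" + path[i + 1].encode() + b"\n"
        onion = encrypt_layer(keys[path[i]], header + onion)
    return onion


def relay_process(name: str, key: bytes, onion: bytes):
    """One relay peels its own layer. Returns (what it learned, what it forwards)."""
    header, _, rest = decrypt_layer(key, onion).partition(b"\n")
    tag, _, value = header.partition(b":")
    if tag == b"NEXT":
        return {"relay": name, "next_hop": value.decode(), "sees_destination": False}, rest
    if tag == b"DEST":
        return {"relay": name, "destination": value.decode(),
                "sees_destination": True, "payload": rest}, None
    raise ValueError("layer does not decrypt to a well-formed header")


def can_read_layer(key: bytes, onion: bytes) -> bool:
    """True only if `key` peels the outermost layer of `onion`."""
    try:
        relay_process("probe", key, onion)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def run_circuit(path, keys, destination: str, payload: bytes):
    """Drive the onion through every hop and collect each relay's view."""
    onion = build_onion(path, keys, destination, payload)
    views = []
    for name in path:
        view, forwarded = relay_process(name, keys[name], onion)
        # A relay cannot open the layer it forwards to the next hop.
        view["can_read_forwarded"] = forwarded is not None and can_read_layer(keys[name], forwarded)
        views.append(view)
        onion = forwarded
    return views


if __name__ == "__main__":
    for view in run_circuit(PATH, KEYS, "example.com:80", b"GET / HTTP/1.1"):
        print(view)
```

The `can_read_forwarded` flag is the defender's takeaway: the guard holds the client's address but forwards a blob it cannot open, while the exit opens the last layer and therefore sees whatever the application sent in the clear.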
Key Participants of a Tor Network (Contd...)
5. Directory Authorities:
▶ Directory authorities maintain a list of all Tor nodes and their
status.
▶ They help users find entry nodes and other network
information.
▶ Directory authorities play a crucial role in network governance
and stability.
Consensus / Path Selection Algorithm
Packet Request and Response in Tor
Tor Browser
Users can also operate Tor Browser from removable media under
Microsoft Windows, MacOS, or Linux.
The Motivation
The Browser Interface
Connecting to Tor
Creating a Tor Relay Circuit
What does Tor Browser do differently?
Connecting through HTTPS
Connecting through VPN
Connecting through Tor
Tor: The Mission to Fight Internet’s original sins
Digital Fingerprinting
Internet Surveillance: A Prominent Issue
Network Censorship?
Positive Features of Tor Browser
The Onion Services
Workflow of Hidden Services
Popular Onion/ Hidden Services
Popular Illicit Hidden Services
The Dark Web: Legal and Illegal Side
Legal Side / Illegal Side
Positive Aspects of the Dark Web
Negative Aspects of the Dark Web
Illegal Activities in Dark Web
Darknet Marketplaces
An Overview of Illicit activities on Tor network
2006: The Silk Road, the first prominent Dark Web marketplace, is
launched by Ross Ulbricht, enabling the anonymous sale of
drugs and other illicit goods.
2010: The Tor network was used by the Syrian Electronic Army to
launch a series of cyberattacks against government websites
and media outlets. The SEA was a group of hacktivists who
supported the Syrian government during the Syrian Civil War.
2012: The Tor network was used by the Anonymous hacktivist group
to launch a series of cyberattacks against government
websites and corporations. Anonymous is a decentralized
group of hacktivists who are known for their online activism.
2013: The Tor network was used by the Islamic State of Iraq and
Syria (ISIS) to communicate with each other and to spread
propaganda. ISIS is a terrorist organization that has been
responsible for numerous attacks around the world.
2016: The Tor network was used by the DNC Leaks, a series of
cyberattacks that resulted in the release of emails from the
Democratic National Committee. The DNC Leaks were
believed to have been carried out by Russian hackers.
2020: The Tor network was used by the COVID-19 Vaccine Hunters,
a group of hacktivists who were trying to obtain COVID-19
vaccines for people who were unable to get them through
official channels.
2021: The Tor network was used by the REvil ransomware group to
launch a series of cyberattacks against businesses and
government agencies. REvil is a Russian ransomware group
that is known for its high-profile attacks.
2021: The Tor network was also used by the DarkSide ransomware
group to launch a series of cyberattacks against businesses
and government agencies. DarkSide is a Russian ransomware
group that is known for its destructive attacks.
2022: The Tor network was used by the Conti ransomware group to
launch a series of cyberattacks against businesses and
government agencies. Conti is a Russian ransomware group
that is known for its sophisticated attacks.
2022: The Tor network was also used by the Lapsus$ ransomware
group to launch a series of cyberattacks against businesses and
government agencies. Lapsus$ is a British ransomware group
that is known for its targeting of high-profile organizations.
2023: The Tor network was used by the BlackCat ransomware group
to launch a series of cyberattacks against businesses and
government agencies. BlackCat is a Russian ransomware
group that is known for its aggressive attacks.
2023: The Tor network was also used by the LockBit 2.0
ransomware group to launch a series of cyberattacks against
businesses and government agencies. LockBit 2.0 is a Russian
ransomware group that is known for its data extortion
campaigns.
2023: In June 2023, a cybersecurity firm called Group-IB reported
that over 100,000 login credentials for ChatGPT had been
leaked on the Dark Web. The credentials were reportedly
stolen using the Raccoon Infostealer malware, which is a type
of malware that steals login credentials from infected devices.
Counterfeit Passport Service on The Dark Web
Drugs on your Demand on the Dark Web
Alphabay: One of the Most prominent Dark Web Marketplace
The Notorious Silk Road Marketplace
Available drug types on popular Dark Web marketplaces
Article Showcasing Ease of Drug Purchase from the Dark Web (The Saint)
How Dark Web is usually Represented
The Reality
The Scale
Attacks on Tor Network
Dark Web Investigation Techniques
A Generalized Dark Web Monitoring Framework
Common Approaches for Dark Web Monitoring
▶ Web Crawlers and Scrapers: Automated tools navigate and collect information from Dark Web websites, forums, and marketplaces.
▶ Data Leakage Monitoring: Specialized tools and services are employed to detect the presence of sensitive data or proprietary information on the Dark Web.
▶ Open Source Intelligence (OSINT): Publicly available information from the Dark Web is gathered using OSINT techniques, including the monitoring of social media platforms.
▶ Dark Web Marketplaces Monitoring: Tools and techniques are used to track and analyze activities within Dark Web marketplaces, identifying the sale of illegal goods and services.
▶ Dark Web Honeypots: Decoy systems or services are set up to attract and monitor malicious activity, providing insights into the tactics and tools used by malicious actors.
▶ Dark Web Intelligence: Monitoring efforts extend to the Dark Web itself, employing advanced web scraping and data mining techniques to gather information from non-indexed content.
▶ Threat Intelligence Platforms: Specialized platforms aggregate and analyze data from various sources to provide insights into Dark Web threats, trends, and emerging risks.
▶ Artificial Intelligence (AI) and Machine Learning (ML): Used to identify patterns of criminal behavior by analyzing large amounts of data, and to flag suspicious activities such as drug trafficking and money laundering.
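Two of the approaches listed above, crawling/scraping and data-leakage monitoring, both reduce to the same first step: pulling structured indicators out of scraped page text. As an added example that is not part of this deck or of any of the tools it names (ACHE, TorCrawl, Hunchly), the Python below extracts v3 `.onion` addresses from scraped text, checks each one against the checksum that the v3 address format defines (SHA3-256 over the string `.onion checksum`, the 32-byte public key and the version byte `0x03`, truncated to two bytes), and separately flags e-mail addresses at a watched organisation domain. The sample page text is constructed: the three directory addresses in it are the ones listed later in this deck, the dummy public key, the generated and deliberately corrupted addresses, the `example.com` mailbox names and the domain being watched are all assumptions made for the demo. Checksum validation is the practical point: a scraped address that fails it is a typo, a truncation or a lure, not a reachable service, and should not enter a watch list.

```python
import base64
import hashlib
import re

# A v3 onion address is 56 base32 characters followed by ".onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def onion_v3_checksum(pubkey: bytes, version: bytes = b"\x03") -> bytes:
    """Two-byte checksum defined by the Tor v3 onion address format."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode PUBKEY | CHECKSUM | VERSION as a v3 address (35 bytes -> 56 chars)."""
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(address: str) -> bool:
    """Structural validity only: length, base32 alphabet, version and checksum."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == onion_v3_checksum(pubkey)


def extract_onion_addresses(text: str) -> list:
    """Unique v3 addresses in document order, each tagged with its validity."""
    seen, found = set(), []
    for match in ONION_V3_RE.finditer(text):
        addr = match.group(1).lower() + ".onion"
        if addr not in seen:
            seen.add(addr)
            found.append({"address": addr, "valid": is_valid_onion_v3(addr)})
    return found


def find_watched_emails(text: str, domain: str) -> list:
    """Data-leakage check: mailboxes at the watched domain, lower-cased, deduplicated."""
    pattern = re.compile(r"[\w.+-]+@" + re.escape(domain) + r"\b", re.IGNORECASE)
    return sorted({m.group(0).lower() for m in pattern.finditer(text)})


# Constructed sample of scraped page text (not real captured data). The three
# directory addresses are the ones listed in this deck; the last two are
# generated here from a dummy 32-byte "public key" (assumption, not a real key).
DEMO_PUBKEY = bytes(range(32))
DEMO_ADDRESS = make_onion_v3(DEMO_PUBKEY)
CORRUPTED_ADDRESS = ("b" if DEMO_ADDRESS[0] == "a" else "a") + DEMO_ADDRESS[1:]
SAMPLE_PAGE = f"""
Directories: http://paavlaytlfsqyvkg3yqj7hflfg5jw2jdg2fgkza5ruf6lplwseeqtvyd.onion/
  http://juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion/ (Ahmia)
  http://torlinppuo5prxaoqexzrubwowwnaoxzzsl57gx6wmssm6i3jcwilnad.onion/
Mirror: http://{DEMO_ADDRESS}/login  (typo'd copy: {CORRUPTED_ADDRESS})
dump: admin@example.com:[password redacted]  support@Example.com  someone@other.org
"""

if __name__ == "__main__":
    for entry in extract_onion_addresses(SAMPLE_PAGE):
        print(("valid   " if entry["valid"] else "INVALID ") + entry["address"])
    print("watched-domain mailboxes:", find_watched_emails(SAMPLE_PAGE, "example.com"))
```

The checksum says nothing about whether a service is live or what it hosts; it only removes malformed strings before any outbound request is made, which keeps a crawler's queue and an analyst's watch list clean.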
Tools to Track Illegal Activities
Dark Web Investigation: Cryptocurrency Tracing
How Money is Wired on Dark Web Using Bitcoin (FBI)
Steps of Cryptocurrency Tracing
Analyzing Blockchain for Cryptocurrency Tracing
Crypto Tracing by LEAs: Operation SpecTor
Operation SpecTor (Europol)
Dark Web Information Sources
Few More Important Information Sources
▶ Ahmia - Ahmia searches hidden services on the Tor network.
▶ Tor Links - Tor Links is a backup directory of “.onion” sites in case other directories go offline. The best Tor sites are under constant threat of closure, including Tor directories like the Hidden Wiki, so backups are handy.
▶ Hidden Wiki - The Hidden Wiki is one of the oldest link directories on the dark web. It is famous for listing all the important “.onion” links; from drug marketplaces to financial services, all the important dark web services are listed on it.
Hidden Wiki: paavlaytlfsqyvkg3yqj7hflfg5jw2jdg2fgkza5ruf6lplwseeqtvyd.onion
Ahmia: juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion
Tor Links: torlinppuo5prxaoqexzrubwowwnaoxzzsl57gx6wmssm6i3jcwilnad.onion
Commercial Links
Hidden Wiki Sites and Cryptocurrency Traders
Work @ MNIT
TrackTor
▶ Developed TrackTor, which is a platform-independent tool
that provides statistical and analytical data tracked from the
Tor services exercised by the end user.
▶ GitHub Link: https://github.com/hrp-tracktor/TrackTor.
TorShield
▶ Created a Tor browser with a plugin to view Tor statistics.
▶ Removed dependency of TrackTor on predeveloped Stem API
for data extraction from Tor.
Work @ MNIT
Hidden Service
▶ We have set up a Hidden service.
▶ The address of the Hidden service is:
http://ojef6siv6amwguj4druheuvfrxtjjlcwef2vd2cgjsjdj6ij4iy2q3yd.onion/
The Hosted Hidden Service
Bridge Connections in Virtual Private Tor Network
Work @ MNIT
Crawlers
▶ We have set up crawlers – ACHE and Torcrawl to capture
traffic from the Hosted Onion site and Private Tor Emulation
environment.
Setting up the Virtual Private Tor Network
Private Tor Network Emulation using Chutney
Identifying Directory Services using TorCrawl and Chutney
Capturing Relay Nodes Traffic using TCPDump after Deploying ACHE
Capturing Exit Nodes Traffic using TCPDump after Deploying ACHE
Case Details of Monitoring of Onion Links using Hunchly
Capturing Onion Addresses using Hunchly
Identified Keywords for Data Crawling from Captured Onion Links using Hunchly
Capturing IP addresses from Onion Links using Hunchly
Capturing Email Addresses from Onion Links using Hunchly
Deployment of Honeypot in Dark Web
Work Currently in Progress
Challenges to LEAs
▶ Traceback and Attribution:
▶ Anonymous Communication Networks (ACNs) such as Tor,
I2P and Freenet provide users with a level of anonymity, but
each of them has unique features and functionality.
▶ Due to their distributed nature, it is difficult for anyone to
connect the two endpoints of a communication session,
ensuring greater privacy and anonymity for its users.
▶ By routing traffic through a series of volunteer-operated nodes,
or relays, ACNs effectively obscure the origin and destination
of Internet traffic, making it nearly impossible for third parties
to track or trace online activity.
▶ LEAs deal with this anonymity by using strategies that protect
the privacy of regular users while identifying the offender.
▶ Searching for unlawful Websites rather than illegal users is the
most efficient way to do this.
Legal and Ethical Considerations
▶ Legal and ethical considerations are paramount in LEA investigations to ensure that actions are conducted within the boundaries of the law, uphold human rights, and maintain public confidence in the judiciary.
▶ By prioritizing legal and ethical considerations, LEAs can
strike a balance between effective investigations and
protecting the rights and interests of individuals.
▶ LEAs must continuously evaluate and update their practices, policies, and training programs to address emerging legal and ethical challenges in Dark Web investigations.
▶ This helps maintain public trust, protect individual rights, and achieve successful outcomes in combating cyber threats while upholding the principles of justice and fairness.
Balancing Individual Privacy and Public Safety
▶ Apply the Proportionality and Necessity Principle to ensure that privacy intrusions are justified by the seriousness of the crime and that less invasive measures have been explored before resorting to intrusive methods.
▶ Implement effective Judicial Oversight to ensure that privacy
is protected during investigations.
▶ Judicial warrants are necessary for intrusive measures like
wiretapping, tracking devices, or accessing private data,
ensuring judges assess the necessity and proportionality of
such actions.
▶ Foster Transparency and Accountability by making law
enforcement practices more open to public scrutiny.
Artificial Intelligence in Forensic Investigations
▶ Artificial intelligence (AI) has the potential to enhance
forensic investigations by automating processes, analyzing
large amounts of data, and identifying patterns.
▶ However, its use raises ethical concerns, such as algorithmic
bias, privacy implications, and the need for human oversight.
▶ In Forensic Investigations, AI can automate the process of
collecting and analyzing data, especially in cases involving the
Tor browser, as the sheer volume of data generated by Tor
users can make it difficult for investigators to manually
identify and filter out relevant data.
▶ This data can then be used to identify patterns of behavior, such as the websites visited and the files accessed, in order to identify and track down Tor users who are involved in illegal activity.
Artificial Intelligence in Forensic Investigations (Contd...)
Cryptocurrency Wallet Analysis Tools and Cryptocurrency Forensics
Quantum Computing
Conclusion
▶ The Dark Web can provide a level of anonymity and privacy
that is beneficial for individuals who live in countries with
restrictive governments or who need to communicate sensitive
information.
▶ Dark Web activism and whistleblowing can be a valuable tool
for individuals or groups who need to expose corruption or
wrongdoing in a safe and anonymous manner.
▶ The Dark Web has inspired new research and development in
cryptography and network security, which can be beneficial in
developing new technologies to protect users’ privacy and
security.
▶ The Dark Web offers a dual nature: positive aspects of
anonymity for privacy and free expression, but also negative
aspects like untraceable malicious activities.
▶ The misuse of anonymity raises ethical concerns and
necessitates vigilant tracking of activities for security and
public safety.
▶ The anonymity and unregulated nature of the Dark Web make
it a hub for illegal activities such as drug trafficking, weapons
sales, and child exploitation, which can harm individuals and
societies.
▶ The use of Dark Web marketplaces can provide access to
goods and services that may not be readily available in the
mainstream market, such as niche or illegal products.
▶ The Dark Web can provide a false sense of security and
anonymity, which can lead to users engaging in risky behaviors
or sharing sensitive information that can be used against them.
▶ Dark Web monitoring and governance require a multi-faceted
approach, including technical solutions, law enforcement
cooperation, international coordination, and a balance
between privacy and security concerns.
▶ Law enforcement faces challenges in combating cybercrime
due to the decentralized and encrypted nature of the Dark
Web.
▶ Evolving tools and investigation frameworks provide hope for
uncovering and prosecuting illicit activities, bridging the gap
between anonymity and accountability.
▶ Leveraging various sources of information, including
traditional OSINT methods and specialized tools, aids in
understanding this clandestine realm.
Thank You for Your Attention.
Any Questions?