Tor's moderators aren't entirely sure how up to 50 illicit websites were discovered and shut down this past week.
Tor's moderators aren't entirely sure how up to 50 illicit websites were discovered and shut down this past week.

Almost a week has passed since global authorities shut down Silk Road 2.0 and about 50 other illicit websites, yet Tor network moderators aren't entirely sure how global government authorities might have penetrated the hidden services, though they do have some theories.

The anonymity software's moderators noted in a recent post that they don't know how Europol and other government entities located the hidden services, but they did posit that authorities could have relied on a number of methods, including SQL injections, Bitcoin deanonymization and distributed denial-of-service (DDoS) attacks.

The “most obvious” explanation, the post said, would be that the hidden service operators failed to adopt proper operational security. As one example, the complaint against Blake Benthall, the operator of Silk Road 2.0, mentioned his failures to protect his identity. Benthall used his personal email account, for instance, which immediately gave away his real name.

Alternatively, some already-known, publicly disclosed attacks on the network could be to blame. The post cited one instance in which suspected CERT researchers launched non-targeted deanonymization attacks on the live Tor network. Although the bug they were exploiting was promptly fixed, it's possible the researchers were able to deanonymize some hidden services.

A different attack could have discovered the guard node of a hidden service, which would have disclosed the hidden service's legitimate IP address. Tor's moderators have yet to figure out a patch for this vulnerability.

Although the post's authors aren't sure what happened to expose the hidden services, they do recommend that service operators read about security vulnerabilities and keep a tight threat model.

“If your hidden service lacks sufficient processor, memory, or network resources the DoS based de-anonymization attacks may be easy to leverage against your service,” the post said.

Tor will eventually know what flaws led to the hidden services' exposure when prosecution of the 17 people who've been arrested begins. Police will have to, “explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services,” the post said.