IOCTA 2016

This section looks at the criminal use of anonymising peer-to-peer networks such as Tor, I2P and Freenet. These networks are often referred to as ‘Darknets’. While these tools are designed and intended to protect users from traffic analysis, which “threatens personal freedom and privacy, confidential business activities and relationships, and state security” [150], they are also used by criminals operating online to protect their own freedom - by frustrating law enforcement attempts to identify and arrest them. In addition to concealing the identity of criminals themselves, such tools can be used to hide the hosting location of criminal websites, forums and online markets, commonly referred to as “hidden services”.

Future threats and developments

In other areas of cybercrime, there is a continuous arms race between cybercriminals looking for vulnerabilities to exploit and security professionals looking to defend against them. With regard to the use of Darknets and hidden services, the opposite is largely true. Criminals shelter themselves behind imperfect anonymisation solutions while law enforcement and researchers seek to find ways to penetrate their shields of anonymity, while keeping protection intact for legitimate users. Of course, other developers are also looking for ways to plug the security holes to make the system safer for legitimate users.

We previously reported the possibility of a wholesale movement from Tor to other networks such as I2P; however, this has not happened. There is still a clear preference for Tor, perhaps due to the simplicity of its use, or conversely the technical challenges of moving to I2P. We can, however, still expect to see the improvement of existing networks and the development of new ones as researchers and developers seek to overcome the flaws and limitations of existing networks whilst building on their strengths; one example is Riffle, which is under development by MIT [155]. Riffle incorporates Tor’s onion encryption and ‘shuffles’ traffic to minimise the possibilities of traffic analysis. The project was created with anonymous file sharing in mind [156], and to prevent snooping by “authoritarian” governments [157]. While initiatives such as this no doubt represent a fascinating area of academic study, one must question who the principal beneficiaries of this new technology will likely be, with so many obvious advantages to those operating against the good of society such as violent extremists and child sex offenders.

Hidden services may remain protected behind different anonymisation solutions but Operation Onymous highlighted that these networks are not impervious. While their locations may be hidden, they are still hosted somewhere which often represents a single point of potential failure – not taking into account criminal business continuity plans. New projects such as OpenBazaar may overcome this weakness though. OpenBazaar is a decentralised marketplace accessed through a client. Customers can search for goods and purchase directly from a merchant using bitcoins. The system is entirely peer-to-peer with no centralised servers and uses multisignature (multisig) bitcoin addresses for security [158]. What the repercussions of the migration of existing Darknet drug and illicit commodities markets to this type of system would be for law enforcement investigations is not yet clear; however, the first drugs listings appeared only hours after OpenBazaar’s official launch [159].

  155. Massachusetts Institute of Technology
  156. MIT News, How to Stay Anonymous Online, http://news.mit.edu/2016/stay-anonymous-online-0711, 2016
  157. Kwon et al., Riffle: An Efficient Communication System With Strong Anonymity, https://people.csail.mit.edu/devadas/pubs/riffle.pdf, 2016
  158. OpenBazaar Blog, What is OpenBazaar?, https://blog.openbazaar.org/what-is-openbazaar/, 2016
  159. CoinDesk, Hours After Launch, OpenBazaar Sees First Drug Listings, http://www.coindesk.com/drugs-contraband-openbazaar/, 2016

Recommendations

  • Given the significant challenges investigations on the Darknet present to law enforcement, this represents an area where effective deconfliction, collaboration and the sharing of intelligence is essential. This will serve to prevent duplication of effort, facilitate the sharing of tactics and tools and improve our understanding of the scope of the threat.
  • Darknets are an environment where cyber-facilitated crime is becoming firmly established. It is not feasible or practical that all such crime is dealt with by cybercrime units when the predicate crime is related to drugs, firearms or some other illicit commodity. It is essential therefore that appropriate training and tool support is extended to those working in these areas to provide them with the required knowledge and expertise.
  • The difficulties faced by law enforcement operating lawfully in these environments are clear with many jurisdictions restricted by their national legislation. A harmonised approach to undercover investigations with clear directions and boundaries is required across the EU. Part of this effort must focus on locating hidden services, to give ownership of an investigation to a specific Member State.
  • Law enforcement would benefit from a strategic/tactical assessment of the scope of the criminal abuse of alternative Darknets (such as I2P and Freenet).

2015 has been a tumultuous year for Darknet markets, with the underground economy plagued by major exit scams and market closures. We previously reported that in March 2015, the Evolution marketplace shut down, with its administrators allegedly stealing EUR 11 million of their customers’ Bitcoins [151]. At that time, Evolution’s departure left only a few large popular markets (along with many smaller ones), including the Agora and Nucleus markets. However, in August 2015, the administrators of Agora voluntarily took the marketplace down to allegedly address vulnerabilities in Tor which may have allowed their servers to be de-anonymised [152]. The Nucleus market closed its forums in September 2015 and sometime in early 2016 the market also appears to have shut down. Whether this is also an exit scam is not clear as customers’ funds still sit in the market’s wallet.

Three major Darknet markets all went offline within a 12-month period without any apparent law enforcement action, highlighting the inherent volatility of the Darknet market economy. While users of these sites can take any number of operational security measures to protect themselves from law enforcement investigation, there is nothing they can do to prevent these markets folding from within, which is an inherent risk in using these sites.

Disruption is a core tactic for law enforcement, therefore the self-disrupting effect of the market volatility is something of a boon to law enforcement. The impact of Operation Onymous [153] in 2014 was significant at the time but the remaining markets rallied back and new ones formed. Today, message board chat relating to these services is often seeded with paranoia, not that law enforcement has taken further action, but that a market has performed an exit scam with their funds or simply closed down. This is particularly so when these services are unavailable, often as a result of DDoS attacks (presumably from rivals), which is not uncommon.

Some research indicates that almost 30% of hidden services on Tor relate to some form of illicit activity [154]. The majority of law enforcement investigations on the Darknet focus on markets selling illicit drugs – or at least the vendors and buyers thereon. Those selling weapons, compromised data or other illicit products such as pharmaceuticals and chemicals are also key targets for law enforcement. One of the main challenges for law enforcement in this area – aside from the additional attribution issues – is the ability to operate lawfully in these environments, with one quarter of respondents clearly restricted by their national legislation.

While it is true that there is some measure of cybercrime activity on hidden services on the Darknet, the majority of illicit activity on hidden services relates primarily to drugs and, to a lesser extent, other illicit commodities, and is firmly cyber-facilitated. This highlights the increasing dependence of other crime areas on online services, and the subsequent need for all law enforcement to have the capability to investigate online.

However, law enforcement presence in an area that has no effective national boundaries causes issues with deconfliction. To effectively progress such investigations requires at least EU-level cooperation.

  150. Tor, https://torproject.org/
  151. DeepDotWeb, Evolution Marketplace Exit Scam: Biggest Exit Scam Ever?, https://www.deepdotweb.com/2015/03/18/evolution-marketplace-exit-scam-biggest-exist-scam-ever/, 2015
  152. DeepDotWeb, Agora Admin Explains: Why Is Agora Down?, https://www.deepdotweb.com/2014/09/01/agora-admin-explains-why-is-agora-always-down/, 2014
  153. DeepDotWeb, Global Action Against Dark Markets on Tor Network, https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network, 2014
  154. Daniel Moore, Thomas Rid, Cryptopolitik and the Darknet, 2016