This section looks at the criminal use of anonymising peer-to-peer networks such as Tor, I2P and Freenet. These networks are often referred to as ‘Darknets’. While these tools are designed and intended to protect users from traffic analysis, which “threatens personal freedom and privacy, confidential business activities and relationships, and state security” [150], they are also used by criminals operating online to protect their own freedom - by frustrating law enforcement attempts to identify and arrest them. In addition to concealing the identity of criminals themselves, such tools can be used to hide the hosting location of criminal websites, forums and online markets, commonly referred to as “hidden services”.
2015 has been a tumultuous year for Darknet markets, with the underground economy plagued by major exit scams and market closures. We previously reported that in March 2015, the Evolution marketplace shut down, with its administrators allegedly stealing EUR 11 million of their customers’ Bitcoins [151]. At that time, Evolution’s departure left only a few large popular markets (along with many smaller ones), including the Agora and Nucleus markets. However, in August 2015, the administrators of Agora voluntarily took the marketplace down to allegedly address vulnerabilities in Tor which may have allowed their servers to be de-anonymised [152]. The Nucleus market closed its forums in September 2015 and sometime in early 2016 the market also appears to have shut down. Whether this is also an exit scam is not clear as customers’ funds still sit in the market’s wallet.
Three major Darknet markets all went offline within a 12-month period without any apparent law enforcement action, highlighting the inherent volatility of the Darknet market economy. While users of these sites can take any number of operational security measures to protect themselves from law enforcement investigation, there is nothing they can do to prevent these markets folding from within, which is an inherent risk in using these sites.
Disruption is a core tactic for law enforcement, so the self-disrupting effect of the market volatility is something of a boon to law enforcement. The impact of Operation Onymous [153] in 2014 was significant at the time, but the remaining markets rallied back and new ones formed. Today, message board chat relating to these services is often seeded with paranoia, not that law enforcement has taken further action, but that a market has performed an exit scam with their funds or simply closed down. This is particularly so when these services are unavailable, often as a result of DDoS attacks (presumably from rivals), which is not uncommon.
Some research indicates that almost 30% of hidden services on Tor relate to some form of illicit activity [154]. The majority of law enforcement investigations on the Darknet focus on markets selling illicit drugs – or at least the vendors and buyers thereon. Those selling weapons, compromised data or other illicit products such as pharmaceuticals and chemicals are also key targets for law enforcement. One of the main challenges for law enforcement in this area – aside from the additional attribution issues – is the ability to operate lawfully in these environments, with one quarter of respondents clearly restricted by their national legislation.
While it is true that there is some measure of cybercrime activity on hidden services on the Darknet, the majority of illicit activity on hidden services relates primarily to drugs and, to a lesser extent, other illicit commodities, and is firmly cyber-facilitated. This highlights the increasing dependence of other crime areas on online services, and the subsequent need for all law enforcement to have the capability to investigate online.
However, law enforcement presence in an area that has no effective national boundaries causes issues with deconfliction. To effectively progress such investigations requires at least EU-level cooperation.