Tor is an overlay network designed to provide a fully anonymous way to browse the web and exchange messages or data over the internet. The “darknet” is supposed to be free from eavesdropping and surveillance, but resourceful agencies can still peel back its many onion-like layers and uncover a suspect’s true identity.
German law enforcement agencies have successfully targeted, tracked, and arrested four suspects in a single investigation. The suspects used Tor to hide their identities and activities while managing a ransomware operation and hosting child sex abuse material (CSAM) on their servers. Investigators identified them using a “timing analysis” attack: officers directly monitored many Tor nodes over time, looking for a specific correlation between the servers hidden within the darknet and local internet connections.
Authorities tracked four people in their investigation, eventually taking over the Tor address belonging to a ransomware group. Police redirected its traffic to a new page to prevent users from sharing previously stolen encrypted files. Then, the investigators used timing analysis techniques to uncover the identity of “Andres G,” an individual operating a .onion service known as “Boystown” that hosted CSAM.
The Tor team claims that users can only access onion services from within the Tor network, so any discussion about monitoring exit nodes is irrelevant. The Tor Project developers also claim that the suspect tracked by German authorities was using an old version of the Tor-based decentralized instant messaging application Ricochet. The outdated Ricochet release didn’t protect against timing analysis; developers addressed this shortcoming in a newer fork of the application (Ricochet-Refresh).
The Tor team assures Tor users that they can continue to use Tor Browser to access the web securely and anonymously.