What are Tor and the Darknet?

The hidden services on Tor are colloquially known as the Darknet. Designed for anonymity yet freely accessible, the darknet has become a haven for criminal activity.

Originally developed by the US government for secure communications, Tor is now run by a separate organisation, the Tor Project. Tor is a network of servers contributed by volunteers, and accessing it requires special software, the Tor Browser. The Tor Project receives funding from charities, universities, individuals and governments. It is argued that Tor enables freedom of speech and safe internet access for citizens of repressive regimes.

The anonymity that Tor provides to protect citizens and frustrate snooping technology makes policing this space extremely difficult. The server providers don’t know what material they are hosting, site admins don’t know where their site is hosted or who is visiting it, and users don’t know who they are visiting or talking with. Sites hosted within Tor keep complete anonymity, making law enforcement and regulation extremely difficult. These hidden services, or onions, are known as the darknet. Onions are home to illegal markets, child abuse material, hacking forums and command and control servers for botnets. Onions use randomly generated URLs and are designed not to be discovered. When combined with cryptocurrencies, it is possible to buy or sell anything without being traced.

An additional feature of Tor is that it can be used like a VPN to mask your real IP address when browsing the world wide web, avoiding tracking and government firewalls and protecting one’s identity. It is used by ordinary people, political dissidents and hackers alike.

The technology

Tor works on the concept of ‘onion routing’: relaying data across a circuit of nodes. Traffic enters through a Guard node, passes through internal relays and leaves through an Exit node. Each relay knows the identity of only the previous and next node, and the data being relayed is wrapped in encryption so that it cannot be read in transit. With sufficient nodes, and with each hop wrapped in a separate layer of encryption, it is possible to keep the identity of the user anonymous. One encryption layer is removed at each successive Tor relay, and the remaining data is forwarded to the next relay in the circuit until it reaches the destination server. Only the client using Tor and the receiving server can read the data.
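To make the layering concrete, here is an added toy simulation (not the page's or the Tor Project's code) of the onion construction described above: the client wraps a payload in one layer per relay, and each relay can strip only its own layer, learning the next hop but not the payload. The cipher is a hash-based stand-in chosen so the example runs on the Python standard library; Tor's real circuit cryptography is different, and the relay names and keys are constructed for the demo.

```python
import hashlib
import json
import os

# Toy stream cipher (SHA-256 counter keystream XORed over the data), NOT Tor's real cipher.
def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, next_hop: str, inner: str) -> bytes:
    """Add one encryption layer; only the holder of `key` can recover next_hop and inner."""
    nonce = os.urandom(8)
    body = json.dumps({"next": next_hop, "data": inner}).encode()
    return nonce + xor_stream(key, nonce, body)

def build_onion(path, hop_keys, destination, payload) -> bytes:
    """Client wraps the payload once per relay: innermost (exit) layer first, guard last."""
    layer = wrap(hop_keys[path[-1]], destination, payload)
    for i in range(len(path) - 2, -1, -1):
        layer = wrap(hop_keys[path[i]], path[i + 1], layer.hex())
    return layer

def peel(key: bytes, blob: bytes):
    """A relay strips exactly one layer and learns only the next hop plus an opaque blob."""
    nonce, body = blob[:8], blob[8:]
    msg = json.loads(xor_stream(key, nonce, body).decode("utf-8"))
    return msg["next"], msg["data"]

def can_peel(key: bytes, blob: bytes) -> bool:
    """True only for the relay holding the right key; a wrong key yields garbage."""
    try:
        peel(key, blob)
        return True
    except (ValueError, TypeError, KeyError):
        return False

def run_circuit(path, hop_keys, destination, payload):
    """Send the onion hop by hop; record what each relay saw and what the exit forwards."""
    blob = build_onion(path, hop_keys, destination, payload)
    views = []
    for i, relay in enumerate(path):
        next_hop, data = peel(hop_keys[relay], blob)
        views.append({"relay": relay, "next": next_hop, "sees_payload": data == payload})
        if i < len(path) - 1:
            blob = bytes.fromhex(data)   # still ciphertext for this relay
    return views, next_hop, data
```

Run `run_circuit(["guard", "middle", "exit"], keys, "example.onion", "hello")` and inspect `views`: only the exit entry reports `sees_payload`, and the guard and middle entries show just the next hop.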

What is the darknet used for?

Searchlight Security has developed a suite of tools that enable it to index the darknet and monitor traffic. Cerberus is a web-based tool that allows users to explore the darknet safely and comprehensively. This oversight provides a high-level overview of the darknet along with forensic analysis. As a result it is possible to see not only what hidden services are being used for, but also what users are searching for, where they are going and what Tor is being used for on the clearnet.

65% of all searches on the darknet are explicitly for illegal content. That is not to say that searches for illicit content are limited to that figure, only that some searches are ambiguous in nature. Illegal content includes child abuse material and extreme pornography, drugs, cyber weapons and markets selling stolen credentials and fraudulent documents such as passports.

Tor and cryptocurrency are combined to facilitate the trading of illicit materials, including drugs, weapons and stolen data, on darknet markets. Notorious examples include Silk Road, AlphaBay and Dream Market. It is thought that darknet markets turned over more than $600 million in bitcoin in 2018 alone. Crime really does pay on the darknet.

Social media is used by everyone, including criminals. Darknet forums build criminal communities specialising in a broad spectrum of topics, including child exploitation, fraud, violent crime, money laundering, drug production, hacking and terrorism.

The darknet is increasingly being used by hackers as a layer of protection. Command and control servers for automated hacking tools and botnets are hosted on hidden services, allowing the controllers to orchestrate their malware without the risk of being discovered. Ransomware often directs victims to a hidden service to transfer cryptocurrency to the hacker's account. A recent high-profile example of this is the WannaCry attack, which disabled a huge number of systems including factories, government facilities and hospitals.

If you are an academic, journalist or have an interest in the darknet, please get in touch through the contact page.

Get in touch with Searchlight to discuss how we can enhance your intelligence capabilities.