What is Tor and the Darknet?

The hidden services on Tor are colloquially known as the Darknet. Designed for anonymity yet freely accessible, the darknet has become a haven for criminal activity.

Originally developed by the US government for secure communications, Tor is now run by a separate organisation; The Tor project. Tor is a network run on servers, contributed by volunteers and requires special software to access it, the Tor browser. The Tor project receives funding from charities, universities, individuals, and governments. It is argued that Tor allows freedom of speech and safe internet access for citizens of repressive regimes.

The anonymity that Tor provides to protect citizens and frustrate snooping technology makes policing of this space extremely difficult. The server providers don’t know what material they are hosting, site admins don’t know where their site is hosted or who is visiting it, and users don’t know who they are visiting or talking with.  Sites hosted within Tor keep complete anonymity making law enforcement and regulation extremely difficult.  These hidden services, or onions, are known as the darknet.  Onions are home to illegal markets, child abuse material, hacking forums and command and control servers for botnets. Onions use randomly generated URLs and are designed not to be discovered.  When combined with crypto currencies, it is possible to buy or sell anything without being traced.

An additional feature of Tor is that it can be used like a VPN to mask a user's real IP address when browsing the world wide web. Avoiding tracking, government firewalls and protecting identity.  This is used by normal people, political dissidents, and hackers alike.

The technology

Tor works on the concept of ‘onion routing’; relaying data across a circuit of nodes.  Traffic is routed in through a Guard node, through internal relays, and out through an Exit node.  Each relay knows the identity of only the previous and next node. The data being relayed is wrapped in encryption making it impossible to read. Sufficient nodes combined with the wrapping of a separate layer of encryption around each hop, means it's possible to keep the identity of the user anonymous.  An encryption layer is decrypted at each successive Tor relay, and the remaining data is forwarded to any random relay until it reaches its destination server.  Only the client using Tor and receiving server can read the data.

What is the darknet used for?

Searchlight Security has developed a suite of tools to enable it to index the darknet and monitor traffic.  Cerberus is a web-based tool that allows users to explore the darknet safely and comprehensively.  This oversight enables a high-level overview of the darknet alongside forensic analysis.  As a result is it possible to not only see what hidden services are being used for but also what users are searching for, where they are going, and what Tor is being used for on the clearnet.

65% of all searches on the darknet are explicitly for illegal content.  That's not to say that the number of searches for illicit content is restricted to that, just that some searches are ambiguous in nature.  Illegal content includes child abuse material and extreme pornography, drugs, cyber weapons and markets selling stolen credentials and fraudulent documents such as passports.

Tor and crypto currency are combined to facilitate the trading of illicit materials including drugs, weapons and stolen data on darknet markets. Notorious examples include Silk Road, Alphabay and Dream Market. It is thought that darknet markets turned over over $600million in bitcoin in 2018 alone.  Crime really does pay on the darknet.

Social media is used by all, including criminals.  Darknet forums build criminal communities specialising in a broad spectrum of topics including child exploitation, fraud, violent crime, money laundering, drug production, hacking and terrorism.

The darknet is increasingly being used by hackers as a layer of protection. Command and control servers for automated hacking tools and botnets are hosted on hidden services allowing the controllers to orchestrate their malware without the risk of being discovered.  Ransomware often directs victims to a hidden service to transfer cryptocurrency to the hacker's account. A recent high profile example of this is the WannaCry attack that disabled a huge number of systems including factories, government facilities and hospitals.

If you are an academic, journalist or have an interest in the darknet, please get in touch through the contact page.

Get in touch with Searchlight to discuss how we can enhance your intelligence capabilities.