Operation Onymous

Operation Onymous was an international law enforcement operation targeting darknet markets and other hidden services operating on the Tor network.

Raids

On 5 and 6 November 2014, a number of websites initially claimed to be over 400, were shut down including drug markets such as Silk Road 2.0, Cloud 9 and Hydra. Other sites targeted included money laundering sites and “contraband sites”. The operation involved the police forces of 17 countries. In total there were 17 arrests. Defcon was “one of the primary targets”.

$1 million in Bitcoin was seized, along with €180,000 in cash, gold, silver, and drugs.

US and European agencies sought to publicize the claimed success of their six-month-long operation, which “went flawlessly”.

Other leading drug markets in the Deep Web were unaffected, such as Agora, Evolution, and Andromeda. Whereas Silk Road did not, in fact, distribute weapons, or offer contract killings, Evolution did allow trade of weapons as well as drugs. Prior to the closure of Silk Road 2.0, Agora already carried more listings than Silk Road, and Evolution was also expected to overtake it. Agora and Evolution are more professional operations than Silk Road, with more advanced security; the arrest of the alleged Silk Road manager is thought to have been largely due to a series of careless mistakes.

The figure of 414 darknet sites, which was widely reported internationally, and appeared in many news headlines, was later adjusted without explanation to “upward of 50” sites. The true figure is thought to be nearer to 27 sites, to which all 414 .onion addresses direct. Australian journalist Nik Cubrilovic claimed to have discovered 276 seized sites, based on a crawl of all onion sites, of which 153 were scam, clone or phishing sites.

Tor exploit

The number of sites that police initially claimed to have infiltrated led to speculation that a weakness in the Tor network had been exploited. This possibility was downplayed by Andrew Lewman, a representative of the not-for-profit Tor project, suggesting that the execution of traditional police work such as following Bitcoins was more likely. Lewman suggested that such claims were “overblown” and that the authorities wanted to simply give the impression they had “cracked” Tor to deter others from using it for criminal purposes.

It has been speculated that hidden services could have been deanonymized if law enforcement replicated the research by CERT at Carnegie Mellon University up until the July 30th patch to mitigate the issue. If sufficient relay nodes were DDOSed, an attacker could perform traffic confirmation attacks in conjunction with a Sybil attack, by forcing traffic to route over law enforcement controlled nodes, a theory partially supported by logs released by the administrator of Doxbin. Court documents released in November 2015 generated serious research ethics concerns in the Tor and security research communities about the warrantless exploit (which presumably had been active from February 2014 to July 4, 2015). The Tor Project patched the vulnerability and the FBI denied having paid Carnegie Mellon $1 million to exploit it. Carnegie Mellon also denied receiving money.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Originally published at https://cryptonomad.info on September 11, 2019.