The Tor network has a reputation for hosting some disturbing content. Then, there are the darknet marketplaces that deal in stolen credit cards, PayPal accounts, weapons, drugs, and in some dark corners, worse.
So, when the news hits that the authorities have outsmarted the shady criminals that run the darknet markets, you must wonder, what went wrong? Is there a security flaw in the Tor network? Or is it poor operational security that leads to the takedown of seemingly impenetrable Tor hidden services?
Here’s how they catch the owners of darknet markets and why you need extra security while using the Tor network.
What Is a Darknet Market?
A darknet market is an online marketplace hosted on the Tor network. The Tor network is at times referred to as the “darknet,” as the regular internet is known as the “clearnet.” At other times, the term is used interchangeably with “dark web.”
However, the term “deep web” refers to yet another part of the internet. Specifically, the deep web refers to the bits of the internet that you cannot reach using a search engine, but make up the majority of the internet as we know it. Databases, journals, webmail accounts, online banking portals, and unindexed paywalled services are prime examples of the deep web.
Back to the darknet markets.
Darknet markets are notorious for allowing users to buy and sell almost anything—and I mean, anything. Darknet market operators use the anonymity of the Tor network to run their services, while vendors and “shoppers” can rely on Tor to maintain their privacy.
Understandably, authorities around the world are less than enthused about anonymous online marketplaces selling all manner of nefarious goods. But if the Tor network protects the darknet market operators, vendors, and sellers, how do the authorities even begin to think about taking them down?
How Do Authorities Take Down a Darknet Market?
In early May 2019, the German authorities succeeded in the takedown of one of the largest darknet markets on the Tor network. The Wall Street Market (WSM) had slowly moved up the rankings to become one of the most popular darknet markets. According to Europol, who led the takedown, Wall Street Market had more than 1.15 million users and over 5,400 vendors for drugs, malware, and other illegal paraphernalia.
The operators were making millions of dollars every year in both cryptocurrency and fiat, as well as making extravagant purchases such as a supercar, a villa, and so on.
So, how did Europol’s “Dark Web Team” and the German federal police (the Bundeskriminalamt, or BKA) combine to take down the Wall Street Market?
WSM Administrator #1: Unstable VPN
An unstable VPN connection.
At least, that is what exposed WSM administrator Tibo Lousee. Lousee accessed WSM “primarily through the use of two VPN service providers.” Lousee didn’t notice that one of his VPN connections had dropped, and he continued to use the WSM infrastructure and backend as usual.
As the VPN was no longer securing the connection, his continued access ultimately exposed his true IP address.
Now, the authorities couldn’t just go and knock on the door of the location linked to the IP address. That’s because the IP address was linked to a pre-paid USB internet dongle. The dongle was, understandably, registered to a fake name. The BKA used several surveillance techniques to track the specific USB dongle to a house in North Rhine-Westphalia, not too far from the German border with the Netherlands.
WSM Administrator #2: VPN Metadata
The second WSM administrator arrested also had issues with his VPN. Jonathan Kalla’s VPN didn’t fail, but the metadata available to the German authorities allowed them to correlate an IP address assigned to his home to a VPN account registered using his mother’s name.
While a VPN does protect the data in transit, an entity that can see the entire network can attempt to correlate activity between the connections on either side of the VPN.
WSM Administrator #3: Leaked Identity
The final WSM administrator, Klaus-Martin Frost, didn’t reveal his identity via a VPN issue. Rather, he cross-contaminated his cryptocurrency accounts with his cryptographic identities: the PGP keys he used across markets.
The PGP public key for [WSM administrative account] ‘TheOne’ is the same as the PGP public key for another moniker on [another hidden service] Hansa Market, ‘dudebuy.’ As described below, a financial transaction connected to a virtual currency wallet used by FROST was linked to ‘dudebuy.’
[The BKA] located the PGP public key for ‘TheOne’ in the WSM database, referred to as ‘Public Key 1’.
Public Key 1 was the PGP public key for ‘dudebuy.’ The ‘refund wallet’ for ‘dudebuy’ was Wallet 2.
Wallet 2 was a source of funds for a Bitcoin transaction… Records obtained from the Bitcoin Payment Processing Company revealed buyer information for that Bitcoin transaction as ‘Martin Frost,’ using the email address klaus-martin.frost@…
The links between the cryptocurrency accounts, the PGP keys used to sign and encrypt messages on multiple darknet markets, and the transaction history are damning. The US Postal Inspection Service, which, by the by, has a highly trained cyber task force, had already begun linking Bitcoin accounts and cryptocurrency transactions to Frost, too.
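As an added illustration (not from the article, Europol or the BKA), here is the correlation described above reduced to code: given records that tie a moniker to a PGP key fingerprint or a refund wallet, any identifier that appears under two accounts links them, and following those links from ‘TheOne’ reaches the real-name payment record. The fingerprints, wallet labels and record layout are constructed placeholders.

```python
"""Link pseudonymous market accounts through reused public identifiers.
Constructed sample data, not case-file values: each record ties a moniker
on some market to a PGP key fingerprint and/or a refund wallet."""
from collections import defaultdict

# Constructed observations shaped like the WSM/Hansa linkage in the article.
# "PaymentProcessor" rows stand in for the processor's buyer records.
OBSERVATIONS = [
    {"market": "WSM",   "moniker": "TheOne",  "pgp_fpr": "FPR-AAAA", "wallet": None},
    {"market": "Hansa", "moniker": "dudebuy", "pgp_fpr": "FPR-AAAA", "wallet": "WALLET-2"},
    {"market": "Hansa", "moniker": "other1",  "pgp_fpr": "FPR-BBBB", "wallet": "WALLET-9"},
    {"market": "PaymentProcessor", "moniker": "buyer:Martin Frost",
     "pgp_fpr": None, "wallet": "WALLET-2"},
]


def build_links(observations):
    """Map each (kind, value) identifier to the accounts seen using it."""
    by_identifier = defaultdict(set)
    for obs in observations:
        account = f"{obs['market']}/{obs['moniker']}"
        for kind in ("pgp_fpr", "wallet"):
            if obs.get(kind):                      # skip missing identifiers
                by_identifier[(kind, obs[kind])].add(account)
    return by_identifier


def shared_identifiers(observations):
    """Identifiers reused by more than one account: the evidence for a link."""
    return {ident: accts for ident, accts in build_links(observations).items()
            if len(accts) > 1}


def linked_accounts(observations, start):
    """Accounts reachable from `start` via reused identifiers, mapped to the
    identifier that first connected each one (an evidence chain)."""
    adjacency = defaultdict(dict)              # account -> {neighbour: identifier}
    for ident, accts in shared_identifiers(observations).items():
        for a in accts:
            for b in accts - {a}:
                adjacency[a].setdefault(b, ident)
    evidence, queue = {start: None}, [start]   # breadth-first walk of the links
    while queue:
        node = queue.pop(0)
        for neighbour, ident in adjacency[node].items():
            if neighbour not in evidence:
                evidence[neighbour] = ident
                queue.append(neighbour)
    return evidence
```

Starting from “WSM/TheOne”, the walk reaches “Hansa/dudebuy” through the shared fingerprint and then the processor’s buyer record through the shared wallet; an account that reuses nothing links to no one.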
Wall Street Market Exit Scam
Europol and the BKA were tracking the WSM administrators as early as 2017. However, in mid-April 2019, the admin team began moving huge quantities of cryptocurrency from the site in an attempted exit scam.
An exit scam is the process where a business or organization builds a reputation of trust to entice customers and vendors, only to pull the rug from under their feet once they are comfortable. The three WSM admins’ plan to steal all of the cryptocurrency stepped up the efforts to capture them, potentially hastening their demise.
Unfortunately for those who already lost their cryptocurrency, it isn’t coming back; it is difficult to claim your cryptocurrency back from the authorities if it was seized in escrow on a darknet market.
Exit scams are just one of the reasons you should consider avoiding the dark web.
Staying Safe on the Dark Web
Privacy advocates sometimes suggest using Tor to protect your identity while online. In truth, Tor can only do so much for your privacy and security. If you are not correctly using Tor, you could end up exposing yourself and your online activity. The repercussions of a Tor data leak depend on what you are using Tor for.
Despite the issues presented above regarding the use of a VPN, I would still strongly advise using one. Not just any VPN, either. A paid-for VPN that does not keep logs will protect your privacy significantly more than a free option. A free option must monetize somehow, and your data is often the source.
Two of our favorite VPN providers are ExpressVPN and CyberGhost. Both have long, respected histories of keeping your data private when it matters.
A VPN isn’t the only way you can increase your security and privacy while using the Tor network. Here are three more tips:
- Do not trust anything or anyone because you do not know the real purpose of a Tor hidden service, who owns it, why they are running the service, and so on. That mistrust extends to links, too.
- Remain private. Do not use or provide any personal information on the dark web. As the “underside” of the internet, you never know who is waiting to steal your data.
- Use antivirus and antimalware. An up-to-date antivirus suite is vital. I would strongly advise using an antimalware suite, too. Malwarebytes Premium has more features than the basic version, such as real-time protection, and is well worth the price of the upgrade.
Avoid the Bad Side of the Dark Web
It is no secret that the dark web has a sinister underside. In all honesty, you don’t have to go far before you find it. The easiest way to avoid encountering nefarious goods, dangerous materials, and the potential of a knock at the door from John Law is to steer clear of the darknet markets altogether.
Want to learn more about the dark web? Sign up for the free MakeUseOf email course that will help you safely explore the hidden internet.