Global Internet Gumshoes Say They Broke the Super-Privacy Tool Tor

When setting up a global drug market online, here’s a piece of advice: Don’t use your personal and publicly available email address to control the server that hosts that virtual bazaar.

Incredibly, that’s exactly what the man behind one of the world’s largest online drug exchanges did. This week, that man, Blake Benthall, a 26-year-old programmer, was arrested by U.S. federal authorities and charged with running an international drug trafficking ring.

If you want to get in touch with him, try blake@benthall.net, the email address used to register Silk Road 2.0, the “dark web” drug market that emerged after U.S. authorities shut down the original Silk Road, a pioneer of illicit online drug sales:

According to the criminal complaint filed in a New York federal court detailing charges against him, Benthall was easily identified once federal authorities discovered a server used to run Silk Road 2.0. His email address gave away his name and was listed on several publicly available social media profiles, including his account on GitHub, an online forum for programmers.

But Benthall’s arrest is only the most prominent example of a sweeping effort this week by U.S. and European authorities, dubbed Operation Onymous, to crack down on illicit online marketplaces. Altogether, they claim to have taken down more than 410 marketplaces operating via the Tor network, knocking out some of the web’s most prominent distributors of guns, drugs, and a laundry list of other illicit goods and services. Authorities also say they have arrested 17 vendors and administrators.

This section of the Internet, reachable only via a Tor browser, is colloquially known as the dark web, and its use of Tor, which stands for “The Onion Router,” preserves the total anonymity of its users. Tor does this by bouncing the Internet connections of its users off a network of servers distributed around the world. By passing a signal through a series of servers, a user’s Internet activity becomes untraceable. It’s a powerful tool for both human rights activists seeking to avoid being traced by an authoritarian regime and for cyber-criminals trying to dodge the NSA and FBI. Whistleblower Edward Snowden has repeatedly cited Tor as one of the main tools to fight back against mass government surveillance.

Now, Western law enforcement agencies claim to have broken the tool. If true, this week’s arrests and takedowns would represent a huge development in efforts to crack down on anonymous corners of the web. “It’s a game changer,” Ulf Bergstrom, a spokesman for the European Union’s legal coordination agency, told the Wall Street Journal. “You’re not anonymous anymore when you’re using Tor.”

Another mystery in the raft of arrests is how investigators discovered Benthall’s server in the first place.

Originally developed to protect U.S. Navy communications, Tor is regarded by America’s most skilled cryptographers as a formidable technical adversary. The NSA has targeted Tor users in efforts to undermine the network; its continued integrity is one of the main battlegrounds in efforts to maintain the possibility of anonymous online communication.

The discovery of a server through what are called de-anonymization techniques — ways to undermine the privacy protections of tools like Tor — would represent a major breach of the technology and a huge win for those who would like to shut down these illicit corners of the web. Among the more than 400 sites shuttered during the international crackdown were three of the six largest drug markets on the dark web.

That authorities only shut down half of the heavyweight drug sellers is a testament to the system’s resilience.

Yet Tor isn’t a foolproof system. When late last year, U.S. and Irish authorities caught the mastermind behind the dark web’s premier purveyor of child pornography, it did so by exploiting an unknown weakness in the Firefox browser, through which Tor can be run, to infect the computers of those who visited sites maintained by server-provider Freedom Hosting, which had long been associated with child porn. That technique led investigators to Eric Eoin Marques, a 28-year-old Irishman and the architect of Freedom Hosting.

Perhaps more alarming for Tor was when researchers at Carnegie Mellon University claimed this summer that they had been able to determine the identities of users on Tor “in the wild.” Basically, the researchers found that by controlling a large number of servers in the Tor network, they could track signals passing through it. Using sophisticated traffic analysis, they discovered the identities of Tor users.

The Carnegie Mellon researchers were supposed to present their findings at a programming conference but their talk was abruptly canceled, raising questions about whether they instead privately passed on what they learned to the U.S. government. Tor says that the problem has been fixed but acknowledges that it isn’t completely certain.

In an interview with Wired, Andrew Lewman, who serves as the executive director of the Tor Project, the nonprofit that runs the network, downplayed the risk that Tor was compromised. “It sounds like old-fashioned police work continues to be effective,” he said. “It could be [that law enforcement targeted] common people or organizations running these hidden services, or a hosting company, or something more mundane than a hidden service exploit.”

In an email to FP, Lewman offered no further details. “Tor was created to protect people’s privacy and anonymity, and we don’t condone its use for these illegal activities. As more information becomes available, we’ll provide additional comment as warranted.”

But there’s good reason to believe that American and European authorities are overstating their ability to break Tor in an effort to dissuade people from using it. Earlier today, U.K. authorities offered this comment on Twitter:

Still think you’re anonymous on the Dark Web? #Onymous

— NationalCrimeAgency (@NCA_UK) November 7, 2014

Moreover, if U.S. and European authorities have really taken down more than 400 marketplaces, then why did they only arrest 17 people? It’s certainly possible that many dark web markets are run by a small group of savvy users, but the ratio of nearly 25 to 1 between markets and arrests is strikingly high.

Indeed, the criminal complaint against Benthall explains that U.S. investigators had a key advantage against the programmer: They had an undercover agent on his support staff. The complaint doesn’t make it entirely clear how the FBI inserted this agent, but it appears that he or she was present from the site’s creation shortly after the original Silk Road was taken down in October of last year.

That piece of police work would appear to lend credence to Lewman and Tor’s claim that the network wasn’t systematically at fault. Rather, authorities probably discovered a so-called “zero day” exploit, a weakness that Tor and its users were unaware of, and turned it toward their advantage, just like they did in taking down Freedom Hosting.

Tor’s continued viability will probably be best measured by whether the arrests continue to stack up.