Analysis casts doubt on FBI claims over Tor website seizures

The majority of Tor-based hidden services closed down by law enforcement agencies last week were clones or fakes, according to a new analysis of the operation.

In what the 16-member states of Europol, the FBI, US Immigration and Customs Enforcement (ICE) and Homeland Security called Operation Onymous, more than 410 hidden services hosted on .onion pages through the Tor network were closed down this month, according to the agencies.

Over $1 million in Bitcoin, 180,000 euros in cash, drugs, gold and silver were also seized during the sting.

The Tor Project group said at the time they were surprised at the closures, and had "very little information about how this was accomplished," — appealing to the general public for theories and potential answers in the process.

"[We are] most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents," the group said.

However, a new analysis published Monday reveals interesting findings that place the law enforcement agencies' claims in doubt. Blogger Nik Cubrilovic and others conducted a web crawl on the Tor network, and according to the Australia-based blogger, while Europol and the FBI claimed to have seized 410 services, a crawl of over 9,000 onion sites found that only 276 services were taken down.

153 of these addresses belonged to clone, scam or phishing sites, and out of these 153 sites, 133 were clones and 20 were malicious.

Cubrilovic says that in a number of cases, the FBI was only able to take the clone or scam version, but left the real site operational.

"In May of 2014 a bot known as the 'Onion Cloner' was discovered and became known to Tor hidden service operators," Cubrilovic writes. "This bot would find Tor hidden sites and clone them on its own address in an effort to steal passwords or intercept Bitcoin transactions. Of the 133 clone sites that the FBI seized, a large number of them were clone sites produced by the Onion Cloner that were mistaken for the real copy."

Read this

FBI Director: Mobile encryption could lead us to 'very dark place'

Apple's and Google's encryption plans have not gone down well with US law enforcement, and the agency's director says the companies are leading us down a dark path.

• Read more

The blogger also claims that out of 32 onion addresses mentioned in the DOJ seizure notice, three are scam sites and nine are clones. Interestingly, while Cubrilovic says every single Onion Cloner clone site on the network was seized, a number of sites were also seized but have not been mentioned in any official notice.

Among these websites is "Pink Meth," a revenge porn website, and an additional 200 sites that have not been disclosed.

Cubrilovic says:

If this research is corroborated, it would be good news for privacy advocates who feared the existence of a major security flaw that left the network exposed, as the Tor Group had no idea how the take-downs occurred. While the Tor network is used for some illegal means, the onion system does boost private security — which can be essential in some countries for political dissidents and campaigners who need to keep their identities hidden.

In related news, the Tor Group released the latest version of their software, 4.5 alpha 1, on Monday. As part of Tor's planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only.

Read on: In the world of security

• Apple Pay rival CurrentC hacked

• FBI Director: Mobile encryption could lead us to 'very dark place'

• FBI chief compares Chinese hackers to 'drunk burglars'

• Hackers infiltrate White House network

• Teen hackers charged with stealing $100 million in Army, Microsoft tech

• Enterprise network security takes backseat to speed: McAfee

• Military secrets theft hacking trail leads to Russia

• Facebook doubles advertising bug bounty