Security Sidebar: Is Tor No Longer Safe?

The "Dark Web" (sometimes called the "Dark Net") is a collection of thousands of websites that use anonymity tools (like Tor or I2P) to hide their IP address and physical location.  These websites are notorious for conducting illegal activity like drug trade, money laundering, prostitution, etc.  This Dark Web is fascinating because it seemingly allows all this illegal activity to happen in plain sight.  A user who loads one of the anonymity tools and knows the site's URL can easily visit one of these illegal online marketplaces.  Take Tor, for instance (it's the most commonly used anonymity software).  Tor will encrypt web traffic in layers and route it through randomly-chosen computers around the world.  Each computer removes one of the encryption layers before passing it to the next hop point.  Because of this, it's extremely difficult (and many times impossible) to match the traffic's origin with its destination.  This provides a safe haven for illegal activity to take place in plain sight.  Imagine being a law enforcement official who watches all this illegal activity take place right in front of your face every day.  You know you can arrest someone for it, but who?  You can never trace the activity back to a known location/person.

It's easy to understand that law enforcement officials around the world are interested in taking down some of the sites on this Dark Web network...sites like Silk Road 2, Cloud 9, Cannabis Road, and Cash Machine to name just a few.  Of course, the problem has always been knowing who and where to strike.

"We can now show that they are neither invisible nor untouchable"

Welcome to "Operation Onymous."  Europol's Cybercrime Centre, the Federal Bureau of Investigations, the US Immigrations and Customs Enforcement, and the Department of Homeland Security announced earlier this month that they had formed a Joint Cybercrime Action Team and spent six months preparing to take down many of these illegal sites on Tor.  Troels Oerting (head of the Cybercrime Centre) said “we have demonstrated that we are able to efficiently remove vital criminal infrastructures that are supporting serious organised crime. And we are not 'just' removing these services from the open Internet; this time we have also hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable."

Many reports disagree on the actual number of sites that were taken down, but even the lowest estimates leave us doubting whether or not the feds were able to crack the secure foundation of the Tor network.  If only one or two sites had been compromised, you could reasonably believe poor OPSEC contributed to the problem.  But, when approximately 50 sites were taken down, it makes you wonder if the entire foundation of Tor anonymity was compromised.  When the feds were finished with their operation, 17 people were arrested including Blake Benthall who is said to have managed and administered the online drug marketplace Silk Road 2.0.


The Silk Road site once looked like this:


...but now looks like this:


As you can imagine, Tor is none too pleased.  A recent post relayed this message: "Tor is most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents."

I guess you always run the risk of law enforcement involvement when you provide an anonymous service and knowingly allow illegal activity to be so pervasive.

Tor is hoping that, when these convicts face trial, the police will have to explain how they broke in.  The police offered a different sentiment when they said “this is something we want to keep for ourselves.  The way we do this, we can’t share with the whole world, because we want to do it again and again and again.”

Despite this global force crackdown, many Tor (and Silk Road) users remain cautiously optimistic (Silk Road has been taken down before, by the way).  One user said “I predict that we will bounce back, stronger than before, but at this point I’m pretty freaked out.”

I guess no matter how you slice it or how you go about accomplishing it, crime doesn't pay.

Published Nov 26, 2014
Version 1.0

Was this article helpful?


  • I guess no matter how you slice it or how you go about accomplishing it, crime doesn't pay. That sums up the whole matter and I love that fabulous ending. I would also be curious to know how the police broke into the system and it would have been a lot nicer if anonymous activities could be filtered and limited to legal ones alone but, that would be very difficult if not impossible. The conclusion of the matter...Crime doesn't pay in any way.
  • JLew-teK_178256's avatar
    Historic F5 Account
    And just like that it's up again. Strange how IP's and DNS names can change so fast. :P
  • back in september 2013 infosecurity magazine did a piece on deanoymizing tor. "Tor is Not as Safe as You May Think" was the name of the article. it looks like watching incoming and outgoing traffic and matching traffic patterns can pinpoint people. They reference their analysis that shows 80% of users can be de-anonymized within 6 months of use and 100% of users from common locations within 3 months. Guess the criminals weren't varying their routine much.
  • Great question, ricky! As you know, most people use Tor to navigate the deep web, and F5 definitely knows all the Tor exit nodes in the world. The ASM is specifically configured to disallow any traffic from any Tor exit node (but that can be changed by your ASM admin if you want). So, while the ASM doesn't specifically have every deep web ip address loaded, it does keep an eye on traffic coming from those addresses based on Tor exit nodes. Hope this helps!


  • How can I see those ip address on ASM configuration ? How can I change this configuration?