Last week's arrest of a man alleged to have helped run the Silk Road 2.0 online drug bazaar has touched off speculation that he was identified using a controversial attack that for six months last year systematically worked to deanonymize users of the Tor privacy service.
In a search warrant affidavit filed earlier this month, a special agent with the Department of Homeland Security said the Silk Road follow-on site was accessible only as a hidden service on Tor, a measure that typically would have made it impossible to identify the IP addresses hosting the underlying servers, as well as IPs used by end users who accessed them. Despite the use of Tor, FBI investigators were able to identify IP addresses that allegedly hosted and accessed the servers, including the Comcast-provided IP address of one Brian Farrell, who prosecutors said helped manage SR2. In the affidavit, DHS special agent Michael Larson wrote:
"From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2, which included its main marketplace URL (silkroad6ownowfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). The SOI's information ultimately led to the identification of SR2 servers, which led to the identification of at least another seventeen black markets on TOR.
"The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. A user cannot accidentally end up on the vendor site. The site is for vendors only, and access is only given to the site by the SR2 administrators/moderators after confirmation of a significant amount of successful transactions. If a user visits the vendor URL, he or she is asked for a user name and password. Without a user name and password, the vendor website cannot be viewed."
The timeframe of the information leak bears a striking resemblance to a deanonymization attack uncovered in July by Tor officials. For six months, the people behind the campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services. The decloaking effort began in late January 2014 and ran until early July when Tor officials shut it down. The Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who a few weeks earlier canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.