Large Number of Tor Hidden Sites Seized by the FBI in Operation Onymous were Clone or Scam Sites
This post is the first in a series dealing with the takedown of Silk Road 2.0 and Operation Onymous. The data in this post was put together with @secruedmh and @imposter. A big thanks to Juha Nurmi and his Tor Hidden Service Index, and to researchers who share their work or report on stories, such as lamoustache, gwern and deepdotweb, along with others who don’t wish to be named, for helping us fill in our index and cache. For updates follow on Twitter.
In the two weeks since Silk Road 2.0 and a large number of other Tor-hosted hidden services were taken down as part of Operation Onymous, we have crawled and indexed onion sites to find out how many sites were seized and which ones. Initial reports said 410 sites were seized, then 400, and this number continued to be revised down until Europol said only some two dozen sites were seized. Our crawl of just over 9,000 onion sites has found 276 seized onion sites.
The full table of seized onion sites we discovered is below. First, an overview of the data and some findings:
- Out of a total of 276 seized onion addresses found, we identified 153 of the addresses as belonging to either clone, scam or phishing sites.
- Of the 153 clone or scam sites, 133 were clones and 20 were scam or phishing sites.
- In a number of cases the FBI has seized the clone or scam version of a site while leaving up the real site.
- In May of 2014 a bot known as the “Onion Cloner” was discovered and became known to Tor hidden service operators. This bot would find Tor hidden sites and clone them on its own address in an effort to steal passwords or intercept Bitcoin transactions. Of the 133 clone sites that the FBI seized, a large number of them were clone sites produced by the Onion Cloner that were mistaken for the real copy.
- Of the 8 websites mentioned in the FBI press release, 2 are clones and 1 is a scam site.
- Of the 32 onion addresses mentioned in the DOJ seizure notice filed in US court, 3 are scam sites and 9 are clone websites.
- As far as our survey has revealed and based on prior data about the Onion Cloner, every single Onion Cloner clone site has been seized or is no longer available.
- For the following sites, the clone or fake version was seized while the real site remains live: Cannabis UK, CStore, Dedope, Executive Outcomes, FakeID, Fake Real Plastic, Hackintosh, Pablo Escobar Drug Store, Real Cards Team, Smokeables, Zero Squad. Some of these sites were mentioned in the FBI press release or court seizure notice as having been taken down when in fact the clones were seized.
- There are almost 200 sites that have been seized that are not mentioned in any seizure notice or press release. These include the (real) sites for Fish Squad, Exposed, Hack the Planet, Cash Machine, DOXBIN, Pink Meth, OnionSphere and Mr Quid’s Forum. That list includes personal websites, forums and other sites that had no outward appearance of illegal activity, and they are also not mentioned in any court or press documents. These sites were seized with what appears to be little or no legal justification.
- Scam or phishing versions of Silk Road 2.0, Agora, Real Cards Team, Evolution and many other sites were seized.
- For some of the onion addresses, being mentioned in the FBI press release or the seizure notice is the first and only ever public web mention of the address.
- The website “Executive Outcomes”, which the FBI claims in seizure notices and press releases was a retailer of firearms, was a well-known scam site: it never shipped any weapons but took users’ funds.
- A clone of a Jihad funding website called “Fund the Islamic Struggle without leaving a trace” was seized, while the real website remains live (and has accepted over 5 BTC in donations).
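The Onion Cloner finding above points to a check any crawl-based survey needs before treating an address as the real site: group addresses that serve the same content. The following is an added sketch, not the crawler code used for this post; it assumes a clone rewrites onion hostnames and Bitcoin addresses in the copied page (the post says only that the bot cloned sites to steal passwords or intercept Bitcoin transactions), and every host, address and page in it is constructed.

```python
import hashlib
import re
from collections import defaultdict

# 2014-era (v2) onion hostnames and legacy Bitcoin addresses.
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b")
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def fingerprint(html):
    """SHA-256 of the page with hostnames and payment addresses masked."""
    text = BTC_RE.sub("<btc>", ONION_RE.sub("<onion>", html))
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def clone_clusters(pages):
    """pages maps onion host -> HTML; return groups of hosts with equal content."""
    groups = defaultdict(list)
    for host, html in pages.items():
        groups[fingerprint(html)].append(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)


def payment_addresses(pages, cluster):
    """Bitcoin addresses each host in a cluster displays."""
    return {host: sorted(set(BTC_RE.findall(pages[host]))) for host in cluster}


def payments_diverge(pages, cluster):
    """True when hosts serving the same page ask for payment to different addresses."""
    shown = payment_addresses(pages, cluster)
    return len({tuple(addrs) for addrs in shown.values()}) > 1


# Constructed sample crawl: hosts and addresses are placeholders, not real ones.
REAL, CLONE, OTHER = ("a" * 16 + ".onion", "b" * 16 + ".onion", "c" * 16 + ".onion")
REAL_BTC, CLONE_BTC = "1" + "A" * 30, "1" + "B" * 30
SHOP = "<h1>Example Shop</h1><a href='http://{host}/cart'>Cart</a><p>Pay to {btc}</p>"
PAGES = {
    REAL: SHOP.format(host=REAL, btc=REAL_BTC),
    CLONE: SHOP.format(host=CLONE, btc=CLONE_BTC),
    OTHER: "<h1>Unrelated forum</h1>",
}

if __name__ == "__main__":
    for cluster in clone_clusters(PAGES):
        print(cluster, "payment addresses differ:", payments_diverge(PAGES, cluster))
```

Clustering shows that two addresses serve the same site, not which one is the original; deciding that needs outside evidence such as when each address was first publicly mentioned.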
Indications of Method
That the FBI seized so many clone and fake websites suggests a broad, untargeted sweep of hidden services rather than a targeted campaign. The slapdash nature of how sites were seized suggests that rather than starting with an onion address and then discovering the host server to seize, this campaign simply vacuumed up a large number of onion websites by targeting specific hosting companies. We have tracked down the hosting companies affected and the details will be published in a follow-up.
On that note, if you were the administrator of a hidden site that was seized, be it a clone or a real site, please get in touch. I’ve spoken to a number of admins and hosting companies and have put together what the seized sites had in common in order to deduce the method used to locate them. Information from admins and hosts is invaluable in working out what the weaknesses of the seized sites were, and what can be learned from the seizures. There is a high likelihood that none of the seizures will be tested or revealed in court, at least not in the short term, so getting this information is important.
Tor Onion Data
The database of hidden sites, which I believe is the largest that has been collated, will be posted to this GitHub repository sometime in the next couple of days. An earlier version of the crawler used is also available on GitHub. We are currently putting together an index of data from the seized sites, including the forums, and other Tor hidden services along with a search engine. If you’re interested in contributing or adding data to it send a pull request.
|Tor Bazaar Forum|
|Tor web developer:||Clone|
|The Hidden Wiki (mirror):||Clone|
|Sea Kitten Palace:||Clone|
|Fund The Islamic Struggle Anonymously|
|Exposed – The Secret Web||Clone|
|EasyCoin Bitcoin Wallet & Mixer||Clone|
|Jotunbane’s Reading Club:||Clone|
|1 Hour Laundry:||Clone|
|GreenPaper Counterfeiters (Super Notes)||Scam||*|
|The Green Machine||*|
|Doxbin / DeDope||*|
|Green Dragon Supplier|
|Wall Street Tor:||Clone|
|Onion Identity Services||Scam|
|Lossless Audio Files:||Clone|
|SOL’s Unified USD Counterfeit’s||Clone||*|
|Cloud Nine (Main)|
|Buy Twitter Followers:||Clone|
|Hack The Planet|
|Cstore – Carded Store|
|MAGIC MUSHROOMS STORE:||Clone|
|The Pot Shop|
|Steal This Wiki mirror:||Clone|
|Clean My Coins Fake||Clone|
|Blackbank Market (Scam)||Scam|
|Pablo Escobar Drugstore||Scam||*|
|The Armory clone|
|Real Cards Team||Clone||*|
|Sell your pictures for Bitcoins||Clone|
|Cstore – Carded Store||Clone||*|
|Deutschland im Deep Web||Clone|
|Bitcoin For Proxy||Scam|
|Welcome, We’ve been expecting you!:||Clone|
|USA/EU Fake Documents store:||Clone|
|Apples 4 Bitcoin||Scam|
|Double Your Bitcoins||Clone|
|konkret – das linke magazine|
|Deep Web Radio:||Clone|
|The Pirate Market:||Clone|
|Fake Real Plastic||*||*|
|Super Notes Counter||Clone|
|Site do Renan Jackson:||Clone|
|Mr Quid’s Forum|
|The House of Cards:||Clone|
|Onion Identity Services||Clone|
|The Hidden Wiki|
|The Tor Library:||Clone|
|Kamagra for Bitcoin:||Clone|
|The PayPal Center|
|The PayPal Center||*|
|The Secret Story Archive:||Clone|
|Tor Bazaar Beta|
|The Secret Story Archive #1st:||Clone|
|Green Dragon Supplier|
|Old Man Fixer’s Fixing Services||Clone|
|Tor Carding Forums|
|UK Guns and Ammo||Clone|
|Example rendezvous points page:||Clone|
|Silk Road 2.0||Scam|
|Silk Road Forums|
|Wikileaks New link:||Clone|
|Флибуста | Книжное братство||Clone|
|[Forum PHISHING LINK]||Scam|
|Apples 4 Bitcoin||Scam|
|★ TOR-SERV ★:||Clone|
|Galaxy Social Network||Clone|
|The Hidden Market|
|Real Cards Team|
|keys open doors:||Clone|
|Fake Real Plastic||Clone|
|Green Star Station:||Clone|
|Hack The Planet:||Clone|
|lol 20th Century Western Music||Clone|
|Clean My Coins|
|RepAAA’s Hidden Empire||*|
|Peoples Drug Store:||Clone|
|The Intel Exchange:||Clone|