Nik Cubrilovic

Large Number of Tor Hidden Sites Seized by the FBI in Operation Onymous were Clone or Scam Sites

This post is the first in a series dealing with the takedown of Silk Road 2.0 and Operation Onymous. The data in this post was put together with @secruedmh and @imposter. A big thanks to Juha Nurmi and his Tor Hidden Service Index, and to researchers who share their work or report on stories, such as lamoustache, gwern and deepdotweb, along with others who don’t wish to be named, for helping us fill in our index and cache. For updates, follow on Twitter.

In the two weeks since Silk Road 2.0 and a large number of other Tor-hosted hidden services were taken down as part of Operation Onymous, we have crawled and indexed onion sites to find out just how many sites were seized and which sites they were. Initial reports said 410 sites were seized, then 400, and this number has continued to be revised down until Europol said only some two dozen sites were seized. Our crawl of just over 9,000 onion sites has found 276 seized onion sites.

The full table of seized onion sites we discovered is below. First, an overview of the data and some findings:

  1. Out of a total of 276 seized onion addresses found, we identified 153 of the addresses as belonging to either clone, scam or phishing sites.
  2. Of the 153 clone or scam sites, 133 were clones and 20 were scam or phishing sites.
  3. In a number of cases the FBI has seized the clone or scam version of a site while leaving up the real site.
  4. In May of 2014 a bot known as the “Onion Cloner” was discovered and became known to Tor hidden service operators. This bot would find Tor hidden sites and clone them on its own address in an effort to steal passwords or intercept Bitcoin transactions. Of the 133 clone sites that the FBI seized, a large number of them were clone sites produced by the Onion Cloner that were mistaken for the real copy.
  5. Of the 8 websites mentioned in the FBI press release, 2 are clones and 1 is a scam site.
  6. Of the 32 onion addresses mentioned in the DOJ seizure notice filed in US court, 3 are scam sites and 9 are clone websites.
  7. As far as our survey has revealed and based on prior data about the Onion Cloner, every single Onion Cloner clone site has been seized or is no longer available.
  8. For the following sites, the clone or fake version was seized while the real site remains live: Cannabis UK, CStore, Dedope, Executive Outcomes, FakeID, Fake Real Plastic, Hackintosh, Pablo Escobar Drug Store, Real Cards Team, Smokeables, Zero Squad. Some of these sites were mentioned in the FBI press release or court seizure notice as having been taken down when in fact the clones were seized.
  9. There are almost 200 sites that have been seized that are not mentioned in any seizure notice or press release. These include the (real) sites for Fish Squad, Exposed, Hack the Planet, Cash Machine, DOXBIN, Pink Meth, OnionSphere and Mr Ouid’s Forum. That list includes personal websites, forums and other sites that had no outward appearance of illegal activity and are not mentioned in any court or press documents. These sites were seized with what appears to be little or no legal justification.
  10. Scam or phishing versions of Silk Road 2.0, Agora, Real Cards Team, Evolution and many other sites were seized.
  11. For some of the onion addresses, being mentioned in the FBI press release or the seizure notice is the first and only ever public web mention of the address.
  12. The website “Executive Outcomes”, which the FBI claims in seizure notices and press releases was a retailer of firearms, was a well-known scam site: it never shipped any weapons but took users’ funds.
  13. A clone of a Jihad funding website called “Fund the Islamic Struggle without leaving a trace” was seized, while the real website remains live (and has accepted over 5 BTC in donations).

Indications of Method

That the FBI seized so many clone and fake websites suggests a broad, untargeted sweep of hidden services rather than a targeted campaign. The slapshot nature of how sites were seized suggests that rather than starting with an onion address and then discovering the host server to seize, this campaign simply vacuumed up a large number of onion websites by targeting specific hosting companies. We have tracked down the hosting companies affected and the details will be published in a follow-up.

On that note, if you were the administrator of a hidden site that was seized, be it a clone or a real site, please get in touch. I’ve spoken to a number of admins and hosting companies and have put together what the seized sites had in common in order to deduce the method used to locate them. Information from admins and hosts is invaluable in working out what the weaknesses of the seized sites were, and what can be learned from the seizures. There is a high likelihood that none of the seizures will be tested or revealed in court, at least not in the short term, so getting this information is important.

Tor Onion Data

The database of hidden sites, which I believe is the largest that has been collated, will be posted to this GitHub repository sometime in the next couple of days. An earlier version of the crawler used is also available on GitHub. We are currently putting together an index of data from the seized sites, including the forums, and other Tor hidden services, along with a search engine. If you’re interested in contributing or adding data to it, send a pull request.

*Table key: Column S = Site mentioned in DOJ seizure notice. Column P = Site mentioned in FBI press release*

| Site | Host | Type | S | P |
|---|---|---|---|---|
| Tor Bazaar Forum | 22iwhc2luicynjqy.onion | | | |
| Fake ID | 23swqgocas65z7xz.onion | Clone | * | * |
| NLGrowers | 25ffhn7bm5fget24.onion | Scam | | |
| Tor web developer: | 2hcruaawg3e55vfa.onion | Clone | | |
| The Dealer: | 2sr3d7kvco5iy6ws.onion | Clone | | |
| Doublespend | 2xfmz7uf6ip6kpg3.onion | Scam | | |
| The Hidden Wiki (mirror): | 33lwkzt672innsj6.onion | Clone | | |
| KavkazCenter: | 33vqatzbvipi5ghe.onion | Clone | | |
| Trava Pricelist | 34j2fiy32xwuxsku.onion | | | |
| Sea Kitten Palace: | 3cvsdlyltwapggbf.onion | Clone | | |
| EU DRUGSTORE: | 3d635wnxku6h43eg.onion | Clone | | |
| FAQ : | 3e5rqv7542gxvwpk.onion | Clone | | |
| Bitiply | 3ioo62dyl5xawlmw.onion | Clone | | |
| | 3nslokdcllxywuxp.onion | | | |
| TORFORUM: | 3osf4ttzukk5aouy.onion | Clone | | |
| Tor Bazaar | 3p42y56a76g6okuv.onion | | * | |
| Fund The Islamic Struggle Anonymously | bc3nbr42tdnqamvs.onion | | | |
| Exposed – The Secret Web | 4dpc64mjcbu5kkyn.onion | Clone | | |
| AYPSELA news: | 4jdirmqv2o65dlum.onion | Clone | | |
| Cloud Nine | 4jt6iq3r3agaldg7.onion | | | |
| EasyCoin Bitcoin Wallet & Mixer” | 4p7orzshxhif6cfz.onion | Clone | | |
| TorShops | 4ywfa43x2dutp5ta.onion | Scam | | |
| Jotunbane’s Reading Club: | 52frxf3nn43n6rt5.onion | Clone | | |
| BrainMagic | 5j7o54ivsh3qqgu3.onion | Clone | | |
| 1 Hour Laundry: | 5mkcloe3kuefrqvr.onion | Clone | | |
| Fast Cash! | 5oulvdsnka55buw6.onion | | * | * |
| TorBox: | 5wxxvwnsvwsv2ens.onion | Clone | | |
| Farmer1 | 5x5hcw4ym6nno42p.onion | | * | |
| GreenPaper Counterfeiters (Super Notes) | 67yjqewxrd2ewbtp.onion | Scam | * | |
| Onion Mail: | 6e44iwci5e6iodyw.onion | Clone | | |
| Green Machine | 6hstmidevw5dhkct.onion | | | |
| The Green Machine | 6ijclyvilv53ll76.onion | | * | |
| SteamLoader: | 6nkwg6ngv5txpfqc.onion | Clone | | |
| Doxbin / DeDope | 6odhiu7bke342ip5.onion | | * | |
| Green Dragon Supplier | 6wlmeo5zdm5jzex5.onion | | | |
| Evolution (Phishing) | 7bt3s7ikypzurhue.onion | Scam | | |
| Wall Street Tor: | 7ttedph3rjhoh24y.onion | Clone | | |
| | 7xghcctm7r5ef6ce.onion | | | |
| Cash Flow | 7y6e3uutyvoi2myq.onion | | | |
| Babylon | a7jtfnjllglyjq4q.onion | | | |
| Onion Identity Services | abbujjh5vqtq77wg.onion | Scam | | |
| USFakeIDs | abo7iovzgznlqbno.onion | Clone | | |
| Lossless Audio Files: | afismo35weljjdcv.onion | Clone | | |
| KognitionsKyrkan: | afkpdjdkvkir4mp4.onion | Clone | | |
| Agora (Phishing) | agorazbdc4zq5oww.onion | Scam | | |
| Alpaca | alpaca727o3c75xx.onion | | | |
| Alpaca Marketplace | alpaca7bcqv2rnu3.onion | | * | |
| SOL’s Unified USD Counterfeit’s | aodaost3cbxnzgno.onion | Clone | * | |
| Cloud Nine | aoyukbwlwxzcllet.onion | | | |
| NLGrowers: | aukpec3jyuuoe5cm.onion | Clone | | |
| img.bi: | b35trto3blj4bpq4.onion | Clone | | |
| Onionweb filehosting: | b3xbwcuuflw73r5u.onion | Clone | | |
| TORCH | b7i32g7huhreg2dd.onion | Clone | | |
| Tor Bazaar | bazaar755zbjb121.onion | | * | |
| Tor Bazaar | bazaarlv2a7i3uyn.onion | | * | |
| Onion Channel | bcyh7mzfrekxobud.onion | Clone | | |
| Cloud Nine | bg62ti72ckuo6rm2.onion | | | |
| Blue Sky | blueskyplzv4fsti.onion | | * | * |
| Mysterious | bt7wb565zgx3xuug.onion | Clone | | |
| Bungee54 | bungee54uqchxfny.onion | | * | |
| Lion Pharma | bvhbasj4jxhwc7d7.onion | Clone | | |
| Cloud Nine (Main) | bviaqyj6obc54vhn.onion | | | |
| Cloud Nine | c6x3fexjje4uaczd.onion | | | |
| | c76dtzddabepos74.onion | | | |
| Buy Twitter Followers: | c7kbn6qnsw6glp5c.onion | Clone | | |
| Cannabis Road | cannabiskofvl7pa.onion | | * | |
| Hack The Planet | chippyits5cqbd7p.onion | | | |
| Cstore – Carded Store | cstoreav7i44h2lr.onion | | | |
| MAGIC MUSHROOMS STORE: | cvy25jynw7g6tamj.onion | Clone | | |
| Cloud Nine | cxhlovvocanzs7ka.onion | | | |
| TorSafe: | cxyamaiowtvnj22a.onion | Clone | | |
| Cloud Nine | cyeji6dcpvad5zsq.onion | | | |
| Cloud Nine | czl2oqmd3ovghwk5.onion | | | |
| The Pot Shop | d5jkxy5i6r3sddfw.onion | | | |
| Data Bin | databinhwin4xuxx.onion | | | |
| DeDope | dedope6uu7errzu3.onion | Scam | | |
| Steal This Wiki mirror: | dejxz2tiz6f5nbrp.onion | Clone | | |
| Black Market | dgoega4kbhnp53o7.onion | Clone | * | |
| Black Market: | dgoegaf7vnu3uowm.onion | Clone | | |
| Clean My Coins Fake | djyy6p2ohwkkmn2l.onion | Clone | | |
| Andromeda | dlifghyxshlgjlzw.onion | Clone | | |
| Help Guy | dm4gtebssktdskxn.onion | Clone | | |
| Blackbank Market (Scam) | do37y4wk2detgi6x.onion | Scam | | |
| Cannabis UK | dokpyl6egokvejos.onion | Clone | * | |
| Doxbin | doxbinbhx7nvfq62.onion | | | |
| Doxbin | doxbindtelxceher.onion | | | |
| Doxbin | doxbinicsjqqmohl.onion | | | |
| Doxbin | doxbinphonls5hsk.onion | | | |
| Doxbin | doxbinumfxfyytnh.onion | | | |
| Doxbin | doxbinyvbolyfhss.onion | | | |
| Doxbin | doxbinzqkeoso6sl.onion | | | |
| Pablo Escobar Drugstore | drugs6ayt3njhzha.onion | Scam | * | |
| Doxbin | dxwmc6b3mtklq44j.onion | | | |
| The Armory clone | dzc6ptsiaajb3mjj.onion | | | |
| Amberoad | e2lp3d74xdfqmguk.onion | Clone | | |
| Silkroad 2.0: | e5wvymnx6bx5euvy.onion | Clone | | |
| Outlaw Market | eaq2e77pmdvrepbq.onion | | | |
| EasyCoin | easycoinsayj7p5l.onion | | | |
| Cloud Nine | eb3bbtsqywrdo5ae.onion | | | |
| Real Cards Team | en74n7uqro3flkmz.onion | Clone | * | |
| Cloud Nine | epj7nsddjr3jaorc.onion | | | |
| Cloud Nine | epvjwvjhqs74iq7l.onion | | | |
| EuroGuns | eurogunjz5w4qb46.onion | Scam | | |
| Exposed | exposed36mq3ns23.onion | | | |
| Sell your pictures for Bitcoins | f2x5eapxymahuf2t.onion | Clone | | |
| EuCanna | f4ggfopjge6utz3n.onion | Clone | | |
| | fbnu5jkwi2daxcze.onion | | | |
| Cstore – Carded Store | fd4qqglswwsv6fph.onion | Clone | * | |
| Deutschland im Deep Web | fjgf5eo4zyntgbus.onion | Clone | | |
| Flugsvamp | flugsvampfgdzp76.onion | | | |
| Bitcoin For Proxy | fogcoreohrvfeur5.onion | Scam | | |
| Cannabis Road | forumzxmoorof4ja.onion | | * | |
| Welcome, We’ve been expecting you!:” | foubiqu6uin2dv2n.onion | Clone | | |
| USA/EU Fake Documents store: | ftkfjfsbsc3yebzw.onion | Clone | | |
| Laundry King: | fvb7crr4hu7u57m6.onion | Clone | | |
| Apples 4 Bitcoin | fvpibvo6tphexfvl.onion | Scam | | |
| Double Your Bitcoins | fwpplqylgbpjymrr.onion | Clone | | |
| MALINA | fzmmntb5ufod2zyt.onion | Clone | | |
| TorFind: | g3tqsiw5rc6d6vmc.onion | Clone | | |
| konkret – das linke magazine | gcymml5rdr6lhpto.onion | | | |
| | ghwntyvlyt5t65l4.onion | | | |
| Словесный Богатырь | gr4dszr5zd2k44qa.onion | Clone | | |
| Deep Web Radio: | gzkqe6rodeexilic.onion | Clone | | |
| DuckDuckGo: | h2dbmwstr6klbsi6.onion | Clone | | |
| The Pirate Market: | h5nfci2xgob2nheu.onion | Clone | | |
| Cloud Nine | h5ry3wfk7md3vkfc.onion | | | |
| Cash Machine | hcutffvavocsh6nd.onion | | | |
| The PaypalCenter | hd74evbdzn6cl264.onion | Scam | | |
| | heqiepy33ssju7bn.onion | | | |
| Black&Yellow | hwvx64v3zu43ih75.onion | | | |
| Hydra Forum | hydrafmchvpq5yc6.onion | | * | |
| Hydra | hydrampvvnunildl.onion | | * | * |
| Hydra Russian | hydraruehsdjjfud.onion | | | |
| TorSearch: | i7fahngv323nndta.onion | Clone | | |
| Executive Outcomes | iczyaan7hzkyjown.onion | Clone | * | * |
| Fake Real Plastic | igvmwp3544wpnd6u.onion | | * | * |
| TorGameDepot: | ilf5incisxerov56.onion | Clone | | |
| Cloud Nine | itjsuhezvyyi7pjg.onion | | | |
| | ixfdahfew32luevo.onion | | | |
| Super Notes Counter | j62alxawj7624ejg.onion | Clone | | |
| Hydra | j6372sksh6uolrzz.onion | | | |
| Site do Renan Jackson: | jcfcrq76kdc4ghmo.onion | Clone | | |
| Cocaine Market | jd3gdrtmhm7vwudx.onion | | | |
| CYRUSERV: | jf5p4debofmd2kdq.onion | Clone | | |
| Mr Quid’s Forum | jfekrr6wghtmalpd.onion | | | |
| Apple’s Tor | jff4wifbjuqmhubb.onion | Clone | * | |
| OnionNews: | jgfoj3jyfinnrbs5.onion | Clone | | |
| Cloud Nine | jgpvu5d5fufwpqa7.onion | | | |
| Cloud Nine | ji45q56enmtidgl5.onion | | | |
| Cheap Euros | jmntdqtytkuhqlzu.onion | Clone | | |
| The House of Cards: | jmobhake4txapqd7.onion | Clone | | |
| paraZite | juctmzs5jwu3cd6l.onion | Clone | | |
| Cloud Nine | jz3rmfugjt5eiyr5.onion | | | |
| WeBuyBitcoins | jzn5w5pmhmbqxmzi.onion | | | |
| Onion Identity Services | k5dvoeyiwakymez5.onion | Clone | | |
| DeDope | kbvbh4kdddiha2ht.onion | | | |
| Apple Palace | kcan7d4ahhryu6gg.onion | Clone | | |
| The Hidden Wiki | kpvz7ki2v5agwt35.onion | | | |
| The Tor Library: | lgic2yjpimouvjnw.onion | Clone | | |
| Cloud Nine | lhckzzv3qlvcwfg2.onion | | | |
| Doxbin | lhvxqyd7ux2oinn7.onion | | | |
| Kamagra for Bitcoin: | lnien5hngzlojppv.onion | Clone | | |
| The PayPal Center | lygnimwoedhioopl.onion | | | |
| Silkkitie | m2lbhzmzmfv5a763.onion | | | |
| Vault43 | m7653h3gcw7d2ytf.onion | | | |
| MALINA | malina2ihfyawiau.onion | | | |
| CebollaChan: | mdlhkgnddfijuh4z.onion | Clone | | |
| Runion | mescqp3y3sfo27rm.onion | Clone | | |
| Hidden Betcoin | mqaa6l5vb7rbpksf.onion | | | |
| The PayPal Center | mv5cb4hz3ecscshx.onion | | * | |
| Cloud Nine | mx7rzz5my2fq46wz.onion | | | |
| Prepaid Bliss: | n5qsqwl2y3qrr2jq.onion | Clone | | |
| Cloud Nine | n7hwwwncx3bcx5vc.onion | | | |
| Cloud Nine | ned32wtuel43cxbf.onion | | | |
| Torchan: | noqfeqisdgchn7zb.onion | Clone | | |
| Doxbin | npieqpvpjhrmdchg.onion | | | |
| MORAL.NU | nskxjg4c3nvwzxuw.onion | Clone | | |
| Paypal-Coins | o3ecpxemcg4itdoy.onion | Clone | | |
| Onionshop | onionsvpscug6wpk.onion | | | |
| The Secret Story Archive: | oqgylsk6seo42gpk.onion | Clone | | |
| Tor Bazaar Beta | orjidjtyniyzn5il.onion | | | |
| Drug Market | oxr3dae6epxdc4pg.onion | Clone | | |
| The Secret Story Archive #1st: | oxrxwesdxlnwsj3x.onion | Clone | | |
| USJUD Counterfeits | p4ecvpaclc44j3jz.onion | Clone | | |
| Cloud Nine | p6qx55i5r64mxq7n.onion | | | |
| Pandora | pandora3uym4z42b.onion | | * | * |
| Clone Site | pbq2zmsrh4cdxdxl.onion | Scam | | |
| UK Passports: | pclb34gpalrdxj4u.onion | Clone | | |
| nachash | penisycpu3fixdcr.onion | | | |
| Green Dragon Supplier | pg5epl6suareiqq6.onion | | | |
| Old Man Fixer’s Fixing Services | ph22uxxxttai7v2n.onion | Clone | | |
| BitPharma | pharmagbsxol4n4k.onion | | | |
| BitPharma | pharmajiyhpjflqi.onion | Clone | | |
| Pink Meth | pinkmethuylnenlz.onion | | | |
| Mobile Store | pptzzk2wye6rfeki.onion | Clone | | |
| MailTor: | pyvdmllsh6mczfgb.onion | Clone | | |
| PayPal4U | qbikfpcr4mhqoumm.onion | | | |
| R2D2 | qrfnwgdjdsgtx5u4.onion | Clone | | |
| Tor Carding Forums | qtr46f7bgf4kzt7q.onion | | | |
| Cloud Nine | rgam2tqpqhelm4ow.onion | | | |
| Cloud Nine | rhmhjalcohuys4a5.onion | | | |
| UK Guns and Ammo | rhqetwhda65zcakj.onion | Clone | | |
| RUForum: | rk5pbdbyrqksxui4.onion | Clone | | |
| Hidden Wiki: | rmhpp6w3ncrvxiub.onion | Clone | | |
| Tor: | rmnd3b5dvuqtshlh.onion | Clone | | |
| Cloud Nine | rndm56yv54aqe7pn.onion | | | |
| Example rendezvous points page: | rqjfolmb2h7iqdvq.onion | Clone | | |
| Thunder’s Place: | s5yvlnz7qljsdmtc.onion | Clone | | |
| ccPal | safj5y2f45whsvvs.onion | Clone | | |
| Cloud Nine | sdjv72hp5x6pt5en.onion | | | |
| Doxbin | senmtjpxn2m72nlu.onion | Clone | | |
| Silkkitie | silkkitiehdg5mug.onion | | | |
| Silk Road 2.0 | silkroad3og4b6bq.onion | Scam | | |
| Silk Road Forums | silkroad5v7dywlc.onion | | | |
| Silk Road | silkroad6midjsbr.onion | | * | |
| Silk Road | silkroad6ownowfk.onion | | | |
| Smokables | smoker3gvmgfbi4e.onion | Clone | * | |
| Brave Bunny | sqxamnigeby5u37b.onion | Clone | | |
| Wikileaks New link: | srozpqsnh2lgyewu.onion | Clone | | |
| Cloud Nine | srz5wvnyd7skt5uh.onion | | | |
| samsungstore | storegsq3o5mfxiz.onion | | | |
| Флибуста \| Книжное братство” | su74joxcacuafyq6.onion | Clone | | |
| [Forum PHISHING LINK] | t6la6i24jkow5roh.onion | Scam | | |
| Cloud Nine | taifcjgrifyjiwey.onion | | | |
| Apples 4 Bitcoin | tfwdi3izigxllure.onion | Scam | | |
| USA Citizenship | tgielwnuv3xzfg7r.onion | | | |
| Topix | topixslhezyytrvm.onion | | | |
| â… TOR-SERV â…: | torservsbt7rsbfg.onion | Clone | | |
| Cash Machine | tpe3rm2w4fkbtciu.onion | Clone | | |
| Galaxy Social Network | tvbkrvflzx2pmvpw.onion | Clone | | |
| The Hidden Market | uaq62zdqnjr4xo4q.onion | | | |
| Rent-A-Hacker | ubquja4ech6symkv.onion | Clone | | |
| Assassination Market: | ugq2p64trcyg3xgt.onion | Clone | | |
| Code:Green | uhfftlqlyjnelhcf.onion | Clone | | |
| Real Cards Team | ujompjlrdgbhkmuj.onion | | | |
| Dark Hosting: | ul4kmrygtkhbb5vz.onion | Clone | | |
| samsungstore | unsbwt2utosasdxq.onion | Clone | | |
| keys open doors: | uqbmgvisfz2wpj4v.onion | Clone | | |
| Creative Hack: | urjlsqe373ismjwg.onion | Clone | | |
| Fake Real Plastic | vc5apwufjoil3svw.onion | Clone | | |
| Torbook: | vg4gxg3mjymuh54x.onion | Clone | | |
| Green Star Station: | vgfzmngu7dh5ye76.onion | Clone | | |
| Hack The Planet: | vpkyqijluxa33ywp.onion | Clone | | |
| Rich Richard: | vz3ofn5f2lous44c.onion | Clone | | |
| Doxbin | wn323ufq7s23u35f.onion | | | |
| | woacuqcx45nfnfxy.onion | | | |
| HQER | wtpum5yzyihiewlq.onion | | | |
| Golden Nugget | wyj4d4u237p3coca.onion | Scam | | |
| lol 20th Century Western Music | x4am6cpmndsqzbu2.onion | Clone | | |
| | x4bfgkcuwiousozy.onion | | | |
| Cloud Nine | x7ikq6a3qx5qjikf.onion | | | |
| CC-Planet Fullz | xadxysdnd3ug2dea.onion | | | |
| Hydra Forums | xdbn2gsuk74nwd7f.onion | | | |
| Clean My Coins | xgrsaj3wykpofseb.onion | | | |
| RepAAA’s Hidden Empire | xskus6q7olpdlrkb.onion | | * | |
| Cloud Nine | xvqrvtnn4pbcnxwt.onion | | * | * |
| Beneath VT: | y4hzxepemtqcf4qh.onion | Clone | | |
| paraZite | y66x4b3jrt3mnglw.onion | Clone | | |
| Onion Wallet | y6dyzauztb5u2ufa.onion | Clone | | |
| Flugsvamp | yakwbcn5ou2wkzfx.onion | | | |
| Cipolla | ybphbuwerurne43o.onion | | | |
| | ycjvz5cu3mjc4wyd.onion | | | |
| Suojeluskunta: | ycngkogtvlaphgx2.onion | Clone | | |
| Cloud Nine | ye5n3ecw64utvmmh.onion | | | |
| Onix Electronics: | yhu73qfnjti3cmvf.onion | Clone | | |
| Zyprexa Kills: | yifsrwkdvjiojr7w.onion | Clone | | |
| Peoples Drug Store: | yrenuxvrrhmuvces.onion | Clone | | |
| USD Counterfeits | yrpavngfbhbc3tcc.onion | Clone | | |
| BuggedPlanet.Info: | yy5pepg54c5jry36.onion | Clone | | |
| Zero Squad | z5fvd3hwmtzkgaqy.onion | Scam | * | |
| The Intel Exchange: | z7d7gx53ne7fouyf.onion | Clone | | |
| Cloud Nine | z7rpuixjsncgomw7.onion | | | |
| OnionSphere: | zbojy7pmy5vrrcqe.onion | Clone | | |
| nekrotown: | zect4qky5qdam2xd.onion | Clone | | |
| Bitcoin-escrow: | zkwwpiiksjafjo35.onion | Clone | | |
| Mail2Tor: | zv7lufndr4khlicg.onion | Clone | | |