German law enforcement successfully de-anonymises Tor network, report claims

Despite apparent success in identifying criminals using Tor, the project’s executive director claims the network is still safe.

David Hollingworth
Fri, 20 Sep 2024

The German Federal Criminal Police Office and the Public Prosecutor General’s Office in Frankfurt am Main have reportedly been able to de-anonymise traffic on the Tor browser, successfully identifying and arresting the administrator of a dark web forum hosting child sexual abuse material.

The arrest occurred in 2021, and authorities remained quiet at the time about their methods, but new reporting from German media has revealed exactly how German police and allied agencies were able to sniff out the administrators of the forum, which was called Boystown.

According to German news outlet NDR, German authorities were able to isolate and monitor individual Tor nodes to identify the administrator. Using timing analysis, authorities were then able to trace individual data packets back to a specific user.


Tor – which stands for The Onion Router – anonymises traffic by routing data through nodes spread throughout the world. For instance, traffic might be routed through a node in Germany, then the United States, and finally the Netherlands. The data is then encrypted at the exit node, keeping a user’s IP address secure.

Anti-malware firm Malwarebytes described the process in a 19 September blog post.

“If you can monitor the traffic at both the entry and the exit points of the Tor network, you may be able to correlate the timing of a user’s true IP address to the destination of their traffic,” Malwarebytes said.

“To do this, one typically needs to control or observe both the entry node and the exit node used in a Tor circuit.”

Malwarebytes did note, however, that this process does not work on onion sites – the sites typically used by many ransomware gangs to host their leak sites, as “the traffic would never leave the Tor network in such a case”.

Timing analysis does not reveal the contents of a data packet, only its size and when it was sent.

Tor’s executive director, Isabela Fernandes, commented on the claims of de-anonymisation in a post to the Tor Project’s mailing list titled “Update on an upcoming German broadcasting story about Tor/Onion Services”.

Fernandes said that the Tor Project was contacted by journalists on 12 September “with a request for comment to their upcoming reporting of ‘investigative measures by German and international law enforcement agencies in the Tor network, in particular the localisation and de-anonymisation of onion services’”.

“The reporter claims to have ‘evidence that shows that in several cases German law enforcement authorities were able to locate the Tor entry node of onion services and thus successfully de-anonymise Tor users. V2 and V3 onion addresses were affected at least between Q3/2019 and Q2/2021’. The reporter further claims that ‘law enforcement agencies used so-called timing analyses and broad and long-term monitoring of Tor nodes in data centres’.”

The Tor Project, Fernandes said, has not been granted access to any of the evidence, and so it has not been able to verify the claims or make any “responsible disclosures to the Tor community, relay operators, and users at this time”.

Fernandes added a callout for the Tor community to provide any information they may have on the claims, but she considers the network currently safe to use.

“Tor users can continue to use Tor Browser to access the web securely and anonymously. Nothing that the Tor Project has learned about this incident suggests that Tor Browser was attacked or exploited,” Fernandes said.

“We encourage Tor Browser users and relay operators to keep software versions up to date.”

Law enforcement agencies from Canada, the Netherlands, the United States, and Australia were also involved in the Boystown investigation. The Australian Centre to Counter Child Exploitation, the Australian Federal Police, and the Queensland Police Service all took part in the investigation.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
