The German police have located and closed the servers of Hydra, supposedly one of the largest online underground stores in the world.
Investigators from the Bundeskriminalamt (BKA, the Federal Criminal Police Office) claim that Hydra’s Russian-language dark website, accessible via the Tor network, had around 17 million customer accounts (many individual buyers may have had multiple accounts, of course) and more. 19,000 merchant accounts at the time it was closed.
As you would expect from a dark web marketplace, the main products traded online were illegal drugs, but the site also apparently offered a “coin tumbler” money laundering service aimed at creating hard-to-trace cryptocurrency transaction records. , and made a brisk trade. on forged identification documents.
according to a report From the BBC, locating the actual servers used to run Hydra was no easy task (the site has been online since at least 2015), but German police said they began following an advisory in mid-2021 that suggested the servers They were actually staying in Germany.
That led to the shutdown on Tuesday 2022-04-05, with the site’s front page changed to look like this:
What makes a Tor takedown difficult?
Tracking clients and servers back to their source in the tor networkdeliberately designed to protect privacy and resist removal, it is much more complex than sniffing conventional network traffic.
Regular network packets on their way to a destination contain a source IP number (network location) that indicates the first known device in the chain of traffic and a destination address that determines the IP number that is supposed to be connected. that must be sent.
But source IP numbers don’t always identify the exact computer that originated the request, because there could be an intermediate server handling traffic on behalf of that computer, although source IPs often identify a related device that could help track the true origin.
On a typical home network, for example, your router is presented as the source address for all outgoing network traffic, so the rest of the world sees your entire network as a single device, with a single IP number.
Your router keeps track of which response packets belong to which internal devices and redirects the necessary data internally when responses return.
This prevents law enforcement from immediately identifying exactly which device within your home was responsible for a specific network connection, but your router’s IP number usually, and very conveniently, identifies your home address, since your router’s IP number is assigned to your connection. by your ISP.
Your ISP can, and almost certainly will, respond to investigators’ legally authorized demands by identifying the home associated with your IP address, whether your router is the start (for example, you’re visiting suspicious locations) or the destination (for example, you are running a server that accepts suspicious connections) of apparently illegal activity.
Similarly, if you use a VPN (virtual private network), all your network traffic appears to originate from one of the VPN provider’s servers, often in a different country.
The VPN provider effectively becomes both your router and your ISP, and while tracing you back to the VPN itself may be easy, law enforcement may have a hard time getting the VPN to tell them where you live, especially since the VPN operator VPN could be in a different jurisdiction, and you may not even know your true identity.
However, the VPN provider can identify your IP number while you are connected, because without it they would not be able to relay traffic to you: you could send packets, but not receive responses.
Some VPNs claim that they do not keep any logs of past connections and thus claim that it is impossible for the police in your country or anywhere else to trace old traffic, because no logs of any IP numbers are kept.
But there are plenty of cases where “no-logs” VPN providers turned out to not only keep logs anyway, but also suffered data breaches that leaked this “non-existent” information to outsiders.
In fact, the problem with trusting a VPN provider as your primary way of maintaining your anonymity is that you have to have complete confidence in the technical skills and ethics of the provider and all of its staff.
What if you can’t trust the person in the middle?
Tor aims to improve the problem of “what if you can’t trust the person in the middle?” bouncing anonymous traffic through three different randomly chosen “routers” in succession.
When you create a Tor connection, your client software randomly selects three nodes from a pool of approximately 7,000 different Tor nodes run by volunteers from around the world and directs your traffic through those three nodes, like so:
Client -> Tor Node 1 -> Tor Node 2 -> Tor Node 3 -> Server
Also, and this is the clever part, the identity of Server encrypted with the public key of the Tor3 node, and this encrypted blob is encrypted with the public key of Tor2which is then encrypted with the public key of Tor1.
Therefore, the routing details of your network traffic are encrypted at multiple layers, like an onion, which is why Tor’s full name is The onion router.
So he Tor1 The node knows its IP number and can use its private key to decrypt the outer layer of the onion to find the IP number of the node.Tor2 node, to which passes the remaining layers of the onion.
But Tor1 cannot look deeper into the encrypted onion and discover the identity of Tor3 Or the Server where you want to end.
Also, the Tor3 node can remove the final layer of the onion, revealing the innermost secret of the Server that you want to visit, but you can only track your traffic up to Tor2and therefore has no idea where Tor1 is located, let alone where the Client the computer is.
the Tor2 the node in the middle is there to add another layer of anonymity protection, because it keeps Tor1 and Tor3 Besides.
That means yes Tor1 and Tor3 they are simply “volunteered” nodes by collaborating law enforcement teams or intelligence agencies, they cannot directly collude to match your traffic patterns and unmask your identity that way.
In other words, to unmask an individual connection, an attacker would need to monitor all Tor nodes chosen for that connection and keep a careful and detailed record of every relay connection on each node.
(Tor also works against collusion by regularly “reconnecting” long-lived connections, typically rebuilding each virtual circuit automatically every 10 minutes, and creating a new circuit with new nodes for each new connection.)
hide the server
If he Server The one you connect to in the diagram above is a normal server on the internet, then your network connection emerges from Tor in plain sight after Tor3so the content of your traffic to Serverand the physical location of that online server is also on display.
But if the end server is itself a darkweb server on the Tor network, identified by one of those mysterious URLs that end with .onion instead of a regular top-level domain name, your traffic never leaves Tor once it enters the Tor network through the Tor1 node.
Generally speaking, in a true darkweb connection, the final server connection is handled as a fourth hop in the Tor chain, which adds quite a bit of anonymity on both ends.
A “four-hop” Tor connection not only means that the server doesn’t know your IP number and therefore couldn’t reveal it even if it wanted to, it also means that you will never know the server’s IP number.
In other words, even if you yourself are placed under surveillance or arrested, your browsing activity and logs will not, and cannot, reveal the likely physical locations of the darkweb services you have been using.
Therefore, ISPs who don’t care what kind of customers they serve and who don’t tell the truth when presented with search warrants or other “know your customer” requests, can, in theory, surreptitiously operate well-known services. in jargon as bulletproof hostseven though they themselves may be in a country with strict “know your customer” rules and powerful lawful interception provisions.
Thanks to the multi-hop “onion encryption” of an anonymization service like Tor, clients and servers can establish contact without revealing where on the Internet the other end can be found, making servers of this type much more difficult to locate, and therefore much more difficult to shoot down.
Yet tracked and traced
In this case, Tor was not enough to prevent the location of the alleged Hydra servers from being tracked and “reused” by law enforcement, as happened when the BKA replaced the Hydra home page with the site seizure message. shown above.
As an aside, we note that the handcuffs in the image very unusually have three identical wristbands, which seems redundant, given that almost all humans have two arms at most, and dangerous, given that, if those restrictions were applied to a two-armed suspect , the loose handcuff could be swung around by the arrested person as an improvised weapon.
So we can’t help but wonder if those triple bangles are a visual metaphor referencing the three-node base of Tor connections.
Perhaps the three interconnected bracelets are there to remind us that, with good intelligence and technical determination, even three seemingly disconnected and anonymous Tor relays can be linked in obvious ways and break the anonymity of the system?
(Note that Tor is not intended to guarantee your anonymity or be able to immunize your connection from takedown no matter what, so if you have a legitimate reason to use Tor, be sure to read the project guidelines before we begin, and remember Tor’s own advice that “[g]In general, it’s impossible to have perfect anonymity, even with Tor.”)
Whats Next?
Following the German takedown, during which around $25,000,000 worth of cryptocurrency was seized, both the US Justice Department (DOJ) and the Treasury Department Office of Foreign Assets Control (OFAC) issued press releases on the US follow-up to the intervention.
As OFAC notes:
In addition to sanctioning Hydra, OFAC is identifying more than 100 virtual currency addresses associated with the entity’s operations that have been used to conduct illicit transactions. The Treasury is committed to sharing additional illicit virtual currency addresses as they become available.
The DOJ added:
Along with the closure of Hydra, criminal charges were announced against Dmitry Olegovich Pavlov, 30, a resident of Russia, for conspiracy to distribute narcotics and conspiracy to commit money laundering, in connection with his operation and administration of the servers used to run Hydra.
Russia, like many other countries, does not extradite its own citizens, even in peacetime, so it is anyone’s guess whether those criminal charges will have any effect.
However, as the metaphor of the three-armed handcuffs reminds us, as the Tor Project itself carefully and explicitly states, and as this multinational takedown operation shows, it is impossible to have perfect anonymity on the Internet.