- The Tor network is the most anonymous network in the world
- Methods of analyzing Tor
- The ‘Ricochet’ chat service trap
- Expansion of international cooperation
- Tor representatives firmly say “no”
- Conclusions
The Tor network is considered one of the most reliable tools for anonymous browsing. However, there is information that law enforcement agencies have begun to penetrate it to expose criminals.
The political magazine ARD Panorama and STRG_F (funk/NDR) conducted an investigation and concluded that investigators in Germany have been monitoring servers in the Tor network for several months in order to de-anonymize users, particularly users of dark web sites. The data obtained during the surveillance is processed with statistical algorithms in such a way that Tor’s anonymity is completely compromised. Reporters from Panorama and STRG_F were able to review documents that describe four successful cases within a single investigation. These are the first documented cases worldwide of so-called “timing analysis” in the Tor network, which until now was considered nearly impossible.
The Tor network is the most anonymous network in the world
Wikipedia defines Tor as follows:
Tor (short for The Onion Router) is free and open-source software for implementing the second (V2) and third (V3) generations of so-called onion routing. It is a system of proxy servers that allows for anonymous network connections protected from eavesdropping. It is viewed as an anonymous network of virtual tunnels that provides data transmission in encrypted form.
With Tor, users can maintain anonymity online while visiting websites, blogging, sending instant and email messages, and working with other applications that use the TCP protocol. Traffic anonymization is achieved through a distributed network of servers — nodes. The Tor technology also protects against traffic analysis mechanisms that threaten not only online privacy but also the confidentiality of trade secrets, business contacts, and the secrecy of communication in general.
Tor operates at the network levels of onion routers, allowing for anonymous outgoing connections and anonymous hidden services.
Currently, nearly 8,000 Tor nodes operate in 50 countries, and about two million people use the network every day. It is popular among journalists and human rights defenders, especially in countries where the internet is censored. In Germany, media outlets, including NDR, also use anonymous “mailboxes” in the Tor network so that whistleblowers can transmit information safely. Deutsche Welle, for example, has made its website accessible on the dark web to avoid censorship in some countries.
Methods of analyzing Tor
Anonymity also attracts criminals, who use Tor, for example, to conduct cyberattacks or to operate illegal marketplaces on the dark web. For many years, the Tor network was a practically insurmountable barrier for investigative authorities. The investigation conducted by Panorama and STRG_F showed that the authorities have apparently solved this problem with a method called “timing analysis,” which requires monitoring individual Tor nodes, sometimes for many years.
The more nodes in the Tor network are controlled by authorities, the higher the likelihood that a user will attempt to mask their connection through one of the controlled nodes. By analyzing the transmission time of individual data packets, anonymous connections can be traced back to the Tor user, even if the connections in the Tor network are encrypted multiple times.
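Why encryption does not hide this signal, as an added example that is not from the original article or from any investigation it describes: a simplified model that compares per-window packet counts of constructed, synthetic traffic at two observation points. The window size, the delay range and the constant-rate padding are assumptions made for illustration, and the padding is not a description of what Tor does.

```python
import math
import random

WINDOW = 1.0      # seconds per counting window (assumed)
DURATION = 120.0  # length of the observation in seconds (assumed)

def bursty_flow(rng, burst_rate=0.3):
    """Constructed traffic: packet send times arriving in short bursts."""
    times, t = [], rng.expovariate(burst_rate)
    while t < DURATION:
        times += [t + i * 0.01 for i in range(rng.randint(5, 30))]
        t += rng.expovariate(burst_rate)
    return times

def after_network(times, rng):
    """The same packets at a second point: re-encrypted, slightly delayed."""
    return [t + rng.uniform(0.02, 0.06) for t in times]

def per_window_counts(times):
    counts = [0] * int(DURATION / WINDOW)
    for t in times:
        if t < DURATION:                 # ignore packets past the observation
            counts[int(t / WINDOW)] += 1
    return counts

def pad_to_constant(counts):
    """Cover traffic (assumed mitigation): every window carries the peak count."""
    return [max(counts)] * len(counts)

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)  # flat series: no signal

def demo(seed=7):
    rng = random.Random(seed)
    sent = bursty_flow(rng)
    entry = per_window_counts(sent)
    same = per_window_counts(after_network(sent, rng))
    unrelated = [per_window_counts(bursty_flow(rng)) for _ in range(3)]
    return {
        "same_flow": pearson(entry, same),
        "unrelated_max": max(pearson(entry, u) for u in unrelated),
        "same_flow_padded": pearson(pad_to_constant(entry), same),
    }

if __name__ == "__main__":
    print(demo())
```

The payload never enters the calculation, only when and how much was sent, which is why layered encryption alone does not remove the pattern; the padded series scores exactly 0 because a flat series carries no timing information.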
The ‘Ricochet’ chat service trap
The investigation reports that the Federal Criminal Police Office of Germany (BKA) and the Public Prosecutor’s Office in Frankfurt successfully applied “timing analysis”: while investigating a dark web-based pedophile platform known as “Boystown,” they were able, several times, to identify Tor nodes that one of the platform’s organizers used for anonymization.
For example, on two occasions the BKA checked the Tor nodes that platforms managed by the then-administrator of “Boystown,” Andreas G., used to connect to the Tor network. These platforms included, for instance, a chat where leading participants from various pedophile forums shared information. In two cases, the investigators also managed to identify so-called “entry servers” of the chat service “Ricochet,” which G. used. This was a breakthrough for the BKA. For final identification, the district court in Frankfurt ultimately ordered the provider Telefónica to determine which of its customers had connected to one of the identified Tor nodes. The investigation led to the arrest of Andreas G. in North Rhine-Westphalia. In December 2022, he was sentenced to several years in prison. The sentence has not yet come into effect.
Expansion of international cooperation
The BKA received important information regarding the “Boystown” case from the Netherlands. This is apparently not a coincidence: most Tor nodes are operated in Germany, the Netherlands, and the USA. The responsible prosecutor’s office in Frankfurt stated in response to an inquiry that it would neither confirm nor deny the use of “timing analysis” in the “Boystown” case. The Federal Criminal Police Office (BKA) also declined to comment.
However, reporters from Panorama and STRG_F managed to speak with individuals who have independent knowledge of the large-scale monitoring of such Tor servers. Reports indicate that the number of monitored Tor nodes in Germany has increased sharply in recent years. The recorded data also suggests that the monitored nodes are likely being used for “timing analysis.” Experts who were able to review the research documents from Panorama and STRG_F independently confirmed the findings of the investigation. Matthias Marx, one of the representatives of the Chaos Computer Club (CCC), explains: “The documents, combined with the described information, convincingly indicate that law enforcement agencies have repeatedly and successfully conducted attacks using timing analysis against individual Tor users over several years to de-anonymize them.”
Tor representatives firmly say “No”
The non-profit organization Tor, which is based in the USA and supports the anonymization network, stated in response to inquiries that it is not aware of any documented cases of “timing analysis.” Nor have there been any indications that the Tor browser has been subjected to attacks, said a representative of the organization: “Tor users can continue to use the Tor browser for safe and anonymous access to the Internet.” A representative of “Ricochet,” now called “Ricochet Refresh,” stated that she is not aware of any other cases of user de-anonymization. According to her, the software has been improved in recent years and is one of the safest ways to communicate online.
Conclusions
The information presented in the report suggests that, in any case, the authorities were clearly acting on a tip-off. There may have been a case of de-anonymization, but it certainly did not occur in a vacuum or from scratch. For now, the Tor network remains the most reliable means of preserving anonymity online.
As creators of a Bitcoin mixer, we strive to use all possible means to protect the anonymity of our users. Our mixer is designed to protect your funds from all known analytical algorithms. You can also use our Tor platform — we are confident in its anonymity. Moreover, our site on Tor operates without JavaScript: in the Tor version of the site, the calculator and transaction detector are intentionally disabled, as these cannot be implemented without JavaScript.