Law Enforcement and Darknet Market Attribution

By Michael Borkenstein –

During a 30 day period in 2014, $650,000 in Bitcoin moved through the Darknet markets each day (Soska & Christin, 2015, p 47). This level of throughput is incredibly alarming considering it exists after the famous takedown of The Silk Road in 2013. While there is turnover within the active markets, these transfers of power stem from events internal to their economic environment. Common reasons for market closures are exit scams and administrator retirements as opposed to arrests.  These drug bazars have proven to be remarkably resilient to interference from law enforcement and operate with virtual impunity today. This beckons the question: “If online drug markets are this immune to external intervention, how was the Silk Road compromised?” Contrary to popular belief, it was not penetrated through some backdoor to their encryption or with a bleeding-edge hack, but with traditional investigative techniques that capitalized on the mistakes of the suspects. The FBI monitored forums, tracked administrators, and posed as merchants until it gathered enough evidence to arrest the market’s inner circle (Zetter, 2013).

The greatest challenge for law enforcement is the inability to track the IP addresses of suspected traffickers. Black markets base their infrastructure on Tor, an anonymity network that allows users and vendors to bounce their encrypted network traffic off of multiple locations that external entities cannot predict.  Without this veil, the FBI could discover the IP addresses of black market servers and could subpoena an ISP to release their customer records. However, Tor allows a black market to set up a “Hidden Service” that abstracts the actual IP address through a circuit of exit nodes that forward all traffic to the secret IP address (Tor). A vulnerability in this system may have led to the takedown of The Silk Road 2 (a.k.a. SR2), the successor to its namesake. The undertaken attack was rather novel and involved two separate exploits: A Sybil attack, and a traffic confirmation attack. These attacks entailed an external entity registering 115 relay nodes in the Tor network, and monitoring specially encoded signals sent between them. The illegitimate nodes attempted to match an unknown user who accessed the Hidden Service directory in order to access SR2 (Arma, 2014) to known users requesting unknown resources on the other end of the interaction. It is not confirmed that this attack was undertaken by a government agency, but the date of the SR2 takedown immediately follows the five month window during which the attack took place (Goodin, 2015). Since the attack was discovered the vulnerability has been patched by Tor so it cannot be used again to stop further markets. However, the opportunity for traffic confirmation attacks will never be thwarted while there are ways to monitor unique user identifiers in traffic metadata.

Despite this setback, other options exist to disrupt the operation of the Darknet markets. Although it has not yet been heavily pursued by law enforcement, arresting users as opposed to vendors could be a successful measure. The difficulty with this strategy is the use of encryption in all communications between users and vendors. This precludes a government agency from gathering concrete evidence that a suspect intentionally ordered illicit products. All the defendant would need to do is argue that they were delivered to him/her by mistake.

However, these roadblocks do not leave the agencies with no course of action. An avenue that could be followed in the future is using a confirmation attack with fake drug markets hosted by law enforcement agencies. If it is possible to extract a unique combination of metrics from a user, cross-reference those values with existing records, and confirm the identity of a drug market user. These metrics could be collected by injecting JavaScript into the user’s browser during the purchase process that gathers statistics and sends them to a remote server. These metrics should be qualities of the user’s environment like mouse scroll speed, pixel positions of various HTML elements, or even a CPU benchmark (Norte, 2016). Once collected, the data would be compared to a large dataset of these metrics. This could come from browsing sessions that occurred without an anonymity network like Tor. Any match would be a strong indication of the suspected user and could be further investigated more directed techniques. However, this strategy is a difficult one to enact because it requires several unlikely prerequisites: a fake law enforcement run drug market with traffic from real drug buyers and a large dataset of metrics that have matches to user identities. On top of this, many market buyers use environments like Tails that do not leak such environment metric. This would limit possible targets to un-savvy users.

An alternate strategy that government agencies have already began following is the investigation of infamous drug forums where users discuss product and gossip about market politics. These forums are commonly visited by market staffers, and therefore have come into the crosshairs of the authorities. The DHS has subpoenaed to release records about five users of the popular drug community r/darknetmarkets. has neither confirmed nor denied if it has complied with the subpoena, but did reference their TOS that disclaims they record user IP addresses for 90 days. It is unclear if investigations of drug forums will prove effective in apprehending drug traffickers or if they will be pushed to other, more secure, Tor based communities (Greenberg, 2015).

Despite countermeasures and tactics being undertaken by authorities, Darknet markets continue to operate without much trepidation. The successful market takedowns that have occurred have not intimidated buyers because only large vendors were impacted, and vendors remain unfazed because their profits justify the risk. This leaves authorities with several recourses. Continue their monitoring of drug markets in the hope that administrators will make mistakes in concealing their identities, begin targeting users that brazenly flaunt their successes in conspicuous communities, or agencies can continue searching for ways to compromise Tor as they did with SR2. However, until a comparable vulnerability will be discovered, the markets will continue to thrive.

Works Cited

Arma. “Tor Security Advisory: “relay Early” Traffic Confirmation Attack.” Tor Security Advisory: “relay Early” Traffic Confirmation Attack | The Tor Blog. N.p., 30 July 2014. Web. 22 Nov. 2016.

Goodin, Dan. “Did Feds Mount a Sustained Attack on Tor to Decloak Crime Suspects?” Ars Technica. Conde Nast, 21 Jan. 2015. Web. 22 Nov. 2016. <;.

Greenberg, Andy. “Feds Demand Reddit Identify Users of a Dark-Web Drug Forum.” Conde Nast Digital, 30 Mar. 2015. Web. 26 Nov. 2016.

Norte, Jose Carlos. “Advanced Tor Browser Fingerprinting.” Advanced Tor Browser Fingerprinting. N.p., 6 Mar. 2016. Web. 26 Nov. 2016.

Soska, Kyle, and Nicolas Christin. “Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem.” Usenix Security Symposium (2015): n. pag. Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem | USENIX. USENIX Association, Aug. 2015. Web. 22 Nov. 2016. <;.

“Tor” Tor: Hidden Service Protocol. N.p., n.d. Web. 22 Nov. 2016. <;.

Zetter, Kim. “How the Feds Took Down the Silk Road Drug Wonderland.” Conde Nast Digital, 18 Nov. 2013. Web. 22 Nov. 2016.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s