By Michael Borkenstein
During a 30-day period in 2014, $650,000 in Bitcoin moved through the Darknet markets each day (Soska & Christin, 2015, p. 47). This level of throughput is alarming considering it exists after the famous takedown of The Silk Road in 2013. While there is turnover within the active markets, these transfers of power stem from events internal to their economic environment. Common reasons for market closures are exit scams and administrator retirements as opposed to arrests. These drug bazaars have proven remarkably resilient to interference from law enforcement and operate with virtual impunity today. This raises the question: “If online drug markets are this immune to external intervention, how was the Silk Road compromised?” Contrary to popular belief, it was not penetrated through some backdoor to their encryption or with a bleeding-edge hack, but with traditional investigative techniques that capitalized on the mistakes of the suspects. The FBI monitored forums, tracked administrators, and posed as merchants until it gathered enough evidence to arrest the market’s inner circle (Zetter, 2013).
The greatest challenge for law enforcement is the inability to track the IP addresses of suspected traffickers. Black markets base their infrastructure on Tor, an anonymity network that allows users and vendors to bounce their encrypted network traffic off of multiple locations that external entities cannot predict. Without this veil, the FBI could discover the IP addresses of black market servers and subpoena an ISP to release its customer records. However, Tor allows a black market to set up a “Hidden Service” that abstracts the actual IP address through a circuit of Tor relays that forward all traffic to the secret IP address (Tor). A vulnerability in this system may have led to the takedown of The Silk Road 2 (a.k.a. SR2), the successor to its namesake. The attack was rather novel and combined two separate techniques: a Sybil attack and a traffic confirmation attack. It entailed an external entity registering 115 relay nodes in the Tor network and monitoring specially encoded signals sent between them. The illegitimate nodes attempted to match an unknown user who accessed the Hidden Service directory in order to reach SR2 (Arma, 2014) to known users requesting unknown resources on the other end of the interaction. It is not confirmed that this attack was undertaken by a government agency, but the date of the SR2 takedown immediately follows the five-month window during which the attack took place (Goodin, 2015). Since the attack was discovered, the vulnerability has been patched by Tor so it cannot be used again to stop further markets. However, the opportunity for traffic confirmation attacks will never be fully thwarted while there are ways to monitor unique user identifiers in traffic metadata.
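The two components of the SR2 attack each leave a defender-side footprint. The relay_early traffic confirmation attack signalled by alternating RELAY and RELAY_EARLY cells toward the client, and the fix the Tor project shipped was for clients to close any circuit that carries an inbound RELAY_EARLY cell; the Sybil component depended on one operator registering a large number of relays, which shows up as many relays sharing one address block. The following is an added example, not code from the essay, from Tor, or from the cited advisory: a small model of both checks over constructed data. The `Cell` type, the function names, and the sample cell streams and relay list are all assumptions made for illustration, and the IPv4 addresses are RFC 1918 placeholders rather than real relays.

```python
# Added example (not from the essay or the Tor code base): two defender-side
# checks modelled on the attack components described above. The cell streams
# and relay list below are constructed sample data, not network captures.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RELAY = "RELAY"
RELAY_EARLY = "RELAY_EARLY"


@dataclass(frozen=True)
class Cell:
    """One Tor circuit cell as seen by a client: its direction and command."""
    direction: str   # "inbound" (relay -> client) or "outbound" (client -> relay)
    command: str     # RELAY or RELAY_EARLY


def first_inbound_relay_early(cells):
    """Index of the first RELAY_EARLY cell travelling toward the client, or -1.

    Clients legitimately send RELAY_EARLY outbound (it bounds circuit length);
    relays have no reason to send it back. The 2014 attack used the pattern of
    RELAY and RELAY_EARLY cells arriving at the client as a covert signal, so
    the Tor fix treats any inbound RELAY_EARLY as a protocol violation.
    """
    for i, cell in enumerate(cells):
        if cell.direction == "inbound" and cell.command == RELAY_EARLY:
            return i
    return -1


def should_close_circuit(cells):
    """Mitigation: close the circuit as soon as an inbound RELAY_EARLY appears."""
    return first_inbound_relay_early(cells) != -1


def largest_prefix_share(relays, prefix_len=16):
    """Sybil indicator: the largest fraction of relays inside one IPv4 network
    of the given prefix length. Returns (network, share). A single operator
    registering many relays from one address block produces a large share.
    """
    if not relays:
        return None, 0.0
    counts = Counter(
        ip_network(f"{ip_address(ip)}/{prefix_len}", strict=False)
        for _, ip in relays
    )
    network, n = counts.most_common(1)[0]
    return str(network), n / len(relays)


# Constructed cell streams: a benign circuit, and one carrying the covert signal.
NORMAL_CIRCUIT = [
    Cell("outbound", RELAY_EARLY), Cell("outbound", RELAY_EARLY),
    Cell("inbound", RELAY), Cell("outbound", RELAY), Cell("inbound", RELAY),
]
SIGNALLED_CIRCUIT = [
    Cell("outbound", RELAY_EARLY), Cell("inbound", RELAY),
    Cell("inbound", RELAY_EARLY), Cell("inbound", RELAY), Cell("inbound", RELAY_EARLY),
]

# Constructed relay list (nickname, IPv4). Four of ten relays sit in 10.20.0.0/16.
SAMPLE_RELAYS = [
    ("relayA", "10.20.1.1"), ("relayB", "10.20.7.9"), ("relayC", "10.20.3.3"),
    ("relayD", "10.20.9.2"), ("relayE", "172.16.5.5"), ("relayF", "192.168.1.2"),
    ("relayG", "10.99.1.1"), ("relayH", "172.16.8.8"), ("relayI", "192.168.2.2"),
    ("relayJ", "10.77.4.4"),
]

if __name__ == "__main__":
    for name, circuit in (("normal", NORMAL_CIRCUIT), ("signalled", SIGNALLED_CIRCUIT)):
        print(f"{name}: inbound RELAY_EARLY at index "
              f"{first_inbound_relay_early(circuit)}, close={should_close_circuit(circuit)}")
    net, share = largest_prefix_share(SAMPLE_RELAYS)
    print(f"largest /16 share: {net} holds {share:.0%} of relays")
```

The prefix-share check is a coarse heuristic: an attacker can spread relays across providers, and a large share in one block can also be a legitimate hosting company, so in practice it is one signal among several (join date, contact info, relay family) rather than a verdict on its own.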
Despite this setback, other options exist to disrupt the operation of the Darknet markets. Although it has not yet been heavily pursued by law enforcement, arresting users as opposed to vendors could be a successful measure. The difficulty with this strategy is the use of encryption in all communications between users and vendors. This precludes a government agency from gathering concrete evidence that a suspect intentionally ordered illicit products. All the defendant would need to do is argue that they were delivered to him/her by mistake.
An alternate strategy that government agencies have already begun following is the investigation of infamous drug forums where users discuss products and gossip about market politics. These forums are commonly visited by market staffers, and therefore have come into the crosshairs of the authorities. The DHS has subpoenaed reddit.com to release records about five users of the popular drug community r/darknetmarkets. Reddit.com has neither confirmed nor denied whether it has complied with the subpoena, but did reference its terms of service, which disclose that it retains user IP addresses for 90 days. It is unclear whether investigations of drug forums will prove effective in apprehending drug traffickers or whether the forums will simply be pushed to other, more secure, Tor-based communities (Greenberg, 2015).
Despite the countermeasures and tactics being undertaken by authorities, Darknet markets continue to operate without much trepidation. The successful market takedowns that have occurred have not intimidated buyers because only large vendors were impacted, and vendors remain unfazed because their profits justify the risk. This leaves authorities with several recourses: continue monitoring drug markets in the hope that administrators will make mistakes in concealing their identities, begin targeting users who brazenly flaunt their successes in conspicuous communities, or continue searching for ways to compromise Tor as was done with SR2. However, until a comparable vulnerability is discovered, the markets will continue to thrive.
Arma. “Tor Security Advisory: ‘relay early’ Traffic Confirmation Attack.” The Tor Blog. 30 July 2014. Web. 22 Nov. 2016.
Goodin, Dan. “Did Feds Mount a Sustained Attack on Tor to Decloak Crime Suspects?” Ars Technica. Conde Nast, 21 Jan. 2015. Web. 22 Nov. 2016. <http://arstechnica.com/tech-policy/2015/01/did-feds-mount-a-sustained-attack-on-tor-to-decloak-crime-suspects/>.
Greenberg, Andy. “Feds Demand Reddit Identify Users of a Dark-Web Drug Forum.” Wired.com. Conde Nast Digital, 30 Mar. 2015. Web. 26 Nov. 2016.
Norte, Jose Carlos. “Advanced Tor Browser Fingerprinting.” 6 Mar. 2016. Web. 26 Nov. 2016.
Soska, Kyle, and Nicolas Christin. “Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem.” USENIX Security Symposium (2015). USENIX Association, Aug. 2015. Web. 22 Nov. 2016. <https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/soska>.
“Tor: Hidden Service Protocol.” The Tor Project, n.d. Web. 22 Nov. 2016. <https://www.torproject.org/docs/hidden-services.html.en>.
Zetter, Kim. “How the Feds Took Down the Silk Road Drug Wonderland.” Wired.com. Conde Nast Digital, 18 Nov. 2013. Web. 22 Nov. 2016.