Thoughts and Concerns about Operation Onymous

What happened

Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you. Unfortunately, we have very little information about how this was accomplished, but we do have some thoughts which we want to share.

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targetting hidden services. Were these two events related?

How did they locate the hidden services?

So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."

Unfortunately, the authorities did not specify how they managed to locate the hidden services. Here are some plausible scenarios:

Operational Security

The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security. For example, there are reports of one of the websites being infiltrated by undercover agents and the affidavit states various operational security errors.

SQL injections

Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.

Bitcoin deanonymization

Ivan Pustogarov et al. have recently been conducting interesting research on Bitcoin anonymity.

Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks.

Attacks on the Tor network

The number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. We received some interesting information from an operator of a now-seized hidden service which may indicate this, as well. Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us.

For example, some months ago, someone was launching non-targetted deanonymization attacks on the live Tor network. People suspect that those attacks were carried out by CERT researchers. While the bug was fixed and the fix quickly deployed in the network, it's possible that as part of their attack, they managed to deanonymize some of those hidden services.

Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn't reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service. The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. We've been
discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated.

*Similarly, there exists the attack where the hidden service selects the attacker's relay as its guard node. This may happen randomly or this could occur if the hidden service selects another relay as its guard and the attacker renders that node unusable, by a denial of service attack or similar. The hidden service will then be forced to select a new guard. Eventually, the hidden service will select the attacker.

Furthermore, denial of service attacks on relays or clients in the Tor network can often be leveraged into full de-anonymization attacks. These techniques go back many years, in research such as "From a Trickle to a Flood", "Denial of Service or Denial of Security?", "Why I'm not an Entropist", and even the more recent Bitcoin attacks above. In the Hidden Service protocol there are more vectors for DoS attacks, such as the set of HSDirs and the Introduction Points of a Hidden Service.

Finally, remote code execution exploits against Tor software are also always a possibility, but we have zero evidence that such exploits exist. Although the Tor source code gets continuously reviewed by our security-minded developers and community members, we would like more focused auditing by experienced bug hunters. Public-interest initiatives like Project Zero could help out a lot here. Funding to launch a bug bounty program of our own could also bring real benefit to our codebase. If you can help, please get in touch.

Advice to concerned hidden service operators

As you can see, we still don't know what happened, and it's hard to give concrete suggestions blindly.

If you are a concerned hidden service operator, we suggest you read the cited resources to get a better understanding of the security that hidden services can offer and of the limitations of the current system. When it comes to anonymity, it's clear that the tighter your threat model is, the more informed you need to be about the technologies you use.

If your hidden service lacks sufficient processor, memory, or network resources the DoS based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client.

*Another possible suggestion we can provide is manually selecting the guard node of a hidden service. By configuring the EntryNodes option in Tor's configuration file you can select a relay in the Tor network you trust. Keep in mind, however, that a determined attacker will still be able to determine this relay is your guard and all other attacks still apply.

Final words

The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved.

In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.

It would be great if there were more people reviewing our designs and code. For example, we would really appreciate feedback on the upcoming hidden service revamp or help with the research on guard discovery attacks (see links above).

Also, it's important to note that Tor currently doesn't have funding for improving the security of hidden services. If you are interested in funding hidden services research and development, please get in touch with us. We hope to find time to organize a crowdfunding campaign to acquire independent and focused hidden service funding.

Finally, if you are a relay operator and your server was recently compromised or you lost control of it, please let us know by sending an email to

Thanks to Griffin, Matt, Adam, Roger, David, George, Karen, and Jake for contributions to this post.

* Added information about guard node DoS and EntryNodes option - 2014/11/09 18:16 UTC

Philip Angus Nunes

November 09, 2014


Too much Inertia hurts us all...

Tor Project is soo focused on Tor Tor Tor, Tor is great, we're 501c3, world peace, blah blah blah. Over FIFTEEN years of Tor totally focused on one particular narrow anonymity design, it's own onion routing.

The anonymity community seriously needs to all step the fuck back from their own pet projects, literally sit their asses the fuck down at a roundtable at some con and seriously ask themselves the following:


Tor, Freenet, I2P, Gnunet, Maidsafe, Retroshare, Bitcoin, etc, etc, everyone just STOP, sit the fuck down with everyone else, and rip things apart, put things together, whiteboard that shit... whatever. But for the love of god, don't keep going forward with broken crap just because it's your pet project or the best you think there is.

This is not claiming any project is broken, but that there are all sorts of technologies that need to be fronted, reviewed, ranked, sorted, and plugged and played and layered and interleaved.

You don't do that while head down in your own little projects. And that sux for anonymity. 2015... the year of the global anonymity summit, review, realignment and rework. Make it happen.

Agree,.There's some decent intelligence about how to do the whole anonymous thing properly and correctly in those groups and it's high time they got together and did just that. Waiting to see how the different sources managed to locate HS owners is not going to get publicised so stop kidding yourselves if you think its going to happen. There appears to be disquiet growing that Tor is now fallible and whilst this may or may not be true wth the latest takedown it doesn't do anyone any favors. Work it out and make anonymous exactly that.

Before you go criticizing Tor why don't you do actual research into how Tor and other anonymity systems work. Yes, there are flaws; some of the design choices limit usability or pose security threats. Yes, some of the side effects of the design choices were unknown when they were made. That doesn't necessarily mean that different decisions would be made if the present knowledge was known. Tor isn't perfect; it's impossible to design a system to give you perfect anonymity in communication without risk of attack, let alone to use the underlying system of the internet which doesn't promote anonymity and actually implement that.

The goal isn't to achieve perfection: that's impossible; the goal is simply to do the best they can. With that said, like any other piece of software it works best if used properly. In the past authorities were able to unmask both simple users and hidden services because they did something stupid. If you want to remain anonymous, you need to know how to use Tor safely. Read as much documentation as you can. As a plus, when you complain about how something needs to work differently in Tor you can give a specific example.

Philip Angus Nunes

November 10, 2014


"low-latency web services is a very hard problem"

With present tor architecture this problem will be persistent.

Therefore tor netdata flow really needs some kind of permanent blank white noise
net traffic?

Philip Angus Nunes

November 10, 2014


If "Tor currently doesn't have funding for improving the security of hidden services", is possible to do like wikipedia, put on the top of every page on a message for funding.
Wikipedia wrote that it has no adv, but to survive need x dollars (and Wikipedia obtain milions of dollars).
Tor can write: to improve security for hidden service we need x dollars and make a list of payment methods.

An alternative can be a crowdfunding site.

What do you think about this? Is possible?

Philip Angus Nunes

November 10, 2014


May I ask a question. Is this possible?

1. Create a list of hidden services you want to find.
2. Create a list of hosts where these servers might be located based on history, anonymous payment options etcetera.
3. DDoS/attack each host one-by-one and check if any of the hidden services are affected in the same way as other hosted sites.

> 1. Create a list of hidden services you want to find.
Already done by

> 2. Create a list of hosts where these servers might be located

1. User set "StrictNodes 1" and "ExcludeNodes {au(not us)}{}{}...".
2. User try to connect whichiwanttoumnask.onion
3. If user can't connect to it, then hidden service might located in {au}.

>3. DDoS/attack each host one-by-one and check if any of the hidden services are affected in the same way as other hosted sites.

If you have enough PC and network like NSA, then you can do it.

There is really no need for DoS. Just monitor web hotels and when they go offline check if any hidden service is down. Or maybe NSA can just ask major web hotels to go offline for 10s.

The most likely reason that some of the largest illegal sites are still online is probably that they are not found. The same reason as why some of these sites weren't taken down 6 months ago.

I guess that these kind of methods can be used to locate the servers. Perhaps it's more likely that the server software leaks the ip or other info. I guess some web hotels also scan the hosted data for hidden services.

Philip Angus Nunes

November 10, 2014


Please can we create a list of all the onion sites with their current setups like: Operating system, Serversoftware, TorVersion, bitcoin-client(yes/no), PHPVersion, CMS(yes/no/cmsname), ServerHoster(Home/Paid)? Something like that? I am guessing that none of the services used Whonix?? If yes, it would be a strong indicator that it is really a problem of the tor software!!!! Please we need more infos? I also think it was no SQL injection attack or something similiar, because I had a look on many of those sites and they were not vulnerable to such attacks, while I know some still existing sites that are vulnerable and are not being attacked! And yes I can provide proof for that!
Version: GnuPG v1


Philip Angus Nunes

November 10, 2014


Why am I allowed to view videos on Tor now? I went to a website that automatically started playing a video. I don't have any plugins installed because flash exposes IPs. The only extra addons I have are Classic Theme Restorer which Tor recommended & AdblockPlus.

I went to a news website and temporarily allowed NoScript. That resulted in the video on the page to automatically play. I then went to Youtube to test if I could view their videos and I could view everything after temporarily allowing NoScript through.

I have the latest version Tor browser bundle 4.0.1.

Probably what you are seeing is HTML5 video. No Flash required.

For whichever site supports it, the browser will play the video natively without needing a proprietary closed-source plugin. So it's safe and shouldn't compromise anonymity (in theory anyway).

Check that Scripts are banned globally,
Then go to Options > Embeddings
And Enable Additional Restrictions for Java/ Adobe Flash/ Silverlight/ etc.

I hope that solves your problem.

Hello, is anyone reading this? I too can view videos on Tor when we're not suppose to. I use the addon Flash Control on Firefox and thought to try it out now on Tor to block all the flash videos but they STILL PLAY. What is going on? Flash is suppose to be disabled because it exposes real IP.

It's HTML5, not Flash. I'm pretty sure Javascript has to be enabled for HTML5 videos to play, and if you want to be especially secure you will disable Javascript. Go to URL about:config, search for javascript.enabled and double click the value field so that it changes to 'false'.

Nowadays, videos are officially supported by HTTP standards. You don't Need Flash anymore, and sites start to make use of HTTP video more and more.

You are talking about youtube? They support html5 which is built into the browser, no flash needed. You can watch streaming video with torbrowser quite well know on any site that supports html5 video (though you are correct you must enable scripting for this to work for some reason).

When using Tor youtube and I presume other websites play videos through HTML5 if you don't have flash enabled; you still need to have javascript enabled though.

Tor Browser (and the Firefox 31 ESR that it is based on) supports HTML5 video elements and can play webm (but not yet mp4) videos natively, meaning some videos will work without any plugins. This is normal expected behavior if you are allowing scripts.

Please do NOT install addons or plugins into Tor Browser. Seriously, remove them now. Most people will not have any addons, so using them will make you obvious; clicking New Identity will still give you a new circuit but a website will be able to recognize you are that same user that always uses Tor, Adblock and Theme Restorer together. If you want to be anonymous you simply have to accept that you will see ads and will have to deal with whatever Firefox UI is current.

Don't just take my word for it, the Tor Project recommend never to install extra features to Tor Browser: . I did see Mike Perry's comment about the Classic Theme Restorer, he wasn't saying it was safe or tested with Tor, simply that people who know and understand the risks can check it out.

Can you 'get smart' - changing you useragent from ten highest popular strings _do not_ 'harm you privacy'!! Don't be stupid! It's just like 'i win - i vote for winners'!!

it's HTML5 video, welcome to the future.

It's enabled because it doesn't cause any known IP address leaks in TBB (but if you find any, please report it!)

is it just the same myth as the sentence "you ports are closed - nothing to be bothered about" ( 'use your little grey cells' - any packet need to be investigated by the driver and the ip stack ... )

Philip Angus Nunes

November 10, 2014


Well, how to know if your eve server is on the route to a hidden service?
* contibute a small delay pattern (on eve relay node) and check if you can see the same delaypattern on probing/attacking machine
* measure time between sending a request and seeing a particular pattern on your eves relay: attacker to eve to hs
* mesaure time between response from hs and your eve relay to attacker
* try to maximize attack to eve relay by chance to get closer to guard
* measure time from attacker to hs and back (rtt) subtract time of attacker to eve, eve to attacker, and delay pattern
* i call this result network to network time
* if you have lots of pinging statistics from one network to another (like some have), you can measure and guess which network you is of your interest and take all asn of your list with too bad rtt
* guard will change some day
* now do all the measuring again
* if you are lucky enough you are the last hop before the guard.
* try to remove asn by asn from your list, until you end up with one to ten.

Philip Angus Nunes

November 10, 2014


doesn't the NSA and other adversaries have the capability to monitor large parts of the internet ?

this should make the following possible:

carefully construct an innocent looking GET request with a hidden but fingerprintable signature.

send it through the TOR network to your target hidden service.
monitor the internet for that fingerprint.

voila, IP revealed...

you should your HS somewhere out of monitor reach, which is likely impossible.

HTTP normalization. which would also be very hard or maybe even impossible because of the openness of the protocol.

Philip Angus Nunes

November 10, 2014


I can remember a very long thread on a message board a year or two ago about a hacking organisation that had at least 20 entry and exit nodes in use. At the time the nodes were all held on 4 servers.

The worry was that accessing Tor through an entry node and exit node operated by the same people on the same server could help them to end-to-end match a user and the sites (s)he visited

So now we have nodes identified, sites identified and users identified. Interesting.

BTW, the organisation? CCC - the Chaos Computer Club. I'm not accusing them (why not?, I ask myself), but maybe NSA or GCHQ or Echelon have taken their idea and put it to their own use.

Philip Angus Nunes

November 10, 2014


Court docs show Defcon was not using tor but Google chrome. They used that including NSA helping him with admin to locate his server location sure you can fig the rest out. Tor needs help $ someine with business at stake needs to help them $ we are going to lose this whole operation soon if the minds and $ DONT stip to take a time with basics in this darkweb game

Philip Angus Nunes

November 10, 2014


Scallion/Scorpion can generate Tor hidden site's private key.
If FBI has much PC power to use, it's easy to generate private_key and setup fake server to tor network.