from the here-come-the-fuzz dept
As the government continues to play Whac-a-Mole with darknet drug bazaars, one of the Silk Road’s leading darknet market replacements says it has temporarily suspended service over Tor vulnerability concerns. In an encrypted post to the site’s buyers and dealers (copied over to PasteBin and over at the /r/darknetmarkets subReddit), Agora’s administrators say the darknet market is nervous about law enforcement’s ability to take advantage of recent Tor vulnerabilities, and as such are pulling the market offline for an undisclosed amount of time to protect the site:
“Recently research had come that shed some light on vulnerabilities in Tor Hidden Services protocol which could help to deanonymize server locations. Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources. We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement.”
While the post doesn’t specify which Tor vulnerability the market’s responding to, a paper recently published by researchers from Qatar University and MIT (pdf) argued that it was possible to use a Tor vulnerability to identify Tor hidden services with as much as 88% accuracy. Tor director Roger Dingledine responded to these findings in a blog post back in July. Dingledine downplayed the ability of the vulnerability to be exploited in the wild, while pointing out that researchers have long over-estimated the ease of such fingerprinting methods in the real world.
To succeed in the fingerprinting process, the attacker needs to control the Tor entry point for the server hosting the hidden service, and have previously collected unique network identifiers allowing for the fingerprinting for that particular service. Still, Agora itself strongly hints that they’ve seen some (presumably law enforcement) behavior in the wild already attempting to take advantage of the vulnerability, and wasn’t willing to take the risk:
“…We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however this is only a temporary solution. At this point, while we don’t have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness we have to take the market offline for a while, until we can develop a better solution. This is the best course of action for everyone involved.”
Agora’s decision to forgo possible revenue for the sake of OPSEC (operational security) resulted in some Reddit posters praising Agora for its “iron testicles”. The outfit does appear to be slowly paying funds back to dealers and users (funds for DarkNet markets are usually held in escrow until deals are completed), but payments appear to be taking 24 to 48 hours for Agora to process. Meanwhile, admins for other darknet markets, like Middle Earth, have subsequently proclaimed that they have already covered their bases and aren’t worried about the vulnerability:
“We noticed the strange happenings early on. We KNOW that TOR devs are the best of the best. This is only theoretical paper from MIT students. TOR updates daily on a development level, they would fix any vulnerabilities from any theoretical paper. Emphasis: Theoretical Paper, Not Successful Tests. We have covered all bases.”
While the Agora shutdown combined with dropping Bitcoin value (due to the potential forking of currency development by those concerned about scalability) have Bitcoin advocates and Darknet market users sweating a bit, Agora’s shutdown would seem to be only a temporarily bump in the road to future darknet opsec skirmishes. Agora already had survived last November’s Operation Onymous, which took down Silk Road 2 and 400 other websites. It’s still debated whether those seizures were thanks to a Tor vulnerability or old-fashioned detective work (law enforcement obviously isn’t keen on being illuminating).
Even if Agora doesn’t return, there’s a half-dozen or more already established Darknet markets happy to fill the void and satiate the globe’s inexhaustible supply of drug buyers and dealers, those entertained by the endless game of opsec cat and mouse, and the government’s insatiable need to fill its mole-whacking quota.