Understanding the Usage of Anonymous Onion Services: Empirical Experiments to Study Criminal Activities in the Tor Network

JUHA NURMI

Tampere University Dissertations 62

PREFACE

To tell You the truth, I would love to borrow the flying whip of words of Ralph Waldo Emerson, playfulness of scientific text from Carl Sagan, and from the ancient stoics their powerful touch in textual matter.

It is generally considered a mark of inexperience to write if a book begins with a few lines about ancient Rome. Nevertheless, as an inexperienced writer, I am delighted to do my mistake by referring to emperor Marcus Aurelius, who ruled Rome from 161 to 180 AD. He has a reputation for being the only wise philosopher king in the history of humans. Essentially in his nightly diary, Meditations, he wrote that “Nothing has such power to broaden the mind as the ability to investigate systematically and truly all that comes under thy observation in life.”

This is the real preface for a scientific inquiry. To me, during 2010, it meant that I wanted to study what kind of websites there are on Tor. But there was no search engine available for anonymous onion websites in the Tor network. What could I do? I registered ahmia.fi domain and started to create my own search engine for the Tor network. It was the starting point of my journey to understand how people use these anonymous onion services. I guess we can see the path only afterwards and understand that we were meant to walk it.

It is time to summarise this research and thank everyone on this path. The dissertation was written with the help of Laboratory of Pervasive Computing at Tampere University of Technology.
Information security company Cyber Intelligence House greatly supported my work. Furthermore, people behind the Tor Project supported me.

Professor Billy Bob Brumley served as the supervisor of this dissertation. I am deeply grateful to Billy. When the student is ready, the wise supervisor will appear.

Feedback of pre-examiners assistant professor Diana Dolliver and assistant professor Damon McCoy allowed me to take the precision and scientific quality of this dissertation to the next level.

I would like to express my sincere gratitude to Mikko Niemelä, Joona Kannisto, Markku Vajaranta, professor Atte Oksanen, Teemu Kaskela and Jussi Perälä, who all wrote the research papers with me.

Warm thanks to my few friends, for all the good times. Special thanks to my wife who understands me better than anyone else.

Teamwork is essential for success. So I would like to take this opportunity to thank my colleagues with whom I enjoyed working in my path in different organizations.

Feel free to send your feedback on this thesis and other aspects of this work to juha.nurmi@ahmia.fi. Furthermore, https://ahmia.fi/ - my very own search engine - enables you to search onion websites.

Wishing You a safe journey inside the Tor anonymity network!

ABSTRACT

Technology is the new host of life, and with each passing year, developments in digitalization make it easier to destroy our understanding of authenticity. A man is more than his distorted shadow on Facebook wall. Another essential shadow dwells under anonymity.

The aim of this thesis is to understand the usage of onion services in the Tor anonymity network. To be more precise, the aim is to discover and measure human activities on Tor and on anonymous onion websites. We establish novel facts in the anonymous online environment. We solve technical problems, such as web-crawling and scraping, to gather data. We present new findings on how onion services hide illegal activities. The results are merged with a wider range of anonymous onion services usage.

We selected to cast light on the criminal dark side of the Tor network, mainly black marketplaces and hacking. This is a somewhat factitious selection from the wide range of Tor use. However, an archetype villain is found in nearly every story, so naturally, for the sake of being interesting, we selected criminal phenomena to study. To be clear, the Tor network is developed and utilised for legal online privacy and in several other essential ways.

The first finding is that as the Tor network becomes more popular, illegal activities also become widespread. Tor and virtual currencies are already transforming the drug trade. Anonymous high-class marketplaces are difficult for law enforcement to interrupt. On the other hand, illegal activities are now paradoxically more public than ever: everyone can access these onion sites and browse the product listings. The illegal trade is transparent and can be followed. For example, by means of web-crawling and scraping, we produced a nearly real-time picture of the trade in Finland by following one of the marketplaces on Tor. As a result, statistics shed light on substance consumption habits: the second study estimates that sales totalled over two million euros between Finnish buyers and sellers.

Due to the network’s anonymity and the nature of illegal sales, reputation systems have replaced the rule of law: a buyer trusts the seller’s reputation because the law does not guarantee the delivery. The only available information is the seller’s reputation and capacity, which were both associated with drug sales, as we prove.

Finally, we will identify the limits of online anonymity, ranging from technical limitations to operation security dangers. Technology is merely a communication channel, and major criminal activities still happen in the physical world. For instance, a drug trade requires that the seller sends the products using a postal service to the buyer’s address. Before that, the seller has acquired enormous amounts of illegal drugs. The buyer has to give away his address to the seller, who could later be placed under arrest with a list of customers’ addresses. Furthermore, we show case by case how criminals reveal and leak their critical identity information. The law enforcement agencies are experienced in investigating all of these aspects even if the Tor network itself is secure.

CONTENTS

1 Introduction
  1.1 Objectives and contributions of the dissertation
  1.2 Structure of this thesis
  1.3 Research methods and restrictions
    1.3.1 Tradition of methodology
    1.3.2 Scope and restrictions
2 Background of online anonymity environment and related research
  2.1 A brief history of the Internet and its revolutionary ethos
  2.2 Defining online privacy
    2.2.1 What is privacy?
    2.2.2 Internet privacy
  2.3 Characterization of online anonymity
    2.3.1 Evolution of anonymity systems
      2.3.1.1 Type 0: remailing system
      2.3.1.2 Type I: the Cypherpunk remailer
      2.3.1.3 Type II and III: Mixmaster remailer
  2.4 Tor enabling strong practical anonymity
  2.5 Onion websites on Tor
  2.6 Decentralised digital currency revolution
  2.7 Earlier research on Tor usage
  2.8 Earlier research on marketplaces operated on Tor
3 Investigating usage of onion services
  3.1 Limits of anonymity
    3.1.1 Operation security is difficult
    3.1.2 Weak security of the end user device
    3.1.3 Unintentional features of server software behind Tor
    3.1.4 Special conditions enable traffic and timing correlation attack
  3.2 Watching incoming traffic to onion honeypots
  3.3 Following illegal trade on black markets
    3.3.1 The marketplace
    3.3.2 The insider with many names
    3.3.3 Administration’s point of view to anonymous conversation
4 Understanding the results
  4.1 Motivations and limitations of anonymity
  4.2 Anatomy of the marketplace
  4.3 Technical research methods to understand marketplaces
5 Conclusions
6 Discussion
  6.1 Author’s final words
References
Publication I
Publication II
Publication III
Publication IV
Publication V

ABBREVIATIONS

AES          Advanced Encryption Standard
DARPA        Defense Advanced Research Projects Agency
DDoS attack  Distributed Denial-of-Service attack
DHCP         Dynamic Host Configuration Protocol
DHT          Distributed Hash Table
DNS          Domain Name System
DPI          Deep packet inspection
FBI          Federal Bureau of Investigation
GCHQ         British Government Communications Headquarters
GDPR         General Data Protection Regulation
HSDir        Hidden Service Directory
HTTP         Hypertext Transfer Protocol
HTTPS        HTTP Secure
IP address   Internet Protocol address
MITM attack  Man-in-the-middle attack
NAT          Network Address Translators
NSA          National Security Agency
OPSEC        Operational Security
PESTEL       Political, Economic, Social, Technological, Environmental and Legal factor analysis
PGP          Pretty Good Privacy
SMTP         Simple Mail Transfer Protocol
SSH          Secure Shell
TCP          Transmission Control Protocol
TLS          Transport Layer Security
Tor          The Onion Routing
UDP          User Datagram Protocol

LIST OF PUBLICATIONS

This dissertation is a compilation of five publications, of which two (publications I and III) are journal articles and three (II, IV and V) appear in conference proceedings.

Finnish Publication Forum ratings indicate the quality of the publication channels. The classification has three levels: 1 is basic; 2 is leading; 3 is top. Other identified publication channels which have not received a rating are marked with 0. The publications are reproduced with kind permissions from the publishers (THL, IEEE, Springer and Elsevier).

I  Nurmi, J., Kaskela, T. (2015). “Silkkitie. Päihteiden suomalaista nappikauppaa.” Yhteiskuntapolitiikka, vol 80, no. 4, pp. 387–394. [1] Publication Forum level 2.
