This Researcher Is Hunting Down IP Addresses of Dark Web Sites

Tor is not enough to guarantee hidden services stay hidden.

|
Jun 22 2015, 3:25pm

Image: Alexandr Trubetskoy/Flickr

The attraction of the dark web is that sites can exist without the location of their servers being revealed. In turn, this means that drugs, child porn, and weapons can all be advertised in an open, brazen fashion, with little fear of law enforcement being able to track down whoever is behind the sites.

Now, in an attempt to highlight a general lack of security on the dark web, one researcher has been harvesting information about the servers of hundreds of these sites, and in some select cases even their IP addresses. But this isn't due to any fancy attack on Tor, nor the deployment of a powerful new exploit: it's because the site administrators haven't set up their sites correctly.

Last week, Thomas White, a Tor hidden server developer, published a blog post claiming that he had recently discovered the IP address of the now-defunct site "Kiss Marketplace," which primarily sold drugs.

Kiss Marketplace shut down in May after it was hacked, according to a log kept by Deep Dot Web. Since the site no longer exists, White had "no problem in releasing" the IP address it used, he wrote in his blog post.

This idea that Tor is not enough to protect sites on the dark web has become more and more apparent

White shared the IP address of Kiss Marketplace with Motherboard back in March, while the site was still live. When the IP address of 185.61.148.62 was typed into a web browser, a login page for Kiss Marketplace was displayed.

White claims to have also discovered the IP address of the server that was running "Tor Carders Market V.2," a stolen credit card site, and told Motherboard that he uncovered this one in January of this year. Again, this site has now disappeared, so White felt that he had "no further responsibility to withhold this information," he wrote on his blog.

On top of this, White claims to have gathered information on more than 500 sites, and the IPs of eight, seven of which are active sites. He says he has more data to analyse, too.

Screenshot of Kiss Marketplace. Image: Motherboard

"It's safe to say everything is under threat right now," White told Motherboard. "Scam sites, the "dark net" markets, fraud-type vendors, alleged hacker groups (probably scammers too), child porn sites, blogs, IRC servers."

"You might as well just copy and paste that categories from the Hidden Wiki," he added, referring to a site that lists many of the most popular sites on the dark web.

White says he is doing this to raise awareness of "the spectrum of security," he told Motherboard. "Tor will help hide the location of the servers but it is not a magic fix by any means, and lots of these hidden services, both legal and illegal, are not taking any measures to defend [their] system."

He said that he won't be handing the data over to any government, nor will he put people at risk. "That is not to say they are safe though," he added. "There are others out there like myself who could piece together my work and repeat it within days."

White is using a variety of methods for digging into different dark web sites. One of those includes trying to make the site fetch materials stored on a server that he controls, and then looking whether a non-Tor IP was used. Another is by checking whether the sites have bothered to change their default server settings, some of which can provide helpful information. White did this to reveal that several sites, which are probably scams, were likely being run by one shared hosting provider.

After beginning his research in February, White says he has started to "automate the collection process," and has been putting together his own toolkit to carry out the analysis. He considers the lax efforts taken by site administrators to be the "biggest problem" for the security of hidden services.

"The fundamental problem is that people behind these sites are not serious techies. There is a difference between protecting a system from a script kiddie, and from agencies like the FBI," he said.

It's worth remembering that a misconfiguration of a CAPTCHA is how the FBI allegedly found the Silk Road server. It appears that plenty of other sites may be vulnerable because of sloppy work by their administrators.

This idea that Tor is not enough to protect sites on the dark web has become more and more apparent. While some market administrators have been busted, other criminals who are still free have shown that criminal smarts are more important for staying ahead of the police. Now, it appears that a much deeper understanding of how to a run website securely is needed too.