Home » Articles » An Overview of Modern Tor Deanonymization Attacks
Click Here To Hide Tor

An Overview of Modern Tor Deanonymization Attacks

Tor was designed to provide a decentralized, censorship resistant network that can offer internet users, websites and various web services anonymity via easy-to-implement means. Nevertheless, since the advent of Tor, some users have failed to maintain their anonymity. Throughout this article, we will discuss Tor’s deanonymization techniques that are available today. We will go through traffic and timing correlation attacks, operational security (OPSEC) failure, electronic fingerprinting and remote code execution as discussed by a recently published research study.

Given the fact that Tor network harbors controversial content, including drug markets, child pornography…etc, law enforcement agencies (LEAs) have been utilizing a myriad of exploits to deanonymize some of Tor’s users. These techniques involve exploits of human errors, in addition to complicated mathematical methods that can take advantage of software flaws. Moreover, operational security (OPSEC) failures, which are usually related to mistakes committed by users, can facilitate deanonymization.

Operational Security (OPSEC) Failure:

The most famous example of this approach is how the identity of Ross Ulbricht, the mastermind behind Silk Road, was revealed. Attackers monitor the pattern of behavior of a Tor user, and collect critical cumulative info to deanonymize him/her. Ross used multiple aliases including “frosty”, “Dread Pirate Roberts” (DPR) and “altoid” on Silk Road and online forums throughout which he communicated with his clients.

LEAs used multiple observations regarding Ross’s online behavior and correlated them to reveal his identity and accuse him of running the “Silk Road” darknet market:

1. On October 11, 2011, an account named “altoid” posted on bitcointalk.org a thread titled “a venture backed bitcoin startup company”, looking for partners for a bitcoin startup. Altoid referred people to contact him at [email protected] He also discussed the “Silk Road” marketplace in the thread. Shortly after, Silk Road was advertised on the forum “shroomery.org” by a user also named “altcoin”.

2. Ross’s Youtube channel and Google Plus page included links to Mises Institute, an Austrian blog that published content related to the economic theory. On the Silk Road forum, DRP also backlinked to Mises Institute and shared the site’s content there. Through one of these posts, he mentioned that his time zone is the (PT), i.e. the Pacific Time zone.

3. Ross posted on Stakoverflow this question “How can I connect to a Tor hidden service using curl in PHP?”. Initially, Ross posted the question using an account aliased with his real name, yet less than a minute later, the account’s alias was changed to “frosty”.

4. Ross bought 9 fake identification documents that included his real picture, yet different names. The US border customs intercepted the package which had been shipped from Canada to Ross’s apartment in San Francisco.

These OPSEC, or operational security, related events helped the FBI close in on Ross, who was arrested in a public library. Access to Ross’s laptop provided massive evidence that facilitated his conviction as the owner and administrator of the Silk Road marketplace.

Attacks Targeting Tor Network Affiliated Systems:

Tor is nothing more than a service that a server or a user might be running. As such, systems affiliated with Tor’s network are still vulnerable to traditional cyberattacks. Depending on the exposure and the special configurations of the system, various techniques could be utilized to uncover the real identity of a web user or a hidden service within the Tor network. The deanonymization process ensues after the attacker obtains relevant information or even fully controls the target Tor affiliated system.

Service visibility heightens the exposure of a system and hence, the probability of a successful cyberattack. Typical attacks at application level include session handling, input validation and access control, while at the level of the operating system, attacks usually target misconfiguration. Moreover, system performance can be undermined via denial-of-service DDoS attacks, which can precipitate system crash, or failure.

Typically, input validation attacks rely on injection and usually involve buffer overflows, cross site scripting (XSS) and upload of malicious files. Session handling attacks are based on targeting tokens exchanged throughout communication to guarantee a correct state at the two endpoints of communication and include token value guessing, token value eavesdropping and session fixation. Access control attacks are centered on privilege escalation, i.e. an ordinary user will be promoted to a user with administrator privileges.

In August 2013, the FBI found a vulnerability in the Firefox/Tor browser that they exploited to attack Freedom Hosting sites and turn them into malware spreading trackers. Freedom Hosting was a web hosting company that hosted child pornography websites on a wide scale. The FBI manages to access Freedom Hosting’s servers and inject a malicious Javascript code. The code searches for a hostname and a MAC address and then relays them back as HTTP requests to servers in Virginia, exposing the real IP address of the user.

Attacks On Hidden Services:

These forms of attacks exploit flaws and mistakes that can reveal critical info about a Tor website or a hidden service.

SSH services are typically used to provide remote login to Linux machines for an onion address. If the same SSH service is offered on a public IP address, as well as through an onion address, this will lead to uncovering of the IP address of Tor’s hidden service. The following represents a demonstration of this deanonymization technique:

Tor listens to SOCKS connections via the localhost port. As such, any application that interacts with Tor will connect to localhost. Due to the fact that the application acts as if the connections are routed from localhost, a new risk for undermining anonymity is exposed as many online frameworks consider localhost a safe zone. A perfect example is the commonly used Apache HTTP Server and the Apache Server Status module which by default, comes activated to localhost connections Typically, this represents a safe configuration, as localhost is mostly a safe zone, and only users who have login credentials to the server can have access to this server status page. Nevertheless, with an onion address and Tor, connections to this page via Tor to Apache are routed from localhost, and Apache will show the page http://somehsaddress.onion/server-status/ to the public. Such services can deanonymize Tor’s hidden services.

Traffic & Timing Correlation Attacks:

Tor is not immune against end-to-end timing attacks. An attacker that observes traffic reaching the first relay node (entry guard), as well as traffic reaching the final destination (hidden service, exit relay node….etc) can utilize statistical analysis to determine that they belong to the same circuit. As such, Tor does not promote absolute anonymity. The user’s address as well as the destination address of the monitored traffic are obtained by the attacker, who can successfully deanonymize the target via correlation attacks. It is worth mentioning that the attacker needn’t have full control over the first and last router along a Tor circuit to be able to correlate traffic streams monitored at those relay nodes. The attacker only needs to be able to monitor the traffic.

Occasionally, deanonymization does not require performing sophisticated forms of statistical analysis. For instance, a student in Harvard University was arrested for sending fake bomb threats, via Tor, to get out of an exam! According to FBI data, the emails were sent from an email provided by Guerilla Mail, an email provider that allows users to create temporary emails. Guerilla embeds the IP address of the sender in all outgoing emails, and in this particular case, this pointed to the IP address of the user’s exit node on Tor. The FBI stated that the student sent the emails via Tor from the campus wireless network. Correlation helped the FBI identify the student, who confessed during interrogation.

Traffic and correlation attacks are somehow easy to execute when the anonymity set (number of clients using Tor) is relatively small. In other words, if there is a small number of people using Tor, within the context of a specific network, then it is relatively easier to deanonymize them. More complex forms of attacks require more complicated techniques of statistical analysis of both traffic and timing. Recent research studies have proven that these techniques can deanonymize a considerable percentage of Tor users and hidden services.

This was a brief overview of the techniques available currently for deanonymization of Tor users and hidden services. As you might have noticed, the weakest link along the chain of anonymity is the user. The Tor Project offers users detailed tutorials and extensive guidelines to help them protect their anonymity online. Nevertheless, as we presented throughout the article, even the most technically savvy individuals can sometimes fail to implement simple OSPEC guidelines, or simply commit silly mistakes that lead to uncovering of their real identities.


  1. Fucking TOR and leaving JS on is the problem...

    “As you might have noticed, the weakest link along the chain of anonymity is the user.”

    The weakest link in most of these attacks is still the platform, as those open wounds even allow an incompetent person to send their IP in a temp email in the first place, or to allow for their server users to be hunted down because TOR fucking refuses to turn off Javascript by default and make their users get with the pure HTML program.

    LEA have a much harder time finding people on Freenet because the platform doesn’t expressly allow for clearnet browsing (although possible) and Javascript, the most exploitable part of anything browser related, isn’t even allowed to be used on websites hosted on the network.

    The only example of pure stupid enduser was Ross for even linking to anything related to his real world interests or asking about Darknet questions on clearnet while doing dirt…he’d have gotten better information without the risk of being busted by asking people within his own community.



    • I don’t know what you mean by “multisig,” but javascript is code that is downloaded and executed right in the browser. It’s like clicking on every .exe you see on the web or receive in email without even pausing to think about it. The javascript problem extends beyond tor. Browsers try to “sandbox” javascript executables to keep them from being able to do bad things, but they don’t catch everything.

      Browsers executing javascript can be exploited in all sorts of ways. Web sites get pwned and have their javascript replaced by attackers from time to time (and sometimes they don’t even have to be pwned – for example, yahoo.com inadvertendly delivering malware to yahoo users via javascript provided by malicious advertisers – twice!) so it’s not safe to allow javascript to execute even from web sites you think you can trust.

      Web developers should stop the knee-jerk use of javascript. The majority of web sites that use it don’t need it.

  3. Javascript is never preferred with anonimity

  4. Far as I know FH was exposed due to the enormous bandwidth consumed by their servers.

    Recall those persons regularly busted for cultivating weed indoors?

    Their ‘lectric consumption for temperature maintenance was so high that the utility area management became concerned and investigated – and thus was obliged to tip off the authorities. Not often does one see a suburban residence or remote farm use as much ‘lectric as a busy factory.

    So it was with FH located somewhere (Ireland, I think it was) remote but needing a huge supply of bandwidth without much much visible commercial activity to justify such consumption. All lea needs do is keep an eye open for such unusual activities and then close ’em down when such activities are illegal.

    Once lea finds a sever with a huge traffic passing through it becomes a simple administrative exercise to obtain a judicial warrant to tap into their ip and thus monitor their activities. Lea has tried to keep this warrant process confidential but it was exposed a few years ago.

    Exploitation of human errors is what law enforcement is all about. It doesn’t need rocket scientists to figure this out.

    Then we also have those johnnies who foolishly believe that tor also makes them invisible outside the of the tor network. They access the regular internet with tor believing themselves now ‘invisible’

    There are also those who stay logged onto a site in order to stay up-to-date with the newest offerings. Such morons make it easy to monitor their entry and exit nodes. Again, it’s not rocket science!

    The trick with tor usage is to get into the network, do your business and then get out – don’t hang around. Tor is about rapid private and accessible communicating. Not for lollygagging around while waiting for dubious persons to notice the illicit offerings.

    There’s very little conspiracy and serious statistical analysis required to trap unintelligent criminals. Criminals, by nature, foolishly signal their activities loudly.
    They move themselves outside the box -and then hope that no one will notice that they’re outside the box. LOL

    Anyone who keeps up with tor news will know how hard the tor enterprise is working in order simply to keep themselves viable and relevant.
    The PC market is too small for tor so they’re now jumping onto the smartphone wagon as well in the expectation that this will engender more support. Very few persons actually ‘need’ tor but tor isn’t really a secure proposition if only a few persons use it.

    And this site with it’s deep-dark-web nonsense is exploitative and designed purely to generate advertising revenues by spreading fake news and conspiracy theories which have only a very tenuous relationship with the real, boring world in which we all live.

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *