Hansa market capture detailed in-depth analysis

in #darkweb · 7 years ago (edited)

Has TOR been compromised? The technical facts


The Dutch police were fairly open in a press conference on Thursday July 20th, which was published on Facebook. I don't have an account on Facebook but I was able to fetch it with youtube-dl.

The investigation was conducted by the Netherlands Police's Team High Tech Crime and its darkweb team.

The speakers were:

  • Head of the Central Criminal Investigations Division Wilbert Paulissen
  • Cyber Officer of the public prosecutor Martijn Egberts
  • Deputy Director for Europol Wil van Geembert

Let's catch some Alphabay refugees

Colleagues of the FBI were having a press conference at the same time. Hansa was run for 27 days by the Dutch Police. The former Hansa administrators were captured in Siegen, Germany on the 20th of June. But in order not to raise suspicion, Hansa needed to continue to run without a hitch.


Safe Haven Master Plan

What made this operation really special was the strategy developed by the FBI, DEA, the Dutch Police and Europol to magnify the disruptive impact of the joint action to take out AlphaBay and Hansa. This involved taking covert control of Hansa under Dutch judicial authority a month ago, which allowed Dutch police to monitor the activity of users without their knowledge, and then shutting down AlphaBay during the same period.

As soon as authorities shut down AlphaBay, sellers began migrating to other sites, according to Kela Targeted Cyber Intelligence, a Tel Aviv company that specializes in monitoring the dark net.

When AlphaBay was still up and running, competitors Hansa and DreamMarket had about 5,000 new listings a week, Kela said. Once AlphaBay went down, their new listings tripled to approximately 15,000 a week.

Before AlphaBay was seized, there were approximately 150 new listings per week for sellers of heroin or fentanyl on DreamMarket, Kela said. Since AlphaBay's demise, that has jumped to 700 to 800 new listings — a five-fold increase.

Wilbert Paulissen confirms that they were already in contact with the FBI during its takedown of AlphaBay. The most logical thing to do was to team up, wait for the buyers and sellers to migrate to Hansa, and monitor them. The Dutch police then captured the Hansa server in Lithuania, which they then migrated to a server in Holland.

There was just 1 minute of downtime [of the Hansa site]

There were obviously technical challenges but also social engineering challenges. Since the police had to take over the function of moderators without anyone noticing, he explained how they had to act, react and use the proper slang.

Humans need not apply

Nicknames like highQualityWeed or AmsterdamConnection of course do not automatically lead you to the natural person in question

I especially noticed the term "natural person" or straw man the chief of police used.

This highlights the fact that the police actually don't deal with people! You can read more about this in one of my previous posts where I talk about the US, which is not a country but a corporation! There is a proper way out of this mess and that is not creating joinder with the artificially created person. This is actually the real way out of the messy war on drugs, but it takes a lot of learning how the now compromised legal system works.

The Technical glitches of Hansa

Physical transport of goods, but postal addresses were not encrypted

By closing the transaction and providing information of physical addresses for the delivery of goods, that's when buyers run into the most risk. Sellers never have to disclose their physical address, this is not required for the postal service. A seller would surely use a fake address to make sure there is no leading trail.

The user experience (UX) of Hansa was also its weak spot. Most buyers were lazy and did not encrypt their home address themselves with PGP but let the site encrypt their communication. By disabling this server-side encryption, the Dutch police were able to intercept postal addresses and apprehend many people.

Trust in stupid mistakes

But there is more. Not only did the users laud the (new) administration, the Dutch Police even had to celebrate the 2-year anniversary of Hansa market!

Similar foolish mistakes were the reason for the apprehension of AlphaBay admin Alexandre Cazes:

In December 2016, law enforcement learned that Cazes’ personal email was included in the header of AlphaBay’s ‘welcome email’ to new users in December 2014

Trace usernames and login passwords

When a buyer / dealer logged in with password “iselldrugs123” they took note of it then tested to see if that password worked on other markets with the same username. Many dealers and some buyers would have used their PGP key for login and these people wouldn’t have been exposed by this method.

Invizbox writes.

And that's exactly what the Dutch police did.

Choosing targets

This is when it gets murky. The strategy of the Dutch Police was to collect valuable information on high-value targets and delivery addresses for large-volume orders. Martijn Egberts commented, as an example, that someone who ordered 50 pills was not just a buyer but a reseller and had to be tracked and apprehended. I didn't find his answer to be particularly satisfying, especially considering the fact that he is officially representing the legal side. In fact, the whole atmosphere of the press conference was clumsy, with overly stiff and serious actors.

Streams of money

2 Million in the last few days.

Wilbert Paulissen continues to explain how Hansa market's multi-signature escrow worked and that they were able to intercept the keys, so that the money would not go from the buyer to the seller but into the wallet of the public prosecutor. But he does not go into details. Luckily Invizbox, the maker of a TOR router, wrote about the PGP key switcheroo.

The PGP key switcheroo was going to catch out even those who weren’t lazy unless they had previously stored the correct dealer key before. Some buyers did realise the change had occurred (there was at least one thread on reddit warning about it before the big reveal).

A supposedly live video stream of the site is shown, where Martijn Egberts comments on what is being displayed: the admin panel, messages, comments... AmsterdamConnection's transactions and their states are shown. I wouldn't want to be in this vendor's shoes! Simultaneously, in the background, the FBI's press conference in the USA is taking place.

The state as the drug dealer

You think you are safe on the darknet? Not if we are admin
Martijn Egberts makes a case in the press conference by noting that, after internal debate, a trade-off had been made by allowing drug trafficking to take place. We are led to believe that the information obtained was supposedly more valuable than the deals being made right in front of their eyes.

We know that there are big fish in the Netherlands and we'll do everything to catch them

Silk Road has demonstrated what happens when agents go rogue, and I found his statements to be rather weak. It could be summarized that this whole mission was intended to scare drug dealers. His closing argument was that misdeeds (criminal actions) should not pay off.

TOR

You may wonder why the Dutch Police was involved in the first place?

With the help of Bitdefender, an internet security company advising Europol's European Cybercrime Centre (EC3), Europol provided Dutch authorities with an investigation lead into Hansa in 2016. Subsequent enquiries located the Hansa market infrastructure in the Netherlands, with follow-up investigations by the Dutch police leading to the arrest of its two administrators in Germany and the seizure of servers in the Netherlands, Germany and Lithuania.

Unfortunately the Dutch police did not comment on how they found out that the Hansa server was in Lithuania. But they did confirm that they did not find a vulnerability in TOR.

How they figured out that the server was in Lithuania is not yet clear and if it was through a weakness in Tor, we can expect to see more seizures of this nature. I don’t think this is the case or we would have seen more takedowns and / or more high level dealer arrests already.

Invizbox writes.


International cooperation

Deputy Director for Europol Wil van Geembert takes over and explains the international aspect of the operation.

Traditional techniques such as working undercover, financial investigation and observation were combined with modern methods such as big data analysis, tracing virtual currencies and forensic cyber techniques.

Millions have been seized and this had certainly an impact on the criminal underground economy.

European threat assessed this to be an engine of crime.

The trading volume is growing exponentially which is a direct result of how a criminal technical infrastructure is able to not only sustain itself but stay ahead. Therefore we need strong coordinated efforts of international cooperation and I'm glad to say this has been the case with Europol, the United States and members of the European Union.

Unfortunately he is obviously a bit vague

We have provided Europol more than 600 intelligence packages which were sent [per post] to 37 countries [to track] more than 30.000 [drugs] transactions. Investigations in these transactions are either ongoing or will be started soon.

This operation is a huge success and we can say that 1 + 1 is not 2 but more like 3,5

From the Dutch Police website

Accounts with a total of more than 1,000 bitcoins, representing a value of some two million euros, were seized.

On average, 1,000 orders per day were placed in response to almost 40,000 advertisements. Last year, Hansa Market had 1,765 different sellers. Since the authorities seized control of Hansa Market there have been more than 50,000 transactions, mainly involving soft drugs and hard drugs.

Some 10 000 foreign addresses of Hansa market buyers were passed on to Europol.

More than 500 Dutch delivery addresses were reported to couriers and postal services with the intention of stopping the deliveries.

Summary of the capture:

  • the TOR technology was not breached according to the Dutch Police
  • copies of login passwords were made and tried with their respective usernames on other darknet markets
  • buyers' addresses were copied if they had lazily checked the “encrypt” checkbox and not used PGP
  • PGP keys were switched and funds were thus redirected from the sellers to the public prosecutor

This ranks as one of the most successful coordinated takedowns against cybercrime in recent years

Executive Director Rob Wainwright of Europol.

Good security is a sum of its parts

How to make sure you stay you

No mix-up of identities can occur when you sign all your information with your key. But then your recipients, the buyers, should be able to verify that you are still you and not law enforcement. The only way to do that is for your buyers to save your (public) key and keep it secure. Only then can they verify in the future that any new information they read has been signed by you, the seller.
If you make thousands of euros selling drugs to them, are you going to trust your host, in this case the administrators of Hansa market? Or are you going to make sure you stay in a relationship with your customers?

Cut out the mediocre middle man by using signatures and encryption

If you think about it, protecting your account with only a username and password, when even clearnet sites are hacked all the time, is not very smart. A PGP key pair can survive multiple darknet market relocations; you just need a place to publish it which is going to exist for at least a few years, cannot be altered (i.e. is immutable) and does not trace back to you.
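The pinning advice above, as an added worked example written for this edit (it is not code from the post, from Hansa or from Invizbox): a buyer records a seller's signing key on first contact and afterwards refuses anything that arrives under a different key, which is exactly the substitution the PGP key switcheroo relied on. Ed25519 from the Go standard library stands in for PGP; the seller handle is taken from the post, and all keys and messages are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedNotice is anything a seller publishes (a listing change, a "we moved
// to market X" message): the text, the key the seller claims, and a signature.
type SignedNotice struct {
	SellerID string            // handle; "AmsterdamConnection" below is from the post
	PubKey   ed25519.PublicKey // key presented alongside the notice
	Message  string
	Sig      []byte
}

var (
	ErrKeyChanged   = errors.New("presented key differs from the pinned key")
	ErrBadSignature = errors.New("signature does not verify")
)

// Fingerprint is the short value a buyer can note down and compare by eye.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// PinStore is the buyer's local record of seller keys. First contact pins the
// key (trust on first use); every later notice must match that pin, so a key
// relayed by the market in place of the seller's is refused however well it
// is formed.
type PinStore struct{ pins map[string]ed25519.PublicKey }

func NewPinStore() *PinStore { return &PinStore{pins: map[string]ed25519.PublicKey{}} }

func (ps *PinStore) Verify(n SignedNotice) error {
	msg := []byte(n.Message)
	pinned, seen := ps.pins[n.SellerID]
	if !seen {
		// First contact: only self-consistency can be checked. This is TOFU's
		// blind spot; comparing Fingerprint() out of band closes it.
		if !ed25519.Verify(n.PubKey, msg, n.Sig) {
			return ErrBadSignature
		}
		ps.pins[n.SellerID] = n.PubKey
		return nil
	}
	if !bytes.Equal(pinned, n.PubKey) {
		return ErrKeyChanged
	}
	if !ed25519.Verify(pinned, msg, n.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Sign runs on the seller's side; the private key never leaves the seller.
func Sign(priv ed25519.PrivateKey, sellerID, msg string) SignedNotice {
	return SignedNotice{
		SellerID: sellerID,
		PubKey:   priv.Public().(ed25519.PublicKey),
		Message:  msg,
		Sig:      ed25519.Sign(priv, []byte(msg)),
	}
}

// Scenario replays the key-switch case with constructed keys and returns the
// buyer's verdict on four notices: the seller's first and second, one under a
// substituted key, and one that reuses the seller's public key but carries
// somebody else's signature.
func Scenario() (first, second, swapped, forged error) {
	_, sellerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	const id = "AmsterdamConnection"

	buyer := NewPinStore()
	first = buyer.Verify(Sign(sellerPriv, id, "listing updated"))
	second = buyer.Verify(Sign(sellerPriv, id, "shipping resumes Monday"))
	swapped = buyer.Verify(Sign(otherPriv, id, "please use my new key"))

	n := Sign(otherPriv, id, "new shipping policy")
	n.PubKey = sellerPriv.Public().(ed25519.PublicKey) // claims the pinned key
	forged = buyer.Verify(n)
	return
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("fingerprint to compare out of band:", Fingerprint(pub))
	fmt.Println(Scenario())
}
```

The weak point of this model is the first contact: if the market already relayed a substituted key the first time, that key gets pinned. That is why the post's advice to store the seller's key from an independent, immutable place matters; in the model it corresponds to comparing Fingerprint() against a value obtained outside the market.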

Private data like postal addresses, but also a purchasing history such as notes and discounts that you do not want to be public, can be encrypted. If you worry that all your secrets and history would be exposed once your private key is compromised, you could opt for ephemeral (short-lived) keys for encryption and sign them with your private key. This property is also called Perfect Forward Secrecy.

This means that you would encrypt sensitive or private information each time with a different key, but make sure it stayed yours by signing it. This way, if you were ever to have your private / secret key lost, stolen or otherwise compromised, for example during a body search at the airport, any secrets you had left could not all be decrypted with that single key. But you would "lose" your known identity. This is inevitable; once you choose a public/private key pair you protect your chosen identity with it, so that nobody can ever impersonate you.
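The scheme in the last two paragraphs, worked through in Go as an added example (my code, not from the post, Hansa or Invizbox): the long-term Ed25519 identity key only ever signs; for each exchange a fresh X25519 key is minted and endorsed by that signature; the buyer checks the endorsement against the seller identity it pinned, then encrypts the delivery address under the one-off shared secret. Ed25519, X25519 and AES-GCM stand in for PGP, SHA-256 stands in for a real KDF, and the address and all keys are constructed. The last step of Scenario shows the property the text is after: once the seller has discarded the ephemeral private key, the old message cannot be opened even by someone holding the identity key, since that key never took part in the encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUnsignedKey = errors.New("ephemeral key not signed by the pinned identity")

// check panics on primitive failures (rand, cipher setup) a demo cannot recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// SignedEphemeral is a short-lived X25519 public key endorsed by the seller's
// long-term Ed25519 identity, so a buyer who pinned that identity can tell it
// is the seller's own key and not one relayed by the market.
type SignedEphemeral struct{ EphPub, Sig []byte }

// NewEphemeral mints a fresh X25519 key and signs its public half. The private
// half lives only in memory and is dropped once the exchange is over.
func NewEphemeral(identity ed25519.PrivateKey) (*ecdh.PrivateKey, SignedEphemeral) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	pub := eph.PublicKey().Bytes()
	return eph, SignedEphemeral{EphPub: pub, Sig: ed25519.Sign(identity, pub)}
}

// sessionAEAD turns the X25519 shared secret into AES-256-GCM. SHA-256 stands
// in for a proper KDF such as HKDF to keep the example stdlib-only.
func sessionAEAD(mine *ecdh.PrivateKey, theirPub []byte) cipher.AEAD {
	peer, err := ecdh.X25519().NewPublicKey(theirPub)
	check(err)
	shared, err := mine.ECDH(peer)
	check(err)
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	check(err)
	g, err := cipher.NewGCM(block)
	check(err)
	return g
}

// EncryptAddress is the buyer's side: refuse an ephemeral key the pinned seller
// identity did not sign, then encrypt under a one-off shared secret. It returns
// the buyer's own ephemeral public key and nonce||ciphertext.
func EncryptAddress(sellerID ed25519.PublicKey, se SignedEphemeral, address []byte) ([]byte, []byte, error) {
	if !ed25519.Verify(sellerID, se.EphPub, se.Sig) {
		return nil, nil, ErrUnsignedKey
	}
	buyerEph, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	g := sessionAEAD(buyerEph, se.EphPub)
	nonce := make([]byte, g.NonceSize())
	_, err = rand.Read(nonce)
	check(err)
	return buyerEph.PublicKey().Bytes(), g.Seal(nonce, nonce, address, nil), nil
}

// DecryptAddress is the seller's side. It needs the ephemeral private key,
// never the long-term identity key.
func DecryptAddress(sellerEph *ecdh.PrivateKey, buyerEphPub, box []byte) ([]byte, error) {
	g := sessionAEAD(sellerEph, buyerEphPub)
	n := g.NonceSize()
	if len(box) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:n], box[n:], nil)
}

// Scenario runs one order with constructed keys and reports the recovered
// address, whether a key endorsed by someone else was refused, and whether the
// old ciphertext still opens after the seller rotated to a new ephemeral key
// (it must not; that is the forward-secrecy property).
func Scenario() (recovered string, relayedRefused, oldBoxOpensLater bool) {
	sellerPub, sellerPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // e.g. the market's key
	address := []byte("constructed sample address: 12 Example Street")
	sellerEph, signed := NewEphemeral(sellerPriv)
	buyerEphPub, box, err := EncryptAddress(sellerPub, signed, address)
	check(err)
	plain, err := DecryptAddress(sellerEph, buyerEphPub, box)
	check(err)
	recovered = string(plain)
	_, relayed := NewEphemeral(otherPriv) // endorsed by the wrong identity
	_, _, rerr := EncryptAddress(sellerPub, relayed, address)
	relayedRefused = rerr == ErrUnsignedKey
	// Later: sellerEph is gone and a new key was minted under the same identity.
	// The identity key never took part in encryption, so even a captured
	// identity key does not unlock the earlier message.
	newEph, _ := NewEphemeral(sellerPriv)
	_, oerr := DecryptAddress(newEph, buyerEphPub, box)
	oldBoxOpensLater = oerr == nil
	return
}

func main() { fmt.Println(Scenario()) }
```

Run it with `go run`; the results come back from Scenario rather than only being printed. A real deployment would use HKDF for key derivation and would bind the ephemeral signature to a date or order id so that a stale signed key cannot be replayed later.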

Escrow

A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain.

Mark Twain

The multi-signature escrow in the Hansa market meant that if at least 2 out of 3 parties signed, the transaction would finalize, i.e. be sent to the recipient. This was optional for buyers. Since the funds were locked between two or three people it was impossible for the market or law enforcement to steal the funds out of this multi-sig escrow.

For each order Hansa offered "Locktime" transactions, ensuring that the seller could retrieve his funds after 90 days should the market ever go down. If used right, transactions in multi-sig escrow are insured against any losses.
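To make the 2-of-3 rule and the locktime fallback concrete, here is an added Go model of the escrow (my example, not Hansa's code and not a Bitcoin script): three Ed25519 keys, a release that needs two valid signatures, and a seller-only claim path once a constructed locktime has passed. It also shows the limit of the escrow that the press conference hinted at: the contract checks keys, not who holds them, so if the buyer accepted a substituted "seller" key, that key plus the market's is enough to release the funds. All keys, the payout statement and the timestamp are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Roles index the three keyholders of the 2-of-3 escrow.
const (
	Buyer = iota
	Seller
	Market
)

// Escrow models a 2-of-3 multisig payout plus a locktime fallback. Payout is
// the statement the keyholders sign (a stand-in for a Bitcoin transaction);
// LockTime is the unix time after which the seller alone may claim, the
// "market went down" fallback the post describes.
type Escrow struct {
	Keys     [3]ed25519.PublicKey
	Payout   []byte
	LockTime int64
}

// Release is true when at least two distinct roles produced a valid signature
// over Payout. One party alone, the market included, cannot move the funds.
func (e Escrow) Release(sigs map[int][]byte) bool {
	valid := 0
	for role, sig := range sigs {
		if role >= Buyer && role <= Market && ed25519.Verify(e.Keys[role], e.Payout, sig) {
			valid++
		}
	}
	return valid >= 2
}

// ClaimAfterLock is the seller-only path once LockTime has passed.
func (e Escrow) ClaimAfterLock(now int64, sellerSig []byte) bool {
	return now >= e.LockTime && ed25519.Verify(e.Keys[Seller], e.Payout, sellerSig)
}

type party struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newParty() party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{pub: pub, priv: priv}
}

// Scenario builds one escrow with constructed keys and returns, in order:
// marketAlone    the market signs by itself
// buyerSeller    buyer and seller both sign (normal completion)
// wrongSellerKey the seller slot holds a substituted key the buyer accepted,
//                and that key plus the market sign: the escrow releases,
//                because it can only check keys, not who holds them
// earlyClaim / lateClaim   seller-only claim just before and at the locktime
func Scenario() (marketAlone, buyerSeller, wrongSellerKey, earlyClaim, lateClaim bool) {
	buyer, seller, market, substitute := newParty(), newParty(), newParty(), newParty()
	payout := []byte("constructed: release 0.05 BTC to seller for order #1")
	const lock = int64(1_500_000_000) // constructed timestamp

	good := Escrow{Keys: [3]ed25519.PublicKey{buyer.pub, seller.pub, market.pub}, Payout: payout, LockTime: lock}
	marketAlone = good.Release(map[int][]byte{Market: ed25519.Sign(market.priv, payout)})
	buyerSeller = good.Release(map[int][]byte{
		Buyer:  ed25519.Sign(buyer.priv, payout),
		Seller: ed25519.Sign(seller.priv, payout),
	})

	bad := good // arrays copy by value, so good keeps the real seller key
	bad.Keys[Seller] = substitute.pub
	wrongSellerKey = bad.Release(map[int][]byte{
		Seller: ed25519.Sign(substitute.priv, payout),
		Market: ed25519.Sign(market.priv, payout),
	})

	sellerSig := ed25519.Sign(seller.priv, payout)
	earlyClaim = good.ClaimAfterLock(lock-1, sellerSig)
	lateClaim = good.ClaimAfterLock(lock, sellerSig)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The takeaway for a buyer is that the escrow is only as strong as the key placed in the seller slot, which is why the key pinning described earlier and the multisig belong together rather than being alternatives.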

The future is blockchain markets

Actually, Steem is a really good example of how a successful online market could function:

  • an immutable blockchain with a fast response time
  • flagging
  • upvotes
  • comments
  • a fast cryptocurrency

But Steemit (the website) could be compromised

  • it uses passwords, i.e. if Steemit were to be run by law enforcement, they could impersonate me or anyone they'd choose.
  • I don't believe it has escrow or smart contracts
  • witnesses (their IP addresses) are not protected by TOR
  • images are not kept in the blockchain
  • built-in wallet

Building a blockchain (dark) market is a considerable effort. Investors would have to stay cloaked and their funds locked in a smart contract, not unlike Steem's weekly payout system. Developers too would presumably have to stay hidden or cloak their involvement. Hard to say who would want to hire you when you have darknet development on your resumé. I therefore assume such a darknet would begin with a fork of an existing platform and iterate until the technology is mature enough.

In the end it is also worth mentioning that such (dark) blockchain markets provide opportunities for the sale of beneficial goods like (VAT-free) computers and security hardware, and herbal and other FDA-banned medicine. Blockchains can also be used to log clinical trial results or incentivize people to take part in clinical trials with their smartphones full of sensors.

On the other hand such gate-less blockchains could attract the nastiest of the nastiest, like child pornography. But as spammers are voted down and flagged here on Steem, the same could work against similar undesirable effects on (dark) blockchain markets. I was amazed by the bots here on Steemit, and there seem to be some with a quirky personality who wouldn't mind cleaning up someone else's mess!

De één zijn dood is de ander zijn brood

one man’s misfortune is another man’s opportunity

The real victims?

In the months before it was taken down, AlphaBay came under intense scrutiny over the large number of dealers selling synthetic opioids like fentanyl. AlphaBay’s role in the sale of such drugs was detailed in a front-page article in The New York Times last month.

NYT

One victim was just 18 years old when, in February, she overdosed on a powerful synthetic opioid which she had bought on AlphaBay. The drug was shipped right to her house, through the mail.

Jeff Sessions

As sad as these stories are one should be suspicious of what is not being said.

Depressants, opioids and antidepressants are responsible for more overdose deaths (45%) than cocaine, heroin, methamphetamine and amphetamines (39%) combined.

You wouldn't believe what fish oil could do to your mood during the winter but is it being actively prescribed? I smell a rat and I'm sure I'm not the only one. Steemit is a great place filled with people who for one reason or the other have chosen not to go with the status quo.

AlphaBay's unprecedented size for a darknet market, estimating that its nearly 300,000 listings of drugs, stolen credit cards, and other contraband brought in—as a conservative estimate—between $600,000 and $800,000 a day in revenue.

Last but not least, the war on drugs has made more victims than victors. It seems that the Deep State is actively protecting poppy fields in Afghanistan and making billions on the drug trade. So what was the real motivation behind the capture, lost money?


I've put a lot of time, effort and expertise into writing this post! Please resteem if you like it! And I wouldn't mind if some random whale would upvote it either : ) It was challenging but also fun, I learned a lot and dusted off some of my cryptography knowledge.

All the best,

@Nutela



I rarely give full upvotes on posts for other people, but this deserves it beyond a doubt :) Thanks for linking me!

Wow thank you! I really worked hard on it, it was crazy. But more to come :-) I have a secure idea for Darkwebs with PGP and ephemeral keys, signing them with your private key. I already wrote about it in the post. The idea is to communicate securely but have a separate identity for yourself on Darkweb matters, you can encrypt everything and if you ever lose your private key they can't encrypt stuff you encrypted with these ephemeral (temporary) keys. Saving public keys of actors on the Darkweb is key to survival (pun intended). And if one darkweb goes down, you take your identity with you since you should sign any information and messages anyway, you can take that with you as well (if you back it up). And then I'll write about a blockchain based darkweb behind TOR or I2P. Uncrackable baby!

Did I link you? :D I watched your videos for info for sure, you seemed to know the most out of your experience + they were funny to watch :)

Enjoyed the whole post, thank you ;]

Thank you very much, I wrote it like 3 days not nonstop but it was challenging! And rewarding...


Congratulations! This post has been upvoted from the communal account, @minnowsupport, by nutela from the Minnow Support Project. It's a witness project run by aggroed, ausbitbank, teamsteem, theprophet0, and someguy123. The goal is to help Steemit grow by supporting Minnows and creating a social network. Please find us in the Peace, Abundance, and Liberty Network (PALnet) Discord Channel. It's a completely public and open space to all members of the Steemit community who voluntarily choose to be there.

If you like what we're doing please upvote this comment so we can continue to build the community account that's supporting all members.

Wow! That is one of the most detailed posts on this topic I have read. It is even one of the most detailed posts in general on the whole of Steemit that I have read :)
Good work! You deserved my 100% upvote (which is worth nothing) and I will follow you (that is worth a lot :D )

A blockchain based dark market could be interesting but it is a lot of work. I heard that even markets like Alphabay and Hansa were a lot of work. If you want to earn some money you probably wouldn't build a new market based on blockchain technology. Maybe it will need investors from the other side of the law ^^

Haha thank you, it was quite a task putting all the quotes from different sources in an order which would make a good narrative. A lot hasn't been said by the 'official' side, on purpose.

Well I think even an open market could benefit from a fast blockchain, for disputes, who did what and that sort of thing. It's more of a crowd sourced model. Many to many relationships. We are pointing too many fingers at the 1% at the top and not doing anything ourselves.

Hehe thanks!

Awesome post as always dude, but I fear you have missed a trick amongst your evidence collection. All I shall say is look into Tails and its recent updates. Tor may not have been broken, but the Tails project gives me cause for concern ;)

Really? Well thanks, can't say my post were always that good but working on it. Still making shit money haha but hey I really like it here!

What I don't get, or don't see, is the link with Tails, a read-only OS for journos? I bet Hansa was running on either Linux or OpenBSD if they were smart.

I just found some more info:

the FBI are proud of their work. And the win, for the FBI, was likely more rewarding than the Operation Pacifier conclusion. In that operation, their illegal hacking tool ruined many cases. And since they used an email address from a “welcome email” instead of an exploit to eliminate Alphabay, they might get a conviction. Of course, Alphabay marketplace never sent welcome emails—but that is another matter.

https://www.deepdotweb.com/2017/07/20/globally-coordinated-operation-just-took-alphabay-hansa/

Yeah it's easy to follow and easy to read. I'm talking about the latest version of Tails that cannot be auto-updated. Something big must have been changed for it to not auto-update, or maybe it has been compromised.
I read something claiming that Ross Ulbricht got a completely stealth prison transfer around the same time that Hansa was taken over, along with a suspicion that they would need somebody with his skill set to pull off this kind of operation, and it's not like they don't like handing out deals.
Word on the vine is V was compromised sometime last year, and Dream is suspected to already be under LE control.
Personally I have resisted buying from any DNM because I always thought they were all set up by the guberments to catch the dumb and lazy junkies. Yeah I know I over-analyse but it is always better to be safe than sorry. :)
I wouldn't worry about your income, I'm finding it impossible to earn anything more than 1-3 cents per post so far. But we are being censored. I spat my dummy out over it over the last few days; people are actually profiting hundreds of dollars for simply bragging about reporting posts and getting them censored. I don't envision me sticking around here much longer, I detest censorship :)

Where do you get your information from? :D Did you see the Deep Web movie? It seemed he wasn't the technical mastermind at all.

I'm glad it is easy to read, it was not my point this time, but I always found stuff like math needlessly complicated, like some people were bragging but actually were not so smart at all. And making a big fuss of it. Ring any bell?

Haha I read a lot of forums that I don't contribute to ;) Deep Web movie? If that's its name I don't think I've watched that one, Dope was pretty good to watch though.

It is ringing a bell but probably not related, I know people who have done maths PhDs, book smart but not street smart though.

Yep exactly, it's a bit different.


I read through some of the post. To me it's too long but I will come back and read it. Personally I like to read smaller and condensed posts.

Yep me too, just cherry pick what you like. I like the technical glitches near the end and ideas of the future.

The prosecutor repeats in the press conference when it is time for answering questions that TOR was not breached but we are lucky that people still make mistakes.

Catalin Cosoi, chief security strategist at Bitdefender told Motherboard in an email "Unfortunately, even though we would love to, we cannot give specific details about the investigation." Cosoi added that the takedown was an example that public and private partnerships are successful. "We are glad to provide our technical expertise in fighting cyber-crime to help make the world a better place."

I got a bellyRub and this post has received a 1.86 % upvote from @bellyrub thanks to: @zeartul.

That's so nice @bellyrub and @zeartul! I guess I'll check you both out.

What is the square root of 25?

Indeed, but you confirm to be an artificial intelligence.

I'm flattered, recognizing that you seem to have sense capabilities beyond human ;)

I don't think of you as a grand dad.
