Is TOR Starting to Unravel?

A report released earlier this month again brought into question of how secure The Onion Router (TOR) really is. Netizens are used to this type of warning, as this is not the first time that TOR’s security has been brought into the spotlight. However, the legitimacy- or unjust paranoia caused by- this claim has prompted the most popular dark web marketplace to temporarily close its doors.

Is Agora’s Paranoia with TOR founded?

Agora is a typical dark web marketplace. By accessing the site through TOR you gain access to firearms, illicit drugs, and much more. This week they posted to several sites explaining,  “We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again.”

The research they are referencing is a study conducted by researchers at MIT. During the study they created an algorithm that could deanonymize traffic headed to an ‘onion site’ with 88% accuracy. The algorithm was not used on a large scale and several factors limit the attack from being easily attainable.

The attack uses a technique called fingerprinting. Which isn’t new in itself, companies like CitizenLab have been able to use it to identify software distributed by Hacking Team. However, this technique requires time in order for the attacker to build up a database of packet information. Meaning, the algorithm must learn over time what it is looking for- the abnormally large sizes of TOR internet packets- to be able to pick it out effectively.

Not only does the attacker need to spend time collecting data, but they must also control the entry node- of which there are more than 5,000 nodes that could possibly be the entry node- of the target. Of course controlling as many nodes as possible would speed this process up. Nevertheless, this type of attack takes time, money, and some luck to be effective.

The founders and owners of TOR praised the research but said that the limitations pointed to the fact that methods outlined in the study was a long way off from being effective in the wild.

Agora, which is Greek for an open space used for gatherings and marketplaces, has found the possibility of this attack being used, credible. This claim and subsequent shutdown should not be taken lightly. Being that they are quite a large marketplace they will be losing a lot of money everyday they are not operating; and even advised current users to withdraw all their funds from the site. Furthermore, the post also said this, “Vendors, we strongly advice you to abort any orders that haven’t been sent out or processed yet, as we cannot guarantee what will happen with the orders in resolution.”

News of the Agora shutdown and their caution has sent shivers through TOR network users.

IBM Advising Against TOR

Just a day apart, IBM has also released a warning to companies against using TOR. They even go as far as to suggesting that they completely block it from their network.

The reason is that they have seen a marked increase of malicious ‘events’ in the first half of this year. From January to May of this year IBM claims there were over 300,000 events of cyberattacks where the attackers used TOR to mask their origin. Of these, the most popular countries of origin are the US with 200,000, the Netherlands with 150,000, and  Romania with 75,000.

IBM says that companies that use TOR are at a significantly increased risk to attacks like ransomware and Distributed Denial of Service attacks (DDoS).

It seems that the bulk of the attacks are aimed at injecting code into web servers that deliver content to end users. A popular case is that of Jamie Oliver’s, a famous TV chef, website. Malicious code that attempted to download the Fiesta exploit kit onto visitors’ computers that did not have the most up to date Flash, Silverlight, and Java was found to be operating on their website. The site was found to have been running the malicious code for two months before discovered. Even after it was discovered by Malwarebytes and fixed it was found a month later to still be injecting the same code on users’ computers.

More Issues Regarding TOR

As if that wasn’t enough problems for TOR users to think about. You also have the new neighbors known as Darkode to worry about.

Before being dismantled, Darkode was the world’s largest online English crime forum. 70 out of the 250-300 members in 19 countries were arrested, including the suspected site administrator. Later, it came out that the FBI had infiltrated the site 18 months beforehand. The method they used to accomplish this was not released.

Morgan Culbertson, 20, pleaded guilty to charges related to a program called Dendroid. The 20 year old claims to have spent a year developing the program that once installed on an Android phone could; take pictures, record audio, video, and calls, as well as download data like pictures to the attacker. He posted the the malware on Darkode for $300 and charged much more for the source code. Plus, the development of this program may have overlapped with a four month internship he spent at respected FireEye.

There was at least one app on Google Play Store that used Dendroid.

His sentencing is scheduled for December 2nd where he will face a max of 10 years in prison and a $250,000 fine.

The problem for TOR users is that only two weeks after the raid, the site reopened and moved to TOR network. Although criminal activity on TOR is nothing new, having the suspects in a high profile case simply change addresses and open up shop again only draws more attention to the anonymizing service, bringing more heat on those that use TOR for ‘legitimate’ purposes. This only highlights the inherent problem with anonymity-that criminals like it as much as average people, whistleblowers, and journalists.


There is no doubt in my mind, that TOR will continue to be used for some time: especially because the government has a vested interest in its survival. But it is ever increasing as a target for cyber criminals to deliver malicious code, hack netizens’ personal information, and perform attacks in hopes of gaining ransom. Not only that, law enforcement, be it the FBI or other international agencies are consistently looking for a way in as well.

It seems that over time, TOR will increasingly lose its value as a tool for whistleblowers, journalists, and the average user concerned about their privacy as it will be solely populated by hackers and law enforcement trying to stop them. The threat to the user’s hardware and personal information won’t be worth the risk of logging onto TOR.

Feature image courtesy of wikimediacommons

If you take your privacy as seriously as we do, then you should follow @LiquidVPN

You can follow the author @FreelanceTony

Sharing is Caring!