Computer Security

Share this article:

Computer Security

  • Join our comunity:

Law Enforcement is on a Tor Offensive

By: , Posted on: November 14, 2013

200px-Tor-logo-2011-flat.svgOn October 2, 2013, media reported the arrest of the alleged leader behind Tor’s Silk Road, Ross Ulbricht, aka, Dread Pirate Roberts (DPR). Last week we saw another arrest, this time the suspect, Matthew Crisafi, was allegedly selling semi-automatic weapons on another underground site, Black Market Reloaded. The general public, fueled by news media and the entertainment industry frequently assumes that these crimes are solved in the same time-frame as a TV show or movie. We often overlook or gloss over statements, such as year or two year long investigation and hone in on the bad guy was arrested today. These recent Tor arrests should not be taken to mean law enforcement just started to take notice to Internet crime on the anonymous Information highway known as Tor.  To the contrary, law enforcement have been working these cases for a while now.  Let’s briefly examine these Internet investigations centered on the area known as Tor.

  • In April of 2012, the two-year investigation, “Operation Adam Bomb” resulted in a twelve count federal indictment against eight men who allegedly ran “The Farmer’s Market”, a drug market on Tor which hooked up sellers and buyers in 34 countries. The Farmer’s Market, originally known as Adamflowers, moved from using hushmail to Tor in 2010. Unlike, the Silk Road, the Farmer’s Market accepted cash, Western Union and PayPal transactions. This investigation involved law enforcement agents from several U.S. states and several countries, including Colombia, the Netherlands and Scotland. The investigation, in part, involved an undercover agent who bought drugs through the site.
  • Sometime prior to July 2012, Australian Customs and Border Protection Service intercepted a number of packages bound for Paul Leslie Howard, which they opened and found a total of 46.9 grams of pure MDMA and 14.5 grams of cocaine. This was enough for a warrant, which was executed on July 12, 2012. Located were scales, baggies, a money counter, $2,300 in cash, and 35 stun guns disguised as mobile phones. Additionally, they found real mobile phones, with thousands of  incriminating text messages like “I got 5 grand worth if you want” and ” … promote the LSD I got more in. I sold 200 cubes last week.” Howard later plead guilty to 32  counts of possessing a controlled weapon, importing a marketable quantity of a border-controlled drug and trafficking controlled drugs.
  • In April 2013, federal agents commenced an investigation into illicit weapon sales on  Black Market Reloaded. In May 2013, an undercover agent made online contact with a seller and arranged to purchase semi-automatic weapons for bitcoins. The investigation involved not only the undercover communication but the involvement of the U.S. Postal Inspection Service as the packages were sent via U.S. Mail. The investigation resulted in the earlier noted arrest of  Matthew Crisafi.
  • In August of 2013, Freedom Hosting, a particularly nasty illegal Tor site, began sending out an error message with hidden code embedded in the page. It turns out that the servers hosing Freedom Hosting, were taken over by the FBI in July of 2013. The embedded code exploited a security hole in Firefox to identify Tor users by reporting back to a mysterious server in Northern Virginia.  The Freedom Hosting’s operator is currently fighting extradition to the United States, where he faces serious criminal allegations. Look for more arrests and indictments as law enforcement follow up on the results of their Tor unmasking efforts.
  • October 2, 2013, we have the arrest of Ross Ulbricht, allegedly Silk Road operator. Media reports reflect this arrest was the collimation of a two year investigation. The investigative effort included Internet research  which revealed Ulbricht may have been initially been identified as he used his personal e-mail account in some early efforts to promote Silk Road. The investigation also included over 100 undercover purchases of  drugs. After Ulbricht’s arrest, eight more suspects were apprehended in  Britain, Sweden, and the United States. Again, look for more arrests as law enforcement continues to dissect and follow up on the leads generated from this case.

It should be clear by now Tor criminal activity has not gone unnoticed by law enforcement. We have investigative efforts going back at least to 2012. But hasn’t Tor been around since about 2002?  Tor Hidden services, where these illegal activities are occurring, started in 2004. However, remember that initially using Tor and getting to the hidden services was not for the technically faint of heart. This began to change in about 2008, when Tor became more user friendly with the introduction of a bundled browser.

By 2010, we have the above noted Farmers Market moving to Tor, with arrests occurring in 2012. Silk Road started up in 2011, with indictments and arrests occurring in 2013. Freedom Hosting has been around since at least 2010. It was reported in 2011 that it was attacked by Anonymous due to its illicit material and services. So law enforcement had to be aware of it existence due to this well publicized hacking attack. Again, an arrest occurs in 2013.  BlackMarket Reloaded, was launched in 2011. However, its code was “leaked” in 2013, resulting in a brief shutdown. Apparently there is no honor about criminals. Whether it resumes at full speed, with site owners eventually being arrested, is anyone’s guess. So as Tor gets easier to use and more criminals start using it. This is the same pattern that we have seen repeated in all manner of cybercrime.  The easier the technology gets to use more folks find criminal uses for it. Read more about Tor in the sample chapter provided below:

Download (PDF, Unknown)

We also see a common time frame of about two years between the illicit site start up,  its takedown and arrest of its operators. Investigations involving individuals, such as the Paul Leslie Howard, (Australian drug dealer) and Matthew Crisafi (suspected BlackMarket Reloaded arms dealer) are resulting in arrests at a much faster rate, typically in six months or less. These time-frames are somewhat consistent with similar criminal investigations occurring in the brick and mortar world.

There are other commonalities in these investigations. Many involved undercover work. There is also the background type inquires to locate identifying information about suspects occurring, as noted in the Silk Road case. Additionally, we have the tracking and surveillance of packages to suspects.  These are common investigative law enforcement techniques.  The really only new and novel technique here is the Freedom Hosting tracking exploit. But then in the end this technique will be followed with tracing IP addresses and traditional investigative work to get the evidence needed for an arrest and conviction. (Todd and I discuss all these investigative techniques in our book, providing new and experienced officers a one stop text for working these cases.)

Additionally another factor is coming out. Although many of these cases involve federal or national law enforcement agencies, they frequently also involve police from all levels in numerous jurisdictions. Many of these cases, such as the Freedom Hosting and quite possibly, the Silk Road case, are going to provide investigative leads to others involved in Internet crime. The feds can’t work all of these cases. Local law enforcement will no doubt help follow these leads up.  Additionally these illicit websites are selling to someone, somewhere, in the “real” world. Local law enforcement may arrest the next criminal in their community, who is dealing with someone on an illicit Tor site, starting the next round of Tor centered investigations. These cases aren’t going away. Silk Road 2.0 is already up and running. Clearly, law enforcement at all levels has a part to play in working these Internet cases. Todd and I are confident they can learn the techniques needed and that is why we wrote our book. We believe these enforcement efforts will make the Internet and our communities safer places. On that thought I think I will light up a good cigar!

Investigating Internet Crime

If you liked this blog post and Art’s sample chapter on Tor, you can pre-order your very own copy of Art’s new book, Investigating Internet Crimes, 1st Edition: An Introduction to Solving Crimes in Cyberspace at a 30% discount. Just enter discount code “STBCNF13” at checkout.

About the Author

art bowker biopicArt Bowker (@Computerpo) has over 27 years’ experience in law enforcement/corrections and is recognized as an expert in managing cyber-risk in offender populations. In addition to co-writing Investigating Internet Crimes, 1st Edition: An Introduction to Solving Crimes in Cyberspace, he is also the author of The Cybercrime Handbook for Community Corrections: Managing Offender Risk in the 21st Century.

Art is a lifetime member of the High Technology Crime Investigation Association (HTCIA) having served on its Executive Committee, including as President in 2008. In 2013, he received the American Probation and Parole Association (APPA) Sam Houston State University Award for his writing contributions to promote awareness of cybercrime and tools for helping the community corrections field combat computer crime. Additionally, Art was recognized as the 2013 Great Lakes Region, Thomas E. Gahl Line Officer of the Year by the Federal Probation and Pretrial Officer Association for his work in the cybercrime area. You can learn more about Art, his work and interest at his website,

References/Further Reading


Connect with us on social media and stay up to date on new articles

5 thoughts on “Law Enforcement is on a Tor Offensive

  1. Pingback: Viewpoints
  2. “Freedom Hosting” was not a “particularly nasty illegal Tor site” at all – that is an ignorant description for s supposedly expert author. It was a web hosting service like Amazon’s or many others. A hidden service could be full of cat videos or boring vacation photos for all the web hosting service knows. Many hidden services have been hosted on Amazon or other major web hosters – those hosting services should not be held responsible anymore than the postl service should be held responsible fr contraband in the mail . The alleged difference with Freedom Hosting is they actively advertised that they would host hidden services and it turned out many of their customers were running illegal sites on those hidden services. But it was the *customers* who ran the illegal sites. The legal and moral issue is whether or not Freedom Hosting knew about these.

Comments are closed.

Computer Security

Securing computer systems is crucial in our increasingly interconnected electronic world. With so many business, consumer, and governmental processes occurring online, a growing potential exists for unauthorized access, change, or destruction of those processes. For years, Elsevier’s Syngress imprint has helped computer and information security professionals learn theory, strategy, and tactics for protecting digital assets in this constantly evolving field. Our books and eBooks in areas such as info security, digital forensics, hacking and penetration testing, certification, and IT security and administration. Click here for Syngress companion materials Click here for access to our archive of free eBooks, booklets and downloadable PDFs for Syngress and Computer security content. Access companion materials and instructor’s resources for all our books from the Elsevier Store. Search by author, title or ISBN, then look for the “Resources” tab on any book page.