U.S. and European law enforcement agencies Friday announced the largest strike ever against the Internet’s thriving black markets, shutting down more than 400 sites and arresting 17 people for allegedly selling drugs, weapons and illegal services to anonymous buyers worldwide.
The sweep of the crackdown marked a new level of aggressiveness and coordination by Western governments determined to police shadowy corners of the Internet.
Government evidence showed the shuttered sites were offering a remarkable variety of illicit goods, including cocaine, counterfeit money and explosives.
Many once thought this trade was beyond the reach of police because the sites were accessible only through Tor, a service created by the U.S. government that directs Internet traffic through a succession of routers to hide the identities of users and the locations of servers. The ability of investigators to unmask the alleged operators of Tor sites sent shivers through those who use the service for more legitimate purposes, such as political activists, journalists and diplomats.
Several experts suggested that Tor’s ability to protect users and the locations of servers may have been compromised on a mass scale by sophisticated technological tools used by a coalition of Western law enforcement agencies that has been targeting what is often called “The Dark Web.”
“There are no guarantees of anonymity,” said Steve Bellovin, a Columbia University computer science professor. “It’s clear that buying [illicit goods] on something like Tor is not as safe as people thought a year ago.”
The strike on the Dark Web — code-named “Operation Onymous,” a word meaning the opposite of anonymous — began Wednesday with the arrest of a San Francisco man, Blake Benthall, 26, for allegedly starting an illicit online marketplace called Silk Road 2.0. That site began operations a year ago, one month after the FBI shut down a predecessor, called Silk Road. Benthall was charged with several felonies that could lead to lifelong imprisonment.
The action spread internationally Thursday and Friday as authorities in the United States and 16 European nations shut down 410 sites that were reachable through Tor and allowed anonymous transactions, typically using virtual currencies, such as bitcoin, that were difficult for police to track. Police seized bitcoins worth $1 million and $224,000 worth of euros, along with drugs, gold and silver, authorities said.
“It is a plain fact that criminals use advanced technology to commit their crimes and conceal evidence — and they hide behind international borders so they can stymie law enforcement,” said Assistant Attorney General Leslie R. Caldwell in a statement. “But the global law enforcement community has innovated and collaborated to disrupt these ‘dark market’ websites, no matter how sophisticated or far-flung they have become.”
The sites, with names such as “Hackintosh” and “Pablo Escobar Drug Store,” were found in England, Germany, France, Bulgaria, Spain and Switzerland, among other nations, according to Europol, the European Union’s law enforcement agency.
“We are not ‘just’ removing these services from the open Internet; this time, we have also hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach,” said Troels Oerting, head of the European Cybercrime Centre, part of Europol. “We can now show that they are neither invisible nor untouchable. The criminals can run, but they can’t hide. And our work continues.”
Tor — a name that began as an acronym for “The Onion Router” because it wrapped Internet traffic in protective layers of encryption to hide a user’s identity — was developed by the U.S. Naval Research Laboratory and is run by a nonprofit group that receives State Department funding.
It is popular among privacy activists despite its limitations. A planned talk at a security conference this summer, by researchers at Carnegie Mellon University, was slated to reveal ways that attackers could identify Tor users — a process called “de-anonymization.” The talk was abruptly canceled, raising suspicions that the techniques were unexpectedly sensitive.
That incident generated considerable discussion in the online privacy and security community Friday as news of the crackdown spread. Yet many experts said the takedown may have been unrelated to the Carnegie Mellon de-anonymization techniques because there are numerous ways to potentially target illegal sites on Tor, including some traditional ones such as recruiting informants.
Andrew Lewman, executive director of the Tor Project, which runs the service, said in an e-mail that it does not condone its use for illegal purposes and that it was unclear how authorities discovered the operators of the illicit sites.
“We don’t have any more information. It seems old fashioned police work continues to work well,” he said. “Until we have more details, we cannot speculate any further.”
The investigation took at least two years, said individuals familiar with the matter, who spoke on the condition of anonymity in order to speak freely. The actual takedown of the illicit sites was highly coordinated and took place within one hour.
Court orders and search warrants had to be coordinated. Key alleged operators, such as Benthall, had to be in custody. Anyone going to one of the actual sites will now see a message saying the site was seized by the U.S. government or the relevant law enforcement agency in that country.
Rodney Joffe, a senior vice president of Neustar, a data analytics firm in Northern Virginia, said: “This is a big deal. They just hit a large number of bad guys internationally who thought they were operating below the radar. What it does is send a really big message that operating on the Dark Web isn’t a guarantee of your staying out of sight. They all thought this was a new domain where, ‘We can operate for many years without anyone going after us.’ They just learned that’s not the case.”
Experts said there were several possible avenues of attack, including using an undisclosed flaw — typically called a “zero-day” — to gain access to computers on the Tor network. It also would be possible, the experts added, to gradually test possible routes through the Tor network over time by tracking certain data packets to map out how traffic flowed.
The National Security Agency has put considerable energy into penetrating Tor, The Washington Post reported last year based on top-secret documents provided by former NSA contractor Edward Snowden.
The FBI and its European partners declined to explain how their operation worked, fueling the speculation.
“I am 95 percent certain that they performed a massive de-anonymization attack on Tor hidden servers and were able to shut down all their targeted servers in the U.S., Europe or anywhere else where U.S. law has meaning,” said Nicholas Weaver, a computer science researcher at the University of California at Berkeley.
Weaver said the operation probably reached its limits in nations that have cool relations with the United States, such as Russia, long a hotbed of illegal activity on the Internet. He predicted that Russia’s reputation as a safe haven from U.S. law enforcement activity would only grow after this week’s crackdown.
Andrea Peterson contributed to this report.