Third of Sites Seized in Operation Onymous Were 'Clones'

Operation Onymous seized more than 100 'cloned' sites, where no illicit trading was taking place, a security researcher has found.

Nov 18, 2014 at 12:33 p.m. UTC
Updated Sep 11, 2021 at 11:20 a.m. UTC

A third of the 414 dark net addresses seized in Operation Onymous may have simply been 'cloned' sites with no actual illicit commercial activity taking place on them, according to new research by independent security analyst Nik Cubrilovic.

In a blog post presenting his findings, Cubrilovic says 11 dark markets with commercial activity taking place on them remained operational, while their clones had been seized.

"Some of these sites were mentioned in the FBI press release ... as having been taken down when in fact the clones were seized," he adds.

According to Cubrilovic, the markets named by the FBI release that are still trading are Executive Outcomes, FakeID and Fake Real Plastic.

Operation Onymous was a sweep through dozens of dark markets involving law enforcement agents from 16 European countries and the United States.

Some $1m-worth of bitcoins were seized, along with €180,000 in cash, gold, silver and narcotics. Bitcoin is the de facto currency of the dark markets.

The Onion Cloner bot

One reason for the existence of cloned sites could be the use of a bot called Onion Cloner, which became popular among dark-website operators in May. Dark net addresses are known as 'onion' addresses.

Onion Cloner found and copied dark websites so that its operator could steal passwords or bitcoin transactions, Cubrilovic argues.

Some 133 sites seized by law enforcement were clones, Cubrilovic says, and a large proportion were produced by Onion Cloner. In fact, Cubrilovic concludes that all Onion Cloner sites in existence had been swept up in Operation Onymous.

Cubrilovic, who worked with two associates, also disputes the official figure from law enforcement that 414 dark net addresses were seized. He found 276 seized addresses after independently assessing the extent of dark net seizures.

How law enforcement agents did it

Cubrilovic also offers a theory about how Operation Onymous was conducted. This has been a subject of some concern as it is possible that law enforcement officials have successfully 'broken' the anonymity afforded by the Tor network, where dark websites are run.

The security researcher argued that the large number of cloned websites caught up in Onymous' net suggests that the operation was a "broad, untargeted sweep" instead of an effort to nab specific illicit marketplaces.

Therefore, instead of finding a dark market's onion address and then tracing it back to a host server to capture the operator, law enforcement agents appear to have done the opposite – identifying specific hosting companies and then seizing the hidden sites they serve.

Cubrilovic says that he will publish the details of the affected hosting companies. He is also speaking to the hosts in an effort to uncover the techniques used by law enforcement agents in conducting Onymous.
