A third of the 414 dark net addresses seized in Operation Onymous may have simply been ‘cloned’ sites with no actual illicit commercial activity taking place on them, according to new research by independent security analyst Nik Cubrilovic.
In a blog post presenting his findings, Cubrilovic says 11 dark markets with commercial activity taking place on them remained operational, while their clones had been seized.
“Some of these sites were mentioned in the FBI press release … as having been taken down when in fact the clones were seized,” he adds.
According to Cubrilovic, the markets named by the FBI release that are still trading are Executive Outcomes, FakeID and Fake Real Plastic.
Operation Onymous was a sweep through dozens of dark markets involving law enforcement agents from 16 European countries and the United States.
Some $1m-worth of bitcoins were seized, along with €180,000 in cash, gold, silver and narcotics. Bitcoin is the de facto currency of the dark markets.
The Onion Cloner bot
One reason for the existence of cloned sites could be the use of a bot called Onion Cloner, which became popular among dark-website operators in May. Dark net addresses are known as ‘onion’ addresses.
Onion Cloner found and copied dark websites so that its operator could steal passwords or bitcoin transactions, Cubrilovic argues.
Some 133 sites seized by law enforcement were clones, Cubrilovic says, and a large proportion were produced by Onion Cloner. In fact, Cubrilovic concludes that all Onion Cloner sites in existence had been swept up in Operation Onymous.
Cubrilovic, who worked with two associates, also disputes the official figure from law enforcement that 414 dark net addresses were seized. He found 276 seized addresses after independently assessing the extent of dark net seizures.
How law enforcement agents did it
Cubrilovic also offers a theory about how Operation Onymous was conducted. This has been a subject of some concern as it is possible that law enforcement officials have successfully ‘broken’ the anonymity afforded by the Tor network, where dark websites are run.
The security researcher argued that the large number of cloned websites caught up in Onymous’ net suggests that the operation was a “broad, untargeted sweep” instead of an effort to nab specific illicit marketplaces.
Therefore, instead of finding a dark market’s onion address and then tracing it back to a host server to capture the operator, law enforcement agents appear to have done the opposite – identifying specific hosting companies and then seizing the hidden sites they serve.
Cubrilovic says that he will publish the details of the affected hosting companies. He is also speaking to the hosts in an effort to uncover the techniques used by law enforcement agents in conducting Onymous.
Featured image via Cliff / Flickr