ARTICLE PRESENTED BY
Thought Leadership Compendium
DARK WEB INVESTIGATIONS: TRACKING CRIMINAL ACTIVITY BEYOND TOR
DR. GARETH OWENSON, SEARCHLIGHT CYBER
SLCYBER.IO
When we discuss dark web investigations, we are usually talking about activity that takes place on The Onion Router (Tor) Hidden Services. This is because Tor is the most prolific dark web network used by criminals to host dark markets and hide their various illegal activities. However, its notoriety has brought it attention. Recently, blocking and Denial-of-Service (DoS) attempts against the Tor network, along with its low latency, have caused disruption to the criminal activity that takes place on the dark web.
These conditions may lead criminals to migrate to other dark web privacy networks, such as the Invisible Internet Project (I2P) and ZeroNet, to achieve the same goal of acting anonymously in the hope of evading law enforcement. This will require those carrying out dark web investigations to familiarize themselves with these networks in order to ensure there are no “safe havens” online for criminals to evade justice. For the purposes of this article we are going to take a closer look at I2P, a dark web network that we have observed forum operators testing.
First, Tor: the best known and most commonly used dark web network. Tor was originally developed at the U.S. Naval Research Lab to enable secure communication and is now maintained and managed by a non-profit organization called The Tor Project. It is a privacy network and free software that offers more anonymous internet activity than standard web browsers. It also hosts sites that are inaccessible through standard web browsers, known as Hidden Services or onions.
Tor achieves its anonymity through a process known as onion routing. When using Tor to access a website, data is encrypted in multiple layers, like an onion, before being sent through the onion routing network. Unlike a standard HTTPS connection, onion routing sends the packets of encrypted data through multiple servers, also called relays or nodes. These nodes are located around the world, obscuring the user’s true location. As the data passes through each node, a single layer of encryption is removed. When the data eventually reaches the website’s server, its original location is not known, protecting the user’s anonymity.
Although ostensibly maintained for privacy advocates, the most prominent users of Tor are criminal actors taking advantage of the perceived anonymity of the network to evade law enforcement, including fraudsters, hackers, and those producing, distributing, or consuming CSEA (child sexual exploitation and abuse) content. As well as online marketplaces, criminals use dark web forums to take part in discussions, knowledge sharing, and reviews relevant to their particular criminal niche.
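The layered encryption described above, as an added illustration that is not part of the original article and is not Tor's actual protocol: a toy stream cipher (SHA-256 keystream XOR) stands in for the real per-hop ciphers, the relay names and destination label are constructed, and the per-relay keys are assumed to be pre-shared rather than negotiated by Tor's circuit handshake. Each relay can open only its own layer and learns just the previous and next hop; only the final relay sees the destination and payload.

```python
"""Toy model of onion routing: one encryption layer per relay.

Added illustration, not Tor's real protocol. A hash-based XOR stream
cipher stands in for the per-hop ciphers, and per-relay keys are assumed
to be pre-shared rather than negotiated by a handshake.
"""
import base64
import hashlib
import json
import os


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || counter) blocks. Symmetric, so the
    same call both encrypts and decrypts. Illustration only, not a
    cipher for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination, payload: bytes, keys) -> bytes:
    """Wrap payload in one layer per relay, innermost first.

    path: relay names in forwarding order; keys: relay name -> key.
    Only the innermost layer names the destination and carries the
    payload; every outer layer names just the next relay."""
    layer = {"next": destination, "payload": base64.b64encode(payload).decode()}
    blob = toy_cipher(keys[path[-1]], json.dumps(layer).encode())
    # Wrap outward: the layer for relay N-1 names relay N, and so on.
    for relay, next_hop in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = {"next": next_hop, "inner": base64.b64encode(blob).decode()}
        blob = toy_cipher(keys[relay], json.dumps(layer).encode())
    return blob


def peel(relay, blob: bytes, keys):
    """Remove the one layer this relay's key can open.
    Returns (next_hop, inner_bytes, is_last_hop)."""
    layer = json.loads(toy_cipher(keys[relay], blob).decode())
    if "payload" in layer:
        return layer["next"], base64.b64decode(layer["payload"]), True
    return layer["next"], base64.b64decode(layer["inner"]), False


def simulate(path, destination, payload: bytes, keys):
    """Forward the onion along the path, recording what each relay sees:
    who handed it the data and where it forwards it.
    Returns (views, delivered_payload)."""
    blob = build_onion(path, destination, payload, keys)
    views, sender, delivered = [], "client", None
    for relay in path:
        next_hop, inner, is_last = peel(relay, blob, keys)
        views.append({"relay": relay, "from": sender, "to": next_hop})
        if is_last:
            delivered = inner
        else:
            blob, sender = inner, relay
    return views, delivered


def no_relay_links_both_ends(views, destination) -> bool:
    """The anonymity property: no single relay observes both the client
    and the destination."""
    return not any(v["from"] == "client" and v["to"] == destination
                   for v in views)


if __name__ == "__main__":
    path = ["relay-1", "relay-2", "relay-3"]   # constructed relay names
    dest = "example-hidden-service"            # constructed destination label
    keys = {r: os.urandom(32) for r in path}   # assumed pre-shared per-hop keys
    views, delivered = simulate(path, dest, b"GET / HTTP/1.1", keys)
    for view in views:
        print(view)
    print("delivered:", delivered,
          "| one relay sees both ends:", not no_relay_links_both_ends(views, dest))
```

Running it prints each relay's view: the first relay sees the client but only the next relay, the last sees the destination but only the previous relay, and the outer ciphertext contains neither the destination nor the payload. That is the property that prevents any single node's logs from identifying both ends of a connection.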
Dark Web Investigations // Tracking Criminal Activity Beyond Tor Searchlight Cyber
THE INVISIBLE INTERNET
The Invisible Internet Project (I2P) is an anonymous network layer designed to facilitate private communication between its users. Like Tor, it routes traffic through a series of proxies to conceal the identity of the user and their location. However, there are differences in how it is used that investigators should be aware of.
One of the key characteristics of I2P is that it is a decentralized, peer-led network, where users contribute to the bandwidth of the network and also volunteer to act as “nodes”, routing the traffic of other users so that it is difficult to trace. This distinguishes it from Tor, which takes a partially centralized, directory-based approach.
Another key distinction is that I2P is not designed for anonymous browsing of the internet, as Tor is. It does not allow its users to connect through it to the internet directly. In that sense, I2P is a closed loop: designed for users to interact anonymously within the network, but not outside it. Therefore, the main use of I2P is for the websites built on the network, the equivalent of Tor Hidden Services, which are concealed from the internet at large. Where Tor sites end in .onion, I2P’s end in .i2p. I2P also claims that its sites are optimized to run faster than those on Tor, which is one of the reasons criminals may move to the platform.
THE DREAD FORUM
In 2022 we observed users of the popular dark web forum Dread migrate to its I2P mirror as an alternative to its Tor onion. Dread is a Reddit-style forum that includes conversations on criminal topics that would be banned from a website on the clear web, including discussions around the use of dark web markets and scamming techniques. Almost since its inception, it has been plagued by DoS attacks, and its administrator confirmed that the forum’s most recent downtime was the result of a persistent actor targeting its onion site. While criminal infighting is very common on the dark web, what is significant about this case is the move to I2P by a forum as prominent as Dread, which warrants a closer look by law enforcement at the use of I2P for criminal activity.
MONITORING I2P
Tor’s “market leading” position, as well as other factors such as its ease of use, mean that it is unlikely to be replaced by I2P or any other dark web network in the near future. However, its high profile makes it a target, and we could well see cybercriminals use multiple dark web networks, such as I2P, simultaneously to maintain their operations, as the administrators of Dread have done. I2P’s own data shows that the number of routers (i.e. nodes) on the I2P network peaked at more than 45k in January 2023, up from 30k in January 2022. While these numbers remain small compared to Tor, which has millions of users, they clearly show growing use of the network. For law enforcement agencies that are trying to crack down on online crime, it is important to understand how I2P and other dark web networks work. The criminal underground is always evolving, and keeping a close eye on new trends is imperative to stay on top of emerging threats.
WWW.PSCOUNCIL.ORG