[Complaint/Warning] Warning about Vendor URL de-anonymization, possible high level attack

Disclaimer: This is a theory based on known evidence of the SR2 vendor URL arrests.

I read about vendors accessing DNMs through the vendor URLs. While the market is painfully slow for buyers, the vendor URL runs extremely fast and lets vendors access the DNM to conduct activities. I don't want to spread fear unnecessarily, but this could be a trap.

We've seen this trap executed before on SR2. So there is proof that law enforcement can and will use this method of interception. Looking at all the unproven analysis we have on how LE operate, what we know for certain is that a method LE has used successfully before, they will use again for the same or better results. This is how we can predict the movements of LE.

Vendors who used the SR2 vendor URL were arrested. Doctor Clu was also arrested and he used the vendor URL. The link between the arrests and the identification of the arrested users was found and confirmed to be the vendor URL.

Without the vendor URL, buyers and vendors are less distinguishable. Vendors can be distinguished when using a vendor URL because only the vendors access the website there. So users identified accessing the vendor URL are expected to be exclusively vendors, and we know these users are the main targets of law enforcement operations.

The DDOS has prevented buyers from accessing the DNMs but allowed vendors to use them with faster vendor URLs. This looks like a calculated and targeted attack. The markets are prompted to implement vendor URLs which are watched. How? I don't know. But remember that the "vulnerability" or method used to identify vendors from the SR2 vendor URL was never patched.


Edits: Clearly stated as a theory. It's not possible to produce evidence of a covert LE operation. So think about what proof you are asking for before demanding it. The only thing that has kept this community at least marginally safe has been predicting the moves of law enforcement by looking at their prior movements and drawing logical conclusions. That's all this post is, drawing logical conclusions from known evidence.

Calculated attack or not, the exclusive vendor URLs are a bad idea.


Edits: Insider code indicates a Tor vulnerability able to de-anonymize users, exactly what I specified could theoretically happen through the vendor URL attack. Not all the markets; some would be decoys. There's only one or maybe two markets that have implemented exclusive vendor URLs. I also think the Evo migration was a good cover for the DDOS attacks. By the time we realized that the Evo migration alone could not be 100% responsible for the DDOS, the attack had been performed and concluded. I see posts that the DDOS attack has now concluded.

My theory: The Evo exit scam caught law enforcement off-guard. It was unexpected, but LE realized the Evo migration could be the perfect cover for a DDOS de-anonymization attack. This is why the markets worked normally for 5 days following the Evo exit scam. LE was unprepared for Evo to disappear (as evidenced by their rushed subpoenas of Reddit accounts related to Evo informants) but lunged at the rare opportunity for a logical cover to mask their attack: mass Evo migration leading to stressed hidden services. LE worked as fast as possible despite being unprepared and began their DDOS attack 5 days after the Evo scam.

You are correct though /u/Mrg13 - an insider code attack using the vendor URL would mean the hidden service was compromised. More reason than ever that exclusive vendor URLs are a bad idea.


Comments


[15 Points] _Colorado_:

Good luck, I'm behind 7 proxies.


[13 Points] None:

You guys really think there would be proof of what LE is doing? If so, we could stop all the attacks and arrests. It's always good to stay on our toes and never get careless. Thank you N918 for this post. Seems like this subreddit is beginning to get sloppy and thinking nothing like this could ever happen.


[5 Points] None:

[removed]


[4 Points] Theeconomist1:

My theory: The Evo exit scam caught law enforcement off-guard. It was unexpected, but LE realized the Evo migration could be the perfect cover for a DDOS de-anonymization attack.

Now this makes a ton of sense. This I think is fairly likely. It's not way out there, and given what we have in terms of facts (next to none), I think this sounds like a great contender for what went on.

One thing that might help support it, and I don't have solid stats on this (maybe selection does from DNStats), but I seem to recall that Agora ran pretty well right after Evo collapsed. The first few days were actually not bad at all. I was able to get on Agora whenever I wanted. Now I would have figured the mass exodus would have begun almost immediately and granted, many vendors were still trying to get on some footing again with a new market, I imagine that a shitload of customers were still hitting Agora b/c, well, b/c we are drug users. I know I was on Agora a lot that first week or so. The dates kind of blend together but I want to say Agora was fine for a week, but maybe it wasn't that long before it had problems. If I'm right about this, your theory makes even more sense. The mass exodus begins almost immediately after the fall of Evo. LE is caught off guard so they aren't ready right at that moment to begin a DDoS attack. They get their shit together and by then 3-7 days pass (I can't remember the exact dates, but I do have a decent idea) and the attack begins. Sites go down. Like I said, I remember thinking right after Evo fell that I was surprised Agora was still up. Maybe someone with a better memory and will (not as lazy) can give exact dates for these things. But I'm liking the theory.


[3 Points] DNMd:

But remember that the "vulnerability" or method used to identify vendors from the SR2 vendor URL was never patched.

That was directly related to SR2's code, if I remember.


[2 Points] bikelock45:

The link between the arrests and the identification of the arrested users was found and confirmed to be the vendor URL.

Was it found and confirmed? I'm not doubting, but I am interested; can you please link to more about this?

It doesn't really add up: there were, what, 17 arrests, and only a fraction of those charged. There were hundreds using the vendor URL. So there is definitely something more linking the 17 than the use of the vendor URL.


[2 Points] Hank_Vendor:

How do you figure vendors and buyers are more or less indistinguishable? Vendors cash out, never deposit, never buy, and HAVE LISTINGS OF DRUGS FOR SALE.


[2 Points] Gratefulstickers:

I'm not big on conspiracy theories but this is painfully plausible.


[1 Points] ziz1:

But remember that the "vulnerability" or method used to identify vendors from the SR2 vendor URL was never patched.

I don't think that it is true that it was never patched.


From here:

https://blog.torproject.org/category/tags/security-advisory

Posted July 30th, 2014

Relays should upgrade to a recent Tor release (0.2.4.23 or 0.2.5.6-alpha), to close the particular protocol vulnerability the attackers used — but remember that preventing traffic confirmation in general remains an open research problem. Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service.


That's not to say that CERT / FBI haven't found a new way to do traffic confirmation attacks.


[1 Points] Mrg13:

The reason the vendor link attack worked was because the SR2 informant/insider put some code that would run and identify the users.

If your theory was correct they would have to have an insider in all the markets experiencing problems.


[1 Points] DogAteMyAcid:

As a possible remedy to this issue, would unique per-user URLs fare better than a single vendor URL? AFAIK this is akin to generating a bitcoin address, is it not? I mean, there is no limit to onions... right? Would there be security issues around a market providing each user its own unique onion upon signup?


[1 Points] The_Free_Marketeers:

I have been thinking the same exact thing, OP.

Vendors: if you must use the vendor-only URL, make darn sure that NoScript is on.


[-2 Points] IsThatPurple:

Am I missing something? Where's the Tin Foil Hat icon?


[-5 Points] doubledoseopimpin:

You have a bunch of claims, but no links or proof of any kind.


[-9 Points] None:

Big talk, many claims, account created less than 30 minutes ago. While I'm not saying that there is no chance of that happening, we see this shit every day, pls go.