Pedophiles vs DNM users' OPSEC

"14 days running a secret Dark Web pedophile honeypot (and why I now think Tor is the devil)"

Although this project was initially intended to secretly track the activities and behavior of three types of Tor users - those interested in or seeking counterfeiting services, illegal drug products, and pedophiles - the faux-pedophile Tor hidden service struck a particularly disheartening chord with me. First, the pedo site saw magnitudes more traffic than the counterfeiting or drugs websites - in the order of 100 times more traffic than the other two combined.

...Three Tor hidden service honeypots were created, each strongly hinting that illegal content lay behind a secure "locked door". The three websites (drugs, counterfeiting, and pedophilia) were then seeded in the Dark Web spider report described above and flagged so they would never be marked as "offline" or "inactive" in the nightly Dark Web crawl.

...The hidden service websites posed as new hidden service sites that were in the process of "coming online". There was no direct mention of illegal content, but it was strongly hinted that what they sought lay behind the curtain. For instance, counterfeit documents were simply referred to as documents, drugs as "product", and pedophile content as "files". Using suggestive site names and promoting a sense of secrecy was all it took to convince users that the content locked away behind the authentication system was what they were seeking. Thus, users were encouraged to register in order to see what lay behind the authorization system.

...For instance, after the first five days, the counterfeiting site had 2 registrations while the faux-drug sales site saw six registrations. Both sites saw hundreds of visitors. The pedophile site, however, saw several thousand visitors in just five days and brought in over 200 member registrations during its first five days of operation. In addition, the counterfeiting and drug websites saw no additional registrations after five days, while the pedophile site continued serving content to over 1,000 visitors each day. By the end of the 14-day test, nearly 600 pedophiles had registered on the website...Potential "members" were told that they must register to access the product (files, chat forums, merchandise, etc.) and that membership was based on five levels. Higher-level members were granted more access, but to reach those levels the potential member had to complete more and more stringent "tests" to be granted access to the higher membership level and related website content.

...The sites required that an email address be used as the username. The reason for this requirement was not disclosed to the visitor, leaving them to wonder if an email verification link was going to be used to validate their registration. Out of hundreds of registrations, only a single user complained about having to use their email address to register...The various methods used to capture the user's identifying information were ratcheted up over time. As the days rolled on, more intrusive methods were introduced in an attempt to secure more information about the user while dangling the carrot of "exclusive membership" before them. This period of time allowed a sense of trust to be built between me and the site's visitors. While they may not have liked the more intrusive methods used to secure the site, they seemed to appreciate that someone was taking the time to build a solution that took great care to guarantee their anonymity on the Dark Web.

The scanner is a simple Windows program which grabs network information from the client machine along with the login username, running processes, software installed, and a sample of filenames from the user's My Pictures folder. Indeed, analysis of these items could be used to determine whether a user's machine configuration was secure and worthy of elevated access to the website (in one instance I saw signs of malware running on the user's computer). Not only is the information collected security related, but it reveals without question the true identity of the user, including their PC footprint, Windows username, real name, true IP address, internal network IP address (if on a home or business network), and much more...A small Windows program was written to pop up as a small window which displayed "scan progress and results". A long intro was displayed when the program started up. This intro explained what the scanner would do and noted that the user had the option to cancel out of the scan at any time. What was not mentioned, however, was that the scan ran while they were reading the intro. The option to cancel merely flagged the scan results as "cancelled" and would have purged them from the database had anyone actually attempted to cancel the scanner program. During its operation, only a single person cancelled out of the scanner (and they quickly returned to run it again to completion)...Around 4-7% of the registered users chose to run the scanner and thus stepped outside of the Tor network and revealed their true identity...During each of the last five days, about 4-7 percent of the registered users ran the security scan, leaking their real name and true external IP address.

...Despite visitors knowing nothing about my new website, I managed to invoke this sense of trust in many of the visitors. One user mentioned not hearing about the website in "the usual forums", my first clue that they operated within their own trusted online communities on the Dark Web...Many visitors offered photos from their "private collection" as a means to bribe me for entrance to the website. They took care to note that the material they were offering me was original. One pedophile even sent me a link to a picture of a "young New York girl" that he took (I refused to click through).

HN discussion: https://news.ycombinator.com/item?id=9849160

Don't be those guys.

EDIT: a throwaway claiming to be a Tor pedophile user says that the incompetence is more like desperation and a lack of any good CP sites these days: https://www.reddit.com/r/TOR/comments/3cpu43/a_pedophiles_statement_about_the_recent_cp/


Comments


[73 Points] Aluminum_Foil_Hat:

tl;dr pedophiles jump on any new site, cause they're sick.
drug addicts know where to go, 20 fucking markets, we don't need no more.
don't dl programs from a shady new site.


[22 Points] None:

[deleted]


[15 Points] None:

It seems like the feds really target Darknet Markets a whole lot more than pedophile rings, and that right there, in itself, is sickening. They would rather spend millions, hunt down, and take freedom/lives away from people that think people deserve an easier, safer way to buy their desires with higher quality, powered by the trusty review, than go after child rapists. This does prove that they are targeting them, but they should put more effort into stopping these pedophile fucks than computer nerds that believe in human rights.


[14 Points] verbify:

The most surprising thing to me was that people downloaded his program. I always assume not running arbitrary code on your computer is opsec rule #1, and I also make the assumption tor users are more technically proficient than other users.

I'm curious what percentage of users offered the program downloaded the program to their pc.


[11 Points] gradient_x:

The “link trap” method required an active click by the user. A link trap links the user to a Clearnet website where the exit node IP address becomes easily visible and allows for capture of other information as well (browser version, operating system – all the typical data a Clearnet website can capture).

Oh, you've got the exit node IP?!? That's ... utterly worthless unless you control all of the other hops used in the circuit.
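The "link trap" quoted above works because a click on an ordinary http(s) link from a hidden-service page takes the browser to a clearnet host, which then sees whatever a clearnet site can see (the exit node's IP, browser version, OS). A defender auditing a page, whether one they host or one they are about to trust, wants to know which references on it would leave the .onion origin, and which of those fire without any click at all (images, scripts, stylesheets are fetched automatically). The following Python script is an added example written for this thread, not code from the honeypot author or from any project; the `.onion` base URL, the hostnames and the HTML fragment are all constructed for illustration.

```python
"""Audit an HTML page served from a .onion origin for references that leave it.

Added example (not from the original post). Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs a browser fetches automatically, with no user action.
# <link href> is treated conservatively: stylesheets and icons are auto-fetched.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("link", "href"), ("iframe", "src")}
# (tag, attribute) pairs that only resolve after a click or submit: the "link trap".
CLICK = {("a", "href"), ("form", "action")}
WATCHED = AUTO_FETCH | CLICK


class _ReferenceCollector(HTMLParser):
    """Collects every watched (tag, attr, raw_url) triple in document order."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and (tag, attr) in WATCHED:
                self.found.append((tag, attr, value))


def is_onion_host(host):
    """True when the host stays inside Tor's hidden-service namespace."""
    return host is not None and host.lower().endswith(".onion")


def find_clearnet_references(html, base_url):
    """Return every http(s) reference whose host is not a .onion host.

    Each result is a dict with the tag, attribute, absolute URL, and whether
    the browser would fetch it automatically (no click needed).
    Relative URLs are resolved against base_url, so "/members" on a .onion
    page stays on the .onion and is not reported.
    """
    collector = _ReferenceCollector()
    collector.feed(html)
    leaks = []
    for tag, attr, raw in collector.found:
        absolute = urljoin(base_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, data: are not network fetches of a host
        if is_onion_host(parts.hostname):
            continue
        leaks.append({
            "tag": tag,
            "attr": attr,
            "url": absolute,
            "auto_fetch": (tag, attr) in AUTO_FETCH,
        })
    return leaks


# Constructed sample page: one relative link, one clearnet "verify" link (the
# classic link trap), a mailto, a protocol-relative clearnet image, a local script.
BASE_URL = "http://exampleonionaddressplaceholder.onion/"
SAMPLE_HTML = """
<html><body>
<a href="/members/login">Member login</a>
<a href="http://verify.example.net/check?u=42">Verify your account</a>
<a href="mailto:admin@exampleonionaddressplaceholder.onion">Contact</a>
<img src="//cdn.example.org/badge.png">
<script src="/static/app.js"></script>
</body></html>
"""


def report(html, base_url):
    """Human-readable summary; returns the number of findings."""
    findings = find_clearnet_references(html, base_url)
    for f in findings:
        kind = "AUTO-FETCH (no click needed)" if f["auto_fetch"] else "on click"
        print(f"<{f['tag']} {f['attr']}> -> {f['url']}  [{kind}]")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_HTML, BASE_URL)
```

Run against the constructed sample it reports two leaving references: the `verify.example.net` anchor, which only triggers on a click, and the `cdn.example.org` image, which the browser loads as soon as the page renders. That distinction is the one worth keeping in mind when reading gradient_x's objection: either way the clearnet host sees an exit node address rather than the visitor's own, but the auto-fetched kind leaks browser and OS details without the visitor doing anything.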


[8 Points] sdfhgdhjbdafcadv:

A very large percentage of people in military prisons are there for CP. If that many people are willing to download the stuff to government owned computers then this does not surprise me at all.


[5 Points] Interversity:

More pedophiles will use Tor hidden services than drug users. It's possible to get a lot of drugs on the street with a risk level that could be higher or lower depending on your view, but you can't just hit up your stoner friend for CP. Thus places where they can see things anonymously and eternally will attract huge amounts of them, including some who prefer not to act on their desires/do anything with children in real life.


[3 Points] berryman13:

100 times more traffic than the other two combined.

holy mother of shit


[6 Points] esterbrae:

99% of your users were probably cops anyway.


[3 Points] DareToHope:

crazy


[1 Points] None:

The sad thing is that the same principles protecting the darknet pedophile community are the same protecting the darknet drug trade. You can't stop either from continuing.

The only difference is that when you take away drug vendors/marketplaces/dealers with good clean product, you jeopardize the lives of potential users by possibly forcing them to resort to buying bunk/inferior product.

When you take away the pedos, you could make progress by offering safety or peace of mind to both present and potential victims. Another bonus is if he gets stabbed in prison (which apparently happens to plenty of sex offenders), we won't have to waste our tax dollars on keeping him there! Gotta love karma.

The latter seems more productive to me, really. The FBI & co. should fuck off and reconsider their values, including how much energy they put into preventing victimless crimes.


[3 Points] young_k:

i'd guess whatever traffic metric he's using is based on amount of data transferred....drug markets don't have video files and shit...


[2 Points] None:

Ugh that's sick. Thought most of us were in this for the drugs.


[2 Points] IntellectualEuphoria:

If it makes him feel any better, most people know that the drugs/counterfeiting sites are obvious scams, while the pedos are just after free content.


[1 Points] Hank_Vendor:

Don't be the paedos???

Solid advice there actually.

Maybe I read too fast, but was it the paedos who clicked anything that moved? Or everyone?

How did we fare against the paedos and evo admins?

I think I'll have to read this again


[1 Points] None:

It comes across like he is a private citizen not working for any law enforcement - is that correct?

If that is the case then having child pornography to distribute to make the site look legit - How could he do that without risking prison himself?

Surely he would have had to have some sort of approval to get some sort of "stock paedophilia images" if such a thing exists.

I don't get how he could set up a site like that & get these pedos so interested in signing up unless he was providing content that was worthwhile to them meaning they must have been quite horrific themselves.

So he would have had to have seen these images yet he refused to click on a custom picture! That bit does not make sense to me because he should have been immune relatively to these things & an extra image may have helped put a predator away.

I often wonder how cops etc dealing with horrific crimes against children are able to cope when they see it day in day out. Personally, they need to concentrate on this stuff more than chasing a consenting adult taking a chemical substance to gain clarity & introspection.

I realise this was put here to illustrate poor user behaviour when using encryption etc.


[1 Points] darknetpotter:

How can ANYONE be stupid enough to download a program, that even calls itself a scanner, for their illegal darknet activity?

Anyway, as long as the pedophiles are this idiotic, I hope it'll make LE focus on them and not the drug buyers who are harder to get anyway.


[1 Points] HalfPastTuna:

jesus fucking christ tor is a weird place


[-1 Points] None:

You're part of the problem. Leave busting the kiddie fiddlers to the professionals.