How did they track the hosting for all the seized sites?

Hi,

I'm wondering how LE managed to track/trace the hosting for all the seized sites? I'm assuming SR2 was easy as there was a UC admin, but how about the others?

I thought that's what made TOR special, the fact it can't be traced, unless they did some pen testing to expose IPs of the servers.

Thoughts?

Edit: From WIRED Article:

"The sheer number of Tor-hosted sites affected by the takedown raises questions about whether law enforcement officials may have found new vulnerabilities in Tor's well-tested anonymity shield."


Comments


[9 Points] pinkprincess1:

From what I've read the UC was invited into the forum after Ross' arrest where they were discussing SR2 being set up. He would have been privy to all the discussions about companies to use, where to go and so on, I would imagine. And had admin privileges. And he's been around from day 1. Can you imagine everything he knows?

SR2 never had a chance.

Wonder who it is? It has to be someone high profile.


[8 Points] warz:

Hidden services are probably no longer anonymous. First they find the server, then with parallel construction they can often find enough evidence for how they tracked it through other means.

If you have any doubt read this report with conclusion:

"We have analyzed the security properties of Tor hidden services and shown that attacks to deanonymize hidden services at a large scale are practically possible with only a moderate amount of resources."

I believe this is how they shut down freedomhost, perhaps even the original silk road.


[3 Points] throwitawww2:

the guys over at /r/tor have some kind of explanation:

http://www.reddit.com/r/TOR/comments/2lip12/silk_road_as_well_as_others_were_likely/


[1 Points] sharpshooter789:

My guess is the UC used some hacking techniques in the admin panel to locate the server. I think it was either an SQL injection or XSS. The latter would have been effective in doxxing defcon (Blake) since we know he connected to the site through chrome so he likely had JS enabled.


[1 Points] CB21:

Xfo


[-3 Points] blakebenthall:

Read the FBI complaint. He used his own IP and his own personal gmail account to register for the server. He also logged into the server from a hotel IP address when he was staying at the hotel. One of the mods was an undercover agent from day 1. The FBI imaged the server in May 2014. They've been fucked since day 1.

/thread


[-2 Points] lockd0wn:

For something this large, in the short amount of time, my professional opinion is that a secret deal with Tor allowed the compromises to occur. The framework for this would have been initiated when SR1 went down and used again in the latest sweep.

My guess is that the undercover agent was a different operation in a multi-pronged attack. I'd also wager they still have informants in staff positions at other sites to see how the 'community' is going to react. It would be unwise of them to go completely blind.