Using Bitcoin Transaction Analysis In Deanonymizing Users of Tor Hidden Services
Anonymity on the World Wide Web has never been a more critical issue. Internet users all over the world currently rely on multiple solutions in pursuit of bulletproof anonymity. The most popular of these is the Tor network, the busiest anonymous communication network on the internet, serving millions of users every day. Tor also enables webmasters to preserve their anonymity by hosting their websites on Tor in the form of hidden services.
Bitcoin is still the most preferred payment method on the Tor network, and on other darknets too, even though its anonymity and privacy features are far from perfect. Dependence on bitcoin as the main payment method greatly undermines the anonymity of both Tor users and webmasters of hidden services. Even though several research studies have proven that transactions over bitcoin’s network are not anonymous, bitcoin is by far the most widely used currency on the deep web. Researchers have recently proven that even if bitcoin is used over decentralized networks such as Tor, users are still susceptible to deanonymization attacks and man-in-the-middle attacks, namely at the network level. Users of Tor’s hidden services represent a special category of bitcoin users who are greatly concerned about their anonymity, simply because users and webmasters of hidden services rely on Tor to preserve it. Nevertheless, both are vulnerable to deanonymization once their bitcoin addresses have been revealed. By analyzing the transactions sent and received by these addresses, a great deal of information can be obtained and used to infer sensitive details about Tor’s hidden services and their users, leading to the successful linking of a user to a specific hidden service.
A recently published paper presents the first research study to highlight how combining publicly available data from various online social networks, such as Twitter and Bitcointalk.org, with data from bitcoin’s network and Tor’s hidden services can leak sensitive information that leads to the deanonymization of users of the Tor network.
How Were Tor Users Deanonymized Via Their Bitcoin Transactions?
By studying the landing pages of various Tor hidden services, the researchers found that it is relatively easy to obtain the bitcoin address of each of these services. Consequently, they used a special crawler to analyze 1,500 pages of various Tor hidden services and compile a list of 105 bitcoin addresses controlled by these services, in addition to a few addresses linked to ransomware. They also crawled Twitter and the Bitcointalk forum for publicly posted bitcoin addresses. In total, 5 billion tweets and 1 million forum pages were crawled, yielding 4,200 and 41,000 online identities respectively, along with their bitcoin addresses and personal information.
The transactions of the obtained bitcoin addresses were analyzed to link bitcoin users, whose identities were established from their social network profiles, to Tor hidden services. This led to the successful linking of identities with certain Tor hidden services and gave access to their full transaction history on bitcoin’s public ledger. Using a simple heuristic approach, the researchers complemented the transaction analysis with a special wallet closure technique to expand the set of bitcoin addresses known for each user. As such, for each bitcoin address in the study’s compiled list, the researchers were able to detect other addresses controlled by the user who owned that address. Consequently, they managed to boost the number of detected links between users and various Tor hidden services, thus increasing the number of users who were successfully deanonymized.
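The following added example (not code from the paper or from this article) illustrates why wallet closure exposes more links than direct address matching. It assumes the closure is built with the widely used multi-input heuristic, where addresses spent together as inputs of one transaction are treated as one owner; the article does not name the heuristic used. All addresses, profile names and transactions are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the study): inputs/outputs are address labels.
TXS = [
    {"inputs": ["B_pub"], "outputs": ["HS_addr"]},
    {"inputs": ["A_pub", "A_priv"], "outputs": ["X"]},
    {"inputs": ["A_priv"], "outputs": ["HS_addr", "A_change"]},
]
IDENTITIES = {"alice_forum": "A_pub", "bob_twitter": "B_pub"}  # profile -> posted address
SERVICES = {"HS_addr": "example-hidden-service"}               # address -> service

def wallet_closure(txs):
    """Map each address to its cluster under the multi-input heuristic (assumed)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            parent[r] = roots[0]  # co-spent inputs are assumed to share one owner
        for a in tx["outputs"]:
            find(a)  # outputs are registered but never merged
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return {a: frozenset(c) for c in clusters.values() for a in c}

def links(txs, identities, services, use_closure=True):
    """Return {(profile, service)} pairs where the profile's wallet paid a service."""
    closure = wallet_closure(txs) if use_closure else {}
    found = set()
    for tx in txs:
        paid = {services[o] for o in tx["outputs"] if o in services}
        payers = set()
        for a in tx["inputs"]:
            payers |= closure.get(a, {a})  # without closure: the input address only
        found |= {(p, s) for p, addr in identities.items() if addr in payers for s in paid}
    return found

if __name__ == "__main__":
    print("direct :", sorted(links(TXS, IDENTITIES, SERVICES, use_closure=False)))
    print("closure:", sorted(links(TXS, IDENTITIES, SERVICES)))
```

In the constructed data, the payment from `A_priv` is tied to the forum profile only because `A_priv` was once co-spent with the publicly posted `A_pub`; keeping a published address out of any transaction that spends other addresses avoids that merge.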
The study successfully linked 81 users to several Tor hidden services, including WikiLeaks and The Pirate Bay. Closure analysis increased the number of successfully deanonymized users to 125. In further analysis by means of two case studies, the researchers managed to deanonymize users of The Pirate Bay’s Tor hidden service, revealing their personal information, including age and geolocation. Another case study revealed users of various ages, from various parts of the world, who had links to bitcoin addresses of the Silk Road. Interestingly enough, one of those users was a 13-year-old who used multiple social media accounts that showed his real-world identity!
Analysis of the economic activity of the studied Tor hidden services revealed that the addresses of the Darknet Bitcoin Mixer and WikiLeaks were amongst the addresses receiving most of the payments on Tor. Also, the flow of money into and out of hidden services was almost identical, indicating that operators of hidden services don’t leave their funds on the addresses they use for receiving payments; instead, they usually distribute the received coins to other addresses.