Operation Onymous

Operation Onymous was an international law enforcement operation targeting darknet markets and other hidden services operating on the Tor network.

Background
Operation Onymous was formed as a joint law enforcement operation between the Federal Bureau of Investigation (FBI) and the European Union Intelligence Agency Europol. The international effort also included the United States Department of Homeland Security, Immigration and Customs Enforcement (ICE), and Eurojust. The operation was part of the international strategies that address the problems of malware, botnet schemes, and illicit markets or darknets. It was also linked with the war on drugs effort with the participation of the U.S. Drug Enforcement Administration (DEA).

Raids
On 5 and 6 November 2014, a number of websites, initially claimed to be over 400, were shut down including drug markets such as Silk Road 2.0, Cloud 9 and Hydra. Other sites targeted included money laundering sites and "contraband sites". The operation involved the police forces of 17 countries. In total there were 17 arrests. A 26-year-old software developer was arrested in San Francisco and accused of running Silk Road 2.0 under the pseudonym 'Defcon'. Defcon was "one of the primary targets". Within hours of the seizure a third incarnation of the site appeared, 'Silk Road 3.0'; Silk Road had previously been seized in October 2013, and then resurrected, weeks later, as 'Silk Road 2.0'.

$1 million in Bitcoin was seized, along with €180,000 in cash, gold, silver and drugs. Of the "illicit services" that were initially claimed to have been shut down, few were online marketplaces like Silk Road. A complaint filed on 7 November 2014 in the United States District Court for the Southern District of New York, "seeking the forfeiture of any and all assets of the following dark market websites operating on the Tor network", referred to just 27 sites, fourteen of which were claimed to be drug markets; the others allegedly sold counterfeit currency, forged identity documents or stolen credit cards.

US and European agencies sought to publicise the claimed success of their six-month-long operation, which "went flawlessly". The UK National Crime Agency sent out a tweet mocking Tor users. The official Europol press release quoted a US Homeland Security Investigations official, who stated: "Our efforts have disrupted a website that allows illicit black-market activities to evolve and expand, and provides a safe haven for illegal vices, such as weapons distribution, drug trafficking and murder-for-hire."

Other leading drug markets in the Dark Web were unaffected, such as Agora, Evolution and Andromeda. Whereas Silk Road did not in fact distribute weapons, or offer contract killings, Evolution did allow trade of weapons as well as drugs. Prior to the closure of Silk Road 2.0, Agora already carried more listings than Silk Road, and Evolution was also expected to overtake it. Agora and Evolution are more professional operations than Silk Road, with more advanced security; the arrest of the alleged Silk Road manager is thought to have been largely due to a series of careless mistakes.

The figure of 414 dark net sites, which was widely reported internationally, and appeared in many news headlines, was later adjusted without explanation to "upward of 50" sites. The true figure is thought to be nearer to 27 sites, to which all 414 .onion addresses direct. Australian journalist Nik Cubrilovic claimed to have discovered 276 seized sites, based on a crawl of all onion sites, of which 153 were scam, clone or phishing sites.

Tor 0-day exploit
The number of sites initially claimed to have been infiltrated led to the speculation that a zero-day vulnerability in the Tor network had been exploited. This possibility was downplayed by Andrew Lewman, a representative of the not-for-profit Tor project, suggesting that execution of traditional police work such as tracing Bitcoins was more likely. Lewman suggested that such claims were "overblown" and that the authorities wanted to simply give the impression they had "cracked" Tor to deter others from using it for criminal purposes. A representative of Europol was secretive about the method used, saying: "This is something we want to keep for ourselves. The way we do this, we can’t share with the whole world, because we want to do it again and again and again."

It has been speculated that hidden services could have been deanonymized if law enforcement replicated the research by CERT at Carnegie Mellon University up until the July 30th patch that mitigated the issue. If sufficient relay nodes were DDOSed which would force traffic to route over the attacking nodes, an attacker could perform traffic confirmation attacks aided by a Sybil attack. Logs released by the administrator of Doxbin partially supported this theory.

Court documents released in November 2015 generated serious research ethics concerns in the Tor and security research communities about the warrantless exploit (which presumably had been active in 2014 from February to 4 July). The Tor Project patched the vulnerability and the FBI denied having paid Carnegie Mellon $1 million to exploit it. Carnegie Mellon also denied receiving money.