
⛬ Tor security discussion ⛬ Operation RapTor ⯐ “your anonymity ends where our global reach begins” - Nemesis, Tor2Door, Bohemia and Kingdom Market : OpSec | Torhoo darknet markets

Introduction
Not enough character space left to add these 2 parts.

[ I didn't write down where this came from as it was in my research notes from years back ]

Raptor Attack

The Raptor attack published in 2015 assumes a powerful adversary [120]. It is assumed that the attackers can use autonomous systems (ASes). There is already evidence that intelligence agencies are cooperating with ASes [110].

The Raptor attack is a combination of three individual attacks and exploits the Border Gateway Protocol (BGP) [105]. First, the Raptor attack uses asymmetric traffic analysis. This means that client and server can be de-anonymized as long as the attacker can observe incoming or outgoing traffic at both the client and the server. Sequence numbers of data packets and/or sequence numbers of acknowledgments can be correlated. This is possible because the TCP headers of the packets are not encrypted at both ends of the client’s circuit, and therefore are visible when intercepted by the malicious AS. Asymmetric traffic analysis can be advantageous, because the incoming and outgoing traffic between the client and the entry node or between the exit node and the server might go through different ASes. With asymmetric traffic analysis, only one direction of traffic at both ends of the circuit is needed to correlate the client and the server.

Second, the Raptor attack exploits that BGP paths change due to, for example, link or router failures. This means that communications between the client and the entry node might go via different ASes over time. Every change in the BGP paths might include a malicious AS in the path between the client and the entry node, which can then perform asymmetric traffic analysis. Asymmetric traffic analysis is only needed once to correlate the client and the server. This means that the chance that the client and the server have been correlated increases over time.

Third, the malicious AS can perform a BGP hijack or BGP interception attack. In a BGP hijack, the malicious AS advertises an IP prefix that does not belong to that AS, as its own. This results in some network traffic intended for that prefix to be captured by the malicious AS. A problem with BGP hijack is that the captured traffic is not forwarded. In a BGP interception attack the malicious AS also advertises an IP prefix that does not belong to that AS. The intercepted traffic is analyzed and then forwarded to the actual destination. BGP Interception might be useful to relate the client with the entry node, when the entry node is known. Paragraph [sec:congestionattack] describes an attack to retrieve the entry node of a circuit. BGP Interception might then be used with an IP prefix of the entry node to find all the IP addresses that communicate with the entry node. Asymmetric traffic analysis can then be used to find the client that is communicating via the circuit.

Related work
A realistic comprehensive analysis was done of the security of Tor against traffic analysis by Johnson et al. [66] for a more generalized attack. It focused on how to make Tor safer for its users, and showed that there are greater risks than previous studies suggested. It discusses how Tor’s security can be improved and how users themselves can increase their security against this kind of attack.


Predatory vendors who come to your house and force you to sniff cocaine, inject heroin, puff ganja, do the dishes and leave


A direct quote I found superbly hypocritical and out of touch with reality, from LE involved in the operation, Chief Postal Inspector Gary Barksdale of the United States Postal Inspection Service:


This operation was about protecting innocent people from predatory criminals who profit from violence, addiction, and fear.

I don't think we should be blind to the fact that, yes, darknet sales can lead to real-life conflicts. Such conflicts are however limited and far fewer than in real-life drug dealing. A point of view conveniently lacking when these police chiefs boast.

But I mean seriously, do they see themselves as protectors from criminals and fear? The entire world is at the feet of elites who run things, making people self-censor so as not to upset the powers that be, regardless of which country. That's the worst kind of fear. A fear of getting killed by gangs while walking home was previously real in El Salvador. That's fear. Joe Shmoe selling weed on the darknet is fear too?

Instead of tackling real evil in the world, here they are arresting people who peddle minuscule amounts compared to the real drug trade in the world.

❌ Epstein logs reveal, going after pedos and abuses of power

✅ Joe Shmoe the vendor selling 200 grams of weed per week to feed his kids
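The asymmetric traffic analysis in the RAPTOR excerpt quoted above, as an added worked example (this is not code from the thread or from the RAPTOR paper). One malicious AS sees only the client -> guard direction, where TCP sequence numbers advance with the bytes the client sends; another sees only the server -> exit direction, where pure ACKs carry an ack number that advances with the bytes the server has received. Either counter reveals "bytes carried so far", so each side is turned into bytes-per-window and the client flow is scored against candidate server flows with a Pearson correlation. Everything concrete here is an assumption for illustration and not from the page: the constructed captures, 514-byte Tor cells with 498 usable payload bytes, the 1-second window, the 0.4 s one-way delay, the sequence-number offsets, and the use of per-window byte deltas instead of the raw cumulative counters (two monotone counters correlate well even when they are unrelated).

```python
"""
Added worked example (not the thread's or the RAPTOR paper's code): asymmetric
traffic correlation from one-directional captures at both ends of a circuit.
All traffic below is constructed in-line; cell sizes, window, delay and
sequence-number offsets are assumptions.
"""
from dataclasses import dataclass
from math import sqrt

CELL, CELL_PAYLOAD = 514, 498   # Tor cell on the wire / usable RELAY payload (approximation)
CLIENT_MSS, SERVER_MSS = 1400, 1460


@dataclass(frozen=True)
class Segment:
    t: float      # capture time in seconds
    seq: int      # TCP sequence number (meaningful in the data direction)
    ack: int      # TCP acknowledgement number (meaningful in the ACK direction)
    length: int   # TCP payload bytes


def client_side_capture(bursts, isn=1_000_000):
    """client -> guard as seen in the client's AS: application bytes are packed
    into Tor cells, so only the Tor-framed byte count is visible. The SYN
    (length 0) gives the observer the baseline sequence number."""
    segs, seq = [Segment(0.0, isn, 0, 0)], isn
    for t, app_bytes in bursts:
        wire = CELL * (-(-app_bytes // CELL_PAYLOAD))   # ceil(app_bytes / payload) cells
        i = 0
        while wire > 0:
            n = min(CLIENT_MSS, wire)
            segs.append(Segment(t + 0.005 * i, seq, 0, n))
            seq, wire, i = seq + n, wire - n, i + 1
    return segs


def server_side_capture(bursts, delay, isn=5_000_000):
    """server -> exit as seen in the server's AS: pure ACKs (no payload) whose
    ack number advances by what the server received. The SYN/ACK gives the baseline."""
    segs, acked = [Segment(0.0, 0, isn, 0)], isn
    for t, app_bytes in bursts:
        left, i = app_bytes, 0
        while left > 0:
            n = min(SERVER_MSS, left)
            acked += n
            segs.append(Segment(t + delay + 0.01 * i, 0, acked, 0))
            left, i = left - n, i + 1
    return segs


def bytes_per_window(segments, counter, window=1.0, n_windows=10):
    """Bytes carried in each window, recovered from the one TCP counter the
    observer can see: 'seq' (use seq + payload length) or 'ack'. Retransmitted
    segments never move the high-water mark, so they are not double counted."""
    series, high = [0] * n_windows, None
    for s in sorted(segments, key=lambda s: s.t):
        val = s.seq + s.length if counter == "seq" else s.ack
        if high is None:          # first packet seen (the handshake) sets the baseline
            high = val
        if val > high:
            w = int(s.t // window)
            if w < n_windows:
                series[w] += val - high
            high = val
    return series


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:      # a flat flow (constant keepalives) carries no timing signal
        return 0.0
    return sxy / sqrt(sxx * syy)


def correlate(client_segments, candidates, window=1.0, n_windows=10):
    """Score every candidate server flow against the client flow; the highest
    score is the correlation guess. Returns (best_name, {name: score})."""
    client = bytes_per_window(client_segments, "seq", window, n_windows)
    scores = {name: pearson(client, bytes_per_window(segs, "ack", window, n_windows))
              for name, segs in candidates.items()}
    return max(scores, key=scores.get), scores


# Constructed traffic: (time, application bytes) bursts. server_A is the real peer,
# server_B an unrelated flow, server_C a flow with constant per-window volume.
CLIENT_BURSTS = [(0.2, 600), (2.5, 1500), (3.1, 300), (6.0, 4200), (8.4, 900)]
CANDIDATE_SERVERS = {
    "server_A": server_side_capture(CLIENT_BURSTS, delay=0.4),
    "server_B": server_side_capture([(1.0, 3000), (4.2, 500), (5.5, 2500), (7.3, 1200)], delay=0.4),
    "server_C": server_side_capture([(k + 0.5, 800) for k in range(10)], delay=0.0),
}

if __name__ == "__main__":
    best, scores = correlate(client_side_capture(CLIENT_BURSTS), CANDIDATE_SERVERS)
    for name, r in scores.items():
        print(f"{name}: r = {r:+.3f}")
    print("best match:", best)
```

Two things the code makes visible that the prose does not: the client-side series is built only from sequence numbers and the server-side series only from ack numbers, so neither observer ever needs both directions; and a flow with no variance (server_C) is reported as 0.0 rather than raising, since a constant stream gives the observer nothing to correlate on.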
/u/oopsidontknow
1 points
1 month ago
Even Chelsea Manning is still alive after what she did. Shows you where the Global Adversaries' priorities lie.
How many PMs did you receive from people with some of the highest threat models telling you what they really do to keep themselves safe from the "RapTors"?
I mentioned some detection in another comment /post/12b9f500f87bba5c3a0d/#c-f8ab68555cb502033c

From a user perspective, and for admins too, the best you can do is make sure your ISP is RPKI signed and filtering, but any connections leaving it can be anyone's guess. A lot of Tor relay operators don't have control over their AS/IP space and are mainly hosted on unsecured upstream providers, making BGP attacks like RAPTOR a lot easier for attackers.
/u/oopsidontknow
1 points
1 month ago
It's clear to me that standard Tor markets right now have a life cycle in accordance with estimations of police operations with the tools they have (global), assuming that at the very least the security of the server infrastructure is up to par for long-term operation.

Other types of hidden services might require the meme'd ideas of satellite servers or servers in international waters as they're more sensitive than Tor markets. I'm sure these ideas were tested in practice before, just in service of different goals or market niches.

The best thing to be is a moving target, shedding some weight along the way.
/u/Reaperr
1 points
1 month ago
The 'Great' information you mentioned just made me sad.
There is no privacy in the New World Order.
Obviously the DN market owners have the knowledge to maintain their services,
but they can't hide anymore with these shit operations.
I mean, isn't there any sign for them to find out that they are being chased down?
It's actually a rather complex thing to answer, but I'll provide two versions.

The short answer



but they can't hide anymore with these shit operations.

There are things which can be done to evade, for sure; it isn't a lost cause. The situation isn't looking pretty though.

Most admins aren't concerned with, or don't know of, the dangers beyond what they can see from their servers. I doubt any markets currently have control over their own network space, making them vulnerable to BGP hijacks, BGP interceptions, RAPTOR attacks and the like. Dread could be one if /u/HugBunter or /u/Paris has foreseen such issues, as he does like to play with those entry guards. But that would require more resources and less movement, neither of which I think they have/do.

Changing servers constantly is the simplest and most effective solution. But as with changing Tor entry guards, such a technique has its own set of risks.

Tor relays themselves have been BGP hijacked in the past; there are recorded incidents. BGP hijacks have also been used to steal cryptocurrencies from exchanges.

Overall it does take someone who is a routing expert to monitor issues on such a level. Still today, outside of Tor itself, BGP security is a large problem. You can check whether your ISP or hoster has implemented some protections at


isbgpsafeyet.com



I mean, isn't there any sign for them to find out that they are being chased down?

If you can get your current hoster to work with you, or you own your network space, you can deploy a set of tools to monitor BGP routes and at the very least detect RAPTOR-like attacks. Any good hoster should be doing it by default.

You can also get some extra servers from the outside, write some basic scripts to test route selection in and out and compare with the market servers, while observing AS changes, which you can query in real time.

Tor relay operators should run BGP monitoring tools for reactive defense as well. Trusting the entry guard algorithm on your client too is the best bet.


The long answer

(short answer shown in italics)


but they can't hide anymore with these shit operations.

There are things which can be done to evade, for sure; it isn't a lost cause. The situation isn't looking pretty though. I have my own suspicions that fucking with ASes (pun intended) and BGP is one of the preferred techniques for LE, as they can also amplify DoS attacks, or conceal their own, by merging a lot of traffic lanes, let's call them.

Most admins aren't concerned with, or don't know of, the dangers beyond what they can see from their servers. I doubt any markets currently have control over their own network space, making them vulnerable to BGP hijacks, BGP interceptions, RAPTOR attacks and the like. Dread could be one if /u/HugBunter or /u/Paris has foreseen such issues, as he does like to play with those entry guards. But that would require more resources and less movement, neither of which I think they have/do.

Changing servers constantly is the simplest and most effective solution. But as with changing Tor entry guards, such a technique has its own set of risks. A correctly updated and locked-down server with quality firmware isn't easy to find, as most hosters are too lazy or don't care enough to do it. There's actually a range of tricks adversaries can use to deploy bootkits or inject backdoors into the firmware of servers and just wait for the next client of the server. If you don't own the server you need to put a lot of trust in your hoster that they won't alter the firmware in transit if you do update it on the server; some even have it locked down so that people can't play with it. Locked down with known vulnerabilities: good for skilled attackers, bad for defenders who want to protect it just a bit.

Tor relays themselves have been BGP hijacked in the past; there are recorded incidents. BGP hijacks have also been used to steal cryptocurrencies from exchanges.

Overall it does take someone who is a routing expert to monitor issues on such a level. Still today, outside of Tor itself, BGP security is a large problem. You can check whether your ISP or hoster has implemented some protections at


isbgpsafeyet.com


Now, for those interested, check out how many of these are RPKI enabled, signed and filtered, then compare it to how many relays from the Tor network use those unsecured providers like OVH or DigitalOcean. Quite scary. To also think every other tutorial goes like "yeah, put the relay in any cloud provider, doesn't matter"... but it does, when not placing it rightfully results in pretty much helping attackers. Tor relay operators in the majority don't have control over the AS or IP space of their own relays; what does that tell you?


I mean, isn't there any sign for them to find out that they are being chased down?

If you can get your current hoster to work with you, or you own your network space, you can deploy a set of tools to monitor BGP routes and at the very least detect RAPTOR-like attacks. Any good hoster should be doing it by default. The bad news is that false positives can be a dime a dozen. The other bad part is that if you've chosen an ISP or transit provider who subscribes to RPKI, it doesn't guarantee that would save you, as Tier 1 ASes have essentially unchecked power to announce false routes to their peers (other Tier 1s).

You can also get some extra servers from the outside, write some basic scripts to test route selection in and out and compare with the market servers, while observing AS changes, which you can query in real time. Market admins who actually have some more control over their network space can deploy BGPStream to detect anomalous prefix announcements. Some other tools like ExaBGP can be used in addition to help monitor in real time.


Self-configuring BGP monitoring tool, which allows you to monitor in real-time if:
any of your prefixes loses visibility;
any of your prefixes is hijacked;
your AS is announcing RPKI invalid prefixes (e.g., not matching prefix length);
your AS is announcing prefixes not covered by ROAs;
any of your ROAs is expiring;
ROAs covering your prefixes are no longer reachable;
RPKI Trust Anchor malfunctions;
a ROA involving any of your prefixes or ASes was deleted/added/edited;
your AS is announcing a new prefix that was never announced before;
an unexpected upstream (left-side) AS appears in an AS path;
an unexpected downstream (right-side) AS appears in an AS path;
one of the AS paths used to reach your prefix matches a specific condition defined by you.


Tor relay operators should run BGP monitoring tools for reactive defense as well. Trusting the entry guard algorithm on your client too is the best bet. However, unless the ISP or provider does monitoring of BGP updates, there isn't much to prevent an attacker in your network from routing or intercepting requests. BGP is a weak protocol, like a whore instead of a bodyguard protecting the door: won't let you through, but as soon as you slip a couple of dollars you can do anything you wish.

BGP data should be available specifically for the Tor network, for the community to run research and perhaps build a real-time tool for alerts. I find this a worthy cause for Dread to get behind and fund for the Tor Project.

Speaking of BGP alerts. Many have tried to create false-positive-free BGP monitoring tools, but no one has a definitive open source solution (ThousandEyes' commercial product exists for the purpose). You can detect errors in the advertising of routes or count the changes in hops, but interception detection doesn't happen, much less in real time. MOAS and IP conflicts are interesting characteristics of prefix hijacking which can be used to attempt to detect such attacks in real time.

Very suspiciously though, once people organize to protect and detect such Internet core essentials, somehow the discussion and efforts always get hijacked (pun intended). Kind of gives you hints as to why the powers that be don't want BGP fixed.
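The checks listed in the reply above (prefix hijacked, RPKI-invalid or ROA-less announcements, an unexpected upstream in the AS path) and its point about MOAS conflicts being a usable real-time signal, as one added worked example. This is not code from the thread and not BGPalerter, BGPStream or ExaBGP; it is a small stand-alone monitor run over a constructed stream of BGP UPDATEs. The ASNs (private range 64496 to 64511), the prefixes (documentation ranges), the "expected upstreams" set and the feed itself are all assumptions made up for the example, not data from any collector. Origin validation follows the RFC 6811 rule (a covering ROA must match both the origin AS and the maxLength), and the unexpected-upstream check is the heuristic that catches the case the reply warns about, where the path ends in the right origin so RPKI says "valid" but an attacker AS sits next to it.

```python
"""
Added example (not the thread's code; not BGPalerter, BGPStream or ExaBGP):
RPKI origin validation, MOAS, sub-prefix and unexpected-upstream checks over
a constructed BGP UPDATE stream. ASNs, prefixes and the feed are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: Tuple[int, ...]   # left: the collector's peer, right: the origin AS


def rpki_validate(prefix: str, origin_as: int, roas: List[ROA]) -> str:
    """RFC 6811 route origin validation: 'valid' if some covering ROA matches
    the origin and the announced length does not exceed maxLength, 'invalid'
    if ROAs cover the prefix but none matches, 'not-found' if none cover it."""
    net = ip_network(prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


@dataclass
class PrefixMonitor:
    my_as: int
    my_prefixes: List[str]
    expected_upstreams: Set[int]
    roas: List[ROA]
    origins_seen: Dict[str, Set[int]] = field(default_factory=lambda: defaultdict(set))

    def check(self, u: Update) -> List[str]:
        net, origin = ip_network(u.prefix), u.as_path[-1]
        mine = [ip_network(p) for p in self.my_prefixes
                if ip_network(p).version == net.version and net.subnet_of(ip_network(p))]
        if not mine:
            return []                       # someone else's address space: out of scope
        alerts = []
        state = rpki_validate(u.prefix, origin, self.roas)
        if state == "invalid":
            alerts.append(f"RPKI-INVALID {u.prefix} origin AS{origin} via {u.as_path}")
        elif state == "not-found" and origin == self.my_as:
            alerts.append(f"NO-ROA {u.prefix} is ours but has no covering ROA")
        # MOAS: the stream has now shown more than one origin for the same prefix
        self.origins_seen[u.prefix].add(origin)
        if len(self.origins_seen[u.prefix]) > 1:
            alerts.append(f"MOAS {u.prefix} origins {sorted(self.origins_seen[u.prefix])}")
        # Sub-prefix hijack: a more specific of our block, not originated by us,
        # wins on longest-prefix match regardless of path length.
        if origin != self.my_as and any(net.prefixlen > p.prefixlen for p in mine):
            alerts.append(f"SUBPREFIX {u.prefix} origin AS{origin} inside {mine[0]}")
        # Forged-origin interception: our ASN sits at the end of the path (so RPKI
        # says valid), but the AS next to it is not one of our real upstreams.
        if origin == self.my_as and len(u.as_path) > 1 and u.as_path[-2] not in self.expected_upstreams:
            alerts.append(f"UNEXPECTED-UPSTREAM AS{u.as_path[-2]} adjacent to AS{self.my_as} for {u.prefix}")
        return alerts


def run(monitor: PrefixMonitor, updates: List[Update]) -> List[str]:
    return [a for u in updates for a in monitor.check(u)]


# Constructed scenario: we are AS64500 with 203.0.113.0/24 (ROA, maxLength 24)
# and 192.0.2.0/24 (announced, but nobody created a ROA); upstreams AS64496/AS64497.
ROAS = [ROA("203.0.113.0/24", 24, 64500)]
MONITOR = PrefixMonitor(my_as=64500, my_prefixes=["203.0.113.0/24", "192.0.2.0/24"],
                        expected_upstreams={64496, 64497}, roas=ROAS)
UPDATES = [
    Update("203.0.113.0/24", (64510, 64496, 64500)),    # normal announcement
    Update("203.0.113.0/24", (64510, 64511, 64499)),    # origin hijack by AS64499
    Update("203.0.113.128/25", (64510, 64499)),          # more-specific hijack
    Update("203.0.113.0/24", (64510, 64498, 64500)),    # our origin forged, AS64498 in the middle
    Update("198.51.100.0/24", (64510, 64512)),           # not our space, ignored
    Update("192.0.2.0/24", (64510, 64496, 64500)),       # ours, valid path, but no ROA
]

if __name__ == "__main__":
    for alert in run(MONITOR, UPDATES):
        print(alert)
```

The caveat from the reply applies directly to the last check: a legitimate change of transit provider also puts an unfamiliar AS next to your origin, so UNEXPECTED-UPSTREAM is a prompt to look, not proof of interception, and the expected-upstreams set has to be kept current to keep false positives down. The MOAS check is stateful on purpose; it keeps firing while the conflicting origin is still visible, which is what you want from a reactive alert.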
/u/Draven777
1 points
1 month ago
https://www.lavoixdunord.fr/1588669/article/2025-05-23/vague-d-arrestations-de-vendeurs-et-acheteurs-sur-le-dark-web-270-personnes

Sad
And this is why I advocate for DAITA, with quantum-secure encryption, multi-hop WireGuard VPN, scattered jurisdictions, pre-Tor. It's no longer enough to just use Tor. Use every layer of security at your disposal. Don't log in from your home connection.
This is what we have been telling you guys for years here: Tor is not a silver bullet, the Tor connection occasionally gets compromised and the original IP is revealed. And yes, it is powerless against global adversaries like cooperating states or operators of the internet backbone. If one ignores the warnings and reality.... We have also been telling you for years how to fight it and prevent the compromise, right? ;)