This Is (Probably) How the FBI Took Down Blake Benthall Last Week

Nov 12, 2014 at 7:16 AM ET

Law enforcement agencies from around the world descended last week on a part of the Internet where you’re supposed to be able to browse anonymously and arrested 17 people who thought no one was watching them.

Among those nabbed was a big fish: Blake Benthall, a 26-year-old San Francisco techie who allegedly operated the biggest drug retailer on the Internet, Silk Road 2.0, and who used his bitcoin loot to buy a Tesla. During the raid, agents shut down hundreds of illegal websites and several dozen active drug marketplaces.

All of these sites were hosted on Tor, which reroutes your IP address and lets you browse the Internet anonymously. In the age of NSA surveillance, it’s become the place to go for people who don’t want to be snooped on.

But if Tor is anonymous, how did the FBI and other law enforcement agencies manage to track down these site owners? For its part, the FBI was exceedingly vague about how it found the Silk Road 2.0 server in what was known as Operation Onymous: “In or about May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website,” they wrote in their indictment against Benthall. Even the Tor foundation itself, a loose collective of developers and security experts, was stumped: “So we are left asking: ‘How did they locate the hidden services?’” Tor developers wrote on the project’s blog on Sunday. “We don’t know.”

By strange coincidence, on the same day the raid happened, a little-known 28-year-old Tor expert by the name of Ivan Pustogarov published an online lecture called “Deanonymization Techniques for Tor and Bitcoin.” In it, Pustogarov, a computer security expert pursuing his PhD at the University of Luxembourg, lays out a method of attacking Tor to expose the identities of its users.

“There are indications that this attack was used,” Pustogarov tells me, speaking by phone yesterday.

To understand how such an attack works—and how the FBI may have uncovered the names and addresses of these people—you first need to understand a bit about how Tor works. On the regular web, your computer is tied to a specific IP address, which offers information about your specific location. But when a user accesses the web via Tor, his or her IP address is routed through at least three “relays”—a middle relay, a bridge relay and an exit relay. This masks the user’s identity.

But theoretically, if you own enough of these relays, you can see who owns the IP addresses. “If you control all three relays, it’s like you control the proxy server,” Pustogarov says. “If you can control the first node and third node, you can also learn who they are and where they go using traffic analysis.”

Renting these servers to host all of these Tor relays costs money. In his research, Pustogarov found that for about $12,000 per month over a 12-month period, an attack could offer a “99% probability to locate a specific hidden service.” That means the FBI may have been flooding the Tor network with relays it controls and monitoring the traffic flowing through it.
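The reasoning in the last three paragraphs, worked through as an added back-of-the-envelope model (this is not code from the article or from Pustogarov’s lecture): how the chance that an adversary sits at both ends of a single circuit compounds over many circuits, which is why a sustained, months-long relay presence is what buys a high probability, and why a client that keeps one long-lived entry relay caps its exposure. The adversary fractions and the assumption that relays are picked uniformly (real Tor weights selection by bandwidth) are constructed inputs, not figures from the page.

```python
import math
import random

# Simplified model of the relay-flooding scenario described above: the
# adversary controls a fraction f_entry of entry-relay selections and f_exit
# of exit-relay selections (assumption; real Tor weights choices by bandwidth).

def circuit_compromise_prob(f_entry: float, f_exit: float) -> float:
    """Chance that a single circuit has an adversary at both ends."""
    return f_entry * f_exit

def prob_any_circuit_compromised(f_entry, f_exit, n_circuits):
    """Chance that at least one of n independently built circuits is
    compromised, i.e. the user is eventually linked to their destination."""
    p = circuit_compromise_prob(f_entry, f_exit)
    return 1.0 - (1.0 - p) ** n_circuits

def circuits_needed(f_entry, f_exit, target):
    """Smallest number of circuits before the cumulative chance of
    compromise reaches `target` (e.g. 0.99, the figure quoted above)."""
    p = circuit_compromise_prob(f_entry, f_exit)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))

def prob_with_pinned_guard(f_entry, f_exit, n_circuits):
    """Same adversary, but the client keeps one long-lived entry relay
    (Tor's entry-guard design). Only a client whose guard is hostile can
    ever be observed at both ends, so the risk is capped at f_entry."""
    return f_entry * (1.0 - (1.0 - f_exit) ** n_circuits)

def simulate(f_entry, f_exit, n_circuits, trials=2000, seed=7):
    """Monte Carlo cross-check of prob_any_circuit_compromised."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if any(rng.random() < f_entry and rng.random() < f_exit
               for _ in range(n_circuits)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    f = 0.10  # constructed: adversary owns 10% of entry and 10% of exit picks
    n = circuits_needed(f, f, 0.99)
    print(f"circuits until 99% cumulative compromise: {n}")
    print(f"analytic: {prob_any_circuit_compromised(f, f, n):.3f}")
    print(f"simulated: {simulate(f, f, n):.3f}")
    print(f"with pinned guard: {prob_with_pinned_guard(f, f, n):.3f}")
```

The contrast between the last two printed values is the defender’s takeaway: without guard pinning the adversary’s odds climb toward certainty as circuits accumulate, while with it they never exceed the adversary’s share of entry relays.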

Right now there are about 6,000 Tor relays and about 4,000 bridges. They’re operated by volunteers, and they’re pretty easy to set up.

This wasn’t the first such attack. Tor operators believe there was another one back in July. Tor has proven vulnerable to attacks on other occasions, too. It makes you wonder: Are Tor’s days numbered? If Tor can be penetrated by law enforcement, will dark net drug dealers, assassins and other criminals begin to rethink the network they operate on?

“Tor is not broken,” says Pustogarov. “People just don’t understand what level of anonymity it provides. It doesn’t protect them automatically.”