New article on Dutch Silk Road 2 servers (translation): Dutch national police had already imaged Silk Road 2.0 server in May

Translation of the article:

Dutch national police had already imaged Silk Road 2.0 server in May

Background - Dutch cybercops have copied the Silk Road 2.0 at an early stage, which sped up the investigation tremendously.

The notorious 'dark market' Silk Road 2 and various other hidden illegal markets were taken down at the beginning of November as part of Operation Onymous. These sites were only accessible through Tor with a .onion address; their status as a hidden service didn't help them, however. The FBI and Europol managed to take down the servers, and in some cases arrest the owners. Among them was Blake Benthall, the alleged administrator of Silk Road 2.

Silk Road 2 could continue operations

The Justice Department had already made public that the Silk Road 2 server resided in the Netherlands for some time; research by Computerworld concluded that Team High Tech Crime (the Dutch cybercrime division) imaged the server and let the market continue its operations.

The copy was a huge asset for the police; FBI documents show they also seized the private key necessary to control the .onion domain.

Forensic copy

The 'Team High Tech Crime' police team started their own investigation at the end of May 2014, after they had received information as part of a request for help by American authorities regarding the Silk Road 2.0 darknet market. At that time the server was hosted at a Dutch hosting provider. At that moment a forensic copy of the server was made by order of the public prosecutor. This is confirmed by the National Police unit.

This action was important for the American investigation, as the THTC found that the server was rented by the suspect who was arrested by the American authorities. The exact timing of the downtime has been used by the FBI as additional evidence that they had indeed found the Tor darknet market. The Dutch police also connected the server owner's details acquired from the provider with the suspect in question.

Second offensive

The police won't say which provider hosted the server. The provider not only received a gag order, they were also forced to lie about the reason for the downtime.

The host sent 24 notifications to Benthall that the server had gone offline.

In early November Operation Onymous ended with other busts. On 5 and 6 November THTC raided 5 different places in the Dutch provinces of North Holland and Utrecht and seized servers related to 9 darknet markets. Among others, the Alpaca and Cannabis Road darknet markets were taken offline, the Dutch police say.

Research clearly found that the authorities took down many fake and clone websites while leaving the originals up; THTC didn't want to address this critique.

Exit nodes also taken offline

At the same time ten exit nodes of the German non-profit TorServers were taken offline. Four of those were running on one Dutch server.

The police don't want to confirm this takedown, but Dutch hosting provider NForce, where the TorServers machine was located, confirmed to Computerworld that the police took down hardware on 6 November; they weren't allowed to give any more details.

THTC emphasizes that Operation Onymous wasn't meant to target the Tor network in general, but was targeting criminal activities that took place on anonymous markets on the Tor network.

Tor compromised?

Confiscating these neutral Tor nodes (nothing was hosted on them) led to a lot of speculation about the methods used by law enforcement agencies to de-anonymize hidden services.

The police don't want to comment on how they de-anonymized these hidden services. The FBI alludes in another document that it can catch private keys through Tor network 'traffic servers', after which the IP address, host and location can be determined.

"We know for a fact that these private keys cannot be extracted from the exit nodes," Moritz Bartl from TorServers asserts. This suggests that a guard discovery attack has been used to de-anonymize hidden services. The physical server of a hidden service resides behind a guard node.


Comments


[2 Points] lamoustache:

Original article in Dutch: http://computerworld.nl/beveiliging/84556-klpd-had-silk-road-2-0-server-in-mei-al-in-handen


[1 Points] impost_r:

Some new information in this article. Who was the person that was arrested in May?

EDIT:

Argh "Deze actie was belangrijk voor het Amerikaanse onderzoek omdat het THTC vervolgens constateerde dat de server werd gehuurd door de thans aangehouden verdachte."

It's pretty ambiguous; I don't know whether they mean "in present time/now" or "at that time" with the word 'thans'.

So it could mean either "They connected the details with the suspect that was apprehended at that time." or "They connected the details with the suspect who was apprehended now in November" (i.e. Blake Benthall).


[1 Points] select1on:

Seems like people need to use full disk encryption on these servers. It's not that hard. Then they won't have anything.