Operation Onymous, the international cooperation between the FBI, Europol and other law enforcement agencies that rocked the deep web earlier this month, knocked many sites selling drugs, guns, and credit card details offline. Among those was the second iteration of the infamous Silk Road.
But it appears a large number of sites shut down were actually fake or cloned versions, with some of the originals still up and running.
Nik Cubrilovic, a writer and researcher, crawled sites on the deep web along with two other researchers operating anonymously under the Twitter handles @secruedmh and @imposter. They recorded how many had been seized and which sites had been taken down—easily indicated by the "THIS HIDDEN SERVICE HAS BEEN SEIZED" announcement blazoned across the screen.
The original figures released by law enforcement claimed that more than 410 deep web sites had been seized. Then that went down to 400 URLs in a later comment, relating to around only 27 different sites. Owing to this confusion, and the fact the agencies didn't publish a full list of the sites that they did force offline, Cubrilvoc and the other researchers set out to clarify what exactly Operation Onymous had achieved.
In all, they found over 9,000 .onion sites, 267 of which had been seized. But they said 153 of the seized sites were actually fake, their URLs "belonging to either clone, scam or phishing sites."
According to Cubrilovic, of the 32 addresses in the Department of Justice seizure notice, three are scam sites and another nine are clones. Meanwhile, of the eight take-downs listed in the FBI press release, one is a scam site and another two are clones.
Scam sites are marketplaces or services that appear to be the real deal but are in fact run by people who have no intention of providing the promised product.
For example, phishers often set up a site that looks identical to the original in order to fool people into typing in their login details. With these details, the scammers could then take over the victim's account and drain any bitcoin stored in it. Twenty of the 153 fake seized sites uncovered by the researchers were scam or phishing sites. These included 'EuroGuns,' 'Bitcoin for Proxy,' and, funnily enough, a knock-off of Silk Road 2.0.
The other 133 of the "fake" seized sites the researchers found were clone sites, which Cubrilovic explained to me in an email constituted "any site where the content returned is the same as another Tor hidden service, but we know it was a clone because it appeared after the original hidden service."
The FBI listed 'Executive Outcomes' as a gun marketplace, but Cubrilovic wrote it is in fact a well-known scam site, and hasn't shipped anybody any weapons. Ironically, only a clone version of the site was seized, while the original—a scam—remains up and running.
Many of the fake sites that were shut down are obvious targets. Cannabis UK advertises what you'd expect, as does FakeID. One is a Jihad funding site, "Fund the Islamic Struggle without leaving a trace." A clone of that site was seized, while the actual website remains live, detailed by Cubrilovic in another blog post.
The researchers were in part motivated by trying to find out the method that the FBI and others used to take down the sites. "First we want to get more administrators of these sites or people involved at the hosting companies etc. to come forward and to help us understand how these sites were configured or hosted so we can test our theories on how they were taken down," Cubrilovic told me in an email.
In his post, Cubrilovic hypothesises about the method used by law enforcement to take down these sites. "That the FBI seized so many clone and fake websites suggests a broad, untargeted sweep of hidden services rather than a targeted campaign," he wrote. Some real sites, such as doxing forum Doxbin and the revenge porn site Pink Meth were also seized, but weren't mentioned in the official seizure documents. In that case, were these not specifically targeted, but simply got caught in the net?
He told me the group was making its research available so others could help. "It is important that we get an understanding of what vulnerabilities there are in Tor, if any (it looks like there aren't any—they just hammered a few hosting providers to produce every Tor site they hosted)," he said.
I reached out to the FBI, the European Cybercrime Centre and the UK's National Crime Agency (NCA) to ask what they thought of the findings. Only the NCA got back to me by the time of publication, and said that "this operation was a great success with a significant number of key sites being disrupted and a number of significant individuals arrested. The investigation is on-going and more arrests can be expected."