Small-Time Hackers Can Be Deanonymized Even When Using Tor

How anonymizing tech won't always stop you from leaving digital footprints.

Apr 22 2015, 1:00pm

Image: Brian Rinker/Flickr

The renowned anonymizing software Tor is used by millions of people every day to protect their identities online, but even if you use it, you can still leave potentially sensitive information lying around the internet.

Tor is a great tool for whistleblowers or for dissidents in repressive regimes, who might get arrested—or worse—for doing certain things on the internet. Obviously, it's also great for cybercriminals, drug dealers, and hackers, who use it to hide their traces.

As cybercrime pros know very well, however, Tor alone is not a guarantee of complete anonymity or security. But many forget that. In fact, even small-time hackers, also known as "script kiddies" in hacker lingo, can be busted thanks to the footprints they leave on the internet, despite the fact that they used Tor while leaving those footprints in the first place.

With some online sleuthing, Recorded Future, a web intelligence firm backed by Google and the CIA, was able to find a lot of information about four small-time hackers, including their emails, passwords and other aliases, as the firm explains in a new report published on Wednesday.

With that information, the hackers' real identities could have easily been exposed, according to Nick Espinoza, the author of the report.

"They gave me more than enough ammunition," he said. Espinoza added that he didn't try to dox them because that would have entailed using their passwords and poking their sites, which wouldn't be "ethical for me to do as a researcher."

These hackers are involved in the online community that uses and sells cyberattack services, along with automated software that allows pretty much anyone, regardless of their technical ability, to launch distributed denial of service (DDoS) attacks that can overload and take down websites. These services are sometimes referred to as DDoS-For-Hire tools, as well as "booters" or "stressers."

Perhaps the most famous of these groups is Lizard Squad, the group that knocked Sony and Microsoft gaming networks offline late last year. But there are many more copycats around, and they even fight against each other, trying to hack each others' websites.

It was thanks to their online catfighting that Recorded Future was able to track down the hackers.

Armed only with a list of known IP addresses of Tor exit nodes, the last "hop" when someone uses Tor, Espinoza searched through Recorded Future's database of internet big data to see what he could find.

"There was no real rhyme or reason," Espinoza told Motherboard. "We just thought Tor exit nodes activity is interesting."

What he found were a few databases containing usernames, passwords and IP addresses dumped on paste sites such as Pastebin, where hacking groups often post data or boast about their feats. These dumps, it turned out, came from five sites offering DDoS services which had previously been breached, some by competing hackers.

In some of the examples highlighted by Recorded Future, the hackers who breached competing sites got their own usernames and passwords exposed in other dumps. In one case, a hacker named "suru" or "lollsuru" breached and dumped the database of DDoS tool Deathstresser and, somewhat bizarrely, exposed his own login information on the site, including email address and password.
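As an added example (not code from Recorded Future's report or from Motherboard), the two analyst steps described above run over constructed data: flag dump records whose stored login IP matches a Tor exit-relay list, then pivot on a shared e-mail address to link aliases across dumps from different sites. Every site name, alias, address and hash below is invented; the exit-relay IPs are documentation ranges, not real relays.

```python
import ipaddress
from collections import defaultdict

# Constructed Tor exit-relay list (documentation addresses, not real relays).
TOR_EXITS = {"198.51.100.7", "203.0.113.42", "2001:db8::1"}

# Constructed dump lines in "site|username|email|password_hash|last_login_ip" form.
# Note the mixed-case e-mail and non-canonical IPv6 spelling on line 3.
DUMPS = """\
booter-a|alias_one|same.person@example.net|<hash1>|198.51.100.7
booter-a|bystander|other@example.org|<hash2>|192.0.2.10
booter-b|alias_two|Same.Person@example.net|<hash3>|2001:0DB8::1
booter-b|zed|zed@example.com|<hash4>|192.0.2.77
"""

def parse_dump(text):
    """Parse pipe-separated dump lines into records with normalized e-mail and IP."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        site, user, email, _pw_hash, ip = [f.strip() for f in line.split("|")]
        try:
            ip = str(ipaddress.ip_address(ip))   # canonical form, so IPv6 spellings compare
        except ValueError:
            ip = None                            # malformed IP field: keep record, drop IP
        records.append({"site": site, "user": user, "email": email.lower(), "ip": ip})
    return records

def tor_records(records, exits):
    """Step 1: records whose stored login IP is a known Tor exit relay."""
    return [r for r in records if r["ip"] in exits]

def link_by_email(records):
    """Step 2: e-mails that appear in dumps from more than one site, with the linked aliases."""
    by_email = defaultdict(list)
    for r in records:
        by_email[r["email"]].append(r)
    return {e: rs for e, rs in by_email.items() if len({r["site"] for r in rs}) > 1}

if __name__ == "__main__":
    recs = parse_dump(DUMPS)
    print(f"{len(tor_records(recs, TOR_EXITS))} record(s) logged in from a Tor exit relay")
    for email, rs in link_by_email(recs).items():
        print(email, "->", sorted({(r["site"], r["user"]) for r in rs}))
```

The e-mail pivot in step 2 needs no IP list at all, which is the substance of Dingledine's objection later in the piece: the linkage comes from what the users left in the dumps, not from the Tor exit addresses.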

Think of this as a hacker's skirmish where they mutually hacked each other.

"This is indicative of an increasingly small world of actors interested in these tools," Espinoza wrote in the report.

This hacking skirmish proves that "if malicious actors use Tor to access illegal sites and services, they are only as secure as those services are," according to Espinoza, and that sometimes, using Tor might be "more of a red flag than a safety blanket," given that it might attract the attention of an analyst like himself.

Roger Dingledine, the co-founder of the Tor Project, however, disagreed.

"It is a neat forensic approach to ask the internet what it remembers about traffic that came from Tor exit relays," Dingledine told Motherboard in an email. "But let's avoid leaping to the conclusion that these people could have been safer or lower profile if they'd come from different IP addresses."

After reading Recorded Future's report, Dingledine said that the Tor exit nodes' IP addresses weren't the key to the research. In fact, given that some of these hackers or script kiddies "left interesting traces of themselves all over the Internet," Recorded Future "could have learned this information in other ways by looking at the various data dumps," he added.

Regardless, this is a good reminder that technology itself—even if it's Tor—isn't a guarantee of bulletproof anonymity or protection. We still leave traces online, even when using Tor. This is also a good reminder that script kiddies are just that: small-time hackers who often don't know better.