New theories have emerged about how German authorities cracked the anonymity of a darknet criminal website admin in 2021, exposing a major vulnerability in Tor’s privacy network.

While authorities haven’t released their secrets on how this was conducted, a September 2024 report speculates that they used timing analysis and compromised servers to successfully trace the IP of “Andres G,” the alleged operator of “Boystown,” a darknet site for child pornography.

Tor itself admits that it is unaware of the exact method but suspects the German authorities’ operation leveraged an outdated chat messenger called Ricochet that the arrested criminal was using.

In a response to German media reports, Tor said in a blog post that users can continue using their browser to access the web “securely and anonymously.”

“In addition to adding relays and bandwidth, the Tor network team also recently deployed critical new features to improve the Tor network’s defense mechanisms, speed, and performance,” Pavel Zoneff, Tor’s strategic communications director, told Cointelegraph.

Tor’s fortifications have certainly been strengthened, but calling it completely impenetrable is more complex.

“If you can monitor data flows at their source, their destination, and/or useful places in the middle where you reasonably can correlate the traffic to either endpoint, timing analysis attacks are always possible,” Michal Pospieszalski, CEO of security infrastructure firm MatterFi told Cointelegraph.

“That said it appears that Tor’s upgrades have made this extraordinarily difficult but it can't be said that it's impossible.”

Penetration of Tor’s outdated defense line

Media outlet Panorama and investigative YouTube channel STRG_F claim to have reviewed documents related to the case but didn’t disclose specifics on how the timing analysis worked. However, they mentioned that it targeted “entry servers,” also known as guard nodes, from the Ricochet instant messaging service, allegedly used by Andreas G.

“From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack,” Zoneff said.

When using Tor to browse websites, the traffic typically passes through three sets of nodes: entry (or guard) nodes, middle relays and finally, exit nodes. The guard node is the only node in this circuit that knows the user’s IP address.

For Tor hidden services, such as Ricochet, there is no exit node. Instead, the connection is made through a rendezvous point within the Tor network itself, meaning traffic doesn’t “exit” to the internet at all. The rendezvous point allows two parties (such as Ricochet users) to communicate anonymously.

This is how an outdated Ricochet circuit would connect to a rendezvous point. Source: Tor

In a hypothetical attack on this older version of Ricochet, authorities could try to control multiple middle nodes within the Tor network, increasing their chances of intercepting traffic.

“This is a form of Sybil attack,” Or Weinberger, CEO of wallet recovery firm Brute Brothers, told Cointelegraph, adding that such attacks demand extensive resources.

To do this, they could send many requests or packets to the user’s Ricochet address, forcing them to establish new Tor circuits. Since Tor selects a new middle node for each circuit, the goal would be to eventually connect through a malicious middle node controlled by the authorities. The more middle nodes the authorities control, the higher their chances of success.

Once a connection is made to a malicious middle node, authorities can’t immediately identify the user’s IP address. However, they can use timing analysis to correlate traffic passing through the compromised middle node with traffic patterns observed at the entry (guard) node.

Timing analysis involves carefully measuring the timing of data packets as they move between nodes. By comparing this timing data, they may be able to identify which guard node was used by the suspect.

Related: How to recover a crypto wallet with or without a seed phrase

Once the guard node is identified, the authorities can request an Internet Service Provider (ISP) associated with that guard node to reveal the IP address of the user.

This would effectively de-anonymize the target.

Cointelegraph is not claiming that this is the exact method used by German authorities but presents it as a hypothetical example of how authorities could have found their suspect.

Tor says suspected attack vector may be outdated

Recent updates to Tor’s structure make such Sybil attacks much harder to conduct.

“It’s not uncommon for certain clients to have their own set of issues or vulnerabilities,” Lisa Loud, executive director of Secret Foundation, an encrypted Web3 development tool, told Cointelegraph.

“Vulnerabilities will always be found and they’ll be patched by responsible teams as fast as they are able.”

The old version of Ricochet was discontinued in 2019 and later replaced by Ricochet-Refresh, which implements the “vanguard” system, which is designed as a counter to such attacks.

A Sybil attack vector takes advantage of the random sampling of middle nodes.

So, in the newer Vanguard model, a circuit is instead assigned to a set of relays with randomized rotation times.

This means all hops within a circuit are pinned to a group of nodes.

The new vanguard system eliminates the infinite random selection game. Source: Tor

So, if authorities set up malicious nodes and try spamming interactions to a Ricochet-Refresh user, the messages still won’t connect to their node traps.

“Any security measure that takes place, there’s a countermeasure that takes place,” Weinberger said.

Related: Germany seizes 47 crypto exchanges tied to ‘underground economy’

“Although they mitigated this specific risk, it’s still not 100% protected,” he said, adding that nation-states have a higher chance of successfully de-anonymizing users due to their resources.

Tor node-rich Germany

Tor’s privacy features become stronger if its nodes are decentralized around the world.

“We encourage those who can to volunteer and contribute bandwidth and relays to grow and diversify the Tor network. By ensuring hardware, software, and geographic diversity of the Tor network, we can continue to improve the Tor network’s stability and security,” Zoneff said.

Currently, a big chunk of Tor’s relays are in Germany.

Germany leads all nations in the number of relays. Source: Tor Metrics

As of Oct. 18, Germany had 1,861 of the 8,085 of Tor’s relays, according to Tor Metrics. On top of that, it also leads the world in consensus weight, which also factors in other considerations like bandwidth and capacity.

Collectively, relays in Germany account for about 36.73% of the overall selection weight in the network.

When a user connects to a jurisdiction, they’re not geographically restricted to select a node closer to them, according to Weinberger.

“Your Tor client is more likely to choose a high-performing guard node over a low-performing one, so I’m guessing nation-states would be using long-running guard nodes with great bandwidth capabilities to attract as many Tor clients to connect to them,” he said.

The United States has the second highest number of relays with 1,778, but Netherlands takes second spot in consensus weight despite having 784 relays.

“To do timing analysis attacks, if you are a government, you need to be able to inject your own nodes into the existing network. It’s obviously easier for a government to do this in its own jurisdiction,” Pospieszalski said.

“If the Tor network had an even number of nodes in, say. every country, then it would take a significant amount of cross-border investigative work to get timing analysis done.”

Safe for users, but criminals should be on edge

Tor’s expanded defense system makes it more difficult for nation-states or any entity with significant resources to conduct timing analysis against users, but it doesn’t make it impossible.

Also, technological advancements are providing more weapons to de-anonymize users.

“Ultimately an AI that has a lot of monitoring data points and a lot of processing power will be very good at timing analysis. I wouldn’t be surprised if secretly such a project already exists somewhere,” Pospieszalski said.

The big question is whether Tor is still safe and can provide anonymity to users seeking elevated privacy guarantees.

Experts speaking to Cointelegraph agreed that it is still safe for general users, but advances in technology are keeping darknet criminals on their toes.

“Privacy is such an interesting topic [and] we have advocates for it in mainstream industry and government, and then detractors who see privacy in Web3 as uniquely designed for bad actors,” Loud said.

“Will anonymous browsing survive? Maybe. It’s a race, and anything can happen in the next few years to influence the ultimate outcome.”