Law Enforcement and the Dark Web: A Never-Ending Battle

July 19, 2016 by Pierluigi Paganini

Illegal activities in the Dark Web continue to grow

The Dark Web is a privileged place for cyber criminals, who, under specific conditions, can operate there anonymously.

The United Nations Office on Drugs and Crime (UNODC) has published its annual report, which specifically mentions the illicit trade of goods and drugs in this hidden part of the web.

The crooks seem to be one step ahead of law enforcement agencies in many countries, which in many cases are not able to target black markets in the dark web.

Illegal activities in the Dark Web are growing, and an increasing number of criminals are abusing anonymizing networks such as the Tor network and I2P.

"Drug supply via the Internet, including via the anonymous online marketplace, the 'dark net,' may have increased in recent years. This raises concerns in terms of the potential of the 'dark net' to attract new populations of users by facilitating access to drugs in both developed and developing countries," states the report.

Europol made a similar call in a 2014 report when addressing the shortcoming in its capabilities for dealing with online drug dealing.

"law enforcement should build technical capabilities in order to support technical investigations into subjects using Darknets, in accordance with relevant legislation," states the law enforcement agency.

When dealing with the growth of illegal activities in the Dark Web, legislation, technical abilities and capacity building are essential components of a strategy that must be shared by law enforcement agencies worldwide.

Law enforcement bodies in many countries are still not in a position to deal effectively with the illegal activities that leverage infrastructures in the Dark Web. The anonymity of the actors and jurisdictional issues are the most common obstacles to their activity.

In many cases, technical difficulties required the involvement of undercover agents to infiltrate black marketplaces and identify their operators.

The purchasing of drugs via the "dark net" raises concerns regarding the potential of the "dark net" to attract ordinary crime; black markets are crucial facilitators for multiple illegal activities. At the same time, we are witnessing a significant increase in the number of transactions related to the payment for illegal goods; bitcoins and other crypto-currencies are becoming the norm in many black markets.

The United Nations Office on Drugs and Crime (UNODC) report also cites a global survey of more than 100,000 Internet users (75 percent of whom had purchased illegal drugs) in 50 countries in late 2014.

The survey confirms an increase in the number of users purchasing drugs via the Internet; the percentage had increased from 1.2 percent in 2000 to 4.9 percent in 2009, 16.4 percent in 2013 and 25.3 percent in 2014. It is interesting to note that the number of Internet users who purchased drugs via the "dark net" has also increased.

The key findings of the Global Drug Survey 2016 report, published this year, are reported below.

"More people shopping on the dark net, more people using MDMA & experiencing harm, synthetic cannabinoids the most dangerous drugs in the world."

  • Globally almost 1 in 10 participants (9.3%) reported ever buying drugs off the darknet with those reporting last year dark-net purchase rising from 4.5% to 6.7%.
  • MDMA, cannabis, new or novel substances (including 2C-B and DMT) and LSD are the drugs most commonly bought.
  • 5% of respondents stated that they did not consume drugs before accessing them through darknet markets.

Analyzing data related to English-speaking countries, it is possible to observe an increase between 2015 and 2016 in the UK, Ireland, the US and Canada. The situation is quite stable in Australia and New Zealand.

Figure 1 - Respondents reporting use of illicit/NPS/prescription drugs in the last 12 months (The Global Drug Survey 2016 report)

The intelligence agencies that appear to be the most aggressive when dealing with drugs and other illegal activities on the Dark Web are the FBI and the NCA; let's look at their activity in detail.

The National Crime Agency in the Dark Web

The dark web is a dark zone for law enforcement agencies worldwide. In this hidden portion of the web, crooks can buy and sell drugs, weapons and stolen data, and it is also considered a facilitator for child pornography. At the end of 2015, British law enforcement and intelligence agencies, including the GCHQ and the National Crime Agency (NCA), created a new unit, the Joint Operations Cell (JOC), that will specifically address cybercrime.

The mission of the new unit will be initially focused on tackling online child sexual exploitation as explained in the official statement issued by the NSA.

"An NCA and GCHQ co-located Joint Operations Cell (JOC) opens officially today. The unit brings together officers from the two agencies to focus initially on tackling online child sexual exploitation," states the press release published by the NSA.

The British Government is always at the forefront in the fight against online child sexual exploitation. In December 2014, the UK Prime Minister David Cameron announced the plan for the creation of a unit of cyber experts that will be involved in the investigation of crimes exploiting the dark web.

Cameron revealed that national intelligence agencies would join the efforts to track and arrest online abusers and pedophiles. He also added that the UK Government would have greater powers for online monitoring of suspects. According to UK authorities, up to 1,300 children are exposed to online abuse from pedophiles, and it is the tip of the iceberg; for this reason, it is a moral and social obligation to fight this illegal practice.

Cameron explained the strategy of the British Government at the #WeProtectChildren online global summit in London, announcing the creation of a new unit composed of members from the GCHQ and the National Crime Agency (NCA).

Figure 2 - Cameron explained the strategy of the British Government at the #WeProtectChildren online global summit 2015

One of the greatest challenges for law enforcement agencies that operate against online pedophiles is to track them online even when they make extensive use of anonymizing networks like Tor.

"The so-called 'dark-net' is increasingly used by pedophiles to view sickening images. I want them to hear loud and clear: we are shining a light on the web's darkest corners; if you are thinking of offending, there will be nowhere for you to hide." Cameron said.

The JOC will have the ambitious plan to fight any kind of online criminal activity.

"The Joint Operations Cell will increase our ability to identify and stop serious criminals, as well as those involved in child sexual exploitation and abuse online. This is a challenging task as we must detect them while they attempt to hide in the mass of data. We are committed to ensuring no part of the internet, including the dark web, can be used with impunity by criminals to conduct their illegal acts." explained the GCHQ Director Robert Hannigan.

The FBI and the Dark Web … the never ending story

In July 2015, two individuals from New York were charged with online child pornography crimes after visiting a hidden service on the Tor network.

The Federal Bureau of Investigation (FBI) identified them by using a hacking tool that allowed law enforcement to de-anonymize the suspects while surfing on the Tor network.

After months of speculations and hypotheses on the mysterious tool, court documents reviewed by Motherboard provided more information on the hacking technique exploited by the FBI to identify the suspects.

The document confirmed that it was the first time that the FBI conducted such an extended operation against Tor users. According to the court documents, the FBI agents monitored a bulletin board hidden service launched in August 2014, named Playpen. Playpen was a hidden service used in the dark web for "the advertisement and distribution of child pornography." In just one year, it reached over 200,000 users, with over 117,000 total posts mainly containing child pornography content. The FBI agents were able to discover nearly 1300 IP addresses belonging to the visitors.

Figure 3 - Court documents related to the PlayPen case

The FBI seized the server where the Playpen service was hosted, which belonged to a web host located in North Carolina, and used it as a sort of watering hole attack to track its visitors. The FBI operation leveraged the network investigative technique (NIT) to obtain the IP addresses of the Playpen users.

The technique was not new; the FBI also used the NIT to de-anonymize Tor users in previous operations. On December 22nd, 2014, Mr. Joseph Gross retained the assistance of Dr. Ashley Podhradsky, Dr. Matt Miller, and Mr. Josh Stroschein to provide expert testimony in the proceedings against pedophiles on Tor.

The suspects were accused in federal court in Omaha of viewing and possessing child pornography.

To better understand what the NIT is, let me share the explanation provided by the cyber security expert H.D. Moore, who developed it.

"The NIT was a Flash-based application that was developed by H.D.Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings." stated the forensic report.

Figure 4 - NIT code

According to the court documents, the investigators were informed that there were three servers containing contraband images that the FBI found and took offline in November of 2012.

Authorities used the server as bait for online pedophiles. The FBI placed the NIT on the servers and used them to de-anonymize Tor users accessing the illegal content. With this technique, the FBI identified the IP addresses of visitors.

The NIT technique was also used in 2011 by agents running "Operation Torpedo," when they deployed the script on seized servers to track visitors.

According to court documents related to Playpen, the version of the NIT currently used by the FBI is different from the one used in the past during Operation Torpedo.

Colin Fieman, who is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed "Playpen," believes that many other users of the illegal service will be arrested due to the use of the network investigative technique (NIT).

"Fifteen-hundred or so of these cases are going to end up getting filed out of the same, underlying investigation," Colin Fieman told Motherboard in a phone interview. Fieman, who is representing Jay Michaud, a Vancouver teacher arrested in July 2015, said his estimate comes from what "we've seen in terms of the discovery." "There will probably be an escalating stream of these [cases] in the next six months or so."

When dealing with hacking tools like the NIT to de-anonymize Tor users, it is important to consider that law enforcement agencies like the FBI used only one warrant to hack computers of unknown suspects all over the world.

Privacy advocates consider this illegal, as does the defense of the suspects in the Playpen case, which speculates that the US government was running dragnet surveillance not allowed by national law.

Earlier in 2016, a judge ruled that the FBI's actions did not constitute "outrageous conduct," but now a new order has been issued that obliges the FBI to disclose the entire source code of the NIT investigative component.

Michaud's lawyers had been requesting access to the NIT code used by the FBI since September, but they did not obtain it until January, when the defense expert Tsyrklevitch received the code.

Tsyrklevitch argues that the provided code was incomplete: the parts related to the exploit were not included in the NIT component he analyzed.

"This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud's computer, beyond the one payload that the Government has provided," Michaud's lawyers wrote.


Darknets and covert channels will continue to be abused by crooks, making law enforcement investigations hard. Tools like the NIT could support Government activities, but represent a potential threat to users' privacy.

Although the FBI and other law enforcement agencies have been lauded for their efforts in the fight against the threat actors in the dark web, preventing the abuses of anonymizing networks is still a great challenge.

For this reason, governments and police bodies are training a new generation of agents that is mastering new technology, including anonymizing networks.

The fight against crooks in the Dark Web needs deep technological knowledge and the adoption of HUMINT.


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.