Updated: May 11
Tor is the most popular ‘dark net’ used today. It is well known for its association with illegal activity, such as forums and vendors selling drugs and weapons, and the ever-increasing media surrounding cybercrime. However, there are legitimate uses for Tor, such as avoiding state-based censorship or communicating anonymously in contested environments.
In this blog, we are going to look at the other side and understand how the network works. We’ll also explore network attribution considerations and look at methods to correlate network activity with geopolitical events.
Most people who use Tor simply access it with a standard Tor browser and use search engines (see our previous blog), index sites, or navigate directly to known destination .onion addresses. However, we can learn more about what is happening around the world by taking a step back and looking at the network itself. Luckily, Tor's network details are publicly available for us to view and analyse.
The Tor Network to the Surface Web
Let's begin with a quick overview of how the Tor network works. It is made up of a series of volunteer-hosted relays which route traffic through to a destination and back. A client will connect to what is called an ‘entry guard’, pass through a ‘middle relay’ and then exit through an ‘exit node’. The terminology may differ; however, the structure of the network resembles the layers of an onion (hence the name).
We can use Tor network to connect to the surface web (using the Tor browser and network as a proxy to ‘normal websites’). When this occurs, are connection will look like this:
The Tor Network to the Dark Web
When we visit the dark web, or hidden services (URLs that end in .onion), our connection is a little different, and a little more anonymous. Tor doesn’t use HTTPS, as the communication stays within the Tor network, and by its very nature, it is encrypted. It looks like this:
Tor over VPN
There is much discussion online about whether or not to use a Virtual Private Network (VPN), which essentially adds another hop in the network.
So, what’s the answer? Well, it depends.
Using a VPN allows you to mask your IP address. When you connect to a VPN, you are assigned a new IP, which does not reveal your original IP, ISP, or location. When choosing a VPN, you should always thoroughly research the provider. Free-to-use VPNs may log your data (including your originating IP) and may work poorly. Reputable VPN providers - which will often require a subscription fee - will provide policies and information about the data that they record.
Connecting to a VPN first, then Tor, sometimes called ‘Tor over VPN’, provides added protection that prevents the entry guard from seeing your true IP address. The Tor Project website, however, doesn’t recommend using a VPN with Tor. We must understand who we are hiding from first and foremost, and what risks we are seeking to mitigate:
Avoiding Traffic Correlation Attacks - Use a VPN
Worried that a Tor Node is watching your activity - Use a VPN
Hackers - Use a VPN
Well-resourced state actor - In this instance, a VPN may enlarge your attack surface (How did you pay for the VPN? Does the VPN keep a log of your activity?) but use a VPN if you have a good online persona.
Remember - always use a reputable VPN provider (which likely means avoiding free VPN services!) both on and off the dark web.
Bridge Relays – Avoiding Censorship
Tor relays are publicly listed, so an ISP (Internet Service Provider) or restrictive state actors can block or detect their use. However, bridges are not listed in the public Tor directory. That means that an ISP or government trying to block access to the Tor network have a harder time doing so.
If you decide to use Tor without a VPN, or without a bride relay, an Internet Service Provider (ISP) can see the connection to Tor, however; cannot see the content. Bridge relays are easy to establish by configuring your connection when you open up the Tor Browser.
Now that we have a basic understanding of traffic flow, and some more information around our attribution, let's look at macro network activity.
Network Activity and Metrics
The Tor Project enables the public to research the metrics of the network, including user activity, servers, and relays. This is useful for understanding peaks and troughs in network activity, and we can correlate changes in activity with geopolitical events. It is common to see a spike in Tor connections during periods of civil unrest or conflict – we can’t see what people are using Tor for with macro network analysis, but the inference is still useful for assessments.
Tor Metrics (https://metrics.torproject.org/)
The first metric that is useful for correlating a spike in activity to events around the world is how many users are accessing services. Clicking the ‘Users’ option lets us look at how many people are connecting to Tor and from which country. Consider this when there are geopolitical events unfolding around the world. It can help us infer how well-known discrete internet communication and access is within a country, and if there are channels or opportunities that may exist for communicating with a population in a contested environment.
Filter options for Tor Users (https://metrics.torproject.org/userstats-relay-country.html)
Afghanistan 2021 - We analysed user activity on Tor from Jan 2020 - Sep 2021 to see shifts in Tor activity over time within Afghanistan. The IP locations are derived from the relays resolving client IPs as they pass through, which provides a geo-database. VPN-connected clients could potentially obfuscate this, but unlikely at scale, so we can lean on these metrics for analysis.
If we narrow down further and analysing activity within 2021, we can identify key spikes in activity.
What happened in April 2021?
We can use advanced Google searching to correlate events. Using the search query "Afghanistan" after:2021/04/01 before:2021/05/01 we can bracket our search and find events of interest.
The sharp increase in connections corresponds to the formal announcement of US troop withdrawal and the plan forward with Afghanistan. Whilst there may have been other underlying reasons for the spike in Tor activity, this serves as an example of how we can analyse Tor user activity in a geopolitical context.
Servers pass our connection through the Tor network. The Tor Project provides information about how many of these relays are online and any associated information such as speed. Investigating this, we can see that Germany and the U.S. host the most Tor relays. An interesting metric to investigate is the total available bandwidth of all the relays. We can correlate this to geopolitical events, where additional relays or nodes that are established during these times. Additionally, we can use it as a troubleshooting mechanism if Tor was running unexpectedly slow or unable to connect.
Specific Relay Search
We can also search for specific relays on the Tor network. If you are investigating IPs and looking at routing activity for hosts, you can use the relay search as an investigative enquiry, or as a pivot point.
Consider a scenario where you wanted to find relays that may be associated with an investigation. If you have an email address, nickname, or alias, you can use a relay search as a new pivot point to find other markers during your OSINT workflow. Below, we searched for relays specifically in Australia who are using an @gmail.com as a contact email, which provides an avenue of enquiry. As always, we need to assess the relevance, reliability, credibility of information, and corroborate any data found.
We can then go into relays of interest and get more specific details, such as the fingerprint. This identifier can be used in the client configuration, to allow us to direct our traffic to a specific node.
Tor Exit Nodes
The range of exit nodes are publicly available. If you want to integrate a list of all the Tor exit nodes into a project you are building, you can view them here: https://check.torproject.org/exit-addresses.
You can also use tools like Bulk IP lookup (limited to 1000 nodes) to map the list of nodes by simply copy and pasting the IPs you want to map into tools such as https://app.ipapi.co/bulk or build your own tool with IP lookup services and APIs.
Maximizing OSINT Capabilities Through Understanding Tor Networks
There is a lot we can learn from and utilise as part of OSINT workflows by understanding Tor networks. From profiling the number of relays per country or understanding a relay when investigating an IP address, the Tor network is worth investigating from both macro and micro perspectives.
Light Up the Dark (Web)- Uncover More with NexusXplore NexusXplore is the world’s premier OSINT platform, delivering scale, efficiency, and speed to the modern analyst working in today's complex information landscape. NexusXplore contains a comprehensive dark web search and investigative functionality, allowing analysts to shine a light into the deepest and darkest recesses of the online environment.
NexusXplore’s dark web capability provides analysts with the following benefits:
Quickly and safely investigate the dark web environment with a single button-click. NexusXplore removes the need for dedicated laptops, misattribution infrastructure or configured virtual machines, which take time to establish and maintain.
Seamlessly pivot from dark to deep or surface web within the same pane of glass to identify information slippage and drag dark web actors into the light – for example, investigating linked Telegram channels, or identifying further online presence and biographical information tied to user handles.
Access historical dark web posts and pages, allowing for access to valuable information which may have since been taken down or altered.
Advanced filtering options, boolean-enabled search functionality, and translation capability allows rapid identification of actionable information.
A true dark web search functionality: explore the lesser-known dark nets such as i2p and FreeNet which are often overlooked in investigations due to the higher barrier to entry.
With NexusXplore, you have two different search options at your fingertips:
Text-only: cut through the noise and reduce your team’s exposure to vicarious trauma by retrieving sanitised, text-only results
Live Tor browsing: investigate dark web actors and networks in their native habitat safely and securely using our integrated, sandboxed, and anonymised Tor portal
Want to know more about how NexusXplore can build safety, scale and efficiency into your dark web investigations and research? Please contact us for a discussion and demonstration of our world-leading OSINT solution.
Alternatively, if you are interested in more detailed dark web training, we have an in-depth course titled “Illuminating the Dark Web” available as a one-day in-person course or via on-demand course on our OSINT Academy.