Updated: May 11
Part three of our dark net blog series is going to be all about the 'Others'. In this blog, we'll investigate what I2P, Freenet and Lokinet is and how they work, so we are better informed if we need to take our OSINT investigations to the lesser known dark nets.
As we know, the dark web refers to a portion of the internet that is more private. It generally requires a specific browser, or specific actions to access it and it favours anonymity. Criminal activities happen on the internet as a whole; however, the dark web is more focused on privacy and anonymity, thus attractive to particular crime themes and activity.
Firstly, let's get definitions out of the way, dark web versus dark net. Many people use the terms dark net and dark web interchangeably. We define dark nets as an encrypted network infrastructure on the internet, and the dark web refers to the sites hosted on the dark net.
Invisible Internet Project (I2P)
I2P is one of the more well-known non-Tor dark nets. I2P is defined as a privacy-focused peer-to-peer (P2P) communications system. Like Tor, traffic is bounced through a series of relays – but in the I2P network, these relays are known as routers. Each individual user using I2P acts as a router, whereas, Tor nodes are run by volunteers, and not everyone connecting to the network. What this means is that all I2P users act as network nodes and relay traffic for other users.
I2P is not as popular as Tor and this is likely due to the time it takes for 'tunnels' to be created in order to use this dark net. Tunnels are the one-way, temporary and unidirectional connection path through a sequence of routers.
I2P has some advantages over Tor – particularly when it comes to maintaining anonymity and evading censorship.
Pros (compared to Tor)
Due to the use of unidirectional tunnels, an attacker would need to compromise twice as many nodes in I2P as it would in Tor to get the same amount of information.
The nature of I2P’s distributed structure makes it difficult to attack.
I2P uses something called ‘garlic routing’, which means that packets are sent in bundles, which are encrypted together to make it more difficult for an attacker to analyse traffic.
Cons (compared to Tor)
Tor has a much larger user base, which helps to provide greater anonymity (hide in the noise).
The Tor project receives more funding, and may be more capable of overcoming challenges like Distributed Denial of Service Attacks (DDOS) and blocking.
Installing and Using I2P
I2P can be downloaded and installed on any operating systems (e.g., Windows, Mac and Linux) - note the latest version of java is required. There is an installation instructions page for each operating system. It’s particularly easy to install I2P in Ubuntu, as I2P exists as a package in Ubuntu source repositories.
Once downloaded, click through the initial setup instructions and bandwidth test. Once setup is complete, the I2P router console (home page: 127.0.0.1:7657) will appear.
I2P is not a standalone browser like Tor. There are a few more steps involved to get it up and running. Firstly, the I2P welcome page will suggest configuration changes to your browser (Firefox is recommended). Details can be found here, or see the settings as per the image below.
Additionally, type about:config into your URL, and set 'media.peerconnection.ice.proxy_only' to 'true'.
With I2P, you won’t connect to everything right away – the longer you’re connected, the more tunnels are established to peers, and therefore the more places you can explore. Don’t expect to be able to view all sites and services operating on this dark net as soon as you connect.
Once you have configured your browser (we used Firefox), and started I2P, you can access the I2P router console and other I2P services.
If this is the first time you've used I2P, you will be taken through some basic setup checks, including a bandwidth check. It can be useful to think about I2P in a similar way to torrenting – for proper use, you want to devote a significant portion of your bandwidth to seeding traffic, but I2P will estimate how much bandwidth to devote to seeding.
Using I2P means you need to be able to connect to other peers, and other peers need to be able to connect to you – so you want your seed ratio to be higher than your download ratio. You can check the number of peer connections on the I2P router console page – the higher the number of peers, the more services you will be able to visit (and the faster they will load).
This does raise some challenges such as you may not be able to reach I2P sites immediately if you have a low number of peer connections. But allocating more bandwidth to I2P helps forge more connections, which will enable more efficient browsing.
Finding I2P websites is similar to Tor, but instead of searching of hidden services with the URL finishing in .onion, we are searching for URLs ending in .I2P, and these are known as 'eepsites'. Eepsites are websites that are hosted anonymously within the I2P network.
As with Tor, I2P does have search engines and indexes. These include:
identiguy.i2p, legwork.i2p, and notbob.i2p (notbob.i2p contains list of search engines). I2PSearch is a dark net search engine with similar functionality to Tor's Ahmia.
Current Usage and Future Trends
It is estimated that there are around 50,000 users active on I2P and this number may be growing. While smaller than Tor, I2P contains mirrors of forums, discussion pages, and markets, some of which focus on, or promise to deliver, illegal goods and services.
Some online communities and users advocate moving from Tor to I2P for darknet markets. These users and online communities have argued that Tor continues to experience DDOS attacks, and can therefore be very unreliable. Some have also claimed that I2P affords users better security and/or privacy.
Although I2P may be more reliable, new users are unable to access as much content straight away, which deters some users from switching dark nets. There are also ethical and potentially even legal considerations when using I2P. By using this dark net, your computer system essentially becomes part of the I2P network. This means your computer system is potentially processing illegal data and transferring it to other users within the network. Using I2P data aggregators instead of the network itself can be a viable alternative.
Firstly, the network is similar to Tor, in that it routes traffic through a range of service nodes which provide anonymity to users, but there are some key differences which include:
Lokinet refers to the network itself and is not a browser like Tor.
Oxen is the technology stack that is leveraged by Loki (Oxen is also a cryptocurrency) for service nodes.
Lokinet hidden services, called SNApps are hosted on the Oxen blockchain. Users can host a site on any server, similar to hidden services in Tor.
While Lokinet is described as decentralised, it's not decentralised in the same way that I2P and Freenet are (in both I2P and Freenet, users themselves act as routers and store data). In Lokinet, like Tor, service nodes route traffic.
Users who operate Lokinet service nodes for routing traffic are paid with the Oxen cryptocurrency – this provides a financial incentive for service node operators.
Installing and Using Lokinet
There are several install guides for both Linux and Windows that already exist. These guides can be found on the Oxen Docs website - note, the Linux VM install is straightforward if you are using a Trace Labs VM. Lokinet will begin running after install. However, unlike Tor, Lokinet is not a browser. Loki services can be accessed through different browsers (e.g., Firefox), and unlike I2P and Freenet, users can surf the clear web using Lokinet. As a result, Lokinet users may be susceptible to browser fingerprinting. However, using a "high security" browser configuration can help to manage this risk.
As with Tor and I2P, canonical website addresses are difficult to remember – but when visited, will resolve to human-readable Uniform Resource Locator (URL). One such example is the Lokinet wiki SNApp:
This particular wiki page contains links to other Lokinet SNApps, which are mirrors of. onion and .I2P services. These mirrors can be used to maintain stability (especiallynode in the event of denial-of-service attacks).
Note: I2P (eepsites) are sites in the I2P dark net, which have .i2p as the pseudo top level domain.
SNApps listed on Lokinet's wiki are categorised. The sites listed generally work and load quickly. Illegal content appears to be less obvious and less accessible. Forums (message boards and/or imageboards) appear to have relatively low engagement and activity, in comparison to Tor and I2P. Reddit can be a great indicator of topical interest in a subject, especially if related to privacy or the dark web, and there is very limited discussion regarding the content of Lokinet. Most of the discussion surrounds the Oxen blockchain/cryptocurrency.
Current Usage and Future Trends
It isn't clear how many users are active on this dark net. Based on the observed lack of activity and services, it appears that Lokinet has not attracted as many users as I2P to date. However, Lokinet does appear to be more stable than I2P and Tor. This is perhaps due to the fact that service nodes routing traffic are paid in cryptocurrency to provide a reliable service. There could be a shift in dark web activity towards Lokinet particularly if there are major outages across Tor and I2P.
Freenet is a decentralized peer-to-peer network. It has plenty of similarities to other dark nets – it was created to provide secure, private, and anonymous services and communications. Commentary found on subject matter forums suggests Freenet is a legacy dark net. However, it is still used by some for data storage and sharing. In this regard Freenet functions as a distributed data store. Users can retrieve content even when the publisher is no longer online. It is therefore useful for accessing/retrieving static data, as the files uploaded to Freenet are hosted by all users (rather than individual servers).
Unlike Tor, Freenet does not interact with the surface web.
Installing and Using Freenet
There can be inconsistencies and difficulties when installing Freenet. Instructions can be found here. Like I2P, Freenet uses your computer system as a local server.
Once Freenet is launched, services can be accessed by navigating to localhost in any browser. Freenet also has indices of Freenet services, which can help locate sites of interest. Content and services available to users is generally confined to private communication and file-sharing.
Freenet has a 'high security mode' representing a true dark net connection, one that can be visible only between trusted peers.
Current Usage and Future Trends: Locutus
Like Lokinet, Freenet appears to have attracted a small number of users. However, developers have announced a dark net project called Locutus, which purports to have a focus on faster communication and scalability. It is possible that the arrival of Locutus may reinvigorate Freenet’s status and lead to user growth. The Locutus development page suggests it will support a variety of applications, including:
Decentralized email and microblogging services, along with message boards and forums
Instant messaging services
Online stores and marketplaces
Video and media discovery
Change throughout these dark net environments is a consistent theme. It is therefore important that we remain agile and informed to tackle the new challenges this change generates in its wake.
Light Up the Dark (Web)- Uncover More with NexusXplore NexusXplore is the world’s premier OSINT platform, delivering scale, efficiency, and speed to the modern analyst working in today's complex information landscape. NexusXplore contains a comprehensive dark web search and investigative functionality, allowing analysts to shine a light into the deepest and darkest recesses of the online environment.
NexusXplore’s dark web capability provides analysts with the following benefits:
Quickly and safely investigate the dark web environment with a single button-click. NexusXplore removes the need for dedicated laptops, misattribution infrastructure or configured virtual machines, which take time to establish and maintain.
Seamlessly pivot from dark to deep or surface web within the same pane of glass to identify information slippage and drag dark web actors into the light – for example, investigating linked Telegram channels, or identifying further online presence and biographical information tied to user handles.
Access historical dark web posts and pages, allowing for access to valuable information which may have since been taken down or altered.
Advanced filtering options, boolean-enabled search functionality, and translation capability allows rapid identification of actionable information.
A true dark web search functionality: explore the lesser-known dark nets such as i2p and FreeNet which are often overlooked in investigations due to the higher barrier to entry.
With NexusXplore, you have two different search options at your fingertips:
Text-only: cut through the noise and reduce your team’s exposure to vicarious trauma by retrieving sanitised, text-only results
Live Tor browsing: investigate dark web actors and networks in their native habitat safely and securely using our integrated, sandboxed, and anonymised Tor portal
Want to know more about how NexusXplore can build safety, scale and efficiency into your dark web investigations and research? Please contact us for a discussion and demonstration of our world-leading OSINT solution.
Alternatively, if you are interested in more detailed dark web training, please take a look at our online, self-paced OSINT Combine Academy at https://academy.osintcombine.com or contact us to learn about our bespoke training offerings.