Securing the Digital World

The Role of Tor in Cybercrime

Feb 05, 2016 | by RSA |

In a previous blog post, we explored the layers of the deep web and briefly explained how anonymity technologies such as Tor facilitate illegal, underground commerce. This post explains how Tor actually works and, through that, how anonymity on the Internet is accomplished.

An Overview of Tor and Internet Anonymity

To understand how to become anonymous on the internet, we first must understand that in typical internet activity the IP address is what reveals identity. When connecting to a website, for example, we send a request for content to the server that hosts the site, and that request carries our IP address: it is the return address the server uses to send the content back to us. That address likely reveals some information about us, including approximate geographic location and the ISP providing the connection. The ISP also keeps logs of which IP address was assigned to which subscriber at any given time. Thus anyone who can both observe the traffic and obtain those logs (most notably government agencies) can identify the parties behind most internet traffic. Typical web surfing is not anonymous.

So how do we become anonymous?

Encryption is often the first thing people reach for, but it solves a different problem. Many sites now employ encryption protocols, SSL/TLS (Secure Sockets Layer / Transport Layer Security) the most common among them, to protect user data or other content as it traverses the internet; an indicator that you are connected this way is that the URL begins with "https://". This is well established for activities such as online shopping, because we want our credit card numbers and other personally identifiable information protected. Encryption hides the content that is transmitted, but it does not hide the fact of the communication or the parties involved: both IP addresses stay visible on the wire (and with TLS the server's hostname is typically visible in the handshake as well). In other words, it's known whom you communicated with and when, but not what you said.

To hide the fact that two parties communicated at all, one can use a computer "in the middle", i.e. a proxy server.

Let's say Ashley wants to go to CNN's website and wants to hide the fact that she did. She can set her computer to direct the request (to get content) to a proxy server rather than sending it directly to the CNN server. The proxy server receives the request, forwards it to a CNN server to obtain the site content, then sends the content back to Ashley. In this way, others (such as her employer, her ISP, or whoever happens to be monitoring the network traffic) see that she connected to the proxy server, but not that she went on to CNN. If the proxy server's outbound traffic were monitored, it would reveal lots of requests to websites from many different users, but not which user made which request. However, if an investigator had access to the proxy server's logs, both Ashley's IP address and the IP address of the site she requested could be ascertained. So in this case there's some degree of anonymity, but it is not absolute: a single proxy is a single point at which the whole story can be read.

This is where Tor comes in. What is it, and how does it preserve online anonymity?

Tor, short for The Onion Router, is free software together with a volunteer-run network of relays that provides anonymity for web traffic. Tor's anonymity applies both to senders and to receivers of web traffic, and it offers two distinct capabilities:

  1. Anonymous access to ordinary websites, so that a network observer cannot easily link a user to the sites they visit.
  2. Access to "hidden services": websites that are reachable only through Tor and whose own location is concealed.

Tor achieves this by so-called onion routing: the user's Tor client picks a path of relays (normally three), encrypts the traffic in nested layers, one layer per relay, and sends it along that path. Each relay removes only its own layer of encryption (hence the 'onion' metaphor), learns the next hop, and forwards the remainder, so no single relay sees both the user and the destination.

To begin to explain how the system works, let's for a few moments replace the onion metaphor with nested envelopes.

Consider David, a student in a classroom, who wants to send a secret note to James in such a way that nobody, including James, can tell who sent it. So how does he do this? Let's break his idea into steps:

  1. David takes an envelope, puts his secret note for James inside, then puts that envelope inside a series of three additional envelopes:
  • On the inner-most envelope which holds the note, he writes, "for James".
  • On the next envelope, which contains the first, he writes, "For Richard".
  • On the next envelope, which contains the second and first, he writes, "For Mary".
  • On the outer-most envelope, he writes, "For Claudia".

These are names of students in David's class, whom he chose completely at random.

  2. David then approaches Claudia and misleadingly tells her that he got an envelope from Tanya (another student in the class) with "For David" written on it, and that after opening it he found it was addressed to Claudia, so he's passing it on. Claudia opens her envelope and sees that it's addressed to Mary, so she brings it to Mary, who in turn passes it to Richard, who passes the final envelope to James. James then opens his envelope and reads the note.
  3. This way, no one except David knows that he's the one who sent the note. He's completely anonymous. Even Claudia doesn't know who the sender is, since David told her he got it from Tanya; nor is anyone sure how many envelopes were originally included or had already been opened when they got theirs. Each one knows only who they received an envelope from and who they gave an envelope to.

Now let's apply this same analogy to how Tor operates.

  • The note represents an end-user request to get the content of a website. To remain anonymous while surfing via Tor, the origin of this request must be hidden from everyone along the way, including the server that hosts the website (namely James), which sees the request but not who sent it.
  • The students represent the relays in the Tor network: volunteer-run computers that forward others' messages (like the students who pass David's onion to one another). Unlike the classroom, a Tor client does not itself relay traffic unless its operator configures it as a relay.
  • Each envelope represents a layer of encryption. Each layer can be decrypted only by one specific relay (if an envelope has "For Claudia" written on it, then only Claudia can open it; at each stage only the intended relay holds the key for that layer).
  • The website server which receives the request returns the website content along the opposite route. Each relay on the way back adds its own layer, and at the end the response reaches David, the one who requested the content, who strips all the layers.
  • Note that each relay knows only where it got the message from and where it sent it next. This is essentially how anonymity is maintained. One difference from the classroom: the first relay (called the guard) necessarily sees David's own IP address, although it cannot read what he sent or where it is ultimately going; there is no equivalent of David's story about Tanya.
  • Any relay on the route meets the definition of a proxy server (an intermediary); only the first and last stops, the sender and the receiver of the request, are not.

The difference between a single proxy and a route of several proxies (as in Tor) is that a single proxy holds all the pertinent information, so whoever controls, compromises or subpoenas it defeats the anonymity. With a chain of relays, an adversary has to control or observe both ends of the route to link the user to the destination.
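The layered wrapping and unwrapping described above, as an added example that is not code from the original post or from the Tor project. It models a three-relay path using the post's names (David, Claudia, Mary, Richard, James); the per-relay keys are pre-shared here, whereas real Tor negotiates them with Diffie-Hellman while building the circuit and uses fixed-size cells rather than this ad-hoc framing; and the cipher is a SHA-256 keystream with an HMAC-SHA256 tag, built from the Python standard library only so that it runs offline.

```python
"""Onion routing in miniature: one encryption layer per relay, peeled one hop at a time."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from SHA-256 over key || nonce || counter (a PRF run in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: nonce || ciphertext || HMAC-SHA256 tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; a layer meant for a different relay fails the tag check."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("this layer is not addressed to the holder of this key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def _frame(next_hop: str, inner: bytes) -> bytes:
    """Inside each layer: length-prefixed name of the next hop, then the opaque remainder."""
    name = next_hop.encode()
    return struct.pack(">H", len(name)) + name + inner


def _unframe(payload: bytes) -> tuple:
    (n,) = struct.unpack(">H", payload[:2])
    return payload[2:2 + n].decode(), payload[2 + n:]


def build_onion(path: list, keys: dict, destination: str, request: bytes) -> bytes:
    """Client wraps innermost-first: the exit's layer names the destination, each outer
    layer names the relay after it, and the outermost layer is for the first relay (guard)."""
    blob = seal(keys[path[-1]], _frame(destination, request))
    for i in range(len(path) - 2, -1, -1):
        blob = seal(keys[path[i]], _frame(path[i + 1], blob))
    return blob


def route_request(client: str, path: list, keys: dict, destination: str,
                  request: bytes, observed: dict) -> tuple:
    """Walk the onion down the path, recording the only thing each relay learns."""
    blob = build_onion(path, keys, destination, request)
    came_from = client
    for relay in path:
        next_hop, blob = _unframe(unseal(keys[relay], blob))
        observed[relay] = (came_from, next_hop)   # previous hop and next hop, nothing more
        came_from = relay
    return next_hop, blob                          # exit relay forwards the bare request


def route_reply(path: list, keys: dict, reply: bytes) -> bytes:
    """Reply takes the opposite route: each relay adds a layer, the client strips them all."""
    blob = reply
    for relay in reversed(path):                   # exit wraps first, guard wraps last
        blob = seal(keys[relay], blob)
    for relay in path:                             # client peels guard, then middle, then exit
        blob = unseal(keys[relay], blob)
    return blob


def demo() -> tuple:
    """Constructed scenario with the post's names: David -> Claudia -> Mary -> Richard -> James."""
    path = ["Claudia", "Mary", "Richard"]
    keys = {r: secrets.token_bytes(32) for r in path}   # pre-shared here; Tor negotiates per circuit
    observed = {}
    dest, req = route_request("David", path, keys, "James", b"GET / HTTP/1.1", observed)
    reply = route_reply(path, keys, b"HTTP/1.1 200 OK")
    return dest, req, observed, reply


def misdelivery_detected() -> bool:
    """Handing the outer layer to the wrong relay fails authentication instead of leaking."""
    path = ["Claudia", "Mary", "Richard"]
    keys = {r: secrets.token_bytes(32) for r in path}
    onion = build_onion(path, keys, "James", b"note")
    try:
        unseal(keys["Mary"], onion)   # Mary cannot open the layer addressed to Claudia
    except ValueError:
        return True
    return False
```

Running demo() shows that Claudia observes only (David, Mary), Mary only (Claudia, Richard) and Richard only (Mary, James), so no single relay's log links David to James; misdelivery_detected() shows that a layer handed to the wrong relay fails its tag check rather than decrypting to garbage. That split of knowledge across relays is exactly what the single proxy lacks: its one log holds both ends.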

Additionally, Tor provides anonymity for web servers. Any Tor user may host a hidden service, which is identified not by a registered domain name but by an address derived from a hash of the service's own public key: a string of letters and digits with the .onion suffix, e.g. http://s36gxb6xjm662juk.onion. Because the address is tied to the key, someone who does not hold that key cannot impersonate the service at that address.

Looking back at our initial "typical" example, when we request a website our computer first asks a DNS server for the site's actual IP address so that it can send the request directly, which ultimately reveals where the site is hosted and who is hosting it.

In contrast, Tor-hosted websites are not accessed through an IP address, so the server's location is not revealed. Instead, access comes through the onion address, using the same layered routing outlined above on the server's side as well, so that neither the visitor nor the site learns the other's IP address.

Note that .onion sites cannot be accessed without using Tor.

Top Tor Use Cases (and They Aren't Good)

Tor is used by anyone who wants to remain anonymous on the Internet. The price of anonymity is performance, since browsing speed depends on the relays along the route as described above. There is also increased exposure to malicious content.

And while Tor can be used for both legal and illegal activities, the predominant use cases for those using Tor include:

  • Trade of stolen financial data (credit cards)
  • Financial fraud
  • Illegal sexual content
  • Bypassing censorship: banned political activity, surfing to blocked sites (for example in countries like Russia and China)
  • Drug trafficking and weapons trading
  • Gambling
  • The sale of stolen goods
  • Anonymous instant messaging

RSA's fraud analysts continuously monitor dark web activity to gather information on threats to organizations and consumers, and actively share that information with affected parties. RSA is also dedicated to working with law enforcement and to providing consumers with information on how they can stay safe online.

Follow us on Twitter at @RSAFraud.

This blog was contributed by Idan R., a senior intelligence analyst with FraudAction Research Labs.