What is Tor and the Darknet?

The hidden services on Tor are colloquially known as the Darknet. Designed for anonymity yet freely accessible, the darknet has become a haven for criminal activity.

Originally developed by the US government for secure communications, Tor is now run by a separate organisation; The Tor project. Tor is a network run on servers, contributed by volunteers and requires special software to access it, the Tor browser. The Tor project receives funding from charities, universities, individuals, and governments. It is argued that Tor allows freedom of speech and safe internet access for citizens of repressive regimes.

The anonymity that Tor provides to protect citizens and frustrate snooping technology makes policing of this space extremely difficult. The server providers don’t know what material they are hosting, site admins don’t know where their site is hosted or who is visiting it, and users don’t know who they are visiting or talking with.  Sites hosted within Tor keep complete anonymity making law enforcement and regulation extremely difficult.  These hidden services, or onions, are known as the darknet.  Onions are home to illegal markets, child abuse material, hacking forums and command and control servers for botnets. Onions use randomly generated URLs and are designed not to be discovered.  When combined with crypto currencies, it is possible to buy or sell anything without being traced.

An additional feature of Tor is that it can be used like a VPN to mask a user's real IP address when browsing the world wide web. Avoiding tracking, government firewalls and protecting identity.  This is used by normal people, political dissidents, and hackers alike.

The technology

Tor works on the concept of ‘onion routing’; relaying data across a circuit of nodes.  Traffic is routed in through a Guard node, through internal relays, and out through an Exit node.  Each relay knows the identity of only the previous and next node. The data being relayed is wrapped in encryption making it impossible to read. Sufficient nodes combined with the wrapping of a separate layer of encryption around each hop, means it's possible to keep the identity of the user anonymous.  An encryption layer is decrypted at each successive Tor relay, and the remaining data is forwarded to any random relay until it reaches its destination server.  Only the client using Tor and receiving server can read the data.

What is the darknet used for?

Searchlight Security has developed a suite of tools to enable it to index the darknet and monitor traffic.  Cerberus is a web-based tool that allows users to explore the darknet safely and comprehensively.  This oversight enables a high-level overview of the darknet alongside forensic analysis.  As a result is it possible to not only see what hidden services are being used for but also what users are searching for, where they are going, and what Tor is being used for on the clearnet.

65% of all searches on the darknet are explicitly for illegal content.  That's not to say that the number of searches for illicit content is restricted to that, just that some searches are ambiguous in nature.  Illegal content includes child abuse material and extreme pornography, drugs, cyber weapons and markets selling stolen credentials and fraudulent documents such as passports.

Tor and crypto currency are combined to facilitate the trading of illicit materials including drugs, weapons and stolen data on darknet markets. Notorious examples include Silk Road, Alphabay and Dream Market. It is thought that darknet markets turned over over $600million in bitcoin in 2018 alone.  Crime really does pay on the darknet.

Social media is used by all, including criminals.  Darknet forums build criminal communities specialising in a broad spectrum of topics including child exploitation, fraud, violent crime, money laundering, drug production, hacking and terrorism.

The darknet is increasingly being used by hackers as a layer of protection. Command and control servers for automated hacking tools and botnets are hosted on hidden services allowing the controllers to orchestrate their malware without the risk of being discovered.  Ransomware often directs victims to a hidden service to transfer cryptocurrency to the hacker's account. A recent high profile example of this is the WannaCry attack that disabled a huge number of systems including factories, government facilities and hospitals.

If you are an academic, journalist or have an interest in the darknet, please get in touch through the contact page.

Get in touch with Searchlight to discuss how we can enhance your intelligence capabilities.

Whoops, looks like something went wrong.

1/1 Swift_TransportException in AuthHandler.php line 181: Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

  1. in AuthHandler.php line 181
  2. at Swift_Transport_Esmtp_AuthHandler->afterEhlo(object(Swift_Transport_EsmtpTransport)) in EsmtpTransport.php line 332
  3. at Swift_Transport_EsmtpTransport->_doHeloCommand() in AbstractSmtpTransport.php line 118
  4. at Swift_Transport_AbstractSmtpTransport->start() in FileSpool.php line 149
  5. at Swift_FileSpool->flushQueue(object(Swift_Transport_EsmtpTransport)) in SwiftmailerServiceProvider.php line 95
  6. at SwiftmailerServiceProvider->Silex\Provider\{closure}(object(Request), object(TemplateResponse), object(Application))
  7. at call_user_func(object(Closure), object(Request), object(TemplateResponse), object(Application)) in Application.php line 387
  8. at Application->Silex\{closure}(object(PostResponseEvent), 'kernel.terminate', object(TraceableEventDispatcher)) in WrappedListener.php line 61
  9. at WrappedListener->__invoke(object(PostResponseEvent), 'kernel.terminate', object(EventDispatcher)) in EventDispatcher.php line 184
  10. at EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.terminate', object(PostResponseEvent)) in EventDispatcher.php line 46
  11. at EventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in TraceableEventDispatcher.php line 133
  12. at TraceableEventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in HttpKernel.php line 77
  13. at HttpKernel->terminate(object(Request), object(TemplateResponse)) in Application.php line 598
  14. at Application->terminate(object(Request), object(TemplateResponse)) in Application.php line 565
  15. at Application->run(object(Request)) in Application.php line 97
  16. at Application->run() in index.php line 12
Uncaught Exception: Swift_TransportException

Uncaught Exception: Swift_TransportException .

Swift_TransportException in AuthHandler.php line 181:
Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

                    if ($authenticator->authenticate($agent, $this->_username, $this->_password)) {
                        return;
                    }
                }
            }
            throw new Swift_TransportException(
                'Failed to authenticate on SMTP server with username "'.
                $this->_username.'" using '.$count.' possible authenticators'
                );
        }
    }

Google this Exception

Stack trace

# 1 \Swift_Transport_Esmtp_AuthHandl …::afterEhlo(Swift_Transport_EsmtpTransport)
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/EsmtpTransport.php # line 332
# 2 \Swift_Transport_EsmtpTransport::_doHeloCommand()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php # line 118
# 3 \Swift_Transport_AbstractSmtpTra …::start()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/FileSpool.php # line 149
# 4 \Swift_FileSpool::flushQueue(Swift_Transport_EsmtpTransport)
[root]/vendor/silex/silex/src/Silex/Provider/SwiftmailerServiceProvider.php # line 95
# 5 Silex\Provider\SwiftmailerServiceProvider::Silex\Provider\{closure}(Request, TemplateResponse, Application)
# 6 call_user_func(Closure, Request, TemplateResponse, Application)
[root]/vendor/silex/silex/src/Silex/Application.php # line 387
# 7 Silex\Application::Silex\{closure}(PostResponseEvent, "kernel.terminate", TraceableEventDispatcher)
[root]/vendor/symfony/event-dispatcher/Debug/WrappedListener.php # line 61
# 8 Symfony\Component\EventDispatcher\Debug\WrappedListener::__invoke(PostResponseEvent, "kernel.terminate", EventDispatcher)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 184
# 9 Symfony\Component\EventDispatcher\EventDispatcher::doDispatch([array], "kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 46
# 10 Symfony\Component\EventDispatcher\EventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php # line 133
# 11 Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/http-kernel/HttpKernel.php # line 77
# 12 Symfony\Component\HttpKernel\HttpKernel::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 598
# 13 Silex\Application::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 565
# 14 Silex\Application::run(Request)
[root]/vendor/bolt/bolt/src/Application.php # line 97
# 15 Bolt\Application::run()
[root]/public/index.php # line 12


Request data

content (empty)
languages en_US
en
charsets (empty)
encodings br
gzip
acceptableContentTypes text/html
application/xhtml+xml
application/xml
*/*
pathInfo /what-are-tor-and-the-darknet
requestUri /what-are-tor-and-the-darknet
baseUrl (empty)
basePath (empty)
method GET

Headers

host ["bolt"]
connection ["close"]
user-agent ["CCBot/2.0 (https://commoncrawl.org/faq/)"]
accept ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]
accept-language ["en-US,en;q=0.5"]
accept-encoding ["br,gzip"]

Server

HTTP_HOST bolt
HTTP_CONNECTION close
HTTP_USER_AGENT CCBot/2.0 (https://commoncrawl.org/faq/)
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.5
HTTP_ACCEPT_ENCODING br,gzip
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.25 (Debian) Server at bolt Port 80</address>
SERVER_SOFTWARE Apache/2.4.25 (Debian)
SERVER_NAME bolt
SERVER_ADDR 192.168.80.2
SERVER_PORT 80
REMOTE_ADDR 192.168.80.3
DOCUMENT_ROOT /var/www/html/public
REQUEST_SCHEME http
CONTEXT_PREFIX (empty)
CONTEXT_DOCUMENT_ROOT /var/www/html/public
SERVER_ADMIN [no address given]
SCRIPT_FILENAME /var/www/html/public/index.php
REMOTE_PORT 41696
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.0
REQUEST_METHOD GET
QUERY_STRING (empty)
REQUEST_URI /what-are-tor-and-the-darknet
SCRIPT_NAME /index.php
PHP_SELF /index.php
argv []
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1019
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1019
      -_out: &1 stream resource @1019
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1019
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1019
      -_out: &1 stream resource @1019
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)