Tor and Anonymity Networks
Tor, I2P, and similar overlay networks route encrypted traffic through chains of volunteer relays to conceal users' IP addresses from servers and observers. This topic explains how these networks function, why they attract both legitimate users and criminal actors, and the deanonymisation techniques available to law enforcement investigators.
Tor (The Onion Router) is a free, open-source anonymity network that conceals a user's IP address by routing encrypted traffic through a chain of three volunteer-operated relay nodes before it reaches its destination. Each relay peels one layer of encryption and knows only the adjacent hops in the chain, so no single node can see both the sender and the destination. I2P (the Invisible Internet Project) uses a similar multi-hop design but is optimised for internal hidden services rather than general web access. Both networks have legitimate uses, including protecting journalists, dissidents, and whistleblowers, but they also host criminal marketplaces, ransomware command-and-control infrastructure, and child exploitation material. For cyber investigators, understanding how these networks function is a prerequisite to any meaningful investigation of dark web activity.
The term 'dark web' specifically refers to websites reachable only through Tor or similar overlay networks, using addresses like .onion that are not registered in the public DNS system. These sites are distinct from the broader 'deep web', which is simply content not indexed by search engines, such as banking portals or medical record systems. Dark web marketplaces have been used to sell narcotics, weapons, stolen credentials, and forged documents. Law enforcement agencies in multiple countries have dismantled major marketplaces, including Silk Road (US, 2013), AlphaBay and Hansa (Europol-led operation, 2017), and DarkMarket (Europol, 2021), using a combination of technical, financial, and human intelligence methods.
Tor was originally developed by the US Naval Research Laboratory in the mid-1990s and released as open-source software in 2002. The Tor Project, a US-registered non-profit, maintains the software today. The network relies on more than 7,000 volunteer relays worldwide. A key design constraint is that Tor protects against a passive observer watching any single point in the network, but it is vulnerable to an adversary who can observe large portions of internet traffic simultaneously. This vulnerability underpins the most serious deanonymisation attacks that investigators have used in real operations.
By the end of this topic you will be able to:
- Explain how Tor's onion routing protocol conceals a user's IP address from the destination server and from network observers.
- Distinguish Tor from I2P and describe the investigative scenarios where each network appears.
- Identify the main deanonymisation techniques used by law enforcement, including traffic correlation attacks, operational security failures, and exploit-based approaches.
- Describe how investigators trace cryptocurrency payments linked to dark web activity using blockchain analysis.
- Outline the legal frameworks in India, the US, and the EU that govern the collection of evidence from anonymity networks and cryptocurrency exchanges.
- Onion routing: A technique in which a message is encrypted in multiple layers, one per relay node, so that each relay decrypts only its own layer, forwards the remainder, and learns only its immediate predecessor and successor in the chain. Tor uses this design to prevent any single node from knowing both the sender and the destination.
- Onion service (hidden service): A server reachable through Tor using a .onion address derived from its public key. The server's real IP address is never exposed to clients. Both the client and the server route their connection through Tor rendezvous points, so neither party reveals its location to the other.
- Exit node: The third relay in a Tor circuit, which forwards decrypted traffic to the public internet destination. The destination server sees the exit node's IP address, not the user's. Exit node operators can read unencrypted traffic passing through them, which is why HTTPS is still required when using Tor.
- Traffic correlation attack: A deanonymisation technique that compares timing patterns and traffic volume at the entry point of a Tor circuit and at the destination, allowing an observer with visibility at both ends to probabilistically identify the user. Also called an end-to-end timing attack. It does not require breaking Tor's encryption.
- I2P (Invisible Internet Project): A peer-to-peer anonymity network that routes traffic through a distributed mesh of volunteer nodes using unidirectional tunnels. Unlike Tor, I2P is primarily designed for communication within the network (eepsites) rather than access to the public web, and it uses a garlic routing variant that bundles multiple messages together.
- Blockchain analysis: The forensic examination of a cryptocurrency's public transaction ledger to trace the flow of funds between addresses, cluster addresses controlled by the same entity, and identify cash-out points at regulated exchanges. Used extensively in dark web investigations to link on-chain activity to real-world identities.
How Tor works: onion routing and circuit construction
When a user opens the Tor Browser, the client software fetches a list of available relays from Tor directory servers and builds a three-hop circuit: a guard node (also called an entry node), a middle relay, and an exit node. The client encrypts the outbound data three times, once with the exit node's key, then with the middle relay's key, then with the guard node's key. Each relay strips one layer of encryption, forwards the result to the next hop, and cannot read the remaining layers.
The guard node knows the user's real IP address but not the destination. The exit node knows the destination but not the user's IP address. The middle relay knows neither. This design means that compromising any single relay reveals only a partial picture. The destination server sees the exit node's IP address in the connection log, not the user's.
Onion services (hidden services) extend the model further. The server generates a public/private key pair, and its .onion address is a hash of the public key. To connect, the client and server each build partial Tor circuits toward a shared rendezvous point. The server's real IP address is never in the circuit. This two-sided routing makes .onion sites harder to locate than ordinary Tor destinations, because there is no exit node whose address could be traced back.
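The layered encryption and hop-by-hop peeling described above, as an added Python example that is not code from the Tor Project: a toy three-hop circuit in which each relay authenticates and strips one layer and records what it can learn. The hop names, the fixed keys and the HMAC-based stream cipher are assumptions made so the script runs on the standard library alone; Tor itself negotiates AES-CTR keys with each hop, and only the layering structure here mirrors it.

```python
import hashlib
import hmac
import os

# Toy per-hop cipher (assumption for this example): an HMAC-SHA256 keystream in
# counter mode with an encrypt-then-MAC tag. Tor negotiates AES-CTR keys with
# each hop; only the layering structure below is meant to mirror Tor.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one onion layer: nonce || tag || ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def peel(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; a relay holding the wrong key fails the tag check."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(hop_keys: dict, destination: str, payload: bytes) -> bytes:
    """Client side: the exit layer is wrapped first, the guard layer last."""
    cell = seal(hop_keys["exit"], b"DEST:" + destination.encode() + b"\n" + payload)
    cell = seal(hop_keys["middle"], b"NEXT:exit\n" + cell)
    return seal(hop_keys["guard"], b"NEXT:middle\n" + cell)

def run_circuit(hop_keys: dict, client_ip: str, destination: str, payload: bytes) -> dict:
    """Forward the onion hop by hop, recording exactly what each relay learns."""
    views = {}
    previous, current = client_ip, "guard"
    cell = build_onion(hop_keys, destination, payload)
    while True:
        header, _, rest = peel(hop_keys[current], cell).partition(b"\n")
        kind, value = header.decode().split(":", 1)
        views[current] = {"prev_hop": previous, "sees": value}
        if kind == "DEST":  # exit node: plaintext leaves the network here
            views["destination"] = {"prev_hop": current, "payload": rest}
            return views
        previous, current, cell = current, value, rest

if __name__ == "__main__":
    keys = {hop: os.urandom(32) for hop in ("guard", "middle", "exit")}
    for hop, view in run_circuit(keys, "203.0.113.7", "example.org", b"GET / HTTP/1.1").items():
        print(f"{hop:12} {view}")
```

Running it shows the guard's view holding the client address but no destination, the exit's view holding the destination but no client address, and the middle relay holding neither.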
| Feature | Tor | I2P |
|---|---|---|
| Primary use | Anonymous access to public internet and .onion sites | Internal network services (eepsites) and peer-to-peer applications |
| Routing model | Three-hop onion routing, centralised directory | Distributed garlic routing, no central directory |
| Exit to public web | Yes, via exit nodes | Limited; most traffic stays inside I2P |
| Address system | .onion (public-key hash) | .i2p (internal DNS-like naming) |
| Investigative prevalence | Very common; most dark web cases involve Tor | Less common; seen in some peer-to-peer crime and forums |
The dark web: structure, content, and criminal use
The dark web is not a separate network but a layer on top of Tor: websites that configure themselves as onion services and publish their .onion addresses. These sites are reachable only by Tor users who know the address. The content ranges from legitimate privacy services (SecureDrop for whistleblowers, BBC Tor mirror, Facebook's .onion site) to criminal marketplaces. The criminal segment is dominated by narcotics sales, followed by fraud and stolen financial data, counterfeit documents, and malware.
Major dark web marketplaces operate on a model borrowed from legitimate e-commerce platforms: seller ratings, buyer feedback, escrow payments in cryptocurrency, dispute resolution, and vendor trust tiers. Silk Road, operational from 2011 to 2013, was the first large marketplace of this kind. Its seizure by the FBI established the template for dark web investigations: combine financial tracing, undercover purchasing, and operational security (OPSEC) failures to identify administrators and vendors. The same pattern recurred in the takedowns of AlphaBay (2017), Dream Market (2019), and Wall Street Market (2019).
Ransomware groups use Tor-hosted sites for two purposes: command-and-control communication with infected machines, and leak sites where they publish stolen data to pressure victims into paying. Because these sites are onion services, taking them offline requires either locating the server's real IP address (through deanonymisation) or obtaining cooperation from the hosting infrastructure. In 2021, US law enforcement recovered $2.3 million of the Colonial Pipeline ransom by tracing Bitcoin payments; the recovery did not require breaking Tor but instead used blockchain tracing to find a wallet whose private key the investigators obtained.
Deanonymisation techniques
Tor's security model protects against a local observer (an ISP, a network administrator) and against a compromised relay. It does not protect against a global passive adversary who can observe traffic patterns across the network simultaneously. Law enforcement and intelligence agencies have exploited this in real operations, though the exact methods used in specific cases are often classified or under appeal.
Traffic correlation attacks work by observing the timing and volume of packets entering the Tor network at the guard node and leaving toward the destination at the exit node. If the same pattern appears at both ends within a short window, the user and the destination can be linked statistically without breaking any encryption. The attack requires visibility at both ends simultaneously. Researchers have shown that even a modest fraction of Tor relays, controlled by a single entity, can achieve this visibility over time because Tor clients periodically rebuild their circuits.
Operational security failures account for a large proportion of successful identifications. The Silk Road administrator Ross Ulbricht was identified not through traffic analysis but because he posted on a public forum using a username linked to his personal email address, years before the marketplace launched. Dark web vendors have been identified by writing style analysis, by shipping packages with real return addresses, by reusing usernames across platforms, and by logging into accounts without Tor. Investigators treat OPSEC failures as the most productive investigative avenue.
Server location techniques include monitoring for DNS leaks (applications that bypass Tor for DNS queries), exploiting misconfigured server software that includes real IP addresses in headers or error messages, and using side-channel timing attacks against .onion services. Academic research has demonstrated that a sufficiently resourced adversary can measure response-time variations to locate a hidden service's hosting region within hours. In practice, investigators often find the server by obtaining cooperation from a marketplace insider or by tracking cryptocurrency payments to an identifiable cash-out point.
Cryptocurrency tracing on the dark web
Most dark web marketplaces have required payment in Bitcoin or privacy-focused alternatives such as Monero. Bitcoin is pseudonymous rather than truly anonymous, and that is the critical investigative feature: every transaction is recorded permanently on a public ledger, and the entire history of every coin can be traced. Address clusters (groups of addresses controlled by the same entity, identified through common-input-ownership heuristics) allow investigators to build a picture of a marketplace's financial flows even without knowing who controls each address.
The investigative chain typically runs from marketplace to exchange. A vendor receives Bitcoin on a marketplace address, consolidates the funds, sends them through one or more hops, and eventually cashes out at a cryptocurrency exchange. Regulated exchanges in most jurisdictions are required to collect identity documents for accounts above certain transaction thresholds (know-your-customer rules). A legal process demand to the exchange returns the account holder's identity. Commercial blockchain analytics platforms including Chainalysis and Elliptic automate the clustering and tracing steps; investigators then direct legal process at the identified exchange accounts.
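The clustering and tracing steps described in the two paragraphs above, as an added Python example (not code from Chainalysis, Elliptic or any other vendor): the common-input-ownership heuristic implemented with union-find, followed by a breadth-first trace from a vendor's cluster to a labelled exchange deposit address where legal process could be directed. The transactions, addresses and labels are constructed and fictional; real platforms apply many more heuristics over the full ledger.

```python
from collections import deque

# Constructed, fictional ledger fragment (assumption for this example): each tx
# lists the addresses it spends from and the addresses it pays to.
SAMPLE_TXS = [
    {"txid": "tx01", "inputs": ["escrow-1"], "outputs": ["vendor-a"]},
    {"txid": "tx02", "inputs": ["escrow-2"], "outputs": ["vendor-b"]},
    {"txid": "tx03", "inputs": ["vendor-a", "vendor-b"], "outputs": ["vendor-c"]},  # consolidation
    {"txid": "tx04", "inputs": ["vendor-c"], "outputs": ["hop-1", "hop-2"]},
    {"txid": "tx05", "inputs": ["hop-1", "hop-2"], "outputs": ["deposit-xyz"]},
    {"txid": "tx06", "inputs": ["bystander-1"], "outputs": ["bystander-2"]},
]
# Constructed attribution data: known marketplace escrow and exchange deposit addresses.
KNOWN_LABELS = {"escrow-1": "Marketplace", "escrow-2": "Marketplace", "deposit-xyz": "RegulatedExchange"}

def cluster_addresses(txs):
    """Common-input-ownership: all inputs of one tx get one owner. Returns {addr: frozenset}."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register every address, including singletons
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = find(tx["inputs"][0])
    members = {}
    for addr in parent:
        members.setdefault(find(addr), set()).add(addr)
    return {addr: frozenset(members[find(addr)]) for addr in parent}

def trace_to_label(txs, start, labels, max_hops=10):
    """BFS forward along spend edges; returns (path, label) or (None, None) within max_hops."""
    edges = {}
    for tx in txs:
        for src in tx["inputs"]:
            edges.setdefault(src, []).extend(tx["outputs"])
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in labels and path[-1] != start:
            return path, labels[path[-1]]
        if len(path) <= max_hops:
            for nxt in edges.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None, None

def investigate(txs, labels, start):
    """Cluster the start address, then trace each member forward to a labelled cash-out."""
    cluster = cluster_addresses(txs)[start]
    for member in sorted(cluster):
        path, label = trace_to_label(txs, member, labels)
        if label:
            return {"cluster": cluster, "path": path, "cash_out": label}
    return {"cluster": cluster, "path": None, "cash_out": None}
```

Calling investigate(SAMPLE_TXS, KNOWN_LABELS, "vendor-b") groups vendor-b with vendor-a via the consolidation transaction and returns the path to the exchange deposit address, while an unrelated address yields no cash-out point.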
Mixing services (also called tumblers) attempt to break the tracing chain by pooling funds from multiple users and redistributing them in a way that obscures the origin. Investigators have successfully traced through mixers by identifying the structural patterns mixers leave, by subpoenaing mixer operators for logs (when the mixer is in a reachable jurisdiction), and by tracing the pre-mixing and post-mixing flows separately and identifying the same cash-out entity. Monero presents a harder tracing challenge because its protocol uses ring signatures and stealth addresses to obscure transaction graphs by design.
Legal frameworks for investigating anonymity networks
Investigations involving Tor and dark web infrastructure raise legal questions at three levels: the authority to intercept or collect data, the rules for cross-border data requests, and the admissibility of evidence gathered through technical means. These questions are answered differently in different jurisdictions, and an investigator working a dark web case will almost always be dealing with infrastructure and suspects in multiple countries.
In India, the Information Technology Act 2000 (amended 2008) provides authority for lawful interception under Section 69. The Bharatiya Nagarik Suraksha Sanhita 2023 (which replaced the Code of Criminal Procedure) governs search, seizure, and production orders. The Digital Personal Data Protection Act 2023 imposes obligations on data processors but also includes a national security exemption under which government agencies can access data for specified purposes. Cryptocurrency exchanges operating in India are required to register with the Financial Intelligence Unit and comply with anti-money-laundering rules introduced in 2023 under the PMLA amendment.
In the US, the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act govern demands to service providers. Rule 41 of the Federal Rules of Criminal Procedure governs search warrants, including the NIT warrants used in dark web operations. The legal debate over extraterritorial warrant scope, raised by the NIT cases, led Congress to amend Rule 41 in 2016 to allow single-district warrants for remote access to computers whose locations are concealed by anonymisation tools. In the EU, the European Investigation Order framework allows member states to request evidence from each other. The proposed e-Evidence Regulation would allow direct orders to service providers in other member states, so that the requesting state's authority no longer has to go through the provider's home government first.
Mutual Legal Assistance Treaties (MLATs) are the formal mechanism for cross-border evidence requests, but MLAT requests are slow, often taking months, and dark web servers may be moved or wiped before a response arrives. In urgent cases, investigators use informal law enforcement channels such as Interpol notices or direct liaison with foreign counterparts to obtain preservation orders while the formal MLAT proceeds. The Budapest Convention on Cybercrime, ratified by more than 60 states, obligates parties to preserve electronic evidence promptly upon request and to assist foreign investigations, providing a faster mechanism than bilateral MLATs alone.
Investigative approach and evidence collection
A practical dark web investigation typically combines multiple evidence streams: open-source intelligence (OSINT) on marketplace activity and vendor profiles, undercover purchasing operations, financial tracing of cryptocurrency payments, and technical collection targeting the hosting infrastructure. These streams must be coordinated carefully because an error in one (for example, a premature arrest that tips off co-conspirators) can compromise the others.
Evidence from dark web platforms must be preserved in a forensically sound manner before the platform is seized or goes offline. Screenshots are insufficient for court purposes. Investigators use specialised tools to capture full HTTP response headers, page source, file metadata, and server response timing. Where possible, a hash of the captured page is computed and stored contemporaneously so that the integrity of the evidence can be verified later. Chain of custody documentation for digital evidence follows the same principles as physical evidence, with the added requirement of documenting the technical capture method and the software tools used.
When a hidden service server is physically seized, the forensic analysis follows standard digital forensics procedure: bit-for-bit imaging before any examination, write-blocking, hash verification, and documented examination. The server's configuration files may reveal the Tor private key for the .onion address (confirming control of that site), database files containing user accounts and transaction records, and server logs that, if logging was not disabled, record circuit activity. In several major takedowns, including Hansa Market in 2017, law enforcement seized servers covertly and continued operating the marketplace for weeks to collect evidence on vendors and buyers before making arrests.
Key Takeaways
- Tor conceals a user's IP address by routing encrypted traffic through three relay nodes; no single relay knows both the sender and the destination, but a global adversary observing traffic at both ends can use timing correlation to deanonymise users.
- Dark web onion services conceal the server's IP address as well as the user's, requiring investigators to locate the physical server through deanonymisation, OPSEC failures, or seized infrastructure rather than simple IP lookup.
- Operational security failures, including username reuse, unencrypted communications, and real return addresses on physical shipments, account for the majority of successful dark web identifications; direct attacks on Tor's encryption are rare and difficult.
- Bitcoin's pseudonymity means all transactions are traceable on the public blockchain; blockchain analytics tools cluster related addresses and trace fund flows to regulated exchanges where identity records can be obtained through legal process.
- Cross-border dark web investigations require legal process under MLATs or the Budapest Convention framework; in India, the IT Act 2000, BNSS 2023, and PMLA (as amended) govern interception, seizure, and cryptocurrency-related evidence; US investigators use ECPA, the Stored Communications Act, and Rule 41 warrants.