TorMoil Bug Exposes Tor Browser Users’ Real IP Address

A critical vulnerability that leaks IP addresses on Linux and Mac devices has been found in the Tor browser. It stems from an unpatched Firefox bug.

Recently, the number of exploits associated with the Tor anonymity browser has been on the rise.

Among these vulnerabilities is the newly discovered “TorMoil” bug, which exposes the real Internet Protocol (IP) addresses of people using Tor for encrypted browsing.

An Italian security firm called We Are Segment first spotted the flaw.

In a write-up explaining their findings, they say the bug originates from how Firefox handles local file-based addresses (file:// URLs).

Since Tor is built on a modified Firefox Extended Support Release, the flaw carries over to the Tor browser as well.

Aside from publishing a short press release, We Are Segment CEO Filippo Cavallarin did not reveal any significant details about this vulnerability to the public.

Instead, the team reported the issue directly to the Tor Project, a non-profit group that maintains the anonymity-centered Tor browser platform.

We Are Segment provided a record of this advisory on its website.

According to We Are Segment’s researchers, the bug resides in Firefox and affects Tor users who open local file:// links rather than http:// links.

The TorMoil flaw then compromises users’ anonymity and can potentially leak their IP address to attackers upon visiting malicious web pages.

However, the flaw does not affect Windows users.

Upon receiving notification of the vulnerability, the Tor Project’s developers produced a temporary fix: Tor Browser version 7.0.9 for Linux and Mac users.

The release was accompanied by a few paragraphs describing the TorMoil flaw, along with notes on why Linux and Mac users should update their Tor browsers.

In We are Segment’s disclosure report, the team pointed out that the TorMoil vulnerability is harmless in Firefox but catastrophic in the Tor anonymity browser.

For example, once a user on an affected system (macOS or Linux) navigates to a specially crafted web page containing a file:// address, the underlying operating system connects directly to the remote host, bypassing the Tor browser entirely.

Because that connection is made directly rather than through the Tor relay network, the user’s real IP address is exposed to the remote host.
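From a defender’s point of view, the failure described above has a simple signature: the browser process opens a network connection that does not go to the local Tor SOCKS proxy. The following is an added example, not code from the article, We Are Segment, or the Tor Project. It scans a constructed list of outbound connections (in an invented one-line-per-connection format, not real lsof or ss output) and flags any connection from the browser process that bypasses the proxy. It assumes Tor Browser’s bundled tor daemon listens on 127.0.0.1:9150 (SOCKS) and 127.0.0.1:9151 (control port); adjust those if your build differs.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound connections, in a simple
# "proc pid proto src -> dst [state]" format invented for this example.
# Line 3 models a direct connection from the browser (the TorMoil symptom);
# line 5 models a direct DNS lookup, which also bypasses the SOCKS proxy.
SAMPLE_CONNECTIONS = """\
firefox 4211 tcp 127.0.0.1:50122 -> 127.0.0.1:9150 ESTABLISHED
firefox 4211 tcp 127.0.0.1:50124 -> 127.0.0.1:9151 ESTABLISHED
firefox 4211 tcp 192.0.2.10:50130 -> 198.51.100.7:80 SYN_SENT
tor     4198 tcp 192.0.2.10:50131 -> 203.0.113.42:9001 ESTABLISHED
firefox 4211 udp 192.0.2.10:50132 -> 192.0.2.1:53
"""

# Assumed Tor Browser defaults: SOCKS on 9150, control port on 9151.
ALLOWED_LOCAL_ENDPOINTS = {("127.0.0.1", 9150), ("127.0.0.1", 9151)}

# Only the browser process is policed; the tor daemon itself is expected
# to talk to relays directly.
BROWSER_PROCESSES = {"firefox"}

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<state>\S+))?$"
)


@dataclass(frozen=True)
class Leak:
    pid: int
    proto: str
    dst: str
    dport: int
    reason: str


def find_leaks(text):
    """Return a Leak for every browser connection that bypasses the SOCKS proxy."""
    leaks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable connection line: {line!r}")
        if m["proc"] not in BROWSER_PROCESSES:
            continue
        dst, dport, proto = m["dst"], int(m["dport"]), m["proto"]
        if proto == "udp":
            # A SOCKS5 proxy as used by Tor carries TCP streams only, so any
            # UDP traffic (typically DNS) from the browser is a leak.
            reason = "UDP traffic cannot traverse the Tor SOCKS proxy"
        elif (dst, dport) in ALLOWED_LOCAL_ENDPOINTS:
            continue
        else:
            reason = "TCP connection not directed at the local Tor SOCKS port"
        leaks.append(Leak(int(m["pid"]), proto, dst, dport, reason))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CONNECTIONS):
        print(f"LEAK pid={leak.pid} {leak.proto} -> {leak.dst}:{leak.dport}: {leak.reason}")
```

On a real system the input would come from a connection snapshot taken while the browser visits a test page; the point of the check is that a correctly proxied browser never produces a line whose destination is anything other than the local SOCKS port.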

Windows users are not affected

In the response that accompanied the security fix, Tor developers further acknowledged the critical flaw on Linux and Mac systems, and confirmed it does not affect Windows users.

The team also stated that users running Tor on the Tails OS and the sandboxed (still alpha-stage) version of the Tor browser are not affected.

Although no harm had been caused at the time of writing, they say an attacker could reverse-engineer the patched Tor browser to locate the fix and, from it, the underlying bug.

They noted that well-versed programmers could easily understand how the TorMoil bug occurs, and they could potentially create an exploit for it as well.

That’s why Tor rolled out a partial emergency fix for this particular security vulnerability.

Although Tor developers said there is no evidence that the TorMoil flaw is being exploited in the wild, the researchers chose to withhold details of the flaw out of concern for the security and privacy of Tor browser users.

The exact bug details will only be revealed when a permanent fix has been released to effectively stop the potential leak of IP addresses.

However, Tor advises users to assume that their real IP addresses may have been exposed or might leak in the future, and they should upgrade to the latest versions as soon as possible.

While users on the stable version of the browser for Linux and MacOS have been updated to Tor version 7.0.9, Mac and Linux users on the alpha channels should upgrade to Tor version 7.5a7.

In a bid to keep users’ anonymity and privacy protected, the Tor Project announced plans to release a series of new security features, including a new encryption system, advanced client authorization, offline service keys and a control port interface.

Other features include secure naming systems, improved guard algorithms, statistics, blockchain support, mixed-latency routing, virtual reality interface and artificial intelligence logic.

These features are set to build on the Tor version release that was rolled out in September. This version supports next-generation onion services, following four years of development.

The new releases are all part of the larger 0.3.2.x series. The series will, by default, replace the legacy onion system that has been in existence for over ten years.

Still, users should know that Tor vulnerabilities are continuing to arise over time. Despite this, you can still protect your security by using a VPN (Virtual Private Network) alongside the Tor browser.

This provides double protection and keeps you safe from any privacy and security-related threats that may find your device.

Newly Launched Hacking Forum Hacked By Hackers

A hacking site, dubbed as a “Darkode wannabe,” was hacked by unidentified hackers shortly following its launch.

In what is possibly the most ironic incident so far this year, a hacking forum was hacked by other hackers shortly after its launch.

Intended to be a copycat version of Darkode, a hacking and malware marketplace that was shut down by the FBI in 2015, it did not take long before the new hacking forum was torn apart by hackers who made away with vital user login credentials and account information.

In addition to causing blushes to the administrators of the forum, this could expose the identities of hacking professionals who had already created accounts on the site.

Hackers Targeted Former Darkode Users Information

A copy of the data, provided by the breach notification site LeakBase, revealed that the hackers made away with a database full of Darkode users’ hashed passwords and usernames.

In addition to passwords and usernames, the breach also exposed email addresses and, worryingly, the IP addresses of its users.

This last bit is cause for concern for more than a few users who signed onto the hacking forum, especially if any of them have been involved in any recent criminal activity.

Understandably, most users of the hacking forum are worried about having their real locations attached to their internet identities.

Hacked Hacking Forum Logged User IP Addresses


A point of contention in this ironic turn of events is the fact that the forum logged user IP addresses.

This was something that one of the perpetrators of the hack, “FuckInterpol,” was quick to point out and express concern about.

As is typical of many hackers, this particular group left a strong message in which they told the users of the hacking forum that their forum had been “owned.” They were also quick to point out the lacking operational security of the forum’s administrators, particularly when it came to data security and management.

They followed up their message with the deletion of all the other threads on the forum.

Staff Member Admits He Could Have Played an Important Role in Hacking

Going by the moniker “Bullets,” the hacking forum staff member admitted that he could have unwittingly helped the hackers to get in by using a password from a site that was previously hacked.

Nevertheless, he said he was prepared for any repercussions, since he had used the password knowing that the worst case could happen.

He revealed that he had only been interested in seeing what went on in hacking forums and, as such, had not left much compromising information.

Reusing a password was therefore not a decision he had thought through, since he did not expect to stay with the site.

Hacked Hacking Forum Had Poor Opsec

The site administrators have come under fire due to their less than acceptable opsec, which has undoubtedly put the hacking site’s users in more trouble than they had originally thought they would be in.

We can only wait and see whether the federal government will swoop in to pick up the criminals whose identities and locations have been revealed.

The Dangers In The Dark Web

In its annual research report published last month, Flashpoint, a global leader in Deep and Dark Web intelligence, pointed out the increasing complexities of the illicit communities as well as how cybercrime became more industrialized in the darknet markets in the year that just passed. The report details the top high-risk threats for organizations and their assets and is based on the growing cybercrime trends in Asia, Europe and the Middle East. The CEO of Flashpoint, Josh Lefkowitz, touched upon the maturing of the French and Chinese illicit communities in the darknet markets. The company believes that operational and strategic intelligence gained from the darknet markets will help to reduce the costs of the fraud or data loss that may occur, reduce the damage of reputation and also provide an insight into the working of the criminal activities that would affect an organization, its employees, clients and partners.

Darknet Markets – Top Threats They Pose

The range of criminal activities that take place in the darknet markets includes theft of intellectual property, financial fraud, hacking, and terrorism. Intelligence and timely information about such activities help organizations prepare before the activities are planned and executed. Corporations need to be well informed about these darknet markets and criminal innovations in order to combat and overcome potential threats. The Flashpoint report monitors activities in the darknet markets that are almost invisible to outsiders. The following top threats were identified by Flashpoint for the year 2015:


Threat #1: Free entry for any cybercriminal

Anyone can choose to enter the darknet markets as a cybercriminal. There is no barrier to entry, largely because of the expanding malware toolsets now available to newcomers.

Threat #2: Drugs are available in plenty

It is estimated that over 50 percent of the darknet markets that function using Tor offer narcotics for sale. These are easily accessible and are sure to incite interest among the ones that are ready to enter the world of drugs and cybercrime.

Threat #3: No legislation in place for use of hidden services

There is no clear legislation in place regarding the use and governance of hidden services. As long as this does not change, cybercriminals will continue to use Tor and other hidden services to conduct criminal and illicit activities.

Threat #4: Cybercrime – Claim to fame

Though it is a fact that the financially and politically motivated are still a threat to a system (governments, organizations and individuals) that is against their agenda, it has been pointed out in the report that the more dangerous among all of these are cybercriminals motivated by chaos and fame. Their actions are more challenging and they are harder to control.

Threat #5: Seamless terrorism and cybercrime

The spread of cybercrime is inevitable and is, of course, hastened by the facilities provided by hidden services. The year 2015 saw the globalization of crime. With Chinese cybercriminals taking business to Russian forums, it is evident that cybercrime has matured, is internationalized and is growing at an alarming rate. Jihadists have managed to make the most out of what the darknet markets have to offer, thanks to their new crop of young and tech savvy recruits. They have offered greater support to ISIS and extended the global reach of the terrorist group.


About Flashpoint

Flashpoint provides relevant tools, reports, studies and data about the Deep and Dark Web. These are aimed at providing access to organizational, tactical and strategic intelligence to experts. The data is curated by subject-matter experts and presented using a state-of-the art platform. Flashpoint’s products are designed to throw light on the actors, their behaviors and relationships that exist in the deep and dark web. Many organizations have come to realize the potential of this intelligence report and the value of staying ahead of emerging cyber threats. Many government departments and Fortune 500 companies use Flashpoint data, tools and reports to reduce the costs of financial fraud, data loss and reputational damage that are caused to them. Flashpoint is backed by companies such as Bloomberg Beta, Greycroft Partners, Cisco Investments, TechOperators, and K2 Intelligence.

“Underground Economy Forums” Seized By European Authorities

Ever since the arrest of Ross Ulbricht, the creator as well as operator of the illegal darknet market Silk Road, and the subsequent shutdown of the website, the anonymity provided by the Tor network to darknet markets has been the subject of many discussions and debates. A lot has also been discussed about how dark web users do not get the anonymity they want. This has been made clear once again by the law enforcement authorities in the wake of a recent international investigation by European authorities that helped to pull down five darknet markets. These online black marketplaces have been purportedly referred to by the law enforcement agencies as “Underground Economy Forums.”


Investigation and Arrests in the Darknet Markets

The Underground Economy Forums constitute darknet markets or online black markets that sell or conduct transactions involving drugs, dangerous weapons, stolen credit card details, and fake identification, among many other things. Other such sites offered illegal streaming, malware, and DDoS attack services. The recent investigations targeted the operators of such services. During the investigations, the authorities also found that these darknet markets used bitcoin to execute their transactions.

Together with international law enforcement agencies, the Center of Cybercrime Control and the Frankfurt Prosecutor General’s Office conducted raids on five operators of the Underground Economy websites. A 27-year-old Bosnian is suspected of being the main operator of as many as three of these websites and is believed to have been operating them since 2012. In addition, two Germans, aged 22 and 27, have been arrested in this connection; one is suspected of having been active in the darknet markets for three years. The searches yielded 250,000 euros’ worth of drugs. A Syrian national has also been arrested on charges of synthesizing amphetamines. Further searches resulted in the apprehension of three more German nationals, one of whom was arrested in the Netherlands. Of these, a 21-year-old has been accused of running an illegal streaming platform. The German arrested in the Netherlands has been charged with dealing dangerous drugs such as amphetamine, cocaine and ecstasy through the online platforms.

In the wake of these investigations and arrests, the law enforcement agencies have been sending firm messages to young Internet users that it is easy for them to track down darknet markets and their perpetrators and prosecute them as per the existing laws. This is being done with the hope of keeping the youngsters away from their possible tryst with these darknet markets.

However, others see the shutdown of the Silk Road as responsible for facilitating the evolution of other darknet markets. Even when Silk Road is no longer present, other online black markets have sprung up in its place and continued to sell things that were banned in Silk Road. This includes guns as well as stolen data. Traders sell zero-day exploits to those who are ready to pay exorbitant amounts of money for them. These anonymous marketplaces continue to hog the limelight and are at the center of many controversies and investigations.


According to Giulio Prisco of CCN.LA, a legal crackdown on the darknet markets is not the ultimate solution. Such action would only push the activity deeper into the morass and into the hands of other criminals. The shutdown of the more principled operators may throw the doors open to less principled ones who know only too well how to evade the law. Moreover, the darknet markets would become more open to selling things even more dangerous than drugs.

In this context it is interesting to note that the dark web has also allowed a host of useful applications to thrive, so much so that the IETF and IANA assigned .onion a formal special-use domain designation last year.

Tor and I2P – What’s The Difference?

I2P and Tor are both anonymizing networks, enabling people to tunnel out of their non-secure and open environments. Nonetheless, they achieve this in somewhat different ways. This article explains the benefits of each, breaking down their similarities, pitfalls, and things you must know to be safe.


Tor has been around for much longer than I2P. As such, Tor has been studied in far more depth by both the black hat and white hat communities. It was also designed to serve much better as an out-proxy than I2P, because Tor has many more exit nodes than I2P does. Moreover, Tor can use bridges and TLS, and performs far better at evading state-level firewalls.

The Tor network also has the advantage of a large pool of talented developers, some of whom are funded. In fact, the project receives substantial funding for its development and maintenance, and this shows in its white papers and excellent documentation. Tor exposes a simple SOCKS proxy; therefore, your only choice is to be a client, a relay node, or an exit node.

On that note, as opposed to Java on I2P, Tor is written in C. This means that a Tor client typically runs with a smaller memory footprint and much faster. The network also uses a directory-based approach, offering a centralized point from which to manage the overall network “view” and to gather and report statistics, in contrast to the distributed network model of I2P. This centralization helps resist Sybil attacks and reduces complexity at each level.


The I2P network was designed by developers who had the internal network in mind. Measures were taken to create a better environment for hosting services rather than for providing out-proxies. Indeed, this is the fundamental difference between Tor and the I2P network.


I2P was designed and optimized for hidden services, which are much faster than Tor’s, because the network is self-organizing and fully distributed. To help with this, peers are chosen by continuously profiling and ranking their measured performance, rather than by trusting their claimed capacity.

I2P is packet-switched, unlike the circuit-switched Tor network. This means messages are transparently load-balanced across multiple paths rather than a single one. Essentially, all peers take part in routing for others. Unlike Tor’s SOCKS interface, which was created for functionality, I2P’s API was designed for anonymity.

Tor seems to have an upper edge over I2P as far as offering better security is concerned because of its SOCKS proxy. However, it’s important to have in mind that most individuals won’t have a threat model where security would be of great concern because attacks tend to be very complex.

Finally, I2P tunnels are short-lived, reducing the number of samples that attackers can use in order to mount a serious attack with, unlike Tor’s circuits, which are typically long-lived.

Tor Vs. I2P: Which Is Better?

That is a very open-ended question, and at times it comes down to technical choice. One example is peer-to-peer file sharing over I2P, which Tor neither supports nor encourages. At other times it will depend on individual preference. You’ll find that the content on the I2P and Tor networks varies. However, this is not to say that you shouldn’t host services on the Tor network, or shouldn’t out-proxy with I2P. The networks are designed and developed with different strengths in mind.

Generally, if you are searching for an efficient out-proxy, Tor is an excellent choice. The network still has more to offer, granted that several exit nodes have already been blacklisted in order to prevent abuse.

If you are looking for a great onion routing network, then I2P would be an ideal choice, since you are afforded higher speeds and added protection to go along with it.

Rise And Fall Of Darknet Markets

Three years and a similar number of months after the FBI seized the Silk Road, the darknet markets’ equivalent of Amazon, new entities are springing up and even booming in the very same niche. You may be wondering how this is possible, considering that law enforcement agencies have increased their scrutiny to stem the growth of such sites.

Silk Road and its later incarnations, as well as Agora, Evolution and Abraxas, rose to dominate the dark web before falling, only to be replaced by other, probably better-coded websites. The stories behind their rise and eventual fall vary, though, and this is probably why their lifespans vary too.

The Silk Road

To everyone who knew him, Ross Ulbricht was an ideal kid. University of Texas even accepted him on a full scholarship. He did not pass for a person who would orchestrate and run a US$1.2 billion illicit drugs marketplace; yet he did!

While in college, Ross developed a strong disinclination for government interference. He started growing a strain of hallucinogenic fungi, which he hoped to peddle using the ever-extending distribution channels of a darknet market. While his mushrooms were growing, he decided to try his hand at computer programming. He roped in his pal, Richard Bates, who was already a programmer with eBay.

With Bates’ assistance, Ulbricht was able to successfully code the Silk Road site, including hiding it on the Tor network to evade banking and government oversight. The website went live in February 2011 and within a few short months had thousands of enlisted vendors and buyers.

Silk Road’s ranking system, which graded vendors based on feedback, made it a favorite with many customers. This steady traffic, flawless distribution aided by encrypted communication, and the website’s 10 to 12% commission soon made Ulbricht rich. The website handled a whopping 1.2 million transactions during its lifespan, with total revenue amounting to about 9.5 million bitcoins.

The fall of Silk Road started almost immediately after it went live. Senator Charles Schumer made requests to have the Drug Enforcement Administration (DEA) and the Department of Justice shut it down. After this request, all communication to and from the website came under scrutiny, and in October 2013 the FBI seized the website, arresting Ulbricht and charging him with computer hacking, money laundering and conspiracy to traffic narcotics.


Following the demise of Silk Road, many online entities rose to fill the gap left. One of these entities, Evolution, also called Evo by darknet markets customers came alive in January 2014. The site’s creator, Verto, also founded Tor Carding Forum, an identity theft and stolen cards forum on Tor.

Evolution’s rapid growth came about because it went live at a time when law enforcement agencies were seizing its competitors. The odd blend of cyber security and lax rules on the use of stolen cards also propelled Evo to the top of the darknet markets. Despite this laxity, it still disallowed prostitution, child pornography, murder, terrorism and assassination-related services, and Ponzi schemes.

Unlike other darknet markets, Evolution shut down in March 2015, apparently due to exit fraud by the administrators in order to steal users’ cash in their escrow accounts.

Agora and Abraxas

Agora went live in 2013 and soon became a major darknet markets destination. Following the closure of Evolution in an apparent exit fraud, Agora became the leading darknet website. Unlike many of its counterparts, it did not suffer the wrath of Operation Onymous, the international law enforcement agencies’ operation that targeted hidden services and darknet markets hosted on the Tor network. The website’s administrators took it down in what they termed as protection from potential attacks meant to de-anonymize server locations.

Soon after Agora went down, Abraxas emerged and claimed the darknet markets’ top place. Like others before it, it also went down in what is possibly an exit fraud.

Thriving Darknet Markets

The legion of online users averse to government interference keeps growing each day. This breed of consumer helps spur the growth of darknet markets. Since the emergence of the Silk Road, the shutdown of a darknet market has usually been followed by the emergence of a replacement. Soon after Agora and Abraxas left the scene, new darknet markets rose to fill whatever gap existed.

AlphaBay and Dream Market now occupy the pinnacle of darknet markets. Though they operate in the same Tor network that hosted the other dark net websites, they are perfecting the art and science of concealing their tracks. Their survival in this rather unstable niche is however, only a matter of time.

The Deep Web, Dark Web, And The Darknet Marketplaces

There’s been a lot of confusion in the media about two similar terms: Dark Web and Deep Web. What journalists usually call the Deep Web is in fact the Dark Web, and vice versa. The Dark Web usually has a negative connotation because of the many Darknet Markets that occupy a significant part of it.

Deep Web

But before we dive into the semantics of the terms in question, namely Deep Web, Dark Web, and Darknet Markets, allow us to bring in yet another one: Surface Web (believe it or not, we’re introducing this new term to try to unscramble all the others).

The Surface Web represents everything that can be indexed and accessed by standard search engines, such as Google, Bing, Yahoo, etc. Because the data are so readily accessible, this layer is considered to be the surface of a huge ocean of information, an ocean we like to call the Internet.

On the other hand, beneath that surface, there is a vast ocean of non-indexed data – hence the term Deep Web. So, a very simplified view is that Deep Web represents everything that cannot be indexed by search engines.

Namely, search engines rely only on links in order to index pages and websites. Everything beyond that is considered Deep Web. Certain parts of websites can be accessed only through search boxes, as is the case with many university and government websites, and these too are in the Deep Web realm!

The term was coined by Mike Bergman, a computer scientist, back in 2000 and has been used ever since.

Dark Web

Finally, the most notorious of the terms, Dark Web. According to Brightplanet, Dark Web is considered just a small part of Deep Web. It’s been deliberately hidden and can be accessed only by using special web browsers, such as Tor browser. It is the place where all the nasty takes place, booooo!

As mentioned many times, the way to access the Dark Web is through the Tor Network, which has its own specialized browser simply called Tor Browser. Tor provides its users, both website owners and visitors, with a high degree of anonymity; their IP addresses are hidden and their traffic encrypted inside a multilayer router network, and it is almost impossible to track anyone down using conventional methods.

However, not all Darknet Markets are located on Tor Network; for example, Silk Road Reloaded uses I2P, an alternative to Tor network. I2P stands for the Invisible Internet Project, and the cryptocurrencies that support I2P at the moment are, surprisingly not bitcoin, but Anoncoin and Monero.

Despite its notorious reputation, Dark Web offers a number of good things to its users. Lots of bloggers and journalists, for example, use it for communication with whistleblowers and trusted sources who often come from the countries with very limited freedom of speech.

Darknet Markets

The emergence of the Dark Web has opened possibilities for new, internet-based businesses. And as so often happens, people will always find a way to misuse something good; the Dark Web is no exception to the rule. It’s full of illegal markets where you can buy drugs, weapons, child pornography, counterfeit IDs and all sorts of illegal services like hacking, and even order a murder.

Goods and services on the Darknet Markets can be purchased with bitcoin, the first and most widely used cryptocurrency. Just as you can’t be traced while browsing the Dark Web, you also cannot be traced while making transactions using bitcoin. The only trouble with bitcoin is its unstable exchange rate: one day it can be worth more than $1,000, and the next its value can dramatically drop to $200. Currently, one bitcoin is valued at nearly $400.

History of Darknet Markets

The first and most celebrated market was definitely Silk Road. It was founded by a 31-year-old libertarian, Ross Ulbricht. Launched in January 2011, its development had begun six months earlier. The idea behind the Silk Road project was allegedly to clean up the streets by moving drug dealers from dark alleys to Darknet Markets, thus creating a safer environment for vendors and users. This obviously sounded like a great and well-intended idea in Ulbricht’s mind, and perhaps he really believed he was doing something for the good of the world; however, the judge who ultimately sentenced him to two life sentences didn’t seem to share his enthusiasm.

Ulbricht was arrested in October 2013 by the FBI, who caught him red-handed while he was logged in to the Silk Road admin page. It is estimated that the total revenue generated from sales on the Silk Road was around 9,519,664 bitcoins (roughly $3.6 billion at the current bitcoin exchange rate). Ross Ulbricht, the pioneer of the Darknet Markets, is considered most responsible for making the Deep Web and Dark Web subjects of the mainstream media.

After the fall of Silk Road, many new Darknet Markets tried to find their place under the sun, Silk Road 2.0 among them. It looked more or less the same as its older brother and even employed the original staff members of the previous Silk Road. However, Silk Road 2.0, together with 26 other Darknet Markets, was seized by law enforcement in Operation Onymous in 2014.

As expected, and despite this massive arrest operation, new Darknet Markets continue to emerge. Some of today’s best-known Darknet Markets are definitely AlphaBay and Dream Market (Agora and Abraxas being out of the game). Agora was one of the most respected Darknet Markets, but it retreated, allegedly due to security glitches in the Tor Network. AlphaBay has recently announced that it has the largest community on the Dark Web, while Dream Market, founded in 2013, is considered the oldest existing market on the Dark Web. Many Darknet Markets have performed exit scams, taking for themselves the bitcoins trapped in escrow, while others continue to work diligently on securing the community’s trust.

All of them still use escrow and review systems developed by Ross Ulbricht; and while some Darknet Markets are successful in that, many have failed – they have been either seized by the FBI or taken down by competition.