30 Percent of the Dark Web Goes Dark – Who Turned Off The Lights?

I recently started spending time in the Dark Web, learning how to use a VPN and the TOR browser to navigate the hidden services to be found there.  I also have been presenting a “Tour of the Dark Web” to the public in a variety of business groups.  I find the Dark Web to be a fascinating place, and so far the response from people attending my seminar indicates that I am not the only one.  One of the problems with finding sites on the Dark Web is that there are no search engines that work there.  Information about hidden sites and services are kept in lists such as the Hidden Wiki.  These lists are often inaccurate and out of date, since sites go up without notice, and come down the same way.  Then there is the sudden loss of 6500 Dark Web sites when Daniel’s Hosting was breached on November 15.

Last week a popular Dark Web hosting service, Daniel’s Hosting, was breached by as of yet unknown attackers, and the entire contents of the hosting platform were stolen and/or erased.  This took down about 30% of the hidden services  across the TOR network, representing about 6500 sites, and over 6 million documents.  The carnage included:

  • All of the user account information, including the “root” account.
  • 5000 or more English language sites.
  • 54 Russian language sites
  • 450 hacking and malware development sites
  • 300 forums
  • 150 chat rooms
  • 135 drug markets
  • 109 counterfeit services
  • 50 sites dealing stolen credit cards
  • 20 sites dealing in weapons
  • 700 sites that were used for unknown purposes.

So far this is no one has taken credit for this attack, but speculation points to a couple of possibilities.  The first is a Russian hacker collective who recently published technical details of the PHP imap_open() vulnerability, which was apparently used in this attack.  The second possibility is that this server has taken down by a law enforcement agency.  There was a DDoS attack the precede the breach, similar to other law enforcement takedowns.  There were a few child pornography chat rooms using Daniel’s Hosting.  It is possible that Daniel Winzen, the owner, has been arrested, and his recent posts about the issue are really coming from law enforcement.

Supposedly the service will be back in December, once he has had a chance to secure his server.  By design, the site kept no backups, so restoring the lost sites will fall on the individual site owners.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.