Peeling the Onion – Tor's Criminal Content Revealed

Malware infrastructures are increasingly hosted within Tor

In one blog posting today, Kaspersky Lab describes what Tor is and what it provides. "No network node knows either the source of the traffic or the destination or its content. This ensures a high level of anonymity making it impossible to determine who is behind the network activity, i.e. a real person," it explains. But, it adds, "as well as legitimate users, this technology also attracts the attention of cybercriminals. The Tor network has long been known for hosting a large number of resources carrying out illegal activity."

In a separate post by the same Kaspersky Lab researcher, Sergey Lozhkin outlines what he has found in Tor following months of investigation: what "is immediately obvious is that the cybercriminal element is growing." He discusses four specific criminal growth areas: malware, criminal marketplaces, financial fraud, and money laundering – all found within around 900 hidden services.

Malware infrastructures are increasingly hosted within Tor. "We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android," he says. The reason is simple: "Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate."

Criminal marketplaces are also growing within Tor. "It all started from the notorious Silk Road market and evolved to dozens of specialist markets: drugs, arms and, of course, malware." Within and supported by those marketplaces, financial fraud is also growing – although it is still firmly rooted in the Darknet outside of Tor. "Stolen personal info is for sale with a wide variety of search attributes such as country, bank etc... Offers are not limited to credit cards – dumps, skimmers and carding equipment are for sale too."

The coin of choice within Tor is the bitcoin. "Almost everything on the Tor network is bought and sold using bitcoins," writes Lozhkin. But while it is almost impossible to associate a particular bitcoin wallet with a particular individual, the transactions themselves are transparent, public and trackable.

"That’s why money laundering services exist on Tor," notes Lozhkin. "Cybercriminals can create an account, deposit bitcoins and they will be broken up into various quantities, transferred through dozens of different wallets to make any investigation highly complicated."

His conclusions are simple: more and more cybercriminals are being attracted out of the traditional Darknet and into the anonymity of Tor. "Malware developers are using Tor more and more for a variety of malware-related tasks," and "financial fraud and money laundering are important aspects of the Tor network."
