Tor browser on a display of PC with logo in a form of onion.
Image: sharafmaksumov/Adobe Stock

Cybercriminals generally need to use online servers, be it to collect stolen data, communicate with an infected machine via malware or host phishing pages. One of the common techniques used by these threat actors to try to add a strong layer of anonymity consists of using The Onion Router (Tor) network to hide the location of their servers.

Ransomware threat actors in particular, who know they attract a lot of attention and that their activities are tracked and investigated by both security researchers and law enforcement agencies, make a heavy use of the Tor network.

When used appropriately, Tor provides a fairly strong layer of anonymity, but it can also be badly configured and leak information that can be used against fraudsters.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

It is important to note that servers hosted on the Tor network are just typical servers hosted on the Internet — users are merely accessing them via a special network.

How to de-anonymize fraudulent Tor web servers

Cisco Talos published new research that exposes three different ways to get more information and de-anonymize domains hosted on the Tor network and used by ransomware threat actors.

First method: Certificate matching

Transport Layer Security is a protocol used for end-to-end encryption between computers on the Internet. Typically, it is the protocol used when establishing HTTPS communications. To do so, the web server the user accesses needs a TLS certificate, which is provided when communicating. Such a certificate contains some information that can be tracked and used to investigate.

Some ransomware threat actors actually use those certificates for their websites, making it possible to investigate and possibly find matches in the surface web (Figure A).

Figure A

Image: Cisco Talos. TLS certificate used by the Dark Angels ransomware threat actor.

If a TLS certificate from a threat actor is indexed on the surface web, it will lead to the web server that is using the Tor network so the hosting is fully de-anonymized. It might also lead to other content from the same threat actor, which is also valuable for further investigation.

With the help of something like the Shodan online service, which indexes information from the Internet, including TLS certificates, it becomes easier to investigate.

Second method: Favicon matching

The favicon is that tiny icon that users see in the browser’s URL bar when browsing a website or looking at their bookmarks list (Figure B).

Figure B

TechRepublics Favicon shown in the red box on a Firefox web browser.

Once again, using Shodan, it is possible to match favicons found on a fraudulent website hosted on the Tor network with favicons on the surface web.

The Quantum ransomware group is taken as an example by Talos researchers (Figure C).

Figure C

Image: Cisco Talos. Quantum ransomware group page on the Tor network – favicon visible on the left of the page title.

Using its favicon from the dark web, they found its equivalent on the surface web and could locate the threat actor’s web server (Figure D).

Figure D

Image: Cisco Talos. Shodan showing the real IP address of the Quantum ransomware web server.

Third method: Catastrophic OpSec failures

OpSec failures can lead even the most skilled actor to leak data from its infrastructure.

Talos notes that the Nokoyawa ransomware group did not secure some of its scripts properly, which allowed the researchers to exploit a directory traversal vulnerability. Basically, this consists of using a parameter sent in the URL of a HTTP request to gain access to a folder or file that should normally not be exposed on the Internet.

That failure, in addition to improper directory and files permissions, allowed the researchers to see through the anonymity of the threat actor by accessing /var/log/auth.log* directly on the Linux server hosting the web content. That file, once analyzed, revealed IP addresses used by the attackers to connect to the server via the SSH protocol.


Investigating and collecting threat intelligence on Tor-hosted networks is a difficult task, yet in many cases the Tor network does not provide 100% secure anonymity to its users. It needs a strong network and operating systems knowledge to use those services without making any mistakes.

By using different investigative techniques, including those exposed in this article, it is possible to de-anonymize some fraudulent servers and obtain information about the threat actor itself.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday