Agora dark market suspends operations after finding “suspicious activity.”
A dark market website that relies on the Tor privacy network to keep its operators anonymous is temporarily shutting down amid concerns attackers are exploiting a newly reported weakness that can identify server locations.
As Ars reported last month, the technique requires the adversary to control the Tor entry point for the server hosting the hidden service. It also requires the attacker to have previously collected unique network characteristics that can serve as a fingerprint for that particular service. Still, once that bar is met, the attack has an 88-percent accuracy rate. Hidden services are sites that are accessible only from within the Tor, which conceals IP addresses of servers and users.
“We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again,” operators of Agora, a hidden service that markets everything from illicit drugs to unlicensed firearms, wrote in various online forums, including this post on Pastebin. “However, this is only a temporary solution.”
The message said operators were working on a solution to block the attacks and planned to bring Agora back online once it was ready. In the meantime, they said, it would be unsafe to continue conducting business as usual.
The suspension comes as a surprise, since Tor Project officials have downplayed the novelty of the new attack method and the likelihood it could be carried out in practice. The Agora operators didn’t describe precisely what evidence they had that the weakness in the Tor protocol was being actively exploited. Still, their warning is worth considering since the suspension will presumably cost them money while the site is out of operation.