in Uncategorized

Large Number of Tor Hidden Sites Seized by the FBI in Operation Onymous were Clone or Scam Sites

This post is the first in a series dealing with the takedown of Silk Road 2.0 and Operation Onymous. The data in this post was put together with @secruedmh and @imposter. A big thanks to Juha Nurmia and his Tor Hidden Service Index, and researchers who share their work or report on stories such as lamoustache, gwern, deepdotweb along with others who don’t wish to be named for helping us fill in our index and cache. For updates follow on twitter.

In the two weeks since Silk Road 2.0 and a large number of other Tor hosted hidden services were taken down as part of Operation Onymous, we have crawled and indexed onion sites to find out just how many sites were seized and what sites were seized. Initial reports said 410 sites were seized, then 400 and this number has continued to be revised down until Europol said only some two-dozen sites were seized. Our crawl of just over 9,000 onion sites has found 276 seized onion sites.

The full table of seized onion sites discovered is below, an overview of the data and some findings:

  1. Out of a total of 276 seized onion addresses found, we identified 153 of the addresses as belonging to either clone, scam or phishing sites.
  2. Of the 153 clone or scam sites, 133 were clones and 20 were scam or phishing sites.
  3. In a number of cases the FBI has seized the clone or scam version of a site while leaving up the real site.
  4. In May of 2014 a bot known as the “Onion Cloner” was discovered and became known to Tor hidden service operators. This bot would find Tor hidden sites and clone them on its own address in an effort to steal passwords or intercept Bitcoin transactions. Of the 133 clone sites that the FBI seized, a large number of them were clone sites produced by the Onion Cloner that were mistaken for the real copy.
  5. Of the 8 websites mentioned in the FBI press release, 2 are clones and 1 is a scam site.
  6. Of the 32 onion addresses mentioned in the DOJ seizure notice filed in US court, 3 are scam sites and 9 are clone websites.
  7. As far as our survey has revealed and based on prior data about the Onion Cloner, every single Onion Cloner clone site has been seized or is no longer available.
  8. For the following sites, the clone or fake version was seized while the real site remains live: Cannabis UK, CStore, Dedope, Executive Outcomes, FakeID, Fake Real Plastic, Hackintosh, Pablo Escobar Drug Store, Real Cards Team, Smokeables, Zero Squad. Some of these sites were mentioned in the FBI press release or court seizure notice as having been taken down when in fact the clones were seized.
  9. There are almost 200 sites that have been seized that are not mentioned in any seizure notice or press release. These include the (real) sites for Fish Squad, Exposed, Hack the Planet, Cash Machine, DOXBIN, Pink Meth, OnionSphere, Mr Ouid’s Forum. That list includes personal websites, forums or other sites that had no outward appearance of illegal activity, and they are also not mentioned in any court or press documents. These sites were seized with what appears to be no, or little legal justification.
  10. Scam or phishing versions of Silk Road 2.0, Agora, Real Cards Team, Evolution and many other sites were seized.
  11. For some of the onion addresses, being mentioned in the FBI press release or the seizure notice is the first and only ever public web mention of the address.
  12. The website “Executive Outcomes”, which the FBI claims in seizure notices and press releases was a retailer of firearms was a well known scam site – it never shipped any weapons but took users funds.
  13. A clone of a Jihad funding website called “Fund the Islamic Struggle without leaving a trace” was seized, while the real website remains live (and has accepted over 5 BTC in donations)

Indications of Method

That the FBI seized so many clone and fake websites suggests a broad, untargeted sweep of hidden services rather than a targeted campaign. The slapshot nature of how sites were seized suggests that rather than starting with an onion address and then discovering the host server to seize, this campaign simply vacuumed up a large number of onion websites by targeting specific hosting companies. We have tracked down the hosting companies affected and the details will be published in a follow-up.

On that note, if you were the administrator of a hidden site that was seized, be it a clone or a real site, please get in touch (PGP and email here). I’ve spoken to a number of admins and hosting companies and have put together what the seized sites had in common in order to deduce the method used to locate them. Information from admins and hosts is invaluable in working out what the weaknesses of the seized sites was, and what can be learned from the seizures. There is a high likelihood that none of the seizures will be tested or revealed in court, at least not in the short term, so getting this information is important.

Tor Onion Data

The database of hidden sites, which I believe is the largest that has been collated, will be posted to this GitHub repository sometime in the next couple of days. An earlier version of the crawler used is also available on GitHub. We are currently putting together an index of data from the seized sites, including the forums, and other Tor hidden services along with a search engine. If you’re interested in contributing or adding data to it get in touch.

Table key: Column S = Site mentioned in DOJ seizure notice. Column P = Site mentioned in FBI press release

Tor Bazaar Forum22iwhc2luicynjqy.onion
Fake ID23swqgocas65z7xz.onionClone**
Tor web developer:2hcruaawg3e55vfa.onionClone
The Dealer:2sr3d7kvco5iy6ws.onionClone
The Hidden Wiki (mirror):33lwkzt672innsj6.onionClone
Trava Pricelist34j2fiy32xwuxsku.onion
Sea Kitten Palace:3cvsdlyltwapggbf.onionClone
EU DRUGSTORE:3d635wnxku6h43eg.onionClone
FAQ :3e5rqv7542gxvwpk.onionClone
Tor Bazaar3p42y56a76g6okuv.onion*
Fund The Islamic Struggle Anonymouslybc3nbr42tdnqamvs.onion
Exposed – The Secret Web4dpc64mjcbu5kkyn.onionClone
AYPSELA news:4jdirmqv2o65dlum.onionClone
Cloud Nine4jt6iq3r3agaldg7.onion
EasyCoin Bitcoin Wallet & Mixer”4p7orzshxhif6cfz.onionClone
Jotunbane’s Reading Club:52frxf3nn43n6rt5.onionClone
1 Hour Laundry:5mkcloe3kuefrqvr.onionClone
Fast Cash!5oulvdsnka55buw6.onion**
GreenPaper Counterfeiters (Super Notes)67yjqewxrd2ewbtp.onionScam*
Onion Mail:6e44iwci5e6iodyw.onionClone
Green Machine6hstmidevw5dhkct.onion
The Green Machine6ijclyvilv53ll76.onion*
Doxbin / DeDope6odhiu7bke342ip5.onion*
Green Dragon Supplier6wlmeo5zdm5jzex5.onion
Evolution (Phishing)7bt3s7ikypzurhue.onionScam
Wall Street Tor:7ttedph3rjhoh24y.onionClone
Cash Flow7y6e3uutyvoi2myq.onion
Onion Identity Servicesabbujjh5vqtq77wg.onionScam
Lossless Audio Files:afismo35weljjdcv.onionClone
Agora (Phishing)agorazbdc4zq5oww.onionScam
Alpaca Marketplacealpaca7bcqv2rnu3.onion*
SOL’s Unified USD Counterfeit’saodaost3cbxnzgno.onionClone*
Cloud Nineaoyukbwlwxzcllet.onion
Onionweb filehosting:b3xbwcuuflw73r5u.onionClone
Tor Bazaarbazaar755zbjb121.onion*
Tor Bazaarbazaarlv2a7i3uyn.onion*
Onion Channelbcyh7mzfrekxobud.onionClone
Cloud Ninebg62ti72ckuo6rm2.onion
Blue Skyblueskyplzv4fsti.onion**
Lion Pharmabvhbasj4jxhwc7d7.onionClone
Cloud Nine (Main)bviaqyj6obc54vhn.onion
Cloud Ninec6x3fexjje4uaczd.onion
Buy Twitter Followers:c7kbn6qnsw6glp5c.onionClone
Cannabis Roadcannabiskofvl7pa.onion*
Hack The Planetchippyits5cqbd7p.onion
Cstore – Carded Storecstoreav7i44h2lr.onion
MAGIC MUSHROOMS STORE:cvy25jynw7g6tamj.onionClone
Cloud Ninecxhlovvocanzs7ka.onion
Cloud Ninecyeji6dcpvad5zsq.onion
Cloud Nineczl2oqmd3ovghwk5.onion
The Pot Shopd5jkxy5i6r3sddfw.onion
Data Bindatabinhwin4xuxx.onion
Steal This Wiki mirror:dejxz2tiz6f5nbrp.onionClone
Black Marketdgoega4kbhnp53o7.onionClone*
Black Market:dgoegaf7vnu3uowm.onionClone
Clean My Coins Fakedjyy6p2ohwkkmn2l.onionClone
Help Guydm4gtebssktdskxn.onionClone
Blackbank Market (Scam)do37y4wk2detgi6x.onionScam
Cannabis UKdokpyl6egokvejos.onionClone*
Pablo Escobar Drugstoredrugs6ayt3njhzha.onionScam*
The Armory clonedzc6ptsiaajb3mjj.onion
Silkroad 2.0:e5wvymnx6bx5euvy.onionClone
Outlaw Marketeaq2e77pmdvrepbq.onion
Cloud Nineeb3bbtsqywrdo5ae.onion
Real Cards Teamen74n7uqro3flkmz.onionClone*
Cloud Nineepj7nsddjr3jaorc.onion
Cloud Nineepvjwvjhqs74iq7l.onion
Sell your pictures for Bitcoinsf2x5eapxymahuf2t.onionClone
Cstore – Carded Storefd4qqglswwsv6fph.onionClone*
Deutschland im Deep Webfjgf5eo4zyntgbus.onionClone
Bitcoin For Proxyfogcoreohrvfeur5.onionScam
Cannabis Roadforumzxmoorof4ja.onion*
Welcome, We’ve been expecting you!:”foubiqu6uin2dv2n.onionClone
USA/EU Fake Documents store:ftkfjfsbsc3yebzw.onionClone
Laundry King:fvb7crr4hu7u57m6.onionClone
Apples 4 Bitcoinfvpibvo6tphexfvl.onionScam
Double Your Bitcoinsfwpplqylgbpjymrr.onionClone
konkret – das linke magazinegcymml5rdr6lhpto.onion
Словесный Богатырьgr4dszr5zd2k44qa.onionClone
Deep Web Radio:gzkqe6rodeexilic.onionClone
The Pirate Market:h5nfci2xgob2nheu.onionClone
Cloud Nineh5ry3wfk7md3vkfc.onion
Cash Machinehcutffvavocsh6nd.onion
The PaypalCenterhd74evbdzn6cl264.onionScam
Hydra Forumhydrafmchvpq5yc6.onion*
Hydra Russianhydraruehsdjjfud.onion
Executive Outcomesiczyaan7hzkyjown.onionClone**
Fake Real Plasticigvmwp3544wpnd6u.onion**
Cloud Nineitjsuhezvyyi7pjg.onion
Super Notes Counterj62alxawj7624ejg.onionClone
Site do Renan Jackson:jcfcrq76kdc4ghmo.onionClone
Cocaine Marketjd3gdrtmhm7vwudx.onion
Mr Quid’s Forumjfekrr6wghtmalpd.onion
Apple’s Torjff4wifbjuqmhubb.onionClone*
Cloud Ninejgpvu5d5fufwpqa7.onion
Cloud Nineji45q56enmtidgl5.onion
Cheap Eurosjmntdqtytkuhqlzu.onionClone
The House of Cards:jmobhake4txapqd7.onionClone
Cloud Ninejz3rmfugjt5eiyr5.onion
Onion Identity Servicesk5dvoeyiwakymez5.onionClone
Apple Palacekcan7d4ahhryu6gg.onionClone
The Hidden Wikikpvz7ki2v5agwt35.onion
The Tor Library:lgic2yjpimouvjnw.onionClone
Cloud Ninelhckzzv3qlvcwfg2.onion
Kamagra for Bitcoin:lnien5hngzlojppv.onionClone
The PayPal Centerlygnimwoedhioopl.onion
Hidden Betcoinmqaa6l5vb7rbpksf.onion
The PayPal Centermv5cb4hz3ecscshx.onion*
Cloud Ninemx7rzz5my2fq46wz.onion
Prepaid Bliss:n5qsqwl2y3qrr2jq.onionClone
Cloud Ninen7hwwwncx3bcx5vc.onion
Cloud Ninened32wtuel43cxbf.onion
The Secret Story Archive:oqgylsk6seo42gpk.onionClone
Tor Bazaar Betaorjidjtyniyzn5il.onion
Drug Marketoxr3dae6epxdc4pg.onionClone
The Secret Story Archive #1st:oxrxwesdxlnwsj3x.onionClone
USJUD Counterfeitsp4ecvpaclc44j3jz.onionClone
Cloud Ninep6qx55i5r64mxq7n.onion
Clone Sitepbq2zmsrh4cdxdxl.onionScam
UK Passports:pclb34gpalrdxj4u.onionClone
Green Dragon Supplierpg5epl6suareiqq6.onion
Old Man Fixer’s Fixing Servicesph22uxxxttai7v2n.onionClone
Pink Methpinkmethuylnenlz.onion
Mobile Storepptzzk2wye6rfeki.onionClone
Tor Carding Forumsqtr46f7bgf4kzt7q.onion
Cloud Ninergam2tqpqhelm4ow.onion
Cloud Ninerhmhjalcohuys4a5.onion
UK Guns and Ammorhqetwhda65zcakj.onionClone
Hidden Wiki:rmhpp6w3ncrvxiub.onionClone
Cloud Ninerndm56yv54aqe7pn.onion
Example rendezvous points page:rqjfolmb2h7iqdvq.onionClone
Thunder’s Place:s5yvlnz7qljsdmtc.onionClone
Cloud Ninesdjv72hp5x6pt5en.onion
Silk Road 2.0silkroad3og4b6bq.onionScam
Silk Road Forumssilkroad5v7dywlc.onion
Silk Roadsilkroad6midjsbr.onion*
Silk Roadsilkroad6ownowfk.onion
Brave Bunnysqxamnigeby5u37b.onionClone
Wikileaks New link:srozpqsnh2lgyewu.onionClone
Cloud Ninesrz5wvnyd7skt5uh.onion
Флибуста | Книжное братство”su74joxcacuafyq6.onionClone
[Forum PHISHING LINK]t6la6i24jkow5roh.onionScam
Cloud Ninetaifcjgrifyjiwey.onion
Apples 4 Bitcointfwdi3izigxllure.onionScam
USA Citizenshiptgielwnuv3xzfg7r.onion
â… TOR-SERV â…:torservsbt7rsbfg.onionClone
Cash Machinetpe3rm2w4fkbtciu.onionClone
Galaxy Social Networktvbkrvflzx2pmvpw.onionClone
The Hidden Marketuaq62zdqnjr4xo4q.onion
Assassination Market:ugq2p64trcyg3xgt.onionClone
Real Cards Teamujompjlrdgbhkmuj.onion
Dark Hosting:ul4kmrygtkhbb5vz.onionClone
keys open doors:uqbmgvisfz2wpj4v.onionClone
Creative Hack:urjlsqe373ismjwg.onionClone
Fake Real Plasticvc5apwufjoil3svw.onionClone
Green Star Station:vgfzmngu7dh5ye76.onionClone
Hack The Planet:vpkyqijluxa33ywp.onionClone
Rich Richard:vz3ofn5f2lous44c.onionClone
Golden Nuggetwyj4d4u237p3coca.onionScam
lol 20th Century Western Musicx4am6cpmndsqzbu2.onionClone
Cloud Ninex7ikq6a3qx5qjikf.onion
CC-Planet Fullzxadxysdnd3ug2dea.onion
Hydra Forumsxdbn2gsuk74nwd7f.onion
Clean My Coinsxgrsaj3wykpofseb.onion
RepAAA’s Hidden Empirexskus6q7olpdlrkb.onion*
Cloud Ninexvqrvtnn4pbcnxwt.onion**
Beneath VT:y4hzxepemtqcf4qh.onionClone
Onion Wallety6dyzauztb5u2ufa.onionClone
Cloud Nineye5n3ecw64utvmmh.onion
Onix Electronics:yhu73qfnjti3cmvf.onionClone
Zyprexa Kills:yifsrwkdvjiojr7w.onionClone
Peoples Drug Store:yrenuxvrrhmuvces.onionClone
USD Counterfeitsyrpavngfbhbc3tcc.onionClone
Zero Squadz5fvd3hwmtzkgaqy.onionScam*
The Intel Exchange:z7d7gx53ne7fouyf.onionClone
Cloud Ninez7rpuixjsncgomw7.onion
  1. Finnish drug site: silkkitiehdg5mug seems to be up (Login page at least, I dont have login id’s). Weird was that 1st of 11 the site stated ‘Maintenance etc’ ‘we rise again’
    I think m2lbhzmzmfv5a763.onion of it would be it’s clone.

    wouldn’t “Fund The Islamic Struggle Anonymously bc3nbr42tdnqamvs.onion ” be a clone, based on news…

  2. Not a single CP site? Weird.
    Perhaps cross-reference list was not complete as sites like “Ahmia” deletes such sites on their directory.

  3. I’m interested as to what “konkret – das linke magazine” is.
    If it’s anything to do with this website/publication (a german left-wing political magazine) then it looks like the FBI have taken down a totally legit site?!

  4. what is the strategic benefit of going after clones? I can imagine a couple solid reasons, but am not savy nor knowledgeable enough to say for sure.

  5. Weird. Me thought it would be as hard to find a clone than to find the original. If they’re able to find clones, why not the original websites? After all, both are onions…
    Unless… Unless these clones were created by the FBI themselves which is of cours impossible.

  6. Hi Nick,

    Thanks for your work on this. It’s an interesting investigation into an important topic. I am looking forward to reading the second installment. Do you have any idea when it will be published?

    • Thanks. The next two parts have been written – just waiting on some additional confirmation on some of the included info prior to publishing

Comments are closed.


  • Heart of Darkness: Mass of clone scam sites appear | January 21, 2015

    […] during Operation Ononymous, the exercise that took down Silk Road 2.0 in November of 2014, it emerged that most of the sites affected by this international law enforcement effort were, themselves, […]

  • ste williams – Heart of Darkness: Mass of clone scam sites appear January 21, 2015

    […] during Operation Ononymous, the exercise that took down Silk Road 2.0 in November of 2014, it emerged that most of the sites affected by this international law enforcement effort were, themselves, […]

  • Nik Cubrilovic – New Web Order » Large Number of Tor Hidden Sites Seized by the FBI in Operation Onymous were Clone or Scam Sites « The JC Organization January 21, 2015

    […] Nik Cubrilovic – New Web Order » Large Number of Tor Hidden Sites Seized by the FBI in Operat…. […]

  • Peeling the Onion: How the FBI Hacked TOR - WyzGuys Cybersecurity January 21, 2015

    […] puzzles over how the law shredded anonymity in Operation Onymous Wikipedia:  Operation Onymous New Web Order: Nik Cubrilovik I was going to link to the Europol site, but oddly enough there was a certificate error which made […]

  • reeD | Атака мировых спецслужб на сайты, торгующие наркотиками, привела к росту их продаж January 21, 2015

    […] хакер Ник Кубрилович, перепроверив данные, заявил что таких сайтов закрыто лишь 276, причём многие из […]

  • Report: A Bunch Of Illegal Websites Seized By The FBI Were Fakes | Gizmodo Australia January 21, 2015

    […] On the plus side, however, the FBI’s done a sterling job of cleansing the dark net of fake or scam sites, leaving only legitimate illegal operations running. [Nils Cubrilovic] […]