February 6


Darknets: The Mysterious Technology Explained, Part I


I hope you enjoyed the first post in this series, “Darknets: What You Need To Know.” If you didn’t have a chance to read it, it provides some basic background that might help before you read this post.

Darknets work by either hiding your location, protecting your identity, or both. Even more security can be added by using encryption.

There are various ways darknets operate to accomplish these goals. Some darknets route transmissions through several computers, making it hard to trace a transmission from beginning to end.

Other darknets are being developed with peer-to-peer technology, where every device connected to the network uses special software to become a “node” on that network that can be used to either transmit or store data.

Some of these networks break every transmission into pieces that are individually encrypted before they are sent. Other darknets use this same method to store data.

The key concepts to understand about darknets include routing information through several computers, using encryption, and sending individually encrypted pieces of data by a different route each time.

How Darknets Help People to Hide

To begin, the first darknet we’ll address is The Onion Router Project, also known as Tor. Tor is perhaps the most well-known and popular platform, and you may have heard a little about it without really understanding why it was created and how it functions.

In the mid-1990s, several branches of the U.S. government recognized the need for a secured network for intelligence agents, law enforcement, or dissidents in oppressed countries with restricted access to the Internet.

In 2003, the United States Naval Research Laboratory created The Onion Router Project. Their solution was to transmit data through several computers, or “nodes,” using encryption to mask a user’s physical location as well as his identity.

Even today, the U.S. government continues to provide significant funding for the Tor network.

Most Internet users can be identified by the Internet Protocol address of the device they use when connected to the network. Normally, this IP address can show the geographic location of the user, and could be used to learn his identity. Because of the way Tor works, this IP address is hidden.

The Tor network is composed of over 7,000 nodes whose owners have volunteered to be part of Tor.

The easiest way to use Tor is to download the Tor browser, which is a modified version of the Mozilla Firefox browser that is configured to automatically connect to the Tor network and change important settings to protect the privacy of the user.

All traffic transmitted on Tor is encrypted, with the exception of the data transmitted from an “exit” node when the data leaves the encrypted protection of the network.

Here is a simplistic version of how Tor works.



Alice needs to communicate with Bob and wants to use Tor to protect her location and identity. Alice downloads and installs the Tor browser, and opens it on her computer. The Tor browser then contacts a volunteer node operated by “Dave” to obtain a list of all Tor servers that are currently running.

“Dave” returns the list to Alice’s browser, which then creates a random pathway of 3 Tor nodes to transmit her communication with Bob. Alice’s data is encrypted with a different layer of encryption for each node. Note that in the graphic below, the links shown in green are encrypted.



When Alice’s message is received by Tor node #1, the first layer of encryption is stripped away. The discarded data contains any information related to Alice or her IP address, while revealing the address for Tor node #2. The message is then sent to the next address in the path.

The message is received by Tor node #2, which strips off the next layer of encryption. This second layer contains information about Tor node #1, but nothing about Alice because the first node removed that data.

The only information known by node #2 is that someone is using the Tor network to communicate with someone else. No data related to either party is known at this point in the transmission.

After this layer is removed, the address for Tor node #3 is revealed, and the message is passed along.

At Tor node #3, which in this example is also the exit node, the final layer of encryption is removed revealing the address for Bob. This node only knows that the message came from Tor node #2 with Bob as the final destination.

Consider the analogy of sending a note through the regular mail. You insert the note in an envelope and address it to a friend named Jim.

You seal the envelope and then put that envelope into a second one, addressed to another friend, Barbara, requesting that she forward it on to Jim.

You then enclose these two envelopes into yet another one and address it to a third friend, Jerry. You ask Jerry to forward the enclosed envelopes to Barbara.

Finally, you enclose the group of three envelopes into another one, addressed to a friend, Jane. You ask Jane to forward the envelopes to Jerry.

Let’s assume that the content of the original note to Jim is encrypted with a code known only to you and Jim.

This is how the Tor network works, but using technology instead of envelopes.

Back to our original scenario. If Alice later wants to communicate with Jane, a different random path of Tor nodes is created for that message, as in the final graphic below.


Some people believe that Tor is completely anonymous, but that’s not necessarily true. A user’s Internet Service Provider (ISP) or the IT department of an organization can see when a person on their network is using Tor. They probably won’t be able to tell what the user is doing on Tor, but some organizations block users from accessing any IP address known to be associated with the Tor network.

The other way that a person using Tor might be identified is if the exit node on the Tor network is being monitored. Remember that data leaving the Tor network may not be encrypted.

Why Should Investigators Care?

Criminals and terrorists will use the technology if it benefits them…and the use of darknets helps them to hide their identity, their location, and their activities.

Are darknets like Tor inherently evil?

No, they’re not.

But there is criminal and terrorist activity happening on these darknets, and investigators and more people from the general public need to be aware of what they are and how they work.

If you don’t know enough, then you give them an advantage.

To me, that’s unacceptable.

Final Thoughts:

Many of you have never visited Tor, and may believe that it’s too dangerous to even explore to see what’s out there.

I value your time, so I’ll continue the discussion of Tor in my next post. I’ll show you some examples of merchandise and services available on Tor, and will talk about why they are important.

In future posts, I’ll show you examples of other types of darknets and explain how they are different from Tor.

Once again, let’s keep things in the proper perspective. There is crime in the real world, and there is crime in the darknet virtual world as well.

The real world is not completely evil, and neither are darknets.

Just as we do in the real world, our purpose as investigators should be to track down and eliminate crime, while recognizing and preserving the rights of those who use the technology for their personal privacy and security.

Here is a link to the final post in my series about darknets: “What Crooks Are Doing On Darknets.”

Please join our mailing list!

If you want to learn more about techno-crimes, cybersecurity tips and techniques, and threats to privacy, join our mailing list!


Cybercrime, Darknets, Investigations, Ransomware, Techno-Crime

You may also like

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}