atechdad make it so

Deanonymizing Darknet Data

Hey all, this is a pretty simple post, so I’ll keep it quick. Yesterday, someone released a dump containing several archives of Darknet black-market sites for research purposes. This looked interesting, so I took them and did a little research.

One of the suggested uses by gwern was:

“deanonymization and information leaks (eg GPS coordinates in metadata, usernames reused on the clearnet, valid emails in PGP public keys)”

Sounds like a good start to me.

Assumptions:

  • Some of these sites and forums were probably custom coded so they may not have sanitized exif data.
  • Some people who posted images probably used their mobile devices.
  • Some people were not aware that some devices record your location when taking a picture by default.

What I did:

For my target, I chose a random archive with a decent amount of data. I wanted something that had potential. I also decided to only look at .jpg images. I did this so I could standardize on the method in which I collected the data.

I then hacked together a script that would extract all of the files I wanted from the tar.gz. The script would then get each file’s latitude and longitude if it existed within the metadata of each image.
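The tar.gz-to-coordinates step described above, written out as an added example (my code, not the author's script): a dependency-free reader for the Exif GPS IFD inside a JPEG's APP1 segment, the tarball walk around it, and a constructed sample JPEG so it runs offline. The names exif_gps, scan_tarball and build_sample_jpeg are my own; the same reader works on your own images to confirm location tags are gone before an upload.

```python
import struct, tarfile
GPS_IFD, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4  # Exif tag ids: GPS IFD pointer (in IFD0), GPS IFD tags

def _ifd(tiff, off, e):  # map tag -> (type, count, raw 4-byte value field) for the IFD at offset off
    n = struct.unpack_from(e + "H", tiff, off)[0]
    ents = (struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n))
    return {t: (ty, c, v) for t, ty, c, v in ents}

def _dms(tiff, off, e):
    """Three RATIONALs (degrees, minutes, seconds) at off -> decimal degrees."""
    d, dd, m, md, s, sd = struct.unpack_from(e + "6I", tiff, off)
    return d / dd + m / md / 60 + s / sd / 3600

def exif_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees from a JPEG's Exif GPS IFD, or None."""
    pos = 2  # walk marker segments; stop at start-of-scan (0xDA), after which no metadata follows
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, length = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + length]
            e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order: "II" little-endian, "MM" big-endian
            u32 = lambda raw: struct.unpack(e + "I", raw)[0]
            ifd0 = _ifd(tiff, u32(tiff[4:8]), e)
            g = _ifd(tiff, u32(ifd0[GPS_IFD][2]), e) if GPS_IFD in ifd0 else {}
            if not all(t in g for t in (LAT_REF, LAT, LON_REF, LON)):
                return None
            lat, lon = _dms(tiff, u32(g[LAT][2]), e), _dms(tiff, u32(g[LON][2]), e)
            return (-lat if g[LAT_REF][2][:1] == b"S" else lat,   # southern / western
                    -lon if g[LON_REF][2][:1] == b"W" else lon)   # hemispheres are negative
        pos += 2 + length
    return None

def scan_tarball(fileobj):
    """Yield (member name, lat, lon) for every .jpg in a tar.gz whose Exif carries GPS."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tf:
        for m in (m for m in tf if m.isfile() and m.name.lower().endswith(".jpg")):
            gps = exif_gps(tf.extractfile(m).read())
            if gps:
                yield (m.name, *gps)

def build_sample_jpeg(lat_ref, lat_dms, lon_ref, lon_dms):
    """Constructed test input (not a real photo): minimal little-endian Exif carrying GPS tags."""
    ent = lambda t, ty, c, v: struct.pack("<HHI", t, ty, c) + v  # one 12-byte IFD entry
    rat3 = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, round(s * 100), 100)  # three RATIONALs
    ifd0 = struct.pack("<H", 1) + ent(GPS_IFD, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"
    gps = (struct.pack("<H", 4) + ent(LAT_REF, 2, 2, lat_ref + b"\0\0\0")
           + ent(LAT, 5, 3, struct.pack("<I", 80)) + ent(LON_REF, 2, 2, lon_ref + b"\0\0\0")
           + ent(LON, 5, 3, struct.pack("<I", 104)) + b"\0\0\0\0")
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rat3(*lat_dms) + rat3(*lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", 8 + len(tiff)) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

A hit from scan_tarball only proves the tag was present, not that the device recorded it honestly; as the post notes, coordinates can be spoofed.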

Results:

After parsing hundreds of thousands of images, I came across about 37 unique images that were not properly sanitized. This means that the files contained exif data which may identify the latitude and longitude where the pictures were taken. (Keep in mind, this data could also be spoofed.) Overall, it appears as if these images came from just a handful of individuals.

Map:

Map of images

For the curious, this is a sanitized montage of the images:

Montage of images

sigh.

Lessons Learned:

  1. You cannot depend on TOR alone to render yourself truly anonymous. If you don’t understand, it’s probably better if you don’t use it.
  2. Don’t do illegal things. You’ll get caught eventually.

So that’s it. Have a good weekend!

-julian (@techdad)