Deanonymizing Tor hidden service users through Bitcoin transactions analysis

TL;DR

This paper demonstrates that Bitcoin transactions can be exploited to deanonymize Tor hidden service users by linking their online identities with blockchain data, revealing sensitive associations and compromising privacy.

Contribution

It introduces a practical method for deanonymizing Tor users by analyzing blockchain transactions and social media data, highlighting vulnerabilities in Bitcoin and Tor anonymity models.

Findings

125 users linked to 20 Tor services including sensitive ones

Crawled 1.5K hidden services and collected 88 Bitcoin addresses

Analyzed 5 billion tweets and 1 million forum pages for user identities

Abstract

With the rapid increase of threats on the Internet, people are continuously seeking privacy and anonymity. Services such as Bitcoin and Tor were introduced to provide anonymity for online transactions and Web browsing. Due to its pseudonymity model, Bitcoin lacks retroactive operational security, which means historical pieces of information could be used to identify a certain user. We investigate the feasibility of deanonymizing users of Tor hidden services who rely on Bitcoin as a payment method by exploiting public information leaked from online social networks, the Blockchain, and onion websites. This, for example, allows an adversary to link a user with @alice Twitter address to a Tor hidden service with private.onion address by finding at least one past transaction in the Blockchain that involves their publicly declared Bitcoin addresses. To demonstrate the feasibility of this deanonymization attack, we carried out a real-world experiment simulating a passive, limited adversary. We crawled 1.5K hidden services and collected 88 unique Bitcoin addresses. We then crawled 5B tweets and 1M BitcoinTalk forum pages and collected 4.2K and 41K unique Bitcoin addresses, respectively. Each user address was associated with an online identity along with its public profile information. By analyzing the transactions in the Blockchain, we were able to link 125 unique users to 20 Tor hidden services, including sensitive ones, such as The Pirate Bay and Silk Road. We also analyzed two case studies in detail to demonstrate the implications of the resulting information leakage on user anonymity. In particular, we confirm that Bitcoin addresses should always be considered exploitable, as they can be used to deanonymize users retroactively. This is especially important for Tor hidden service users who actively seek and expect privacy and anonymity.