Soon after posting of the message by Thomas, tech and underground forums were agog with the rumours of raids by authorities. Tor has been in news for some time now since the revelation that FBI had exposed Tor users IP addresses to catch a criminal. However, at 23:54:32 UTC, Thomas posted another message to assuage the fears of Tor users of a possible raid by authorities and stop the rumour mongering going on in the forums and chats. The second message is given below : Many of you by now are probably aware than I run a large exit node cluster for the Tor network and run a collection of mirrors (also ones available over hidden services). Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers. Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances. If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile. The mirrors in concern are: https://globe.thecthulhu.com https://atlas.thecthulhu.com https://compass.thecthulhu.com https://onionoo.thecthulhu.com https://globe223ezvh6bps.onion https://atlas777hhh7mcs7.onion https://compass6vpxj32p3.onion 77.95.229.11 77.95.229.12 77.95.229.14 77.95.229.16 77.95.229.17 77.95.229.18 77.95.229.19 77.95.229.20 77.95.229.21 77.95.229.22 77.95.229.23 77.95.224.187 89.207.128.241 5.104.224.15 128.204.207.215 I will do my best to keep this list updated on the situation as it develops. If any of the mirrors or IPs do come back online, I would welcome anyone who is capable of doing so checking for any malicious code to ensure they are not used to deploy any kind of state malware/attacks against users should my theory prove to be the case. At this moment in time I am under no gagging orders or influence from external parties/agencies. If no update is provided within 48 hours you may draw your own conclusions. Regards, T From these two messages by Thomas, one thing is clear that Thomas’s servers were under the control of a third party for a brief period.  The third party had deleted the logs which would have given Thomas clues to who had the control of the servers during this period. Another thing that Thomas mentions is that he is not sure if this was a raid by the authorities.  However he has not excluded the idea of a large scale raid by FBI on Tor exit nodes.  The servers mentioned in the first message have been blacklisted by Thomas and will be put up only after proper vetting.  He is in contact with the ISP providers for finding out the exact reasons behind this ‘unusual activity.

  1. The likelihood of this being the work of law enforcement seems to be lower than originally anticipated. This is good in many ways but asks more questions than it solves right now. I am not going to completely exclude the possibility of law enforcement involvement though as there simply isn’t enough information.
  2. A large portion of our logs seem to be non-existent right now, I am not sure how or why they have been cleared as this has not happened before. When a bit of time has passed and I can be sure of no imminent raid on my property I will look into the logs in more detail and share them with people more qualified than myself to judge on the matter. If appropriate we will then also look to make them public assuming there are no consequences for doing so. Furthermore as the time & date of some of the servers seem to have been skewed, what remaining info there is may be unreliable.
  3. The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened.
  4. Support staff at the ISP have not yet commented on whether a warrant has been executed for the servers. At this stage it isn’t possible to distinguish whether the person I talked to genuinely doesn’t know or they are being told to refrain from commenting at this moment in time. Therefore I won’t be drawing conclusions from that.
  5. Support staff at the ISP have confirmed to me there has been unauthorised access to my account. This could be down to the fact I access the control panel often via Tor (yes, using TLS before anybody asks), however it does raise the prospect of a non-LE person(s) being behind this but does not explain why a chassis intrusion was detected for example or anything else to do with on-board sensors.
  6. No information was kept on the server in relation to users. We follow the best practice guidelines on running a Tor server to reduce any information stored on our hardware about the users of Tor. These events in no way put users at risk who may have used our nodes in the past or at the time the servers went offline.
  7. Again, at this moment in time I am under no gagging orders or unreasonably withholding information under orders.
  8. Tor isn’t broken. Stop panicking. The strength of Tor is that no single party has the power to critically damage the network or to put users at risk. If I believe I come across any such vulnerability, this will be forwarded to the core developers immediately and patched.
  9. One or two media groups/reps have contacted me. I appreciate your interest in Tor and these recent events but I am not a representative of Tor and I don’t want to draw a conclusion right now as it would be no more than mere speculation really. If anything significant develops I am sure Tor Project will release the information in due course. Regards, T In the meantime Thomas as asked all Tor users to be patient and reiterated that Tor is stronger to be broken by outage in few exit nodes. Resource : 1. Gmane
  10. Tor Projects.