OnionScan Report: September 2016 - Uptime, Downtime and Freedom Hosting II
Welcome to the sixth OnionScan Report. The aim of these reports is to provide an accurate and up-to-date analysis of how anonymity networks are being used in the real world.
In this report we will examine how a single hosting provider has had a dramatic affect on the dark web.
Summary
It appears that Freedom Hosting II, a hosting provider which hosts a rather large number of hidden services is either having significant issues or has ceased operations entirely.
This has caused disruption and downtime to at least 1500 hidden services hosting a wide variety of content.
A Note on Numbers
The lifespan of an onion service can range from minutes to years. When providing generalised numbers, especially percentages, we report approximate figures based on multiple scans over a period of time, rather than a single snapshot.
Freedom Hosting II
Named after the original, and now defunct, Freedom Hosting, Freedom Hosting II (FHII) is one of the largest onion web hosting providers - offering free space and bandwidth to anyone who signs up for an account.
Since OnionScan started in April we have observed FHII hosting between 1500 and 2000 services or about 15-20% of the total number of active sites in our scanning lists.
Note: We are able to link sites back to FHII because all the sites shared a single SSH fingerprint
FHII hosts practically every kind of content available on the dark web from bitcoin scams and sales of counterfeit documents to personal blogs and web forums.
However, since June of this year FHII has been experiencing issues. Posters on Reddit have noted frequent connection issues to their site admin panels, and difficulty logging in and signing up. In addition we have noticed frequent downtime in many of the hosted sites.
During our mid-late September scans we were unable to scan any previously seen FHII sites despite multiple attempts on multiple different days across our scanning fleet.
While we have seen downtime on FHII we have never had issues accessing all FHII this consistently and for so long.
We are left to conclude that FHII is dead or dying, and along with it over a 1500 dark web sites including:
- Several Personal Blogs and Websites.
- Over 100 Double/Triple/100x/Ponzi Bitcoin Scams - in fact, as far as we can tell, nearly every single one of these sites is hosted by FHII.
- Over 1000 Carding and Counterfeit Sites.
- Multiple Bitcoin Escrow and Wallet sites.
- A handful of Forums relating to Hacking and other topics.
- At least 600 "Site Hosted by Freedom Hosting II" default instances.
Whether these sites find new homes, or their old one magically returns, is yet to be seen. But one thing is clear, the Dark Web is a little bit smaller this Autumn.
Other OnionScan News
- The OnionScan 0.2 Branch is now active and available for testing and issue reporting - new branch contains various updates to the core OnionScan application including new identifier correlations and a revamped web crawling algorithm.
- Thanks to pull requrests from Wladimir J. van der Laan the OnionScan 0.2 branch now features enhanced Bitcoin functionality including version / useragent detection and onion peer discovery.
Get Involved
If you would like to help please read Sarah's post OnionScan: What's New and What's Next for some great starting off points. You can also email Sarah (see her profile for contact information).
Goals for the OnionScan Project
- Increase the number of scanned onion services - We have so far only successfully scanned ~6500 (out of ~12,000 domains scanned).
- Increase the number of protocols scanned. OnionScan currently supports light analysis for HTTP(S), SSH, FTP & SMTP and detection for Bitcoin, IRC, XMPP and a few other protocols - we want to grow this list, as well as provide deeper analysis on all protocols.
- Develop a standard for classifying onion services that can be used for crime analysis as well as an expanded analysis of usage from political activism to instant messaging.