Tor2Web Proxies Are Using Google Analytics to Secretly Track Users

Caleb
8 min read, Sep 30, 2018


Tor2Web and similar hidden service reverse proxies are categorically awful. Almost every public Tor2Web server is giving your “Tor” browsing history to Google. Some don’t. Some exist only to steal cryptocurrency or facilitate fraud. All of them leave users open to detection.

This will likely be the first of many articles about Tor2Web and Web2Tor proxies. Once I finish investigating some of the more malicious ones, I will publish another drafted article about hidden service proxies and phishing. This primarily covers how common it is for these proxies to track users with analytics services. And it covers part of the most annoying proxy ever: onion.rent.

Bullshit loading alongside Dream Market when loaded through a Tor2Web proxy

Onion.rent

Malicious. Lazy. Somehow successful.

Onion.rent, the older sibling of “onion.top,” is more annoying than many other proxies combined. Unlike many of the other servers mentioned in this list, onion.rent is not particularly interested in tracking your every move. Instead, since the very inception of onion.rent, onion.top, and other members of the same family, the actors behind the proxies have relentlessly targeted users of the Dream darkweb marketplace. The owner(s) earn tens of thousands of dollars every month with one simple trick™.

They own so many of the DeepDotWeb clones that their numbers game has fully paid off. They are sitting on hundreds of darkweb related domain names. Probably half of their total domain collection is dedicated to domains that fit the “typosquatting” definition. For example, DeepDoWeb.com (notice the missing “t” between the “o” and the “w”) is actually used as one of the primary phishing clones, and their other sites with similar typos just proxy content from DeepDoWeb.com.

When you visit the DeepDotWeb onion site (deepdot35wvmeyd5.onion) via onion.rent, you are fed a page that looks almost identical. Lately the clone has been a few articles behind. It does not take long for anyone with experience on both the real version and the onion.rent version to realize something is screwed up. And it is; on the real onion, when you access the market directory list, clicking on the title of a darkweb marketplace opens a page with links and site information. Clicking on the Dream darkweb market listing on the onion.rent version of the DeepDotWeb hidden service automatically redirects users to a Dream market address.

2pjwzzms2yqlrkhp.onion is surprisingly a real Dream Market address

Given the onion.rent operator’s history with Dream, one might expect that the redirected Dream address was not an official Dream link. Oddly enough, the link was (and still is) an official link that anyone can confirm against SpeedStepper’s public key. The address is the “2pjwzzms2yqlrkhp.onion” address (archive). Furthermore, Dream is completely accessible and usable through onion.rent.

On the surface, the proxied Dream Market works as it should. It only almost works correctly, though. Dream Market gives each customer fresh Bitcoin addresses for depositing funds on the market. Here is what that looks like to someone visiting the Bitcoin wallet settings panel on the market:

And, for paranoid customers, Dream provides a way to confirm that a deposit address really belongs to their account: just as the market publishes PGP-signed lists of its official onion addresses, it will produce a PGP-signed message containing the user’s deposit address. Here is what one looks like:

Wait… The two addresses don’t match…

The screenshots above were taken only 30 seconds apart yet something very important changed. The address (censored) in the signed PGP message does not match the address from the page only one click away. Fluke? Nope. I double checked it and then started monitoring the address changes over time. The operators of onion.rent and related proxies are making some serious money.
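The swap works because the deposit address in the page is just unsigned HTML that a reverse proxy can rewrite on the fly, while the PGP-signed message cannot be forged. A practical check is therefore to pull every Bitcoin address out of the page as the proxy delivered it and diff that set against the addresses in the signed message. The script below is an added example written for this article, not code from Dream Market, onion.rent or the author; it assumes legacy Base58Check addresses (the `1...`/`3...` kind), validates each candidate's checksum so that garbled strings are not counted, and assumes the signed message was already verified with `gpg --verify` against the market's published key (it does not verify signatures itself). The sample page and signed message are constructed for the example.

```python
import hashlib
import re

# Legacy Base58Check addresses (P2PKH starts with 1, P2SH with 3). Assumption: the
# market hands out legacy addresses; bech32 (bc1...) addresses are out of scope here.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def base58_decode(text: str) -> bytes:
    """Decode Base58 into bytes; leading '1' characters become leading zero bytes."""
    n = 0
    for ch in text:
        n = n * 58 + BASE58_ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(text: str) -> bool:
    """True when the last 4 bytes equal the first 4 bytes of SHA256(SHA256(payload))."""
    try:
        raw = base58_decode(text)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4 checksum bytes
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text: str) -> set:
    """All checksum-valid Bitcoin addresses found in a blob of HTML or text."""
    return {a for a in CANDIDATE_RE.findall(text) if is_valid_btc_address(a)}


def find_swapped_addresses(page_html: str, signed_message: str) -> set:
    """Addresses shown on the (unsigned) page that do not appear in the signed message.

    A non-empty result means something between you and the market rewrote the page.
    The signed message must already have been verified against the market's PGP key
    (e.g. `gpg --verify`); this function only compares the two texts.
    """
    return extract_addresses(page_html) - extract_addresses(signed_message)


# Constructed sample data, not captured from Dream Market. The signed message carries the
# genesis-block address; the page as delivered by a rewriting proxy shows a different one.
SIGNED_MESSAGE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Your deposit address for account foo is 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
PROXIED_PAGE = """<div class="wallet">Deposit to
<code>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</code></div>
<!-- a string that looks like an address but fails Base58Check, so it is ignored: -->
<span>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb</span>"""

if __name__ == "__main__":
    swapped = find_swapped_addresses(PROXIED_PAGE, SIGNED_MESSAGE)
    print("addresses on page but not in signed message:", sorted(swapped))
```

Because the proxy only needs to substitute a string, a valid-looking address is all the attacker has to produce, which is why the checksum alone never catches the swap; only the comparison against signed data does.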

Back to injected analytics. To quickly test what type of nonsense each proxy did when visiting a Tor site, I created a basic hidden service with the text “Tor2Web Test” to easily see which proxies injected unwanted content. Here is the result of torsocks curl http://fenuqthznfkq5mry.onion without any proxies:

fenuqthznfkq5mry.onion is the address I set up for testing. I have since pulled it.

Onion.pet

Analytics. Share your darknet market experience with your friends!

Onion.pet makes no promises about privacy. They cannot be faulted for any violation of statements made regarding the privacy of their users. But not only do they track users via Google Analytics, they also thought adding AddToAny’s “Share Buttons” was a wise decision.

Google Analytics: UA-111355066-1

AddToAny supports integrated analytics, of course. Because every (darknet drug market user) innocent hidden service user wants to share a .onion link with their friends on Tumblr.

The Tor2Web Test Page with AddToAny Share Buttons

Here is the output of curl http://fenuqthznfkq5mry.onion.pet

Onion.ws

Deceptive. Loves analytics.

Their privacy policy does not claim that they don’t track user data, but it does claim to protect identities “by not logging user requests.”

Onion.ws does its best to protect users’ identities by using SSL encryption and not logging user requests, however, we cannot guarantee users’ anonymity as well as using the Tor Browser directly. (FAQ)

Google Analytics (the gtag.js loader, served from googletagmanager.com): UA-123404068-1

Yandex Webmaster verification token: 32c083e5492f2f5a (a site-ownership proof for Yandex’s webmaster tools, not a tracking script in itself)

I emailed the owner of the server and asked for clarification regarding the apparent discrepancy between the privacy policy and the injection of unwanted JavaScript sending precise analytics back to — at a minimum — Google. I have not yet received a reply.

And here is curl https://fenuqthznfkq5mry.onion.ws

Note the following block, because it shows up on most of these proxies:

<!-- Global site tag (gtag.js) - Google Analytics --> 
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-123404068-1"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-123404068-1');
</script> </html>
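The test described earlier (a baseline fetch of the test onion with torsocks curl, then the same path through each proxy) is easy to automate once the responses are saved to disk: anything in the proxied copy that the baseline does not contain was injected by the proxy. The scanner below is an added example written for this article, not code from the author or from any proxy; it fingerprints the trackers this article keeps running into (the gtag.js loader with its UA- property ID, the Yandex verification tag, AddToAny, the exosrv ad hosts and noscript image beacons) and, as a generic catch-all, lists every resource host the proxied page loads that the baseline page does not. The baseline and proxy responses embedded below are constructed stand-ins for the curl output; the onion.ws one mirrors the gtag snippet quoted above.

```python
import re
from urllib.parse import urlparse

# Fingerprints of the trackers seen across the proxies in this article. The gtag loader
# is served from googletagmanager.com but the UA- identifier is a Google Analytics property.
TRACKER_PATTERNS = {
    "google_analytics_property": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "gtag_loader": re.compile(r"googletagmanager\.com/gtag/js"),
    "yandex_verification": re.compile(r'name="yandex-verification"\s+content="([0-9a-f]+)"'),
    "addtoany": re.compile(r"static\.addtoany\.com"),
    "exosrv_ads": re.compile(r"\b[a-z]+\.exosrv\.com"),
}
RESOURCE_URL_RE = re.compile(r"""\b(?:src|href)=["']?(https?://[^"'\s>]+)""", re.I)
# <noscript> image beacons fire even with JavaScript disabled.
NOSCRIPT_IMG_RE = re.compile(
    r"""<noscript>.*?<img[^>]+src=["']?(https?://[^"'\s>]+).*?</noscript>""", re.I | re.S)


def resource_hosts(html):
    """Hostnames of every absolute src/href URL in the document."""
    return {urlparse(u).hostname for u in RESOURCE_URL_RE.findall(html)}


def scan_proxy_response(html, baseline_html):
    """Report tracker fingerprints and any hosts the proxied copy loads that the
    direct-over-Tor baseline does not. An empty dict means nothing was injected."""
    findings = {}
    for name, pattern in TRACKER_PATTERNS.items():
        hits = sorted(set(pattern.findall(html)))
        if hits:
            findings[name] = hits
    beacons = NOSCRIPT_IMG_RE.findall(html)
    if beacons:
        findings["noscript_beacons"] = beacons
    injected = resource_hosts(html) - resource_hosts(baseline_html) - {None}
    if injected:
        findings["injected_hosts"] = sorted(injected)
    return findings


# Constructed stand-ins for the curl output: the baseline is what the test onion itself
# serves; the proxied copies mirror the snippets quoted in this article.
BASELINE_HTML = "<html><body>Tor2Web Test</body></html>\n"
PROXY_RESPONSES = {
    "onion.ws": BASELINE_HTML + """<meta name="yandex-verification" content="32c083e5492f2f5a" />
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-123404068-1"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-123404068-1');
</script> </html>""",
    "onion.link": """<html><body>Tor2Web Test
<script src="https://ads.exosrv.com/ads.js"></script>
<noscript>
<a href="https://main.exosrv.com/img-click.php?idzone=2935598" target="_blank">
<img src="https://syndication.exosrv.com/ads-iframe-display.php?idzone=2935598&amp;output=img&amp;type=468x60" width="468" height="60"/></a>
</noscript>
</body></html>""",
    "onion.to": BASELINE_HTML,
}

if __name__ == "__main__":
    for proxy, html in PROXY_RESPONSES.items():
        print(proxy, scan_proxy_response(html, BASELINE_HTML) or "clean")
```

The host diff is the part worth keeping even when the fingerprints go stale: a proxy that swaps Google Analytics for some other vendor still shows up as a new third-party host the original onion never referenced.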

Onion.nz

Analytics.

Generic example of a Tor2Web proxy with Google Analytics.

Google Analytics (gtag.js): UA-123404068-1, the same property ID as onion.ws, so both proxies report into the same Google Analytics account.

Here is the result of curl https://fenuqthznfkq5mry.onion.nz

Onion.link

Awful and straightforward about being awful. Analytics, ads, invasive cookies.

Onion.link makes zero attempts to stealthily collect identifying information on users of the service. Here is part of the privacy policy about tracking identifying information:

OnionLink also collects potentially personally-identifying information like Internet Protocol (IP) addresses for users. Personally-identifying information such as IP addresses is disclosed solely in cases where we are compelled to under United States, Singapore, or international law.

And then a casual mention of advertisements:

Ads appearing on our website are delivered by advertising partners, who often set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you. OnionLink itself does not use cookies.

Onion.link ads are currently served from ads.exosrv.com/ads.js. Onion.link was, at one point, a different Tor2Web proxy at the onion.city URL and was owned by the owners of the defunct onion.glass.

Also, one of the few recent examples of a Tor2Web proxy contributing to someone’s arrest involved onion.link. A NASA contractor used onion.link to access child abuse content, and someone spotted the onion.link hostname in the DNS logs. This is far from a problem exclusive to onion.link, though. Because these proxies put the onion address into the hostname itself (fenuqthznfkq5mry.onion.link, for example), every lookup hands the full name, onion address included, to your DNS resolver in cleartext. Whoever runs or monitors that resolver can see which onion sites you visit through Tor2Web proxies.
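Spotting this in resolver logs is a one-regex job, which is exactly why the DNS logs gave the contractor away. The script below is an added example for this article, not the author's tooling or anything from onion.link; it assumes BIND-style query log lines (the sample lines are constructed) and uses the proxy domains named in this article as its known list. It also catches the generic "<onion>.onion.<anything>" shape used by proxies not on the list, while deliberately ignoring a random 16- or 56-character base32 label under some unrelated domain, so it does not fire on every host that happens to look like an onion address.

```python
import re

# Proxy domains named in this article. The regex below also catches any "<onion>.onion.<domain>"
# name, so a proxy missing from this set is still reported, just not as a known one.
KNOWN_PROXY_DOMAINS = {
    "onion.rent", "onion.top", "onion.pet", "onion.ws", "onion.nz", "onion.link",
    "tor2web.xyz", "onion.to", "darknet.to", "onion.nu", "tor2web.ch", "onion.moe",
    "onion.gg", "onion.sh", "tor2web.io", "onion.rip",
}

# BIND-style query log: "client [@0x...] IP#PORT (qname): query: qname IN TYPE ..."
QUERY_LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")
# A v2 (16 base32 chars) or v3 (56 base32 chars) onion label, then the proxy's domain.
ONION_LABEL_RE = re.compile(
    r"^(?:.+\.)?(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.(?P<domain>[a-z0-9.-]+)$")


def classify_qname(qname):
    """Return (onion address, proxy domain, known proxy?) or None for an ordinary name."""
    m = ONION_LABEL_RE.match(qname.rstrip(".").lower())
    if not m:
        return None
    domain = m.group("domain")
    known = domain in KNOWN_PROXY_DOMAINS
    # A random base32 label under some other domain is not evidence of anything.
    if not known and not domain.startswith("onion."):
        return None
    return m.group("onion") + ".onion", domain, known


def find_tor2web_lookups(log_lines):
    """Rows of (client IP, onion address, proxy domain, known proxy?) from resolver logs."""
    rows = []
    for line in log_lines:
        m = QUERY_LOG_RE.search(line)
        if not m:
            continue
        hit = classify_qname(m.group("qname"))
        if hit:
            rows.append((m.group("ip"),) + hit)
    return rows


# Constructed sample log lines in BIND query-log style; the onion names are the ones this
# article uses (the author's test onion and the DeepDotWeb onion).
SAMPLE_LOG = """\
30-Sep-2018 12:00:01.101 queries: info: client @0x7f3c2c0a1b20 10.0.0.5#53211 (fenuqthznfkq5mry.onion.link): query: fenuqthznfkq5mry.onion.link IN A +E(0)K (10.0.0.1)
30-Sep-2018 12:00:02.204 queries: info: client @0x7f3c2c0a1b20 10.0.0.5#53212 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
30-Sep-2018 12:00:03.307 queries: info: client @0x7f3c2c0a1b20 10.0.0.7#41002 (deepdot35wvmeyd5.onion.rent): query: deepdot35wvmeyd5.onion.rent IN A +E(0)K (10.0.0.1)
30-Sep-2018 12:00:04.410 queries: info: client @0x7f3c2c0a1b20 10.0.0.7#41003 (deepdot35wvmeyd5.tor2web.xyz): query: deepdot35wvmeyd5.tor2web.xyz IN AAAA +E(0)K (10.0.0.1)
30-Sep-2018 12:00:05.513 queries: info: client @0x7f3c2c0a1b20 10.0.0.9#50001 (fenuqthznfkq5mry.onion.example): query: fenuqthznfkq5mry.onion.example IN A +E(0)K (10.0.0.1)
30-Sep-2018 12:00:06.616 queries: info: client @0x7f3c2c0a1b20 10.0.0.9#50002 (abcdefghijklmnop.example.com): query: abcdefghijklmnop.example.com IN A +E(0)K (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    for ip, onion, domain, known in find_tor2web_lookups(SAMPLE_LOG):
        print(f"{ip} -> {onion} via {domain}{'' if known else ' (unlisted proxy)'}")
```

Run against a real resolver's logs the same rows come out with the internal client IP attached, which is the whole point: the Tor network never saw these users, but the corporate DNS server did.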

Sadly, the server timed out when I tried to access my Tor2Web Test site. So here are the contents of the returned 504 page received after running curl http://fenuqthznfkq5mry.onion.link

Even with JavaScript turned off, the noscript fallback still loads an ad image straight from the ad network, so the visitor’s IP address (and, by default, a Referer header naming the proxied page) still reaches exosrv.com:

<noscript>
<a href="https://main.exosrv.com/img-click.php?idzone=2935598" target="_blank">
<img src="https://syndication.exosrv.com/ads-iframe-display.php?idzone=2935598&amp;output=img&amp;type=468x60" width="468" height="60"/></a>
</noscript>

Tor2Web.xyz

Analytics.

There’s nothing special here. Just another Tor2Web proxy that uses Google Analytics. It serves as an example that not only onion.* proxies are tracking users. Tor2Web.link, an older proxy, now redirects to Tor2Web.xyz. Google Analytics: UA-122985376-1

And here is the output of curl http://fenuqthznfkq5mry.tor2web.xyz

Onion.to

Surprisingly, Tor2Web proxies can function without tracking.

Standard Tor2Web homepage.

Onion.to is one of the only Tor2Web proxies that I cannot complain about as far as bad Tor2Web proxies go. It is still a Tor2Web proxy and thus still poses a problem for the anonymity of idiots.

Onion.to takes some neighborly precautions, though. They have an appropriate robots.txt page that disallows Googlebot-Image from crawling *onion.to sites and disallows any bot from crawling the /images/ directory. Onion.to also handles CheckTor properly, unlike the majority of the proxies in existence. It also properly warns users they are not anonymous.

This is what Tor2Web proxies /should/ be doing.

And the result of curl http://fenuqthznfkq5mry.onion.to

Darknet.to

Analytics.

Nothing special here. Just another example of a Tor2Web proxy that does not end in .onion.*. Google Analytics: UA-123792613-1

There are many more. I will leave some additional examples of the primarily boring hidden service/onion service proxies below. The more interesting ones will be covered in a future article.

Onion.nu

Google Analytics: UA-122936147-1

Tor2Web.ch

Currently down. Google Analytics: UA-77235902-1

Onion.moe

Weirdly safe as far as tracking goes. No weird phishing activity. Loads Dream market with /?daymode=turnLightsOff&globalUpdateToken=279372393 enabled by default though.

Onion.gg

Onion.gg, along with onion.gy, onion.je, onion.vin, onion.wine, and onion.bio, is either owned by the Russian darkweb market “Hydra” or used to scam Hydra users. The answer varies depending on who you ask.

Onion.sh

No tracking

tor2web.io

No tracking

onion.rip

Currently down. Horrible. Injects JS. Advertises VPNs.
