Tor2Web Proxies Are Using Google Analytics to Secretly Track Users

Caleb
Sep 30, 2018 · 8 min read

Tor2Web and similar hidden service reverse proxies are categorically awful. Almost every public Tor2Web server is giving your “Tor” browsing history to Google. Some don’t. Some exist only to steal cryptocurrency or facilitate fraud. All of them leave users open to detection.

This will likely be the first of many articles about Tor2Web and Web2Tor proxies. Once I finish investigating some of the more malicious ones, I will publish another drafted article about hidden service proxies and phishing. This primarily covers how common it is for these proxies to track users with analytics services. And it covers part of the most annoying proxy ever: onion.rent.

[Image: Bullshit loading alongside Dream Market when loaded through a Tor2Web proxy]

Onion.rent

Malicious. Lazy. Somehow successful.

Onion.rent, the older sibling of “onion.top,” is more annoying than many other proxies combined. Unlike many of the other servers mentioned in this list, onion.rent is not particularly interested in tracking your every move. Instead, since the very inception of onion.rent, onion.top, and other members of the same family, the actors behind the proxies have relentlessly targeted users of the Dream darkweb marketplace. The owner(s) earn tens of thousands of dollars every month with one simple trick™.


They own so many of the DeepDotWeb clones that their numbers game has fully paid off. They are sitting on hundreds of darkweb related domain names. Probably half of their total domain collection is dedicated to domains that fit the “typosquatting” definition. For example, DeepDoWeb.com (notice the lack of a “t” between the “o” and the “w”) is actually used as one of the primary phishing clones, and their other sites with similar typos just proxy content from DeepDoWeb.com.

When you visit the DeepDotWeb onion site (deepdot35wvmeyd5.onion) via onion.rent, you are fed a page that looks almost identical. Lately the clone has been a few articles behind. It does not take long for anyone with experience on both the real version and the onion.rent version to realize something is screwed up. And it is; on the real onion, when you access the market directory list, clicking on the title of a darkweb marketplace opens a page with links and site information. Clicking on the Dream darkweb market listing on the onion.rent version of the DeepDotWeb hidden service automatically redirects users to a Dream market address.

[Image: 2pjwzzms2yqlrkhp.onion is surprisingly a real Dream Market address]

Given the onion.rent operator’s history with Dream, one might expect that the redirected Dream address was not an official Dream link. Oddly enough, the link was (and still is) an official link that anyone can confirm against SpeedStepper’s public key. The address is the “2pjwzzms2yqlrkhp.onion” address (archive). Furthermore, Dream is completely accessible and usable through onion.rent.

On the surface, the proxied Dream Market works as it should. But it only almost works correctly. Dream Market provides customers with new Bitcoin addresses for making deposits on the market. Here is what that looks like to someone visiting the Bitcoin wallet settings panel on the market:


And, for the paranoid customers, Dream provides a method through which a Bitcoin address can be linked to the user’s account. Just as Dream market lets users verify its onion addresses against a signed message, it provides a similar signed verification for Bitcoin addresses. Here is what one looks like:

[Image: Wait… The two addresses don’t match…]

The screenshots above were taken only 30 seconds apart yet something very important changed. The address (censored) in the signed PGP message does not match the address from the page only one click away. Fluke? Nope. I double checked it and then started monitoring the address changes over time. The operators of onion.rent and related proxies are making some serious money.


Back to injected analytics. To quickly test what type of nonsense each proxy did when visiting a Tor site, I created a basic hidden service with the text “Tor2Web Test” to easily see which proxies injected unwanted content. Here is the result of torsocks curl http://fenuqthznfkq5mry.onion without any proxies:

fenuqthznfkq5mry.onion is the address I set up for testing. I have since pulled it.

Onion.pet

Analytics. Share your darknet market experience with your friends!

Onion.pet makes no promises about privacy. They cannot be faulted for any violation of statements made regarding the privacy of their users. But not only do they track users via Google Analytics, they also thought adding AddToAny’s “Share Buttons” was a wise decision.

Google Analytics: UA-111355066-1


AddToAny supports integrated analytics, of course. Because every (darknet drug market user) innocent hidden service user wants to share a .onion link with their friends on Tumblr.

The Tor2Web Test Page with AddToAny Share Buttons

Here is the output of curl http://fenuqthznfkq5mry.onion.pet


Onion.ws

Deceptive. Loves analytics.

Their privacy policy does not claim that they don’t track user data, but it does claim to protect identities “by not logging user requests.”

Onion.ws does its best to protect users’ identities by using SSL encryption and not logging user requests; however, we cannot guarantee users anonymity as well as using the Tor Browser directly. FAQ

Google Tag Manager: UA-123404068-1

Yandex Webmaster: 32c083e5492f2f5a

I emailed the owner of the server and asked for clarification regarding the apparent discrepancy between the privacy policy and the injection of unwanted JavaScript sending precise analytics back to — at a minimum — Google. I have not yet received a reply.


And here is curl https://fenuqthznfkq5mry.onion.ws

Notice this as it is something that shows up often:

<!-- Global site tag (gtag.js) - Google Analytics --> 
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-123404068-1"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-123404068-1');
</script> </html>
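The test described earlier (fetch the marker page directly over Tor, fetch it again through a proxy, compare) can be automated. The following script is an added example, not code from the original post or from any of the proxies; both response bodies are embedded as constructed strings so it runs offline, with the proxied body reusing the gtag.js snippet quoted above from onion.ws, the Yandex verification value listed for onion.ws, and the noscript ad beacon quoted later from onion.link. It reports every third-party host the proxy added, which of those are known trackers, any Google Analytics property IDs, and which resources would still load with JavaScript disabled. The tracker host list and the log-line assumptions are mine, not the post's.

```python
"""Added example (not from the original post): detect what a Tor2Web proxy
injects into a proxied .onion page by diffing the body fetched directly over
Tor against the body fetched through the proxy.

In real use, ORIGIN_BODY would be the output of `torsocks curl http://<onion>`
and PROXIED_BODY the output of `curl http://<onion>.<proxy>`.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the test hidden service returns nothing but its marker text.
ORIGIN_BODY = "<html><body>Tor2Web Test</body></html>"

# Constructed: the same page as a tracking proxy returns it. The gtag.js block,
# the Yandex verification value and the <noscript> beacon are the ones quoted
# in the post (onion.ws and onion.link respectively), combined into one body.
PROXIED_BODY = """<html><head><meta name="yandex-verification" content="32c083e5492f2f5a"></head>
<body>Tor2Web Test</body>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-123404068-1"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-123404068-1');
</script>
<noscript>
<a href="https://main.exosrv.com/img-click.php?idzone=2935598" target="_blank">
<img src="https://syndication.exosrv.com/ads-iframe-display.php?idzone=2935598&amp;output=img&amp;type=468x60" width="468" height="60"/></a>
</noscript>
</html>"""

# Google Analytics property IDs as they appear in gtag('config', 'UA-...').
UA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,3}\b")
# Yandex site-verification meta tag (the "Yandex Webmaster" value in the post).
YANDEX_META_RE = re.compile(r'name="yandex-verification"\s+content="([0-9a-f]+)"', re.I)
# Third-party hosts named in the post; assumption: extend this for your own scans.
TRACKER_HOST_SUFFIXES = (
    "googletagmanager.com", "google-analytics.com", "addtoany.com",
    "exosrv.com", "mc.yandex.ru",
)


class ExternalResourceParser(HTMLParser):
    """Collect the host of every script/img/iframe/link resource, and separately
    those inside <noscript>, which the browser fetches even with JS disabled."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.noscript_hosts = set()
        self._noscript_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self._noscript_depth += 1
            return
        if tag not in ("script", "img", "iframe", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())
                    if self._noscript_depth:
                        self.noscript_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "noscript" and self._noscript_depth:
            self._noscript_depth -= 1


def parse_resources(html):
    parser = ExternalResourceParser()
    parser.feed(html)
    return parser


def is_tracker_host(host):
    return any(host == s or host.endswith("." + s) for s in TRACKER_HOST_SUFFIXES)


def scan_injection(origin_html, proxied_html):
    """Report what the proxied response carries that the origin response did not."""
    origin, proxied = parse_resources(origin_html), parse_resources(proxied_html)
    injected = sorted(proxied.hosts - origin.hosts)
    ids = set(UA_ID_RE.findall(proxied_html)) - set(UA_ID_RE.findall(origin_html))
    return {
        "marker_preserved": "Tor2Web Test" in proxied_html,
        "injected_hosts": injected,
        "tracker_hosts": sorted(h for h in injected if is_tracker_host(h)),
        "noscript_hosts": sorted(proxied.noscript_hosts - origin.noscript_hosts),
        "analytics_ids": sorted(ids),
        "yandex_verification": YANDEX_META_RE.findall(proxied_html),
    }


if __name__ == "__main__":
    print(json.dumps(scan_injection(ORIGIN_BODY, PROXIED_BODY), indent=2))
```

Hosts are compared as a set difference rather than a textual diff because proxies also rewrite links and add whitespace; what matters is where the browser will send a request, not how the markup was reflowed.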

Onion.nz

Analytics.

Generic example of a Tor2Web proxy with Google Analytics.

Google Tag Manager: UA-123404068-1


Here is the result of curl https://fenuqthznfkq5mry.onion.nz


Onion.link

Awful and straightforward about being awful. Analytics, ads, invasive cookies.


Onion.link makes zero attempts to stealthily collect identifying information on users of the service. Here is part of the privacy policy about tracking identifying information:

OnionLink also collects potentially personally-identifying information like Internet Protocol (IP) addresses for users. Personally-identifying information such as IP addresses is disclosed solely in cases where compelled to under United States, Singapore, or international law.

And then a casual mention of advertisements:

Ads appearing on our website are delivered by advertising partners, who often set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you. OnionLink itself does not use cookies.

Onion.link ads are currently served from ads.exosrv.com/ads.js. Onion.link was, at one point, a different Tor2Web proxy at the onion.city URL and was owned by the owners of the defunct onion.glass.

Also, one of the only recent examples of a Tor2Web proxy contributing to someone’s arrest involved onion.link. A NASA contractor used onion.link to access child abuse content and someone spotted the onion.link address in the DNS logs. This is far from a problem exclusive to onion.link, though. Your DNS server can see the onion sites you visit through Tor2Web proxies.
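Because a Tor2Web name like fenuqthznfkq5mry.onion.link is an ordinary DNS query, a resolver log is enough to see which onion sites a client reached through a proxy. The script below is an added example, not from the original post: it scans constructed resolver log lines (a simple "timestamp client query type" format that I made up; adapt LINE_RE to your resolver's real format) and flags queries whose suffix is one of the proxies named in this post, plus, as a generalisation beyond the post, any query containing a label shaped like a v2 (16 base32 characters) or v3 (56 base32 characters) onion address, which catches proxies not on the list.

```python
"""Added example (not from the original post): flag Tor2Web proxy use in a
DNS resolver log, the kind of evidence the post says exposed an onion.link user.

Log lines and their format are constructed for this example.
"""
import re

# Proxy suffixes named in the post. Assumption: extend this list for your own
# environment; it is illustrative, not exhaustive.
KNOWN_PROXY_SUFFIXES = (
    "onion.rent", "onion.top", "onion.pet", "onion.ws", "onion.nz", "onion.link",
    "onion.city", "tor2web.xyz", "tor2web.link", "onion.to", "darknet.to",
    "onion.nu", "tor2web.ch", "onion.moe", "onion.gg", "onion.sh", "tor2web.io",
    "onion.rip",
)

# A v2 onion address is 16 base32 characters, a v3 address is 56. A DNS label
# of exactly that shape almost never occurs in ordinary names, so it serves as
# a generic detector for proxies that are not on the list.
ONION_LABEL_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Constructed log format: "<timestamp> client=<ip> query=<name> type=<qtype>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)

# Constructed sample log: two benign lookups and three proxy lookups.
SAMPLE_LOG = """\
2018-09-30T12:00:01Z client=10.0.0.5 query=www.example.com type=A
2018-09-30T12:00:02Z client=10.0.0.5 query=fenuqthznfkq5mry.onion.link type=A
2018-09-30T12:00:03Z client=10.0.0.9 query=deepdot35wvmeyd5.onion.rent type=AAAA
2018-09-30T12:00:04Z client=10.0.0.7 query=fenuqthznfkq5mry.darknet.to type=A
2018-09-30T12:00:05Z client=10.0.0.7 query=mail.example.org type=MX
"""


def classify_qname(qname):
    """Return (verdict, onion_label) for one queried name.

    verdict is "known-proxy" for a listed suffix, "onion-shaped-label" when
    only the address-shaped label gives it away, and None for a benign name.
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    onion = next((label for label in labels if ONION_LABEL_RE.match(label)), None)
    known = any(name == s or name.endswith("." + s) for s in KNOWN_PROXY_SUFFIXES)
    if known:
        return "known-proxy", onion
    if onion:
        return "onion-shaped-label", onion
    return None, None


def scan_dns_log(text):
    """Return one finding per log line that looks like Tor2Web proxy use."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line format: skip rather than guess
        verdict, onion = classify_qname(m["qname"])
        if verdict:
            findings.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"],
                "verdict": verdict,
                "onion_address": onion,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_LOG):
        print(finding)
```

The onion label is reported separately from the full query name so that an analyst can see which hidden service was reached without having to strip the proxy suffix by hand; the same regex also works on proxy names (darknet.to, tor2web.xyz) that do not contain the word "onion".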


Sadly, the server timed out when I tried to access my Tor2Web Test site. So here are the contents of the returned 504 page received after running curl http://fenuqthznfkq5mry.onion.link

Even if a user had JS turned off, onion.link would still get some user data:

<noscript>
<a href="https://main.exosrv.com/img-click.php?idzone=2935598" target="_blank">
<img src="https://syndication.exosrv.com/ads-iframe-display.php?idzone=2935598&amp;output=img&amp;type=468x60" width="468" height="60"/></a>
</noscript>

Tor2Web.xyz

Analytics.


There’s nothing special here. Just another Tor2Web proxy that uses Google Analytics. It serves as an example that not only onion.* proxies are tracking users. Tor2Web.link, an older proxy, now redirects to Tor2Web.xyz. Google Analytics: UA-122985376-1

And here is the output of curl http://fenuqthznfkq5mry.tor2web.xyz


Onion.to

Surprisingly, Tor2Web proxies can function without tracking.

[Image: Standard Tor2Web homepage.]

Onion.to is one of the only Tor2Web proxies that I cannot complain about as far as bad Tor2Web proxies go. It is still a Tor2Web proxy and thus still poses a problem for the anonymity of idiots.

Onion.to takes some neighborly precautions, though. They have an appropriate robots.txt page that disallows Googlebot-Image from crawling *onion.to sites and disallows any bot from crawling the /images/ directory. Onion.to also handles CheckTor properly, unlike the majority of the proxies in existence. It also properly warns users they are not anonymous.

[Image: This is what Tor2Web proxies /should/ be doing.]

And the result of curl http://fenuqthznfkq5mry.onion.to


Darknet.to

Analytics.

Nothing special here. Just another example of a Tor2Web proxy that does not end in .onion.*. Google Analytics: UA-123792613-1


There are many more. I will leave some additional examples of the primarily boring hidden service/onion service proxies below. The more interesting ones will be covered in a future article.

Onion.nu

Google Analytics: UA-122936147-1

Tor2Web.ch

Currently down. Google Analytics: UA-77235902-1

Onion.moe

Weirdly safe as far as tracking goes. No weird phishing activity. Loads Dream market with /?daymode=turnLightsOff&globalUpdateToken=279372393 enabled by default though.

Onion.gg

Onion.gg, along with onion.gy, onion.je, onion.vin, onion.wine, and onion.bio, is either owned by the Russian darkweb market “Hydra” or used to scam Hydra users. The answer varies depending on who you ask.

Onion.sh

No tracking

tor2web.io

No tracking

onion.rip

Currently down. Horrible. Injects JS. Advertises VPNs.
