Detection and Analysis of Tor Onion Services

Keywords: Tor, Darknet, onion services, analysis


Tor onion services can be accessed and hosted anonymously on the Tor network.
We analyze the protocols, software types, popularity and uptime of
these services by collecting a large amount of .onion addresses. Websites are
crawled and clustered based on their respective language. In order to also
determine the amount of unique websites a de-duplication approach is implemented.
To achieve this, we introduce a modular system for the real-time
detection and analysis of onion services. The overall data reveals
that a large amount of permanent services provide no actual content for Tor
users. A significant part consists instead of bots, services offered via multiple
domains, or duplicated websites for phishing attacks. The total amount of
onion services is thus significantly smaller than current statistics suggest


Download data is not yet available.

Author Biographies

Martin Steinebach, Fraunhofer SIT, Germany

Martin Steinebach is the manager of the Media Security and IT Forensics division at Fraunhofer SIT. From 2003 to 2007 he was the manager of the Media Security in IT division at Fraunhofer IPSI. He studied computer science at the Technical University of Darmstadt and finished his diploma thesis on copyright protection for digital audio in 1999. In 2003 he received his PhD at the Technical University of Darmstadt for this work on digital audio watermarking. In 2016 he became honorary professor at the TU Darmstadt. He gives lectures on Multimedia Security as well as Civil Security. He is Principle Investigator at ATHENE and represents IT Forensics and AI security. Before he was Principle Investigator at CASED with the topics Multimedia Security and IT Forensics. In 2012 his work on robust image hashing for detection of child pornography reached the second rank “Deutscher IT Sicherheitspreis”, an award funded by Host Görtz.

Marcel Schäfer, Fraunhofer USA CESE

Marcel Schäfer serves as Senior Research Scientist for the Fraunhofer USA Center for Experimental Engineering CESE in Maryland since 2019. From 2009 to 2018 he was with Fraunhofer Institute for Secure Information Technologies SIT in Germany. With a Master’s degree in mathematics from the University of Wuppertal, Germany and a PhD in computer science from the Technical University of Darmstadt, Germany, he consults and teaches for topics on dark web, privacy networks and anonymous communication, and also serves as a subject matter expert for privacy, e.g. GDPR and data anonymization. As PI, Co-PI and researcher Dr. Schäfer has lead and worked in various projects that discover new challenges and opportunities broadly spread over the fields of cybersecurity and software engineering in both the public and private sector.

Katharina Brandl, Fraunhofer SIT, Germany

Katharina Brandl studied computer science in Marburg and finished her master degree in 2012. During her studies she was part of the programming languages research group of Prof. Ostermann where she also wrote her master thesis about a type system for parametric tree grammars. Since 2017 she is part of the PANDA project at the Fraunhofer SIT. The PANDA project is an interdisciplinary project researching the darknet and there she is responsible for the computer science part of the project.


The Pirate Bay. The pirate bay – about.,

[Online; As seen on 04 February 2019].

A. Biryukov and Weinmann R. Pustogarov, I. Trawling for tor hidden

services: Detection, measurement, deanonymization. 2013 IEEE

Symposium on Security and Privacy, 2013.

A. Biryukov, R. Weinmann, I. Pustogarov and F. Thill. Content and

popularity analysis of tor hidden services. 2013.

J. Buxton and T. Bingham. The rise and challenge of dark net drug

markets. 2015.

“Legislative Counsel California”. California consumer privacy act.

AB375, 2018. Assembly Bill No. 375.

U. K. National Cyber Security Centre. Advisory: Trickbot banking

trojan., 2018.

[Online; As seen on 03 February 2019].

N. Desai. Summer reruns: Threat actors are sticking with malware that


ware-works/, 2018. [Online; As seen on 03 February 2019]. Duckduckgo traffic.,

[Online; As seen on 01 February 2019].

C. Guarnieri and M. Schloesser. Skynet, a tor-powered botnet straight

from reddit.

straight-from-reddit/, 2012. [Online; As seen on 10 November


K. Hayashi. Backdoor.aimvision.

y-center/writeup/2002-061316-4604-99, 2002. [Online; As seen on

February 2019].

D. Knowles. Backdoor.ultor.

/writeup/2002-101713-3321-99, 2002. [Online; As seen on 01 February


B. Lesser, G. Guilizzoni, J. Lott, J. Reinhardt and R. Watkins. Programming

Flash Communication Server. O’Reilly Media; First Edition, P. xii,

A. J. Martin. Iranian web crackdown drives surge in privacy

technology. iranian-web-crackdown-drivessurge-

in-privacy-technology-11191740, 2019. [Online; As seen on

February 2019].

D. Moore and T. Rid. Cryptopolitik and the darknet. Global Politics and

Strategy Volume 58, 2016 – Issue 1, 2016. Nmap manual – chapter 14. understanding and customizing

nmap data files., 2019.

[Online; As seen on 03 January 2019]. Nmap manual – chapter 15. nmap reference guide. https:

//, 2019. [Online; As seen

on 03 January 2019].

“Office Journal of the European Union”. Regulation (eu) 2016/679 of

the european parliament and of the council of 27 april 2016. https://eurlex.,

G. Owen and N. Savage. Empirical analysis of tor hidden services. IET

Information Security (Volume: 10, Issue: 3 , 5 2016), 2015. Police shut down the wall street market, a top dark web site.

reet-market-a-top-dark-web-site, 2019. [Online; As seen on 03 May

. Secure drop – share documents securely with these

organizations., 2019. [Online; As seen on

February 2019]. Port 1111 details.

php?port=1111, 2019. [Online; As seen on 01 February 2019].

ProtACT Team and InTELL Team. Large botnet cause of recent tor

network overload.

of-recent-tor-network-overload/, 2013. [Online; As seen on

November 2018]. Metrics,

[Online; As seen on 16 November 2018]. Tor is released: We have a new stable series!

-series, 2018. Tor rendezvous protocol, version 2.

torproject/torspec/blob/master/rend-spec-v2.txt, 2018. [Online; As seen

on 09 November 2018]. Tor rendezvous protocol, version 3.

torproject/torspec/blob/master/rend-spec-v3.txt, 2018. [Online; As seen

on 09 November 2018]. Configuring onion services for tor. https://www.torpro, 2019. [Online; As seen on

January 2019]. Tor dev manual.

nual-dev.html.en, 2019. [Online; As seen on 03 January 2019]. User metrics.

ay-country.html, 2019. [Online; As seen on 01 February 2019].

Wikipedia. Support-vector machine.

ort-vector_machine. [Online; As seen on 28 November 2019].

W. Zamora. Trickbot takes over as top business threat. https://blog.mal, 2018.

[Online; As seen on 03 February 2019]. Roskomnadzor blocked the website “rospravosudie” on

complaint about the publication of personal data.

news/2018/07/18/rospravosudie, 2018. [Online; As seen on 05 February


ARES 2019 workshops