
Doxbin’s Nachash On Operation Onymous (P.1)

Second part available at – #Nashcash Tag (After publishing) – Read the other posts related to Operation Onymous Here

Among the Friday night chatter regarding Operation Onymous I noticed that doxbin was among the sites that had gone missing. If doxbin is new to you, it was a site just for dox, closely associated with Encyclopedia Dramatica. After checking to make sure that wasn’t a troll I decided to track down the particulars, because nachash is basically the Richard B. Riddick of the internet. I figured if anyone had some insight into what actually happened, it would be him – a couple of years ago nachash shared that his motivation for taking the site over from the original operator was so he could hone his methods of protecting onions in the most difficult environment imaginable.

@loldoxbin and @ioerror (Jacob Appelbaum) were publicly talking about logs Friday night. This later popped up as a long post on the tor-dev list – a 1,300 word writeup with an onion address containing the logs, the source of the site, and the details of the work nachash did to secure the system.

yes hello, internet super villain here

While he was writing that I caught up with him on IRC. He was pretty adamant that doxbin will not be coming back again. About a year ago nachash publicly retired and turned operation of the site over to another hacker named Intangir, but he got it back last July.

(11:38:13 PM) nachash: tl;dr I guess we’ll see if they can do anything @ me as a human
(11:38:23 PM) nachash: but I have no plans of reviving doxbin
(11:38:41 PM) nachash: I could move boxes and tighten it up some more
(11:38:51 PM) nachash: and publish the hidden service descriptors again
(11:38:54 PM) nachash: pull in some of the traffic
(11:38:57 PM) nachash: and rebuild that way
(11:38:58 PM) nachash: but honestly
(11:39:06 PM) nachash: it’s a fucking 12 year old skid shit show
(11:39:10 PM) nachash: not worth my time

After the tor-dev post went up there was a lot of chatter theorizing about how the takedown was accomplished. There was talk of SQL injection being how the markets were compromised, but that made no sense for doxbin, as the site didn’t even have a SQL database – it was done with flat files. There are a lot of theories being floated, but it seems that there is a stealthy DoS that loads up the Tor process, and this is being used to trigger admin visits to servers and otherwise work at deanonymizing them. This tweet was fairly interesting for those who want the gritty details, and there are many more like it in @loldoxbin’s timeline.

There were a couple of questions posed on tor-dev, and nachash returned with further clarifications in this post:

yes hello, internet supervillain (follow up)

The Tor Project posted their Thoughts and Concerns about Operation Onymous about thirty-six hours later. The eye-opening paragraph has to do with the seizure of relays:

“We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?”

Nothing is certain at this point, but the analysis contained speculation as to how these takedowns were accomplished. The theories include:

1.) OPSEC troubles, which were clearly the issue for Silk Road 2.0
2.) SQL injection, but this was clearly not how doxbin was taken
3.) Bitcoin de-anonymization, but again not an issue for doxbin
4.) Direct attacks on the Tor network itself

As for doxbin itself, I think they missed one – it’s quite possible that the site merely had the bad luck to be quartered in a facility that housed a more serious target, and it was picked up as a target of opportunity.

The Tor Project blog post closed with advice to concerned hidden service operators. The attacks being used were based on resource exhaustion, with the implicit advice being that more RAM and more cores are a cheap insurance policy. The other notable suggestion was manual selection of the guard node for your hidden service. That guard is another box to register and fund with the same stealth as the server hosting the hidden service, because the guard is the relay that sees the hidden service’s real IP address.
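As an added illustration of what that guard-pinning advice looks like in practice (this is an example written for this page, not nachash’s configuration or anything from the Tor Project’s post), here is a torrc fragment for a hidden service whose first hop is restricted to a relay the operator runs. The relay fingerprint and the directory paths are placeholders, not real values:

```text
# torrc for a hidden service that pins its entry guard.
# Added example; the fingerprint and paths are placeholders.

# The hidden service itself. Keeping the web server on a separate
# machine from the Tor daemon means a fault in the site's code does
# not hand out the Tor host's address along with it.
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

# Restrict the first hop to a relay you operate yourself.
# $<40 hex chars> is that relay's identity fingerprint (placeholder).
UseEntryGuards 1
EntryNodes $0123456789ABCDEF0123456789ABCDEF01234567
```

Two caveats a practitioner will want: the exact fallback behaviour when the listed relay is unreachable depends on the Tor version, so check the EntryNodes and StrictNodes entries in the manual for the release you run rather than assuming Tor will refuse to build circuits; and pinning one relay only helps if that relay is procured and hosted with the same care as the hidden service box, since a guard that can be tied to you identifies the hidden service just as surely as the hidden service’s own IP would.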

Taking a step back from the technical details, Tor is not a cloak of invisibility; it’s a piece of software with network and cryptographic features, and both offer an attack surface to a motivated intruder. The lesson for site operators is simple: what happens when a fault in Tor exposes your server? If your answer is a deer-in-headlights look, you need to leave this work to others.

3 comments

  1. You want my opinion? There’s only 3 main servers in the world which all traffic is routed through. There are only a few companies which provide the ‘highway’ for us to travel (e.g. akamai technologies, etc). I believe that all Tor nodes/relays were isolated in one sector of one of these servers. I then believe that the ‘global adversary’ approach was employed. I think that Prism like technology, coupled with some seriously hardcore math programme, was used in order to decrypt and decipher as much information as possible. I also believe that the mixers were a priority target – I think that DDoSing them is easier, and then they are able to follow the breadcrumb trail along with information collated.

    In turn, they’re slowly painting a picture of the network; the hidden net is not as hidden as you think. It may be ‘safer’ than clear net, but it’s by no means more or less secure. The cracking of data encryption is the hard part, but if you have a box with all the pieces of the jigsaw puzzle in it (no matter how many pieces there are) sooner or later you’re going to complete your puzzle. And this is on the same basis as to how Tor may have been attacked. (Remember – all you need is hundreds of man-in-the-middle nodes, and before you know it, you may have the middle and exit node for your attack to be highly rewarding.)

    In total – Tor is data encryption, how it’s encrypted is not the issue. The issue is how the encryption can be cracked. And this is always possible; no code is flawless and neither is the system it operates in.

  2. Neal Rauhauser you are such a hypocrite, you used to hang out gossiping on ED IRC every single night and write attack articles about people all the time. If you are going to be a 5hitbag at least be consistent.
