The Daniel's Hosting Hack and Darkweb Security
Daniel’s Hosting was one of the most popular services to host contents on the darkweb, operated by a German man named Daniel Winzen. The fact that the operator of a service which was used for all kinds of illegal activities, along with dissident and politically-charged websites is publicly known may appear strange. However, Germany has laws providing a relatively strong legal shield that protects hosting and service providers from the legal consequences of the actions of their customers as long as certain steps are taken. Subsequently, many services operating in the darkweb ecosystem are run or developed by German individuals.
On November 15th, the hosting service was hacked by an unknown individual who subsequently deleted all of the sites hosted on it. Due to the anonymous nature of the service, there were no official backups of the hosted contents. We know this because the operator of the service itself states as much.
How did the hack happen?
The exact mechanism through which the service was hacked are unknown at this point. Mr. Winzen is keeping a public log of suspected vulnerabilities, incident alerts and steps taken in his investigation on his private website. This by itself is a stark departure from standard corporate incident response. While cultural factors may play a role in this as well, the absence of a regulator or an overseeing agency such as a government or police mean that complete transparency is the only way for operators of darkweb services to restore trust in their product.
Mr. Winzen also took the unusual step of explicitly requesting that the attacker contact him. Regular businesses would not and could not take such measures since it would further erode customer trust and potentially expose them to litigation risks. However since neither of these risks can realistically be applied to a darkweb service, obtaining information on how the service was breached directly from the attacker is a surprisingly reasonable way to mitigate the attack and restore customer trust. We do however consider it unlikely that the attacker will comply with the request.
A further factor in the incident is that the source-code used for the service was made publicly available by Mr. Winzen. The availability of source-code allows attackers to replicate environments and perform attacks with much more precision than would normally be possible.
Who performed the attack?
Usually, we can create at least a rough profile of attackers based on their actions. For example, if a company is breached and payment data is stolen or private information is auctioned off, we can assume to be dealing with criminals interested in monetary gain. If a high-tech company is breached and production secrets are stolen but not sold, we can assume that competitors or government actors were behind the attack.
However, since Daniel’s Hosting was used for anything from cyber crime to dissident blogs to black markets, virtually all common attackers have a motive.
For example, a government actor taking down an irksome blog, a competing hosting service eliminating the competition, a criminal organization eliminating evidence and activists making a statement are all realistic scenarios.
Security is a trade-off between the cost to hack something and the amount individuals are willing to spend on hacking something. This puts all darkweb services into a risky situation. Due to their semi-legal or outright illegal nature, most of them cannot rely on extended infrastructure to create highly secure environments. While individuals can dubiously write secure code, the complexity of modern technology requires at least some constant monitoring, which is hard for individuals to perform.
At the same time, darkweb services represent targets that many different entities are willing to spend significant resources to hack.
We therefore expect breaches of darkweb services to continue for the foreseeable future.