As we all know, Tor is the best way to access the darknet because of its magnificent built-in privacy features. This means that your data is not tracked, your online identity automatically renews each time you open the browser, and you’ll never reveal your true IP address while using the Tor Browser… Or so we thought.
The FBI captured an ISIS member named Muhammed Momtaz Al-Azhari by tracking his IP address back to his grandmother’s house. According to the report, they linked his IP address to an ISIS propaganda Darknet website. How did the FBI do this? And what does this mean for you?
Linking Al-Azhari To Darknet Website
On May 24th, 2020, an Islamic terrorist by the name of Muhammed Momtaz Al-Azhari was arrested by the FBI. The arrest came after multiple months of investigation, once Al-Azhari had taken possession of multiple weapons with the intent to attack. The FBI concluded that the suspect was an ISIS supporter who planned and attempted to carry out an attack on behalf of that terrorist organization.
The FBI had gathered so much evidence that the ISIS member was planning an attack that he stood in court just three days after his arrest. By December 20th, 2020, Al-Azhari had been sentenced to 20 years in federal prison.
This was not Al-Azhari’s first run-in with the law: he had faced prior terrorism charges in Saudi Arabia. While all this is interesting, it’s the events that led up to his investigation that interest us today. According to the report:
On May 14, 2019, 12 visits were made to a known TOR-based website that hosts unofficial propaganda and photographs related to ISIS. The website view originated from IP address 22.214.171.124, which resolved to an address in Riverside, California, that is registered with Charter Communications, and at which AL-AZHARI resided at his grandmother’s residence at the time before he returned to Tampa in June 2019.
(US Court, Middle District of Florida, Tampa Division)
Along with his IP, the FBI traced the following activity on the TOR-based website:
- The ISIS propaganda site’s donation page (accepting Bitcoin).
- A blog with information on military operations carried out by Caliphate fighters in Iraq, Syria, and Nigeria.
- A post made in memory of ISIL martyr Abu Wardah.
- Multiple posts of Islamic State media news relating to ISIS.
- A blog regarding the West Africa State pictorial report. The report contained “Partial results of the attack carried out by the Khalifate fighters against Nigerian army barracks in Brono.”
- A further 17 pages of blogs made by “Abu Jihad” with public information revealing ISIS’s media arms and media files. There were also links to the Al-Furquan and Al-l’atisam Establishment.
After collecting this information and obtaining Al-Azhari’s IP through the darknet website, they traced the IP address 126.96.36.199 back to an address in Riverside, California: his grandmother’s residence.
Once these details had been traced to Al-Azhari, the FBI monitored his every movement. During the investigation, the terrorist expressed admiration online for Pulse nightclub shooter Omar Mateen. On other occasions, he spoke of his desire to carry out a similar mass casualty shooting.
Al-Azhari would regularly scout for potential targets and areas in which to carry out a terrorist attack, but there was not enough for the FBI to act on. It wasn’t until he purchased an illegal firearm that the FBI arrested Al-Azhari. The report claims “[Al-Azhari] attempted to purchase multiple firearms over the course of the investigation, before acquiring a Glock pistol and a silencer.”
How Did The FBI Track A Tor User’s IP Address?
The FBI report openly admits to obtaining the suspect’s IP address through a darknet TOR website… However, the FBI refuses to provide any further information on how exactly this happened. In recent weeks, this has sparked controversy and questions as to how the FBI managed the operation.
How the FBI managed to obtain both the IP address and a record of what the user did on the website remains a mystery they are not willing to explain. This brings multiple theories to mind.
The first is that the FBI hacked the ISIS website. The conventional approach once law enforcement has a backdoor into a darknet website is to collect its data and take the site down… The FBI may instead be running the website as a honeypot. According to the report, the FBI was not investigating Al-Azhari prior to his visits to the darknet ISIS website. Unless the FBI was running some form of surveillance on the site, or Al-Azhari reached it by some method other than the Tor Browser, tracking his IP address is supposed to be impossible.
To make matters more worrisome, when the DOJ was asked about this, it refused to provide information as to how the IP address was obtained. It has since blocked all discussion of the issue from entering the public docket.
On the 11th of January, defense attorney Samuel E. Landes, who worked on the case, wrote the following: “In discovery, the government has declined to provide any information related to its TOR operation.” The document provided by the FBI was redacted in multiple places and marked “Top Secret” under the Classified Information Procedures Act (CIPA).
As you may guess, this secrecy raises the question of whether the FBI now has ways to track IP addresses through the TOR Browser. If the FBI can grab a terrorist’s IP from the darknet ISIS website, why can’t they do it from Darknet Markets?
How the Tor Browser Hides Your IP Address
The Tor Browser connects through Tor (short for The Onion Router), which relays user traffic through multiple network nodes. The details are more involved, but the idea is that the traffic is wrapped in one layer of encryption per relay (hence the name onion), and each relay strips only its own layer, so it learns just the address of the hop before it and the hop after it. The website only ever sees the IP address of the last relay, and no single relay sees both the user and the website, which is supposed to make it “impossible” to find the true IP address of the user.
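To make the layering concrete, here is an added toy simulation of a three-hop onion circuit (written for this article, not code from the original post or from the Tor Project). The relay names, the pre-shared keys, the client address 203.0.113.7 and the SHA-256-based stream cipher are all constructed for illustration; real Tor negotiates keys per hop with a handshake and encrypts with AES-CTR.

```python
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from SHA-256, one keystream block per
    32 bytes. XOR is symmetric, so the same call encrypts and decrypts.
    Illustration only: Tor uses AES-CTR under keys from a per-hop handshake."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + blk.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

# Constructed three-hop circuit: (relay address, key the client shares with it).
# In Tor these keys come from a key exchange; here they are simply pre-shared.
CIRCUIT = [
    ("guard.example:9001", b"guard-key-constructed"),
    ("middle.example:9001", b"middle-key-constructed"),
    ("exit.example:9001", b"exit-key-constructed"),
]

def build_onion(circuit, destination: str, payload: bytes):
    """Wrap the payload in one layer per relay, innermost (exit) layer first.
    Each layer names only the *next* hop and is readable only by the relay
    holding that layer's key. Returns (first hop, onion) for the client to send."""
    next_hop, cell = destination, payload
    for addr, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "inner": cell.hex()}).encode()
        next_hop, cell = addr, xor_stream(key, layer)
    return next_hop, cell

def relay_peel(key: bytes, cell: bytes):
    """One relay's work: strip its own layer and learn where to forward."""
    layer = json.loads(xor_stream(key, cell))
    return layer["next"], bytes.fromhex(layer["inner"])

def simulate(circuit, client_ip: str, destination: str, payload: bytes):
    """Forward the onion hop by hop and record what each relay can observe:
    only the previous hop's address and the next hop's address."""
    views = []
    prev_hop, (hop, cell) = client_ip, build_onion(circuit, destination, payload)
    for addr, key in circuit:
        assert hop == addr, "onion routed to the wrong relay"
        next_hop, cell = relay_peel(key, cell)
        views.append({"relay": addr, "from": prev_hop, "to": next_hop})
        prev_hop, hop = addr, next_hop
    return views, hop, cell  # hop is the destination, cell the original payload
```

Calling `simulate(CIRCUIT, "203.0.113.7", "example.onion", b"GET /")` returns one view per relay: the guard sees the client address and the middle relay, the exit sees the middle relay and the destination, and no single view contains both the client address and the destination.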
When it comes to the clearnet, your IP is automatically visible unless you’ve taken additional steps to hide it.
In the case of Al-Azhari, the U.S. Government’s affidavit indicates the following:
“The Government was able to bypass TOR’s protections to identify the IP address of the visitor to the ISIS website. In discovery, the Government has declined to provide any information related to its TOR operation.”
How to Prevent Your IP From Being Traced
Although Al-Azhari took the step of using Tor, this was likely the extent of his OpSec. It’s very likely he only used Tor because it was the only way to connect to the ISIS website. Hiding your IP address has been made relatively easy, and there are a few tools to help you.
The most obvious tool you could utilise is a PAID VPN. Every half-decent VPN will include IP protection and allow you to route through multiple hops before connecting to the website. We suggest a few good VPNs on our Start Here page. However, you will still need to take a few extra steps.
A proxy can also be used, though proxies usually rely on the same IP-hiding approach that the Tor Browser already provides on its own. A NAT firewall on your router helps too. None of these tools is magic, though.
With any darknet activity, your general OpSec understanding plays a role.
If you want full confirmation that your online deeds can never be tracked, we recommend using Tails OS, a USB-based operating system. Tails OS provides an “amnesia mechanism” through multiple IP configurations and additional security software. It’s said to be secure enough that you can walk into your library and do whatever it is you need to do, and there will be no trace of the PC even being used.
Even Roger Dingledine, the creator of the Tor Project, says as much:
“Tails expands Tor’s protections to an entire operating system, and they do so with an unwavering commitment to their Social Contract. Tails is a favorite companion tool of Tor.”
(Roger Dingledine)
The US government has teams who spend their lives attempting to crack systems like the Tor Browser’s built-in safety features. This is but another example of their successful attempts. In the case of Al-Azhari, it helped the US keep a potential terrorist attack at bay. However, it may also be a sign of things to come for Tor users. From this alone, we suggest keeping your OpSec up, your VPN active, and perhaps even moving over to I2P instead.