Two days after the WannaCry ransomware outbreak wreaked havoc across the world, French police seized a server running two Tor relays belonging to French activist Aeris, who said the server was confiscated in connection with the WannaCry attacks.
Aeris reported the incident on the Tor Project mailing list last month, on May 15, asking fellow operators to revoke trust in two of his relays. Both were also Tor entry guard nodes, the relays a Tor client trusts as its first hop into the network. Revoking trust is the standard response to a seizure: once the hardware is out of the operator's hands, the relay identity keys stored on it can no longer be considered under his control.
The activist said police seized his server because a large French company was infected with WannaCry two days earlier, on May 12. The company logged all outgoing traffic during the attack and handed the data to police.
WannaCry communicates with a command and control server hosted on the Dark Web, on a .onion address. Aeris suspects his relays were used as the first hop in those connections, which is why police seized his server, hosted with French hosting provider Online SAS.
Tor relays log very little by default (startup, uptime and status messages at the notice level), precisely so that they keep no record of who connected through them. A guard relay sees the IP address of the connecting client and the next relay in the circuit, but never the destination, and it writes no per-connection records. Unless Aeris changed the default configuration, the seized server is unlikely to yield anything useful to French police.
In the media storm caused by the wave of WannaCry attacks, this small incident went unreported outside of French media. Aeris also confirmed the seizure of his server on Twitter.
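For context, this is what "logging very few details" looks like on a relay. The torrc fragment below is an added example for this article, not Aeris's configuration (which is not public) and not text from the original report; it places the logging directives that match Tor's defaults next to the settings an operator should avoid, because they would make a seized relay worth having.

```text
## Relay logging to keep (equivalent to Tor's defaults)
# Only startup, status and warning messages are written; no per-connection data.
Log notice file /var/log/tor/notices.log
# Scrub IP addresses from anything that does get logged.
SafeLogging 1

## Settings to avoid on a relay
# Debug output includes circuit and connection details about the clients using the relay.
# Log debug file /var/log/tor/debug.log
# Disabling scrubbing leaves client IP addresses in the log file.
# SafeLogging 0
```

With the first pair of directives, the most an investigator recovers from the disk is when the relay started and that it was running; the guard's view of client IP addresses exists only in memory while a circuit is open.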
The investigation is led by France’s cyber-crime investigation unit OCLCTIC (L'Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication).
The activist pointed out that dozens of other Tor nodes in France disappeared over the same weekend. In a private conversation with Bleeping Computer, he shared a list of 30 servers whose disappearance he is currently investigating.
"We have confirmation of 6 Tor node seizures [from 5 operators]," the privacy activist told Bleeping Computer today. "A seized relay is not on this list because it is hosted on another provider."
It is unclear how many of these are related to the WannaCry attacks. Overall, there is very little information about these incidents at the moment, as investigators have barred the parties involved from sharing any information.
"There is currently a gag order around this," said Aeris. "My provider refuses to communicate information about the seizure."
UPDATE: The article's title was updated after Aeris confirmed to Bleeping Computer that only one server running two Tor nodes was seized, and not three servers, as the first version of this article stated. Furthermore, the server was hosted at hosting company Online SAS, not OVH. Bleeping Computer regrets the error. The article was also updated with new information provided by Aeris.