Dark Web

The number of Dark Web services has gone down significantly following the Freedom Hosting II hack that took place at the start of February, and now stands at only around 4,400 services, according to a recently published OnionScan report.

Previous research published in April 2016 by threat intelligence firm Deep Light had the total number of Dark Web services at around 30,000.

Comparing the two numbers, the report shows a decrease of almost 85% in the overall size of the Dark Web in the last year alone.

Freedom Hosting II hack had unexpected consequences

According to Sarah Jamie Lewis, the main researcher behind the OnionScan report, at the heart of this dramatic drop in numbers is the downfall of Freedom Hosting II, a Dark Web hosting service.

A previous report from October 2016, also by Lewis, estimated that Freedom Hosting II hosted around a fifth of the entire Dark Web.

"We believe that the Freedom Hosting II takedown not only removed many thousands of active sites but also may have affected other hosting providers who were hosting some infrastructure on top of Freedom Hosting II," Lewis explained.

Anonymous hacked Freedom Hosting II at the start of February this year. Hacktivists decided to take down the service and destroy or leak much of its data after they discovered the provider was knowingly providing service to many websites hosting images of sexually abused children.

Only 4,400 Dark Web services left

According to the recent OnionScan statistics, the Dark Web is laughably small, with around 4,000 HTTP websites, 250 TLS (HTTPS) endpoints, 100 SMTP services, and only 10 FTP nodes.

  • HTTP Detected - ~4000
  • TLS Detected - ~250 (In line with previous counts - seemingly unaffected by FHII)
  • SSH Detected - ~270 (much lower, mostly due to the FHII hack)
  • FTP Detected - < 10 (much lower, again expected to be related to FHII)
  • SMTP Detected - < 100
  • VNC Detected - < 10
  • Bitcoin Nodes Detected - ~220 (much higher, likely because of better bitcoin capability in OnionScan)

Lewis also notes that despite previous reports of improperly configured Dark Web servers, the number of installations leaking details about the underlying server has remained at the same levels.

"We were able to extract nearly a thousand unique IP addresses from our data set belonging to both services and clearnet clients accessing misconfigured hidden services," Lewis said.

The types of misconfigurations OnionScan looked at included Apache mod_status exposures, open directories, EXIF metadata left intact in image headers, and host header co-hosting leaks.

Overall, despite its allure, the Dark Web has shrunk tremendously during the past year and is riddled with misconfigured servers. It is no surprise that Sigaint, a very popular email provider operating from the Dark Web, went down ten days after the Freedom Hosting II hack, and has yet to return.