Hidden Services Tor provide anonymity for web services that are resistant to identification and tracking. But a recent discovery has revealed a new way to expose the real IP address of these services using an HTTP header known as Etag.

Etag is a unique identifier generated by the server when a client requests a resource. The latter uses it to determine if the version of the resource is up to date. If the Etag does not change, the client switches to the cached version, saving traffic and speeding up downloads.

But Etag can also serve as a tracking tool. It may contain information about the server, including an IP address, time, or hash. This means that when requesting the same resource from different Tor hidden services belonging to the same server, the client may receive the same Etag, revealing the server’s real IP address.

IN article on Medium demonstrated how the author, using the curl and torsocks tools and the Etag comparison, was able to reveal the IP address of the anonymous Tor service owned by the RagnarLocker ransomware. All Etags turned out to be the same and contained a hash of the server’s IP address, which made it possible to determine its real address and location.

According to research, the notorious ransomware group Ragnar Locker attacked video game company Capcom , claiming to have stolen one terabyte of data. Capcom dropped Ragnar Locker’s claims and 67GB of the stolen files were released to the Dark Web.

The leak site only contained a link, not the files themselves. Instead, a special Onion address was provided for storing files such as leaked data, which appears to have been prepared by Ragnar Locker’s operator. The files have been split into several parts and placed at an Onion address starting with t2w….

Usually when looking for the source IP address of a site on the Dark Web, the site’s source code, SSL certificate, response headers, etc. are checked to obtain unique strings and fingerprint information, and then using scanning services such as Shodan, Censys and others, an IP address is searched. In this study, the response headers were checked. If the response header contains a unique string, it is possible to get the source IP address.

After checking the response headers and finding the same ETag, the researcher tried to upload a file with the same name on the Onion address and IP address, and confirmed that the file with the same name was located as shown in the image below. Thus, it can be said that the source IP address of the Onion address t2w5by….onion is 5.45.65.52.

Later, the IP address 5.45.65.52 was mentioned in FBI operational report . The report says that the address was used as a server to host compromised Capcom data.

This method can be used both by attackers to deanonymize users and providers of Tor hidden services, and by law enforcement agencies in the fight against illegal activity. However, there are ways to protect it, such as disabling the Etag on the server, or using a proxy to change the Etag in transit.