Skip to content
Naked Security Naked Security

Hackers erase 6,500 sites from the Dark Web in one attack

Dark Web hosting company Daniel's Hosting was wiped out, taking down about 30% of the Dark Web's operational and active hidden services.

One of the most popular Dark Web hosting services – Daniel’s Hosting – was slaughtered last week when attackers hosed it clean of about 6,500 hidden services. The admin says they’re gone for good: he hasn’t even figured out where the vulnerability is yet.
The administrator at Daniel’s Hosting is a German software developer named Daniel Winzen, who acknowledged the attack on the hosting provider’s portal. Winzen said that it happened on Thursday night, a day after a PHP zero-day exploit was leaked.
The service will likely be back in December, he said, but even the “root” account has been deleted, and all the data on those 6,500 sites are toast:

There is no way to recover from this breach, all data is gone. I will re-enable the service once the vulnerability has been found, but right now I first need to find it.

Backups? Forget it. This is the Dark Web. Winzen told ZDNet that there ain’t no such thing as backups on Daniel’s Hosting, by design:

Unfortunately, all data is lost and per design, there are no backups.

As of last week, Winzen said his priority was to do a full analysis of the log files. He had determined that the attacker(s) had gained administrative database rights, but it’s looking like they didn’t get full system access. Some accounts and files that weren’t part of the hosting setup were left “untouched,” he said.

Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both, adminer and phpmyadmin have been used to run queries on the database.

Who cares?

According to Dark Owl, when the attacker(s) took out Daniel’s Hosting, they erased over 30% of the operational and active hidden services across Tor and the Invisible Internet Project (I2P) – an anonymous network layer that allows for censorship-resistant, peer-to-peer communication. ZDNet’s Catalin Cimpanu tweeted on Monday night that this pretty much matched his own calculations.
The attacker(s) also deleted over six million documents that DarkOwl – a provider of darknet content and tools, as well as cybersecurity defenses – had archived on the Dark Net.
This is what the world lost when Daniel’s Hosting went belly-up, Dark Owl says:

  • 657 of the hidden services had the title “Site Hosted by Daniel’s Hosting Service” and little else (but may have been used for something other than serving web content).
  • Most (over 4900) were in English, 54 were in Russian and two of the oldest were in Portuguese.
  • 457 of the hidden services contain content related to hacking and/or malware development.
  • 304 have been classified as forums.
  • 148 of them are chatrooms.
  • 136 include drug-specific keywords.
  • 109 contain counterfeit-related content.
  • 54 specifically mention carding-specific information.
  • Over 20 contain content including weapons and explosive-related keywords.

For better or worse, the takedown of Daniel’s Hosting means that a “pillar of the darknet community” that’s served up a chatroom and online-link list for years, free of charge, has been demolished, Dark Owl says.

For example, his online-link list is referenced by nearly 500 other hidden services, making it the second most commonly referred to directory listing (behind Fresh Onions) and providing a foundational starting point for new users navigating Tor.

Dark Owl has some theories about who could have been behind the attack. It could have been Russian hackers, who’ve recently outlined the technical details of exploiting PHP’s imap_open() function to extract password hashes for privileged accounts, as an alternative to brute-force mining.
Then again, it could have been anybody who’s against easy posting and sharing of child abuse images. Dark Owl reports that Winzen, back in 2016, made life easier for people to share such images on Tor without potentially exposing their identities:

As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home for many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.

There are also theories about the portal being taken down by law enforcement. For one thing, a chatroom, Daniel’s Chat, quietly resurfaced on Saturday, but it lacked the member database and credentials that had enabled users to verify chat participants’ identities.
Or perhaps Daniel had been arrested, and it’s not even really him who’s posting on the site and sending email to news outlets? As it is, the providers’ hidden services experienced what Dark Owl said was “extreme” distributed denial of service (DDoS) attacks leading up to the attack, “similar to other law enforcement-led darknet seizure operations.”
Those are just some of the theories.
The attack shows how surprisingly centralised the Dark Web really is, and that there are no ironclad promises that its potent anonymity features will shield you.
Whether it’s law enforcement catching drug dealers with a fake Bitcoin exchange or simple misconfigurations that expose server IP addresses, you have to take heed: just because you’re using Tor doesn’t necessarily mean you’re safe, whether you’re a criminal or somebody seeking anonymity for noncriminal reasons.
There are many ways to get busted on the dark web.


A couple of questions, if hosting those sites is illegal, how is the hoster so publicly known? If it isn’t illegal, why would he be arrested? Also, how exactly do you delete the root account of a system without actually having system access?


Hosting Dark Web sites isn’t illegal, but the Dark Web is popular with people who want to run illegal websites.
The Dark Web (Tor) prevents users from seeing the IP address of the website they’re visiting, so if you visited a Dark Web site doing something illegal you’d have no way of knowing if it was hosted by Daniel’s Hosting, or any other web host.


You know what is even more popular with people who want to run illegal websites? The Internet.
About that Daniels host part, it is mostly true, but there are exceptions where you would be able to host it.


Sometimes I think it’s safer to conduct illegal activities on the open net, like back in the days LE is so busy looking at the darknet they probably don’t pay much attention to the open net anymore


You people who say “good riddance” should move to a dictatorship, because that’s what you’re asking for.
Basically you are saying anyone who allows people to speak in private or exchange information freely should be arrested, and that all opinions and information should be under the strict control of the government.
I wish you could live in North Korea or something so you would see how that plays out. It’s already doing damage here, it’s just that the people being attacked are the most vulnerable minorities in society. And the control is so totalitarian and absolute that these people have nobody to defend them. That doesn’t mean they are bad, it could just mean that they are persecuted for having exposed government wrongdoings, for who they feel love for, or for making their own life better through personal drug use.


Taking down a website that hosts child pornography makes the EU into North Korea?
That concept is totally amoral.
The bad guys are the heinous monsters that rape children and those that watch such appalling content.
A working civilization requires that society tries very hard to protect those that can’t protect themselves.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!