I2P makes up a part of the Dark Web ecosystem. While this particular network has stayed relatively clear of criminal and malicious activity, it is nonetheless an important data source that security professionals and investigators should be aware of. As the criminal landscape shifts, with DDoS attacks happening quite regularly on Tor and with increased scrutiny and success by law enforcement, I2P has the anonymity and privacy properties required to make it a viable alternative to Tor.
What is I2P?
Peer-to-peer (P2P) networks are self-organizing overlay networks built on top of IP networks. The Invisible Internet Project (I2P) is an anonymous P2P network that allows for communication free of censorship. Anonymity is achieved by encrypting traffic and sending it through a network of volunteer computers distributed around the world.
I2P is actually very similar to the Surface Web, or Clearnet, and can be used in a range of ways:
- File sharing
- Instant messaging
How I2P Works
Websites hosted on the I2P network are referred to as Eepsites, and their names end in .i2p. I2P software is required to access Eepsites, and .i2p names are valid only within the I2P network. Requests are submitted to a proxy server, the EepProxy, which locates the site by resolving an I2P peer key. Each computer within the network shares the routing and forwarding of encrypted packets. Every ten minutes, a new connection is established between the user’s machine and another peer through tunnels. Data to and from users, along with data from other peers, pass through these tunnels and are forwarded to their final destination. This provides anonymity and security on an ongoing basis, and under these circumstances it would be nearly impossible to trace the source of data and traffic.
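Because .i2p names are valid only inside I2P, a lookup for one that reaches an ordinary DNS resolver is a useful signal that a host is trying to reach an Eepsite without the EepProxy in the path. The following Python is an added example, not part of the original article: it scans constructed query-log lines for .i2p names and groups them per client. The log layout and all addresses are constructed; the .b32.i2p form (52 base32 characters) is a real I2P destination convention not mentioned in the article.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: "timestamp client qname qtype" per line.
# This layout is an assumption, not any particular resolver's log format.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z 10.0.3.17 www.example.com A
2024-05-01T09:14:05Z 10.0.3.17 forum.i2p A
2024-05-01T09:14:09Z 10.0.3.42 abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrst.b32.i2p AAAA
2024-05-01T09:14:11Z 10.0.3.17 stats.i2p A
2024-05-01T09:14:12Z 10.0.3.99 notreally.i2p.example.net A
2024-05-01T09:14:15Z 10.0.3.17 forum.i2p. AAAA
"""

# Registered (address-book) name: one or more DNS labels, then the i2p TLD.
I2P_NAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+i2p$", re.I)
# Base32 destination hash: 52 chars of the base32 alphabet, then .b32.i2p.
B32_I2P = re.compile(r"^[a-z2-7]{52}\.b32\.i2p$", re.I)


def classify_qname(qname):
    """Return 'b32', 'registered' or None for a queried name (trailing dot tolerated)."""
    name = qname.rstrip(".").lower()
    if B32_I2P.match(name):
        return "b32"
    if I2P_NAME.match(name):
        return "registered"
    return None  # not an I2P name (includes look-alikes such as x.i2p.example.net)


def find_i2p_lookups(log_text):
    """Parse log lines; return {client: {(name, kind): count}} for .i2p lookups only."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        _ts, client, qname, _qtype = parts[:4]
        kind = classify_qname(qname)
        if kind:
            hits[client][(qname.rstrip(".").lower(), kind)] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, names in find_i2p_lookups(SAMPLE_LOG).items():
        print(client, names)
```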
Due to its hidden and anonymous nature, the Invisible Internet Project (I2P) is a viable and possibly more secure alternative to the Tor network. It has not received as much attention as other similar networks, but this is changing. Marketplace administrators and users across the Tor network must deal with almost non-stop DDoS attacks, and they are fearful of the success of law enforcement operations over the past few years in their crackdown on Dark Web marketplaces on the Tor network.
Shifting Criminal Landscape
It is not unusual for Dark Web markets to appear in many forms across different networks and platforms to expand their reach. More recently, however, markets are leaving the Tor network entirely and relaunching their illicit businesses in places like Discord, Telegram, and some are even considering I2P. The Libertas Market, for example, permanently abandoned the Tor network for I2P.
According to Libertas administrators:
“The Tor network is not suitable for hidden services due to flaws in the network which allow denial of service attacks… These flaws allow law enforcement to determine which hidden services are allowed to operate, whether they are legitimate services or sting operations.”
According to site admins, there exists a Tor vulnerability that allows law enforcement to determine a Tor site’s real-world IP address. This is unconfirmed, of course, but they are not the only ones to hold this belief. In fact, there have been pleas for other marketplaces to make the move to I2P as well. If this is the case, then why do site owners remain on Tor? Simply put, it is a business decision.
Public perception is generally that I2P is one of the most secure options, more secure than Tor. The same features that make I2P traffic difficult to intercept also make I2P an attractive solution for cybercriminals to operate their businesses safely. The problem: I2P is difficult to install and get running correctly. Tor is considered much more user-friendly, and within reach for a much larger base of users. By making the move to I2P, cybercriminals would miss out on revenue from users incapable of reaching them on the I2P network.
The Future of I2P
Portraying I2P as the new Dark Web is inaccurate, but as the current landscape continues to take form, it is important for security professionals and law enforcement to stay informed. New networks, tools, and techniques, when misused by P2P/I2P users, contribute to and enable illegal activity online. Being mindful of the way the wind is blowing will help ensure we don’t fall behind again, and that investigators are equipped to understand the challenges of I2P.
The I2P domain name registrars are anonymous; they have no governing body and do not face any consequences for ignoring rules, regulations, and requests from law enforcement agencies.
Because Eepsites cannot be reached from the Clearnet, they are invisible to search engines and their caches, such as the Google Search cache. Forensic analysts frequently rely on these caches to prove the content of a suspect website at a certain point in time. Eepsites are therefore less reliable as evidence than normal websites, because no backup copy exists that can be located if the site is shut down by its owner.
That said, don’t expect I2P to be teeming with users and illicit marketplaces anytime soon. Only a few markets reside there, and of those that do, users are dubious and some view them as scam sites. That can change quickly, however. Media Sonar works hard to ensure that security professionals will always have access to the right data, responding quickly to shifts in the landscape. By providing visibility across the Dark Web, investigators and analysts are better equipped to respond to new climates.