Last week, we saw an interesting uptick in the number of domains collected by the OWL Vision platform. Our analysts leveraged DARKINT to find a surge of new domains, increasing the number crawled by our platform by nearly 36%. In the time since, this trend has continued in the same upward manner. With the number of domains our tool crawls increasing by over 123% since February 26, our team decided to begin digging for an explanation, and found a correlation with the Hidden Wiki.
So, how does the Hidden Wiki tie into the increase in domains? Almost 94% of the new domains seen by our analysts contain the landing page for The Hidden Wiki and merely serve as a mirror back to the original, well-known Hidden Wiki site. A mirror site is essentially a site with the same content as another but a different domain.
Why would those behind the Hidden Wiki have over 30,000 sites mirroring theirs?
The Wikis of the darknet
The Hidden Wiki is a darknet site which provides wikis operating as Tor hidden services. For those unfamiliar, a wiki, like the surface net site Wikipedia, is a website that allows registered users to collaboratively write and edit content directly from their browser.
Just like the Wikipedia that we're familiar with, just about anyone can anonymously edit the Hidden Wiki. The Hidden Wiki landing page provides a comprehensive directory of links to other .onion sites on Tor and advice on how to safely use Tor. The Hidden Wiki is believed to have come online in 2011, and interestingly, was a top client of the Freedom Hosting service taken down by Anonymous last month.
In the world of the darknet wikis, there is also an "uncensored” version of the original site called The Uncensored Hidden Wiki. This wiki offers the same layout and feel as the Hidden Wiki but focuses on more adult and illicit topics but does also cover announcements and other general Tor-related information. The most recent change to its main page discusses the recent SIGAINT secure email service outage. The Uncensored Hidden Wiki first appeared on the darknet in mid-2016.
As with the majority of sites on Tor, all of the darknet wiki-like sites should be used with caution. You cannot know for certain that the lists of .onion links they contain have been verified; many can contain malicious software and/or links to illicit material without warning.
the big question: why the Hidden Wiki Mirror domain up-tick?
As we mentioned, about 94% of the new domains seen by our analysts are mirrors of the well-known Hidden Wiki site.
Perhaps this is merely a glitch in the Hidden Wiki's torify wget bash code, as there is no rationale behind that many hidden service domains. Or, could this be related to yesterday’s news report of WikiLeaks Vault-7 release of almost 9,000 documents detailing the cyber capabilities of the CIA's covert Center for Cyber Intelligence (CCI) division?
Our analysts will continue to investigate and keep you updated as more information becomes available via DARKINT.
Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.