Because of the sophisticated methods cyber criminals use, it is extremely difficult for law enforcement agencies to catch them. Hackers do not use real names, IP address and behind various anonymization networks. However, we may often find news about hackers being caught. This happens because crooks make mistakes. There several ways the police can find out their real names and location. Here are some of them:

De-anonymization using administrative methods. This involves sending a request to the Internet hosting provider with a request to provide data on all connections and traffic associated with the suspected rogue server. If several intermediate links are used (for example, several best VPN services) requests are sent to each hosting provider, starting with the last one. As a result, it is possible to reach the first host in the link to which the user connected from his real IP address.

De-anonymization using spyware. This method involves sending a malicious program that, once on the victim’s computer, transmits information about it to the management server controlled by the police. The information transmitted includes the real IP address of the victim. A malicious program can be disguised as an image file, PDF document, or any other file. This type of software is actively purchased by law enforcement agencies of various countries, it is also actively used by hackers to collect data on the victim.

De-anonymization using timing attacks. This method has a lot of variants. To make it easier to understand what timing attack is, imagine plenty of tangled hoses. Water flows from all of them but there is only one switch. How to understand which hose this switch belongs to? You just turn off the water for a couple of seconds and look at the water, where it gets weaker for a moment, that hose leads to the switch.

De-anonymization by exploiting connectivity vulnerabilities. This method involves detecting vulnerabilities in one of the elements used by hackers (again like VPN or TOR networks). In some cases, one vulnerable element will lead to de-anonymization of the user. However, many systems are resistant to this method.

De-anonymization by exploiting the vulnerability of a web browser. This method requires that hackers click a specific weblink. As a result of numerous vulnerabilities of web browsers that are constantly being discovered and closed, the victim’s real IP address will be known to the website owner (the police). I have placed this de-anonymization method last but today it remains the most common. It is popular because it is highly efficient and easy to implement since to make the hacker click the link is much easier than convincing him to open the file.

How hackers stay anonymous online

And now let’s see what tools and methods hackers use to preserve their privacy and anonymity.

Double / Triple / Quad VPN

Protection against de-anonymization using administrative methods: medium

Protection against active de-anonymization using spyware: none

Protection against de-anonymization using timing attacks: low

Protection against de-anonymization by exploiting connectivity vulnerabilities: none

Protection against de-anonymization by exploiting web-browser vulnerabilities: none

This is a cost-effective solution which allows not to lose Internet connection speed. Traffic is securely encrypted, and your real IP address is hidden from average websites. Not only your Internet Service Provider but also the special services of your country will not be able to intercept such communication. However, if law enforcement really wants to find people that hide after Double / Triple / Quad VPNs, then using administrative resources and making requests to hosting providers, it is not difficult to find crooks. In addition, this scheme does not protect against active methods of de-anonymization.

TOR network

Protection against de-anonymization using administrative methods: high

Protection against active de-anonymization using spyware: none

Protection against de-anonymization using timing attacks: medium

Protection against de-anonymization by exploiting connectivity vulnerabilities: none

Protection against de-anonymization by exploiting web-browser vulnerabilities: none

Using TOR noticeably slows down Internet speed. At the same time, TOR is free. TOR enhances protection against timing attacks and makes it almost impossible to use administrative means. At the same time, TOR has one critical flaw: traffic on exit nodes is often intercepted by other hackers and police who deploy exit nodes solely for this purpose. Therefore, hackers have to use their personal TOR exit nodes, to which no one can get access.

 

VPN > Remote Desktop > VPN

Protection against de-anonymization using administrative methods: medium

Protection against active de-anonymization using spyware: high

Protection against de-anonymization using timing attacks: high

Protection against de-anonymization by exploiting connectivity vulnerabilities: medium

Protection against de-anonymization by exploiting web-browser vulnerabilities: high

Full anonymity is almost impossible without the use of a remote desktop. Remote desktop serves as a reliable barrier against active methods of de-anonymization. This method provides excellent Internet speed but is vulnerable to de-anonymization by administrative methods. As a rule, TOR is added here, but TOR gets turned off at times when high speed is more important than anonymity.

VPN > Remote Desktop >TOR

Protection against de-anonymization using administrative methods: high

Protection against active de-anonymization using spyware: high

Protection against de-anonymization using timing attacks: high

Protection against de-anonymization by exploiting connectivity vulnerabilities: high

Protection against de-anonymization by exploiting web-browser vulnerabilities: high

This is the most reliable method. It is resistant to both active de-anonymization and de-anonymization through the use of administrative resources. The main disadvantage of this tactic is the Internet speed that is affected by the use of TOR. Finally, hackers often add proxy to all these schemes and regularly change their IP addresses.