De-anonymization of VPN and Proxy Users through Cookies
Cookies are files that a website saves on a visitor's computer to recognize the user, collect statistics, save personal settings, and perform some other tasks.
We will discuss cookies and ways to delete them in detail as part of our course; for now, just remember that there are session cookies, which are deleted when the browser is closed, and persistent cookies, which are saved even after the browser is closed. The exception is private modes in browsers, where all cookies are forcibly treated as session cookies.
Cookies, along with browser history, are used by forensic experts when conducting forensic analysis of a computer, and there are situations where a user, having cleared their history, forgets to delete cookies, leading to the recovery of data about their activity.
You should remember that if you visit a website, for example, a social network, without logging in, but previously logged in from the same browser, the website will be able to recognize you through cookies. If you use two accounts and close the browser and change your IP address when switching accounts, the website will still be able to recognize you using cookies.
How do cookies lead to the de-anonymization of users VPN and proxy? This tactic was used by law enforcement agencies in one European country to catch hackers. Hackers typically use numerous forums for communication and trading, the largest of which is Hack Forums.
Unlike drug traffickers and arms dealers, hackers are reluctant to move to the Deep Web, continuing to use open Internet forums in the old-fashioned way. Forums have administrators—those who maintain the forum and ensure its functionality, and they were the targets of law enforcement agencies.
After the arrest, the forum administrator was offered a secret collaboration in exchange for freedom, and of course, most of the arrested chose freedom. After that, the forum was reconfigured to check cookies for all unauthorized users, recording information about their accounts on the forum and their current IP addresses.
How did this lead to de-anonymization? When hackers accessed the forum under their account, they used a VPN or proxy, worrying about their anonymity, but when they simply read the forum, they often neglected anonymity, believing that at that moment they were not connected to their account.