De-anonymization of Tor Users through Honeyfiles

Author: Aleksei Morozov
Updated: 14 February 2026

No matter how trivial and obvious this attack may seem to you, it has managed to identify a huge number of cybercriminals. The features of this attack are its simplicity and effectiveness against Tor browser users.

As part of our course, we will create documents capable of de-anonymizing the person who opens them; no special skills are required for this. How to create a link that obtains the IP address of a conversation partner was discussed in this chapter.

Tor provides maximum anonymity among all tools for hiding one's true IP address. While a user of a VPN or proxy can be tracked through requests, connection matching, via third-party sites and other methods, this does not apply in the case of Tor.

Typically, a cybercriminal installs the Tor browser and immediately receives a high level of anonymity "out of the box." Only their stupidity, a mistake made, a very complex attack (like Cross-device tracking), or a vulnerability in the Tor network or Tor browser can lead to their de-anonymization.

Vulnerabilities are rare, but they should not be ruled out. For example, due to one vulnerability, more than 900 visitors to the child pornography site PlayPen were de-anonymized and arrested. All of them used Tor, but this did not save the pedophiles from the FBI and justice.

PlayPen is more of an exception to the rule, and cybercriminals using Tor feel safe. However, consider a cybercriminal who is sent a Word (or PDF) document that it is in their interest to open.

They download it, check it on Virustotal and run it on
