Dark Web Investigations and I2P


Before we had the popularity of Meta’s Facebook Messenger and end-to-end encrypted apps like Telegram, there was AOL Instant Messenger (AIM for short). AIM was brilliant, and from my high school to college years, it was the preferred method of staying in touch with my friends. With the success of AIM came competitors, Yahoo Messenger and MSN Messenger, and while not comparable to AIM in popularity (here in the United States at least), both services had their own features which set them apart. Amidst the height of these messenger services’ popularity, specifically the late 90s to early 2000s, we also had the advent of peer-to-peer sharing services like Napster and later LimeWire. The way we used the internet and communicated was changing, and the colloquial “dark web” was in its infancy. While onion routing, what we know today as TOR, had been in existence since 1995, and Ian Clarke’s “Freenet” went live in 1999, 2001 was the year Lance James created what would later become I2P – The Invisible Internet Project. Celebrating its 20th anniversary last year, I2P is evolving and has positioned itself as the second largest dark net, with an estimated 35,000 to 45,000 users daily. Dwarfed by comparison to the TOR network’s metrics, with an estimated 2.5 million end users each day, it is easy for those who investigate dark web related cases to dismiss I2P as a novelty. However, I2P matters, and it is something that investigators need to understand and learn to navigate.

When the media outlets began to report on the “Silk Road” ten years ago, the popularity of the TOR network exploded. What we know as the “dark web” has become synonymous with the criminal underworld, rife with contraband and all things illegal. With law enforcement’s focus on combating TOR .onion domains, ranging from narcotics to child pornography, it is understandable that familiarity with I2P on the LE front has been scarce. Requiring more configuration than the “download and go” aspect of TOR, it is not surprising that the lay user of the “dark web” would shy away from I2P, and that lay user definition also encompasses law enforcement! Having been on the forefront of dark web investigations for over 8 years myself, I can attest that personally I only know of one case that had a nexus to I2P. In May 2019, the darknet contraband market “Libertas” moved its hosting from the TOR network exclusively to I2P, encouraging other darknet markets to follow suit. At the time, “Libertas’s” administrators claimed that vulnerabilities in the TOR network are what eventually lead law enforcement to where dark net markets are hosted. While this sentiment was not new, and in fact had been echoed two years prior in 2017 by darknet market admins after law enforcement seized the darknet markets “AlphaBay”, “Hansa”, and “RAMP”, the initial push from TOR to I2P had failed because the dark web lay user did not know how to configure and use I2P. While “Libertas’s” effort in 2019 suffered the same fate for the same reasons, to their credit they were also the first darknet market to allow only the anonymity-enhanced cryptocurrency Monero to be used for purchases on the market, something the highly successful “White House Market” adopted on the TOR network before its eventual retirement. Today, we see multiple darknet markets and illicit services hosting their sites on both the TOR network and I2P, and we will likely see this trend continue.

Perhaps I2P’s biggest deterrent is the configuration required of the end user, which is intimidating to many average dark web “aficionados”. Although it offers compatibility with a myriad of operating systems, as well as plugins/extensions for Chrome- and Firefox-based browsers, I2P does not offer the same simplicity as the TOR Browser. Users who simply want to go onto the “dark web” are more likely to download TOR and find themselves browsing .onion domains within minutes, while I2P has a bit of a “learning curve” before you can visit any “eepsites”, or .i2p domains. In the same respect, TOR’s massive network and its number of dedicated servers and volunteer nodes create a much more stable browsing experience, while I2P is much slower by comparison. I2P also requires end users to configure how much bandwidth they share while using the dark net in order to sustain the network traffic. In contrast to the browsing experience on the TOR network, users of I2P are required to use an outproxy service in order to visit domains on the Clearnet.

The hosting of .i2p domains is a bit different from TOR’s .onion domains as well. With the latest version three of TOR’s .onion domains, the addresses are 56 alphanumeric characters. By comparison, .i2p domains can be simple, like notbob.i2p or stats.i2p, or “unforgeable” Base32 domains, similar to TOR’s alphanumeric addresses, that end in .b32.i2p. Some argue that I2P, unlike TOR, remains a “true darknet” because of the inability to browse outside the I2P network without an outproxy configuration.
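As an added example (not from the article), here is a small Python triage helper that pulls TOR and I2P hostnames out of seized text and labels the network each belongs to. It relies on the address shapes described above (56-character v3 .onion labels; .b32.i2p labels, which are 52 base32 characters because they encode a SHA-256 hash), verifies the v3 .onion checksum as defined in Tor’s v3 rendezvous specification, and treats anything else ending in .i2p as a named eepsite; the sample keys and text are constructed.

```python
# Added example (not from the article): label TOR and I2P hostnames found in
# seized text (chat logs, notes, configs) by the network they belong to.
import base64
import hashlib
import re

# Lowercase base32 labels: 56 chars for a v3 .onion, 52 chars for a .b32.i2p
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")
B32_I2P_RE = re.compile(r"\b([a-z2-7]{52})\.b32\.i2p\b")
NAMED_I2P_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*)\.i2p\b")

def make_onion_v3(pubkey: bytes) -> str:
    """Build a v3 .onion label from a 32-byte ed25519 public key (Tor rend-spec v3)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()

def onion_v3_checksum_ok(label: str) -> bool:
    """True if the 56-char label decodes to key||checksum||version 3 with a valid checksum."""
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected

def classify_hosts(text: str) -> list:
    """Return (hostname, network) pairs in order of discovery."""
    found = []
    for m in ONION_V3_RE.finditer(text):
        ok = onion_v3_checksum_ok(m.group(1))
        found.append((m.group(0), "tor-v3" if ok else "tor-v3-bad-checksum"))
    for m in B32_I2P_RE.finditer(text):
        found.append((m.group(0), "i2p-b32"))
    for m in NAMED_I2P_RE.finditer(text):
        if not m.group(1).endswith(".b32"):  # already reported as i2p-b32
            found.append((m.group(0), "i2p-named"))
    return found

# Constructed sample: a made-up key yields a well-formed .onion; the .b32.i2p
# host is the base32 of an arbitrary SHA-256 digest (real .b32.i2p names are
# the base32 SHA-256 hash of the destination, hence 52 characters).
SAMPLE_ONION = make_onion_v3(b"\x11" * 32) + ".onion"
SAMPLE_B32 = base64.b32encode(hashlib.sha256(b"example").digest()).decode().lower().rstrip("=") + ".b32.i2p"
SAMPLE_TEXT = f"mirror: {SAMPLE_ONION}\nalso on {SAMPLE_B32} (or notbob.i2p / stats.i2p)\n"

if __name__ == "__main__":
    for host, net in classify_hosts(SAMPLE_TEXT):
        print(f"{net:20} {host}")
```

A malformed 56-character .onion label (wrong version byte or checksum) is reported separately so an analyst can tell a typo or a deliberately bogus address from a real one.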

While I will not delineate the subtle nuances between TOR and I2P from a technical end, or attempt to entertain the argument over which is a real “dark net”…I will say this, especially to those reading from the law enforcement realm: I2P matters! While it is easy to focus solely on TOR .onion domains due to their popularity and the likelihood of encountering a case involving a service or contraband on TOR, the cross hosting of sites on both TOR and I2P is becoming more common. While the case study of the “Libertas” market’s transition from TOR to I2P was indeed a failure, it is important not to write it off as the status quo. That was 2019, and today in 2022 the I2P network has improved. Every day, what we colloquially call the “dark web” expands, and the various dark nets continue to evolve. For law enforcement and those who investigate the “dark web”, it is imperative to have a fundamental understanding of TOR and I2P, and to be able to use both with confidence. Just as AIM has become a novelty of yesteryear due to the evolution of how we communicate, it is possible that one day there will be a paradigm shift away from the TOR network to I2P. The rumblings in the undercurrent of the OPSEC forums on the “dark web” have already started, so start learning how to use I2P now.

By Keven Hendricks
