TL;DR
Before tools like Tor became common, cybercriminals combined several techniques to hide their identities and locations: compromised machines (botnets), public Wi-Fi networks, email spoofing, proxy chains, dial-up connections with dynamic IP addresses, physical relays (accomplices abroad, internet cafes), and steganography to hide the fact that they were communicating at all. None of these gave strong anonymity by itself; each relied on some party (an ISP, a proxy operator, a hotspot owner) not logging or not cooperating with investigators.
How Cybercriminals Stayed Anonymous Before Tor
- Compromised Machines (Botnets)
- Cybercriminals infected thousands of computers with malware to build a botnet.
- They then used the bots to launch attacks or relay traffic, so the victim saw the bots' IP addresses rather than the attacker's, and the trail led back to unwitting home users.
- The attacker controlled the bots remotely, most often through an IRC (Internet Relay Chat) channel: each bot joined the channel and treated messages posted there by the controller as commands. The IRC server was the weak point of this design, since taking down the server or the channel cut the herder off from the whole botnet, and the herder still had to connect to that server from somewhere.

```
# Example (illustrative syntax): the controller posts one message to the
# control channel and every bot sitting in the channel parses it as a command
PRIVMSG #botnet :!attack target_ip
```
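As an added example (not code from the page, and not from any real bot), the parsing a bot on the receiving end had to do: split a raw IRC line into prefix, command, parameters and trailing text per RFC 1459, then act only on `!`-prefixed PRIVMSGs that the controller posted to the control channel. The channel name `#c2`, the controller nick `herder`, the `!attack` syntax and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1459 framing: [":" prefix " "] command {" " param} [" :" trailing]
_IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)"
    r"(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$"
)

CONTROL_CHANNEL = "#c2"   # assumed channel name
HERDER_NICK = "herder"    # assumed controller nick


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into its RFC 1459 parts."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed IRC line: {line!r}")
    return IrcMessage(
        prefix=m.group("prefix"),
        command=m.group("command"),
        params=m.group("params").split(),
        trailing=m.group("trailing"),
    )


def nick_of(prefix: Optional[str]) -> str:
    """'nick!user@host' -> 'nick'; a server prefix has no '!' and is returned whole."""
    return prefix.split("!", 1)[0] if prefix else ""


def bot_dispatch(line: str, channel: str = CONTROL_CHANNEL,
                 herder: str = HERDER_NICK) -> Optional[Tuple[str, List[str]]]:
    """What a bot does with each line from the server: return (command, args)
    for a '!'-prefixed message the controller posted to the control channel,
    None for everything else (PINGs, joins, chatter on other channels)."""
    msg = parse_irc_line(line)
    if msg.command != "PRIVMSG" or not msg.params or msg.params[0] != channel:
        return None
    if not msg.trailing or not msg.trailing.startswith("!"):
        return None
    # Authorization: obey only the controller's nick. Bots that skipped this
    # check could be taken over by anyone who found and joined the channel.
    if nick_of(msg.prefix) != herder:
        return None
    parts = msg.trailing[1:].split()
    if not parts:
        return None
    return parts[0], parts[1:]


if __name__ == "__main__":
    # Constructed sample lines standing in for a bot's IRC session
    for raw in (
        "PING :irc.example.net",
        ":herder!h@198.51.100.5 PRIVMSG #c2 :!attack 203.0.113.7 80",
        ":rival!x@192.0.2.9 PRIVMSG #c2 :!attack 203.0.113.7 80",
    ):
        print(raw, "->", bot_dispatch(raw))
```

The nick check is the part worth noticing: IRC nicks are not authenticated, so it only stops casual hijacking, which is why later bots moved to passwords in the command text or to nick/host masks.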
- Public Wi-Fi Networks
- Connecting through an open, unsecured public Wi-Fi hotspot masked the attacker's own IP address.
- The remote site saw the hotspot's public IP address instead of the attacker's home or work IP.
- This was simple and good enough for basic anonymity, but the hotspot itself still saw the device's MAC address and DHCP lease, and a physical location can be tied to a person through CCTV, payment records or witnesses.
- Email Spoofing
- Attackers forged email headers so that messages appeared to come from legitimate sources. SMTP never authenticated the sender: the 'From:' header is just text supplied by whoever submits the message, and the later mechanisms that check it (SPF, DKIM, DMARC) did not exist yet.
- Tools like sendmail and short Perl scripts were used to write messages with an arbitrary 'From:' address.

```
# Example (simplified): spoofed_email.txt holds the forged headers and the body;
# -t tells sendmail to take the recipients from the To:/Cc:/Bcc: headers
/usr/sbin/sendmail -t < /path/to/spoofed_email.txt
```

- This was often used in phishing attacks and to spread malware.
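An added example, not the page's own script: build the message text that would be piped into `sendmail -t` with a forged 'From:', then do the one check a recipient's administrator could do at the time, comparing the host in the bottom-most 'Received:' header (written by the first server that accepted the message) with the domain the 'From:' header claims. The addresses, host names and the `as_received_by` helper that stands in for a real MTA are constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr


def build_spoofed_message(fake_from: str, to: str, subject: str, body: str) -> str:
    """Produce the RFC 5322 text a script would pipe into 'sendmail -t'.
    The From: header is whatever the author writes; nothing checks it."""
    msg = EmailMessage()
    msg["From"] = fake_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def as_received_by(raw: str, peer_host: str, by_host: str, date: str) -> str:
    """Model what each MTA on the path does: prepend a Received: header naming
    the host that connected to it (constructed; stands in for a real MTA)."""
    return f"Received: from {peer_host} by {by_host} with SMTP; {date}\n" + raw


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def claimed_from_domain(raw: str) -> str:
    """Domain the From: header claims the message was sent from."""
    return domain_of(message_from_string(raw).get("From", ""))


def originating_host(raw: str) -> str:
    """Host recorded in the bottom-most Received: header, i.e. the one written
    by the first server that accepted the message (later hops stack on top)."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", received[-1])
    return m.group(1).lower() if m else ""


def from_header_looks_forged(raw: str) -> bool:
    """Crude check an admin could do by eye: the first-hop host is not under the
    From: domain. Received: headers below the ones your own MTA wrote can be
    forged too, so this is a hint, not proof."""
    claimed, host = claimed_from_domain(raw), originating_host(raw)
    if not claimed or not host:
        return True
    return not (host == claimed or host.endswith("." + claimed))


if __name__ == "__main__":
    raw = build_spoofed_message('"Bank Alerts" <alerts@bank.example>',
                                "victim@example.net", "Verify your account",
                                "Please confirm your details at the link below.")
    # Constructed path: attacker's dial-up line -> ISP relay -> victim's MX
    hop1 = as_received_by(raw, "dialup-42.isp.example", "mail.isp.example",
                          "Mon, 3 Mar 2003 10:00:00 +0000")
    hop2 = as_received_by(hop1, "mail.isp.example", "mx.example.net",
                          "Mon, 3 Mar 2003 10:00:05 +0000")
    print(hop2)
    print("claimed:", claimed_from_domain(hop2), "first hop:", originating_host(hop2),
          "forged?", from_header_looks_forged(hop2))
```

The 'Received:' trail is also why this technique never gave real anonymity: the forged 'From:' fooled the reader, but the first MTA still recorded the connecting IP, which in the dial-up era pointed at an ISP session record.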
- Proxy Chains
- Attackers routed their traffic through several proxy servers located in different countries.
- Each proxy only saw the IP address of the hop before it (and the last proxy saw the target), so the target only ever saw the exit proxy.
- Tools like Proxychains made it easy to push any TCP client through such a chain.

```
# Example Proxychains configuration file (/etc/proxychains.conf).
# strict_chain sends traffic through every listed proxy, in order; each
# [ProxyList] entry is "type host port", one line per hop. The 127.0.0.1
# entry is a proxy on the local machine; remote hops are listed the same way.
strict_chain
proxy_dns
[ProxyList]
http 127.0.0.1 8080
```

- The more proxies used, the harder the connection was to trace, but only as long as the proxies kept no logs: every hop that logged connections was a link investigators could follow back, and any proxy operator could read unencrypted traffic passing through.
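An added example, not from the page or from Proxychains itself: a toy model of a strict chain that records what each hop can see and then plays the investigator, walking the logs backwards from the target. It shows both halves of the point above: every hop sees only the previous hop, and one hop that keeps no logs is enough to sever the trail. The addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Proxy:
    ip: str
    keeps_logs: bool = True
    # Each record is (client that connected to us, next hop we opened)
    log: List[Tuple[str, str]] = field(default_factory=list)


def connect_through(origin: str, chain: List[Proxy], target: str) -> str:
    """Model proxychains strict_chain: origin -> chain[0] -> ... -> chain[-1] -> target.
    Returns the address the target sees, i.e. the exit proxy."""
    prev = origin
    for i, hop in enumerate(chain):
        nxt = chain[i + 1].ip if i + 1 < len(chain) else target
        if hop.keeps_logs:
            hop.log.append((prev, nxt))
        prev = hop.ip
    return prev


def clients_seen_by(hop: Proxy) -> Set[str]:
    """A hop only ever sees the IP of the hop before it."""
    return {client for client, _ in hop.log}


def trace_back(chain: List[Proxy], target: str) -> Optional[str]:
    """What an investigator holding every hop's logs can recover: walk from the
    exit proxy back to whoever connected to the first proxy. A single hop that
    kept no logs breaks the walk and yields None."""
    dest = target
    client = None
    for hop in reversed(chain):
        matches = [c for c, n in hop.log if n == dest]
        if not matches:
            return None
        client = matches[0]
        dest = hop.ip
    return client


if __name__ == "__main__":
    attacker, victim = "192.0.2.10", "203.0.113.80"
    logging_chain = [Proxy("198.51.100.1"), Proxy("198.51.100.2"), Proxy("198.51.100.3")]
    print("victim sees", connect_through(attacker, logging_chain, victim))
    print("middle hop saw", clients_seen_by(logging_chain[1]))
    print("traced to", trace_back(logging_chain, victim))
    quiet_chain = [Proxy("198.51.100.1"), Proxy("198.51.100.2", keeps_logs=False),
                   Proxy("198.51.100.3")]
    connect_through(attacker, quiet_chain, victim)
    print("traced to", trace_back(quiet_chain, victim))
```

Real investigations matched entries by timestamp rather than by exact next-hop address, but the dependency is the same: the chain is only as strong as its least cooperative hop, which is why attackers preferred proxies in jurisdictions that would not answer requests.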
- Dial-up Connections
- In the early days of the internet, dial-up connections were common and the ISP assigned a dynamic IP address for each session.
- Attackers could disconnect and reconnect frequently to get a new IP address, which made tracking harder.
- Tying a dynamic IP address back to a subscriber required the ISP's session records (which account dialled in from which phone line at that moment), and ISPs of the period often kept such logs only briefly or not at all, so the trail frequently went cold.
- Physical Distance & Relays
- Some criminals physically travelled to different locations and used internet cafes or public computers.
- They might also enlist accomplices in other countries to act as relays, forwarding traffic through their connections.
- This added a layer of complexity for law enforcement investigations, since following the trail required cooperation across jurisdictions.
- Steganography
- Hiding messages inside image or audio files made malicious communication hard to detect: an observer saw an ordinary picture, not a message. Note that this conceals the existence and content of the communication, not the sender's network address, so it was used alongside the techniques above rather than instead of them.
- Tools like Steghide were used to embed data.

```
# Example using Steghide: embed message.txt into image.jpg (steghide asks for a passphrase);
# the recipient recovers it with: steghide extract -sf image.jpg
steghide embed -cf image.jpg -ef message.txt
```
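An added example, not the page's code and not Steghide's own embedding method, showing the simplest scheme behind the idea: least-significant-bit replacement, where each payload bit overwrites the lowest bit of one sample so no sample changes by more than 1. The carrier is a constructed byte array standing in for 8-bit pixel samples; the 4-byte length prefix is a convention chosen here so the extractor knows where to stop.

```python
def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits, MSB first, into the lowest bit of successive cover
    samples. A 4-byte big-endian length prefix tells the extractor where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds at most {len(cover) // 8 - 4} payload bytes")
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit   # replace only the LSB
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed: read the length prefix, then that many bytes."""
    def read(start_sample: int, count: int) -> bytes:
        vals = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start_sample + k * 8 + i] & 1)
            vals.append(byte)
        return bytes(vals)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; not an LSB payload")
    return read(32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """How far any sample moved; LSB embedding changes each by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed carrier: 1024 8-bit samples standing in for a grayscale image
    cover = bytes(range(256)) * 4
    secret = b"meet at the usual place, 2100"
    stego = lsb_embed(cover, secret)
    print(lsb_extract(stego))
    print("largest per-sample change:", max_sample_change(cover, stego))
```

Plain LSB replacement is also why steganalysis works: the LSB plane of a natural image is not uniformly random, and overwriting it flattens that statistic. Tools like Steghide pick which samples to change so as to disturb those statistics less, and encrypt the payload first so that even a recovered bit stream is not readable.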