They used to say anonymous networks are hiding people… Are they?


Protecting privacy or supporting fraudulent activity?

On 24 August 2016 protesters called for action to the users of TOR, an anonymity providing network. They requested TOR users to stop using TOR and endpoint providers to shut down endpoints on the 1st of September, because of allegations of TOR developers being involved with government agencies, like the CIA and other sexual harassment charges.

At we monitor all sorts of networks that may be used for fraud. This include anonymity providing networks such as TOR. Luckily TOR exposes all the endpoint’s IP addresses, that we collect on a regular basis. Let’s see how the TOR endpoints behaved the last 19 days and how the blackout went!

Well, to be honest, it did not went too well…


On an average hour there are around 1,000 different endpoints in the network. On September 1st figure shows that the number of TOR endpoints peaked so to speak. So the call to action was not a big success.

Let’s fiddle with this data some more.

Out of the 2126 IPs observed through the 19 days. 33.4% percent operate 24/7. 50% of all IPs operate less than 144 hours. Interesting pattern is that 11.4% of all IPs operate for only 1 day.


There are 71 countries with at least 1 TOR endpoint. The Top 10 countries for number of distinct TOR endpoints operated at some time in the dataset are Germany, United States, Russia, France, The Netherlands, India, Great Britain, Canada, Italy and Sweden. They comprise roughly 72% of all IPs in the system.


If we look at the aggregated uptime of all endpoints we see a slightly different story. Now United States takes the lead, followed by The Netherlands, France, Germany, Great Britain, Canada, Russia. A new contender is Romania, followed by Sweden and Switzerland.


Observing the mean and median uptime of the Top 10 countries of all aggregated uptime we see, that German and Russian endpoints tend to have a shorter lifespan than the other countries.

For example let’s see the German IPs, there are 317 of them. A whois request reported different asn_country_codes for 13 IP addresses from Ripe NCC. The largest registrar of these IPs are Deutsche Telekom AG, ARCOR AG and Telefonica Deutschland, about 50% of all IPs are registered by them. There are a large number of hosting services providing TOR endpoints like Keyweb AG, Contabo, Hetzner Online AG or xsserver.ue.

This post gave you an insight into how an anonymity providing network like TOR works. They used to say anonymous networks are hiding people. But not ad fraudsters. We will keep an eye on this and similar networks…

Written by Gabor Nagy, Data Scientist at

Leave a Reply

Your email address will not be published. Required fields are marked *