In recent weeks, the number of “hidden services”—usually Web servers and other Internet services accessible by a “.onion” address on the Tor anonymizing network—has risen dramatically. After experiencing an earlier spike in February, the number of hidden services tracked by Tor spiked to 114,000 onion addresses on March 1. They then dropped just as quickly, falling to just below 70,000 hidden services seen by Tor on Thursday—still twice the number that Tor had held steady at for most of 2015.
“We don’t know what’s causing this,” said Kate Krauss, the director of communications and public policy for the Tor Project. “But it’s not difficult for even one person—a researcher, for instance—to create a lot of new onion addresses—which is not the same as actual websites or services. In fact, we want the process of creating onion addresses to be as easy as possible to encourage the creation of more onion services. These spikes are typically temporary—and as you see from the chart, this one is already going away.”
Still, there has never been this sort of wild gyration in the number of addresses in recent times—or at least as far back as the Tor Project has kept metric data. So what caused the sudden near-tripling of the size of Tor’s hidden Web and its rapid contraction? Based on a deeper look at Tor’s metrics and discussions with both Tor developers and security experts, the huge spike in the “size” of the hidden Web within Tor was likely caused by a perfect storm of coincidences: major Internet censorship events in at least two countries, the relatively rapid adoption of a new messaging tool, a malware explosion, and ongoing attempts to undermine the privacy of the network.