Mirrors on the Dark Web 1/2

As we mentioned, The Dark Web in Figures, around 70% of the total volume of active sites on the dark web comprises copies (mirrors) of around 60 sites. Here we will describe the concept of mirror sites and try to explain this mass mirroring phenomenon.

A mirror is a copy of a site at a different address. In some cases, a website on the clear web may decide to create a copy on the dark web. For example, the Berlin-based daily newspaper Die Tageszeitung (taz.de) has a mirror on Tor (ibpj4qv7mufde33w.onion). Many sites on the dark web also have one or several mirrors on the same network.

There are several good reasons for a website to create one or more mirrors. On the one hand, this creates a backup copy that could be useful if the main site has technical issues. It can also help protect against DDoS attacks. The mirrors therefore guarantee service continuity if the original site becomes unavailable. On the other hand, a mirror can also redirect traffic if the main site is overloaded.

 Screenshot of the daily paper Die Tageszeitung’s Tor mirror

Typically, each mirror site will contain a link to the other mirror sites. The now-defunct HydroBull site (cannabis sales) had three mirrors, and all its homepages featured the three onion addresses of its mirrors (see red box in the screenshot).



The Aleph Search Dark search engine can display domains in the form of a graph. Each domain name is represented by a dot. If site A contains a link to site B, we connect the dots representing these sites. When we display the three HydroBull mirrors in a graph, we can see that the three sites are connected to each other.

However, this is not the case for all the mirrors on the dark web, as mirrors are not always linked (via a hyperlink) to the original site. This raises questions about the purpose of these “isolated” sites. These mirrors may be useful as backups, but if they’re not referenced by the original site, how will users know what backup address to use?

Around 60 websites on the dark web each have more than 100 mirrors, and some even have several thousand duplicates. When we plot the sites and their mirrors on a graph, we can see that the vast majority or even the totality of the mirrors are not connected. In the following example, the Xonions site has been replicated 1,070 times.

Only 27 mirrors are connected – and not interconnected – since 26 of the mirrors refer to a central site. Of these 27 sites, none originated during the massive wave of mirrors created in 2020 (from March until July, with a decrease until the beginning of September). Only four mirrors in this network were created after September 2020, while all the others were created between 2015 and October 2019.

Most of the other mirrors were created during the wave (more than 800) and later. The following graph shows the number of Xonions mirrors we detected from January 2020 to June 2021 (we highlighted the period from March to September 2020).

The same pattern has occurred for sites that were cloned multiple times: the mirrors are almost all isolated and created around the same time, as we can see in the case of Buy Real Money (1,613 mirrors) and Amazon Gift Cards (2,126 mirrors).

Given the very strong similarity in relational patterns and the timeframe during which the mirrors were created, it is likely that this mass mirroring in 2020 was the work of the same person or the same community.

Comment utiliser le Dark Web de façon professionnelle ?