In search of light: detecting cybercrime through the analysis of unencrypted traffic on the TOR network

Since its inception, the TOR network has garnered criminological interest due to its association with criminal services and its ability to provide anonymity for accessing the Dark Web. While often linked to illicit activities, TOR was originally designed to protect user privacy, and there is no evidence it was created solely to facilitate crime. This study examines traffic routed from TOR to external services, aiming to assess its regular, non-criminal use. A technological method captures unencrypted traffic to analyse DNS queries made to the Surface Web, evaluating the geographical distribution, service volume, and digital reputation of the accessed pages. The findings challenge the notion that TOR is primarily used for criminal activities, revealing that most traffic is directed toward legitimate Internet services unrelated to illegal behaviour. This study provides a more balanced view of TOR's role in online privacy and crime prevention.