What is The Invisible Internet Project (I2P)?

Dread users abandon tor

Over the past few weeks our threat intelligence team has been monitoring a prolonged outage of the Tor site of the popular dark web forum, Dread. 

Dread is a Reddit-style forum that includes conversations on criminal topics that would be banned from a website on the clear web. Indeed, it was born out of Reddit’s clampdown on discussions around dark web markets and scamming techniques. Almost since its inception, Dread has been plagued by denial-of-service (DoS) attacks and its administrator has confirmed that the forum’s most recent downtime is the result of a persistent actor targeting its onion site. According to them, the objective of the attacker is to extort the dark web markets that use Dread to communicate with their users.

While criminal infighting is very common on the dark web, what is significant about this case is that it has led many users to migrate to Dread’s I2P mirror to access the forum, as an alternative to its Tor onion. This move from a significant forum like Dread warrants organizations and law enforcement to take a closer look at I2P, as a burgeoning dark web network that they need to be aware of.

What is i2p?

The Invisible Internet Project (I2P) is an anonymous network layer designed to facilitate private communication between its users. As it intentionally obfuscates activity, it fits the definition of what is commonly referred to as a dark web network (you can read our blog on the differences between the clear, deep, and dark web here).

Like Tor (the most popular dark web network) I2P works by encrypting traffic and passing it through a series of proxies to conceal the identity of the user and their location. However, there are a few key differences in how I2P works and how it is used.

One of the key characteristics of I2P is that it is a decentralized, peer-led network, where users contribute to the bandwidth of the network and also volunteer to act as “nodes”, routing the traffic through multiple IPs to make it harder to trace. This distinguishes it from Tor, which takes a centralized directory-based approach.

Another key distinction is that I2P is not designed for anonymous browsing of the internet, as Tor is. It does not connect to the internet directly, acting instead as a completely separate network layer on top of the internet. In that sense, I2P is very much a closed loop – designed for users to interact anonymously within the network, but not outside.

Therefore, the main use of I2P is for the websites built on the network, which are concealed from the internet at large. As Tor sites end in .onion, I2P’s end in .i2p, but it claims that its sites are optimized to run faster than those on Tor.

Why is it important to know about i2p?

While Tor is by far the most popular dark web network it is important to acknowledge (as we did in our How Tor Works blog) that it is not the only one. Moreover, while its size means that it is more established and better funded, it also makes it a target for blocking and DoS attempts, such as those currently impacting the Dread forum.

Below: The Dread Administrator Explains The Transition to I2P, After Failing to Fix Its Tor Onion

These challenges benefit Tor’s competitors, and there is a notable upward trend in the users of I2P. According to its own data, the number of routers (i.e. nodes) on the I2P network peaked at more than 33k in November 2022, up from 25k in November 2019. While these numbers remain small (certainly compared to Tor, which has millions of users), that is nearly a 30 percent increase in I2P’s user base and we should expect these numbers to increase if criminals are forced to find alternatives to Tor.

For organizations that are looking to protect themselves from dark web activity, and law enforcement agencies that are trying to crack down on online crime, it is important to understand how I2P and other dark web networks work. The criminal underground is always evolving and keeping a close eye on new trends is imperative to stay on top of emerging threats.