Demonoid is a semi-closed community of file sharers. They host a public BitTorrent tracker, but their website is closed to the general public. Unlike with most private trackers’ websites, users can’t register online with Demonoid without providing an invite from an already existing member. Is Demonoid therefore a honeypot?
Before Demonoid members start commenting here that one could also register once or twice a month via the website without invites: yes, I’ve read that too, and no: I never saw registrations open on their site even once (and I’ve tried persistently for months and months). Perhaps it’s true, perhaps it’s not. Perhaps it was true in the past, and they morphed into an invites-only site and have not yet updated their scripts?
But back on topic: is Demonoid a honeypot because it relies on invites? It’s a remote, though quite real, possibility. An invites-based user base forms a graph of relationships. If a member sends N invites to his/her friends, and those invited do the same with their free invites, Demonoid admins get an extremely accurate insight into relationships of their users. That is much more than what most other private tracker sites get to see… and is perhaps the only reason for them running this site at all.
This graph of relationships is actually a godsend for any serious honeypot operator. If Demonoid had been taken over by some anti-piracy organization, the most effective way to infiltrate the file sharer scene isn’t identifying who’s in a swarm (that’s trivial), it’s to know how members — esp. torrent uploaders — are related to each other. This knowledge is critical for investigators trying to establish trust within the community, identifying introducers etc. Adding to this the knowledge of the kinds of torrents that each member uploads/downloads (only members can download and upload torrents), group profiling becomes even more easy.
If Demonoid were a honeypot, it would also explain why they periodically open registrations (as they say) once or twice in a month: this way, they can add disconnected groups to their graph database. It would also explain why they open only for a day or two: due to limited resources in real private investigators, they would have no need to explore more groups than the few they acquire within a couple of hours per month.
Even though Demonoid is well-known for hosting excellent torrents to rare and high quality data, and has good reputation, users should be aware of the pitfalls related to this invites-only model. It’s not only about identifying individual file sharers, it’s about identifying groups of friends and like-minded people… including users who have not registered yet, but who may eventually. If this (hypothetical?) Demonoid honeypot spans multiple domains (nothing prevents them from expanding into a honeynet), the analysis of groups would be even easier.
Any serious file sharer (torrent uploader) considering joining Demonoid or another website via an invite, should think twice, and think hard, before doing so. You’re exposing social relationship data to an organization that may use it against you… if not now, then when they sell out, or when someone hacks into their database. It’s not worth the risk. If you really must register with them, wait until they open for registration again and register anonymously on their website. Good luck!
Update 12/13/2009: Demonoid is back after a long hiatus… and, perhaps unsurprisingly, they’re still invites-only — which kind of proves me point, or at least reinforces it.
Update 02/07/2010: Demonoid registrations are open. Yeah, I’ve finally caught the small time window. 