Tor-based hidden services host substantial criminal infrastructure, yet de-anonymization research remains fragmented across heterogeneous techniques. No prior work has organized these techniques into a unified taxonomy oriented toward forensic investigation. This paper proposes a five-layer vulnerability taxonomy for Tor hidden services, distinguishing network-level (L1), application-level (L2), side-channel (L3), operational-security-failure (L4), and ecosystem-level (L5) categories. The taxonomy is derived from a structured review of literature published between 2002 and 2024. We further propose a Traceability Evaluation Framework (TEF) that scores 11 vulnerability types along three dimensions: Applicability, Technical Difficulty, and Legal Admissibility. The TEF dimension weights are derived through Analytic Hierarchy Process elicitation from a five-member expert panel of cybercrime investigators, digital forensics researchers, and a legal scholar. The resulting weights of (0.385, 0.204, 0.412) for Applicability, inverted Technical Difficulty, and Legal Admissibility prove robust to ±0.10 perturbations in sensitivity analysis. Under this framework, four application-layer (L2) and operational-security-failure (L4) vulnerabilities receive the highest traceability scores (TS ≥ 2.80), while two network-level (L1) attacks and one side-channel (L3) technique fall to the lowest tier. The framework integrates technical exploitability with legal admissibility constraints across U.S., EU, and other evidentiary regimes, providing a structured reference for investigators and a methodological foundation for case-based empirical validation in future work.
Shin et al. (Sun,) studied this question.
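The AHP weighting and ±0.10 sensitivity check named in the abstract can be sketched as follows; this is an added example, not code or data from the paper. The pairwise matrix, the ratings, the 1-3 rating scale, the weighted-sum score and all function names are assumptions made for illustration, and the row geometric-mean method is one standard way to approximate AHP priorities. Only the weights (0.385, 0.204, 0.412) come from the page.

```python
import math

RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}  # Saaty's random consistency index
PAPER_WEIGHTS = (0.385, 0.204, 0.412)  # from the abstract: A, inverted TD, LA

# Constructed pairwise judgements (row criterion vs column criterion), order A, TD, LA.
PAIRWISE = [[1.0, 2.0, 1.0],
            [0.5, 1.0, 1 / 3],
            [1.0, 3.0, 1.0]]

# Constructed ratings on an assumed 1-3 scale; difficulty already inverted (3 = easiest).
RATINGS = {"L2-sample": (3, 3, 3), "L4-sample": (3, 2, 3),
           "L3-sample": (2, 1, 2), "L1-sample": (1, 3, 1)}

def ahp_weights(matrix):
    """Return (priority vector, consistency ratio) for a reciprocal matrix."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    w = [g / sum(gm) for g in gm]
    # Estimate the principal eigenvalue as the mean of (A w)_i / w_i.
    aw = [sum(a * x for a, x in zip(row, w)) for row in matrix]
    lam = sum(v / x for v, x in zip(aw, w)) / n
    return w, ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

def score(weights, ratings):
    """Assumed scoring rule: weighted sum of the three dimension ratings."""
    return sum(w * r for w, r in zip(weights, ratings))

def ranking(weights, items):
    return sorted(items, key=lambda k: score(weights, items[k]), reverse=True)

def perturb(weights, idx, delta):
    """Shift one weight by delta and rescale the others to keep the same total."""
    total, new = sum(weights), weights[idx] + delta
    scale = (total - new) / (total - weights[idx])
    return [new if i == idx else w * scale for i, w in enumerate(weights)]

def ranking_is_stable(weights, items, delta=0.10):
    """True if no single-weight shift of +/-delta changes the ranking."""
    base = ranking(weights, items)
    return all(ranking(perturb(weights, i, d), items) == base
               for i in range(len(weights)) for d in (-delta, delta))

if __name__ == "__main__":
    w, cr = ahp_weights(PAIRWISE)
    print("AHP weights:", [round(x, 3) for x in w], "CR:", round(cr, 4))
    print("Ranking:", ranking(PAPER_WEIGHTS, RATINGS))
    print("Stable at +/-0.10:", ranking_is_stable(PAPER_WEIGHTS, RATINGS))
```

A consistency ratio below 0.10 is the conventional AHP threshold for accepting a judgement matrix; a ranking that survives every single-weight perturbation is what "robust" means in this sketch.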