Investigator Use
Tor IP Relay (Tor Exonerator) is an official service provided by the Tor Project at exonerator.torproject.org that allows investigators and system administrators to determine whether a specific IP address was operating as a Tor exit node, relay, or bridge at a specific date and time in the past.
For OSINT investigators and law enforcement, the Tor Exonerator solves a critical problem in Tor-related investigations: when a suspicious or malicious connection originates from an IP address, it is essential to know whether that IP was a Tor exit node at the time of the connection. If it was, the actual originating user could be anywhere in the world — the exit node IP is the last Tor relay, not the user's real IP address.
Primary investigative use: When analyzing logs from a compromised system, threat intelligence platform, or abuse report, run suspicious IP addresses through Tor Exonerator with the relevant date and time. If the IP is confirmed as a Tor exit node at that time, the investigation must account for the Tor anonymization layer and cannot attribute the connection to the IP address owner.
This determination is also critical for exonerating individuals whose IP addresses appear in connection logs due to running Tor relays. A Tor relay operator whose IP appears in a criminal access log may simply have been operating a legitimate Tor node — Tor Exonerator confirms this distinction.
For threat intelligence work, Tor Exonerator helps categorize suspicious connections. Organizations experiencing repeated attacks from Tor exit nodes can use this context to understand the attacker's likely use of anonymization infrastructure and adjust their defensive posture accordingly.
The service queries the historical Tor consensus data maintained by the Tor Project, which records relay and exit node status at each consensus period. Results include whether the IP was listed as a relay, exit, or guard node and the relevant time period.
Record all Tor Exonerator query results with the IP address queried, date and time range, and the exact result returned for inclusion in investigation documentation.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
Ahmia
Dark Web OSINT
Ahmia indexes Tor hidden services, enabling investigators to search .onion sites by keyword without the Tor browser.
BlackWeb
Dark Web OSINT
BlackWeb is a community-maintained blacklist of malicious and spam domains for network filtering and threat infrastructure identification.
Dark Web Tools
Dark Web OSINT
IACA Dark Web Tools is a law enforcement-oriented collection of resources for searching Tor hidden services and dark web content.
Onion Inspector
Dark Web OSINT
Onioff inspects .onion URLs to verify availability, extract page metadata, and map Tor hidden service content for dark web OSINT.
Onion Links
Dark Web OSINT
Find the best onion links list here. Working onion links for 2025 with the best dark web links to explore. All working and updated.
Onion Scan
Dark Web OSINT
OnionScan investigates dark web sites for misconfigurations, operator errors, and links to clearnet infrastructure revealing real identities.