Tor enables anonymous web browsing and access to anonymous onion websites. Prior work has focused on crawling and content analysis rather than on what users actually try to access. Our honeypot approach measures engagement across onion-site categories, revealing behavioral interest rather than inferred popularity. In March–April 2025, we deployed honeypot onion websites and seeded neutral-looking links via three channels (the Ahmia Tor search engine, the Stronghold paste onion "paste" service, and pastebin.com) to observe discovery and subsequent interaction events (CAPTCHA solves; registration/login attempts). We observe that, almost without exception, human users originate from Ahmia.fi; after removing the honeypot links from the Ahmia.fi search results, visits dropped to nearly zero and no users solved CAPTCHAs. The honeypot landing front pages represent different forums for cybercrime activities (child sexual abuse, violence, malware, stolen goods, illegal firearms, illegal drugs, and forgery items) and, as a baseline comparison, an unclear forum. Within that set, the CSAM-themed honeypot drew markedly higher engagement than the other honeypots. When identical sites were offered in multiple languages, interaction events occurred most often on the English-language versions.