The Tor project said it could face attempts to incapacitate its network in the next few days through the seizure of specialized servers.
The project did not name the group or agency that may try to seize its directory authorities, the servers that provide Tor users with the list of distributed relays that bounce communications around the network.
"We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use," wrote "arma" in a post Friday on the Tor project blog. The "arma" developer handle is generally associated with project leader Roger Dingledine.
Rather than taking a direct route from source to destination, data packets on the Tor network, which is designed to mask people's Internet use, take a random path through several relays that cover users' tracks.
Unless an adversary can control a majority of the directory authorities, he can't trick the Tor client into using other Tor relays, according to the Tor project website. There are nine directory authorities spread across the U.S. and Europe, according to arma.
There were no reports of a seizure by late Sunday. The project promised to update the blog and its Twitter account with new information.
Users who live under repressive regimes look to Tor as a way to escape surveillance and censorship. But the network has also been used by illegal websites including online sellers of drugs, like the underground drug market Silk Road. A second version of the market, Silk Road 2.0, was launched a few weeks after the first was seized by law enforcement in October 2013, according to the U.S. Department of Justice.
Millions use the Tor network at their local Internet cafe to stay safe for ordinary Web browsing, as do banks, diplomatic officials, members of law enforcement, bloggers and others, according to the Tor project.
"Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker," it added.
An exit node cluster operator for the Tor network reported unusual network activity late Sunday. But that was not seen as an indication of the expected attack. "No, this is an exit relay operator, not a directory authority operator," wrote arma in a comment.