Sometime in the year 2018, cybersecurity firm Proofpoint published an article that reported the existence of multiple Tor-to-web proxy operators that were covertly replacing user Bitcoin addresses – the replacement meant that the operators would gain access to ransomware payment portals and hijack the payments submitted by victims.
The Growing TOR Problem
In December 2019, article titled "The growing problem of malicious relays on the tor networks" popped up to raise awareness regarding the Tor situation while plugging into hope for an improved cyber situation for Tor users.
Today, since beginning of the year 2020, an unknown threat actor has been reportedly linking servers to the Tor network to perpetrate SSL stripping attacks against users browsing crypto-related platforms via the Tor browser.
The mysterious threat actor’s actions have been described as aggressive and persistent, to the extent that they managed to run a quarter of all Tor exit relays – servers where user traffic leaves the Tor network to enter the public internet - by the fifth month of 2020.
According to details shared by a report written by independent security expert and Tor server operator Nusenu, the threat actor launched three hundred and eighty Tor exit relays at their peak – even before the Tor network stepped in to provide interventions against the attacks.
SSL Stripping Attacks Targeting Crypto Users
Nusenu’s report intimated that the threat actor involved in 2020’s malicious Tor relays has been using “person-in-the-middle attacks” against Tor users by altering web traffic as it moves via their exit relays – specific targets are users accessing crypto-related platforms using Tor.
It turns out that the primary goal of the threat actor’s actions is to enable the mysterious group to replace Bitcoin addresses within HTTP traffic heading to crypto mixing services. Such replacement leads to the successful hijacking of user funds without the victim or crypto mixer’s knowledge.
According to Nusenu’s research, a number of contact email addresses were identified to be linked with the malicious servers. A tracking process revealed the existence of more than nine different malicious Tor exit relay groups operating for the past seven months.
It turns out that the malicious network’s May 22 peak saw the threat actor controlling 23.95 percent of all Tor exit relays, which meant that Tor users were walking on a landmine – there was a one-in-four chance that a user would encounter a malicious exit relay.
As far as Nusenu is concerned, he has been alerting the malicious exit relays to Tor administrators since the month of May that preceded the major June 21 takedown that slashed the malicious actor’s capacities.
Nonetheless, even as Tor seemed to have regaining control of the network from the enemy’s grip, Nusenu notes that the events following the takedown were accompanied by evidence that the attacker is still in control of more than 10 percent of the Tor network exit capacity.
Solution – Averting the Risks
In previous writing, Researcher Nusenu attempted to recommend a solution to the spate of SSL stripping attacks that have plagued the Tor network for the last two years.
In highlight, he claimed that there is no real solution for the malicious Tor relays owing to the infrastructural challenges posed by the threats – although risk reduction stands to be the best bet at the moment.
In his counsel, he advised that Tor directory authorities figure out a way to make it difficult and inconvenient for threat actors to add massive amounts of Tor capacity.
Otherwise, Nusenu seemed to be at crossroads with what adversaries can achieve – determined hackers have demonstrated unmatched agility and consistency in the past, an aspect that may suggest that the Tor network is far from eliminating the existing threat of malicious relays.