en
Back to the list

Malicious Tor Network Servers Are Targeting Users’ Cryptocurrencies

source-logo  decrypt.co  + 1 more 10 May 2021 15:29, UTC

Users of the anonymity-focused Tor Network are at risk of losing their cryptocurrencies to a continuous large-scale cyberattack that was launched in early 2020, new data suggests.

According to a report published by cybersecurity researcher and Tor node operator Nusenu yesterday, an unidentified hacker has been adding thousands of malicious servers to the Tor network since as early as January 2020. Despite being shut down several times, the attacker continues to track and intercept users’ crypto-related data to this day.

Exploiting demand for anonymity

Tor is free and open-source software that allows users to anonymize their Internet traffic by sending it through a network of servers operated by volunteers. In order to take advantage of this system, the hacker has been adding their own malicious nodes, marked as “exit relays,” to the network.

“In May 2020 we found a group of Tor exit relays that were messing with exit traffic. Specifically, they left almost all exit traffic alone, and they intercepted connections to a small number of cryptocurrency exchange websites,” Tor developers revealed last August.

As the name suggests, Tor exit relays are responsible for sending users’ requests back into the “normal” Internet after they have been anonymized. However, the hacker made some adjustments to the code that allowed him to pinpoint crypto-related traffic and modify it before sending it out.

The Tor Project explained that these servers stopped websites from redirecting visitors to more secure HTTPS versions of their platforms. If users didn’t notice, and continued to send or receive sensitive information, it could have been intercepted by the attacker.

It is believed that the hacker is using their servers to switch crypto addresses in transaction requests made by users and redirect their cryptocurrencies to their own wallets. The hacker recently also began modifying downloads made through Tor, but it is unclear to what end or what other techniques they might be using.

Long game of whack-a-mole

Over the past 16 months, the hacker’s servers have been shut down by Tor developers at least three times already, Nusenu explained. Notably, the malicious nodes accounted for roughly a quarter of the Tor network’s exit capacity on several occasions, peaking at 27% in February 2021.

Recently, the hacker even turned all of their servers on suddenly, boosting the network’s exit capacity from roughly 1,500 relays to 2,500. Such a sharp increase did not go unnoticed, however, and the malicious relays were removed.

However, the hacker is constantly rebuilding their network. By Nusenu’s estimations, up to 10% or even more of Tor’s exit relay capacity could still be controlled by the attacker to this day.

“The reoccurring events of large scale malicious Tor relay operations make it clear that current checks and approaches for bad-relays detection are insufficient to prevent such events from reoccurring and that the threat landscape for Tor users has changed,” Nusenu concluded.

decrypt.co

Similar news (1)
Add similar news

Add similar news

Send us a link to a similar news story on another source.

Why do we need it

The citation rate of a news item indicates its importance and significance. The number of mentions in different sources allows you to look at an event from different angles.

Please help us improve the application. If we have published news and you have found a similar one in another source, send us a link to it.