Hackers hijack a quarter of Tor traffic in just a year

As of February 2020, a malicious individual or group controlled 27% of the exit nodes on the Tor network. The operator uses them in particular to tamper with Bitcoin addresses and divert the transactions to its own wallet. This is an unprecedented threat to a network that claims to be one of the most secure in the world.


Tor is the gold standard for anonymity on the Internet. Best known for being the main gateway to the dark web, it was originally designed to anonymize all actions and communications on the Internet. It does this by using a system called “onion routing,” which involves layering multiple nodes in order to hide the user’s IP address. The middle nodes receive the traffic and pass it among themselves, while the exit nodes forward it to the targeted web address.

These exit nodes are therefore an essential element of user security. Compromising them gives access to all the information that the previous nodes are supposed to have hidden. In the past, exit nodes have been attacked, including through the injection of malware called OnionDuke, which is capable of stealing the credentials of those affected. This time, an operation of a whole new magnitude has been discovered.

27% of Tor exit nodes are compromised

For over a year, an unknown entity has controlled no less than 27% of exit nodes, says a study by nusenu, an independent cybersecurity researcher. “The entity that attacks Tor users has been actively exploiting them for over a year and has extended the scale of its attacks to a new all-time high,” the researcher explains. “The average exit share controlled by this entity was greater than 14% over the past 12 months.” Last February, this share therefore rose to more than a quarter of total traffic.

The operation started in December 2019. The first reported attacks date back to January 2020, according to a study published in August of the same year. At that time, the entity had 380 compromised exit nodes. Following the researchers’ report, Tor disabled these compromised nodes in hopes of eliminating the threat. It was a failure since, at the beginning of May 2021, more than 1000 nodes controlled by the attackers were identified. Again, Tor has disabled these.


Hackers Use Corrupt Nodes to Hijack Bitcoin

According to nusenu, this control allows hackers to launch man-in-the-middle attacks, in other words to intercept data sent by the user before it reaches its destination. More specifically, they attack Bitcoin addresses exchanged over the HTTP and HTTPS protocols in order to transfer the transaction to their own wallets. “If a user visits the HTTP version of a site, they prevent the site from redirecting the user to its HTTPS version,” Tor explains. “If the user does not notice that they are not on the HTTPS version of the site and proceeds to send or receive sensitive information, it can be intercepted by the attacker.”
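The address substitution described above can be detected by comparing a copy of a page fetched over a trusted path with the copy received through an exit relay. The following Python is an added example, not code from nusenu or the Tor Project; the sample pages and addresses are constructed, all function names are hypothetical, and only legacy Base58Check addresses are handled.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses only (prefix 1 or 3); bech32 "bc1..." is out of scope here.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Encode version byte + 20-byte hash; used here only to build sample data."""
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]

def addresses(body: str) -> set:
    """Checksum-valid addresses in a page body (the checksum filters random look-alikes)."""
    return {a for a in CANDIDATE.findall(body) if is_valid_address(a)}

def compare(reference: str, via_exit: str) -> dict:
    """Diff the addresses in a trusted copy against the copy received through an exit."""
    ref, seen = addresses(reference), addresses(via_exit)
    return {"missing": sorted(ref - seen), "injected": sorted(seen - ref)}

def sample_address(label: bytes) -> str:
    """Constructed P2PKH-style address derived from a label, not a real wallet."""
    return b58check_encode(b"\x00" + hashlib.sha256(label).digest()[:20])

# Constructed sample: the same page as served by the site and as seen through a relay.
SITE_ADDR, OTHER_ADDR = sample_address(b"site"), sample_address(b"substituted")
REFERENCE = f"<p>Donate: {SITE_ADDR}</p>"
VIA_EXIT = f"<p>Donate: {OTHER_ADDR}</p>"

if __name__ == "__main__":
    print(compare(REFERENCE, VIA_EXIT))   # non-empty lists mean the body was altered
    print(compare(REFERENCE, REFERENCE))  # both lists empty for an untouched page
```

A non-empty `injected` list together with a matching `missing` entry is the signature of a swapped payment address; pages that legitimately rotate addresses per visitor will also differ and need a separate baseline.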

To limit attacks, Tor calls on website administrators to urgently adopt the HTTPS protocol and add a .onion domain so that traffic bypasses the exit nodes. “The risk of being the target of malicious activity perpetuated through Tor is unique to each organization,” the US Cyber Security Agency (CISA) said in July 2020. “An organization should determine its individual risk by assessing the likelihood of an attacker targeting its systems or data and the likelihood of success given current security measures and controls.”

Source: nusenu
