Cybersecurity researchers report that a threat actor has been adding malicious servers to the Tor network to intercept traffic headed for cryptocurrency websites and to carry out SSL stripping attacks on users accessing mixing websites.
The threat actor, through its exit relays, performed an SSL stripping attack on traffic headed for cryptocurrency websites, downgrading the encrypted HTTPS connection to plaintext HTTP. Tor encrypts traffic only between the client and the exit relay; whatever the exit forwards to the destination in plaintext it can read and modify, which is what makes the downgrade effective. In these attacks the threat actor aimed to replace the addresses of legitimate wallets with addresses under its own control in order to hijack transactions.
In August 2020, security researcher and Tor node operator Nusenu first highlighted this malicious behavior, and has now shared more details about the ongoing campaign in a follow-up post, which shows that the threat actor is still active.
“You can see the repeating pattern of new malicious relays getting added to the tor network and gaining significant traction before dropping sharply, when they got removed,” reads the study.
“In terms of scale of the attacker’s exit fraction, they managed to break their own record from May 2020 (>23% malicious exit fraction) twice:
• on 2020-10-30 the malicious entity operated more than 26% of the tor network’s exit relay capacity
• on 2021-02-02 they managed more than 27% of tor’s exit relay capacity. This is the largest malicious tor exit fraction I’ve ever observed by a single actor.”
According to the researcher, the threat actor managed to fly under the radar for more than a year because the malicious exit relays were added to the Tor network in small increments until they made up more than 23% of all exit nodes. The threat actor operated more than 26% of the Tor network’s exit relay capacity twice in the past year, reaching 27% in February 2021.
Once the scheme was discovered, the exit relays were removed from the Tor network; even so, the experts pointed out that the threat actor had been able to intercept traffic for months. Despite being outed, the threat actor continues to add new malicious nodes, and Nusenu estimates that between 4% and 6% of the Tor exit nodes are still under its control.
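One way to monitor for the slow-accumulation pattern described above is to compute each operator’s share of exit consensus weight per consensus snapshot and alert on an outsized share or on sudden growth. This is an added example, not code from Nusenu’s post or the Tor Project; the relay records, operator names and the attribution of relays to operators are constructed placeholders.

```python
from collections import defaultdict

# Constructed consensus snapshots (placeholder values, not real Tor data).
# Record: (fingerprint, operator, has_exit_flag, consensus_weight). "operator" is the
# analyst's attribution key (contact, family, hoster); that clustering is assumed done.
SNAPSHOTS = {
    "2020-03-01": [
        ("A1", "unknown-entity", True, 500),
        ("L1", "org-1", True, 1900), ("L2", "org-2", True, 1900), ("L3", "org-3", True, 1900),
        ("L4", "org-4", True, 1900), ("L5", "org-5", True, 1900), ("G1", "org-1", False, 8000),
    ],
    "2020-04-01": [
        ("A1", "unknown-entity", True, 700), ("A2", "unknown-entity", True, 500),
        ("L1", "org-1", True, 1800), ("L2", "org-2", True, 1800), ("L3", "org-3", True, 1800),
        ("L4", "org-4", True, 1700), ("L5", "org-5", True, 1700), ("G1", "org-1", False, 8000),
    ],
    "2020-05-01": [
        ("A1", "unknown-entity", True, 800), ("A2", "unknown-entity", True, 1600),
        ("L1", "org-1", True, 1500), ("L2", "org-2", True, 1500), ("L3", "org-3", True, 1600),
        ("L4", "org-4", True, 1500), ("L5", "org-5", True, 1500), ("G1", "org-1", False, 8000),
    ],
}


def exit_fraction_by_operator(relays):
    """Share of the total exit consensus weight held by each operator."""
    total, per_op = 0, defaultdict(int)
    for _fp, operator, is_exit, weight in relays:
        if not is_exit:
            continue  # guard/middle relays do not count toward exit capacity
        total += weight
        per_op[operator] += weight
    return {op: w / total for op, w in per_op.items()} if total else {}


def find_anomalies(snapshots, max_share=0.20, max_growth=0.05):
    """Flag operators above max_share of exit capacity, or whose share grew by more
    than max_growth since the previous snapshot (the slow-accumulation pattern)."""
    alerts, previous = [], None
    for date in sorted(snapshots):
        shares = exit_fraction_by_operator(snapshots[date])
        for operator, share in shares.items():
            growth = share - previous.get(operator, 0.0) if previous else None
            if share > max_share:
                alerts.append((date, operator, "share", round(share, 3)))
            elif growth is not None and growth > max_growth:
                alerts.append((date, operator, "growth", round(growth, 3)))
        previous = shares
    return alerts
```

With the constructed data, `find_anomalies(SNAPSHOTS)` raises a growth alert for the unattributed entity in April and a share alert in May, while the steady legitimate operators stay quiet.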