Pierluigi Paganini May 10, 2021

Since early 2020, bad actors have added Tor exit nodes to the Tor network to intercep traffic to cryptocurrency-related sites

Starting from January 2020, a threat actor has been adding thousands of malicious exit relays to the Tor network to intercept traffic and carry out SSL stripping attacks on users while accessing mixing websites, The Record first reported.

SSL Stripping (aka SSL Downgrade Attack) allows downgrading connection from secure HTTPS to HTTP which could expose the traffic to eavesdropping and data manipulation. 

In the case of the attacks against the Tor network, threat actors aimed at replacing the addresses of legitimate wallets with the ones under the control of the attackers to hijack transactions.

In August 2020, the security researcher and Tor node operator “Nusenu” described this practice in an analysis on how malicious Tor Relays are exploiting users in 2020.

Nusenu has published a new part of its research that reveals that threat actor are still active.

“You can see the repeating pattern of new malicious relays getting added to the tor network and gaining significant traction before dropping sharply, when they got removed.” reads the study.

“In terms of scale of the attacker’s exit fraction, they managed to break their own record from May 2020 (>23% malicious exit fraction) twice:

• on 2020–10–30 the malicious entity operated more than 26% of the tor network’s exit relay capacity
• and on 2021–02–02 they managed more than 27% of tor’s exit relay capacity. This is the largest malicious tor exit fraction I’ve ever observed by a single actor.”

Threat actors operated more than 26% of the tor network’s exit relay capacity two times in the last year, reaching 27% in February 2021.

The attackers remained under the radar because they were adding a limited number of new malicious exit relays each time.

The attacks were all detected and the malicious Tor exit relays were removed from the Tor network, anyway, the experts pointed out that threat actors were able to intercept the traffic for months.

Earlier May the malicious Tor relays were removed again, but this time the threat actors attempted to replace them by adding a large number of new exit nodes.

The rapid increase was immediately spotted by the maintainers at the Tor Project, but according to Nusenu their response was not effective because as of 2021–05–08 he estimates the attackers are controlling between 4-6% of the tor network’s exit capacity used to perform SSL stripping attacks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Tor)

[adrotate banner=”5″]

[adrotate banner=”13″]