KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

Pierluigi Paganini December 03, 2021

Since 2017, an unknown threat actor has run thousands of malicious Tor relay servers in the attempt to unmask Tor users.

A mysterious threat actor, tracked as KAX17, has run thousands of malicious Tor relay servers since 2017 in an attempt to deanonymize Tor users.

KAX17 ran relay servers in various positions within the Tor network, including entry and exit nodes, researchers at the Tor Project have removed hundreds of servers set up by the threat actor in October and November 2021.

In August 2020, the security researcher that goes online with the moniker Nusenu revealed that in May 2020 a threat actor managed to control roughly 23% of the entire Tor network’s exit nodes. Experts warned that this was the first time that a single actor controlled such a large number of Tor exit nodes. A Tor exit relay is the final relay that Tor traffic passes through before it reaches the intended destination. The Tor traffic exits through these relays, this means that the IP address of the exit relay is interpreted as the source of the traffic.  Tor Exit relays advertise their presence to the entire Tor network, so they can be used by any Tor user.

Controlling these relays it is possible to see which website the user connects to and, if an insecure connection is used, it is also possible to manipulate traffic. In May 2020, the threat actor managed to control over 380 Tor exit nodes, with a peak on May 22, when he controlled the 23.95% of Tor exit relay.

Nusenu told The Record that it has observed a recrudescence of the phenomenon associated to the same attacker.

“But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017.” reads the post published by The Record. “Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.”

Most of the Tor relay servers set up by the KAX17 actor were located in data centers all over the world and are configured as entry and middle points primarily. Nusenu pointed out that, unlike other threat actors he analyzed in the past, the KAX17 group only operates a small number of exit points.

This circumstance suggests that the group is operating to track Tor users within the anonymizing network, Nusenu also believes that the KAX17 is an APT group.

Below are some insights on the KAX17 profile provided by the researcher in a post:

  • active since at least 2017
  • sophistication: non-amateur level and persistent
  • uses large amounts of servers across many (>50) autonomous systems (including non-cheap cloud hosters like Microsoft)
  • operated relay types: mainly non-exits relays (entry guards and middle relays) and to a lesser extend tor exit relays
  • (known) concurrently running relays peak: >900 relays
  • (known) advertised bandwidth capacity peak: 155 Gbit/s
  • (known) probability to use KAX17 as first hop (guard) peak: 16%
  • (known) probability to use KAX17 as second hop (middle) peak: 35%
  • motivation: unknown; plausible: Sybil attack; collection of tor client and/or onion service IP addresses; deanonymization of tor users and/or onion services

The expert states that the probability to connect a guard relay operated by KAX17 was 16%, a percentage that pass to 35% when analyzing the probability to pass through one of the middle relays set up by the threat actor.

“The following graph shows (known) KAX17′ network fraction in % of the entire tor network for each position (first, second and last hop of a tor circuit) over the past 3 years.”

KAX17 Tor

Nusenu shared its findings with the Tor Project since last year, and the Tor security experts removed all the exit relays set up by the group in October 2020. The Tor Project also removed a set of KAX17 malicious relays between October, and November 2021.

The expert also states that KAX17’s poor OpSec revealed the use of email address in relay’s ContactInfo, but it is impossible to determine its authenticity, we cannot exclude that it is a false flag.

“Detecting and removing malicious tor relays from the network has become an impractical problem to solve. We presented a design and proof of concept implementation towards better self-defense options for tor clients to reduce their risk from malicious relays without requiring their detection.” concludes the researcher.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tor)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment