Report: Tor Network Users Were Spied On Via Compromised Exit Relays
The anonymous communication network Tor was reportedly under a continuous, large-scale attack in which up to 25% of its exit relay capacity was hijacked, according to a report published by cybersecurity researcher and Tor node operator Nusenu.
Malicious Tor Network Servers Spell Doom For Users
The attack, which was reportedly initiated in early 2020 by an unidentified hacker, went undetected for over 16 months. According to the report, Tor users were spied on and may have had their data stolen: the malicious servers added to the network's exit relays track and intercept crypto-related data.
Tor is open-source software that lets users anonymize their Internet traffic by routing it through a network of volunteer-operated servers. Traffic is passed through a series of relays, which hides the user's IP address, location and usage from surveillance and traffic analysis.
Middle relays receive traffic on the network and pass it along, while the exit relay is the final node Tor traffic passes through before it reaches its destination.
The hacker allegedly exploited this design by adding their own malicious nodes to the network, disguised as ordinary exit relays. The aim was to intercept sensitive information, such as the cryptocurrency addresses in users' transaction requests, and to swap them so that the users' funds were redirected to the attacker's wallets.
The report says the hacker has also recently started modifying downloads made through Tor, but it is unclear to what end or what other techniques they might be using.
Most of the malicious relays have since been removed by developers, Nusenu revealed. However, the attacker has not backed down and is still constantly rebuilding their network. By Nusenu's estimates, up to 10% or more of Tor's exit relay capacity could still be controlled by the attacker to this day. Nusenu said,
“The recurring events of large scale malicious Tor relay operations make it clear that current checks and approaches for bad-relays detection are insufficient to prevent such events from reoccurring and that the threat landscape for Tor users has changed.”
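As an added illustration of the kind of bad-relay check the statement above refers to (example code, not from the report or from the Tor Project): measure how much of the network's exit capacity a single operator group holds. The relay records, field names and weights below are constructed for this example; a real check would read them from the network's published relay data.

```python
from collections import defaultdict

# Constructed sample relay records (all values invented for this example),
# loosely modelled on the kind of data published about each relay: whether
# it is an exit, its consensus weight, and the operator's declared family.
SAMPLE_RELAYS = [
    {"nickname": "exitA1", "exit": True,  "weight": 3000, "family": "A"},
    {"nickname": "exitA2", "exit": True,  "weight": 2000, "family": "A"},
    {"nickname": "midA3",  "exit": False, "weight": 4000, "family": "A"},  # middle relay
    {"nickname": "exitB1", "exit": True,  "weight": 1000, "family": "B"},
    {"nickname": "exitX1", "exit": True,  "weight": 2500, "family": ""},   # no family set
    {"nickname": "exitX2", "exit": True,  "weight": 1500, "family": ""},
    {"nickname": "exitC1", "exit": True,  "weight": 500,  "family": "C"},
]


def exit_share_by_group(relays, key="family"):
    """Return {group: fraction of total exit weight} counting exit relays only.

    Relays that declare no value for `key` are grouped under "<none>": a
    large-scale operator may register many relays without any family or
    contact information, so that bucket is itself worth watching.
    """
    total = 0
    per_group = defaultdict(int)
    for relay in relays:
        if not relay.get("exit"):
            continue  # middle relays do not contribute to exit capacity
        group = relay.get(key) or "<none>"
        per_group[group] += relay["weight"]
        total += relay["weight"]
    if total == 0:
        return {}
    return {group: weight / total for group, weight in per_group.items()}


def flag_groups(relays, threshold=0.10, key="family"):
    """List (group, share) pairs whose exit share is at or above `threshold`.

    The default of 10% mirrors the report's estimate of the exit capacity
    the attacker may still control; the threshold is a tunable parameter.
    """
    shares = exit_share_by_group(relays, key)
    return sorted((g, round(s, 3)) for g, s in shares.items() if s >= threshold)


if __name__ == "__main__":
    for group, share in flag_groups(SAMPLE_RELAYS):
        print(f"group {group!r} holds {share:.1%} of exit weight")
```

On the constructed sample, family "A" and the relays with no family each hold well over 10% of exit weight and are flagged, while "B" (just under 10%) and "C" are not.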
Cybercriminals Continue to Torment the Tor Network
The Tor network's history with malicious actors is well documented. In December 2019, hackers distributed a compromised version of the official Tor Browser that contained malicious tools to spy on users and steal their Bitcoin.
The scammers had reportedly used forums and the Pastebin website to distribute their offering, targeting Russian-speaking users of the Tor network. The cybercriminals were first documented and exposed by researchers at IT security firm ESET.