Unknown attackers launched 380 new output nodes in the Tor network, which were used to intercept user traffic.
The cybercriminals targeted bitcoin owners. The latter, when trying to perform a cryptocurrency transfer, were almost 25% likely to вЂњgiftвЂќ it to hackers, without even paying attention to it.
An unknown group of cybercriminals added Tor servers to the network for anonymity in order to carry out attacks on users conducting operations with cryptocurrencies.
Attackers spoofed the addresses of target wallets directly in traffic, thereby depriving their victims of digital assets. This was reported by the ZDNet portal with reference to the report of a security researcher known by the nickname Nusenu.
The group started its activity in January 2020, and by may it controlled almost a quarter of all tor output nodes (23.95% or 380 units) вЂ” special servers through which user traffic leaves Tor вЂњoutsideвЂќ вЂ” in the open segment of the Internet.
Nusenu notes that it was able to identify at least nine different clusters of malicious Tor nodes added to the network over the past seven months, based on contact email addresses associated with the aforementioned nodes.
At the end of June 2020, Tor administrators organized a вЂњpurgeвЂќ of the network, significantly weakening the attackers attacking power. However, more than 10% of network traffic still passes through the servers they manage.
According to the expert, the group will continue its illegal activities, since the procedure for adding new servers to the network does not provide for thorough verification of candidates.
The threat to Bitcoin owners
Nusenu, which is itself the operator of the output node, could not give an assessment of the scale of the criminal activity of the group, but its goal, in his opinion, is to obtain financial benefits.
The researcher believes that attackers use the вЂњintermediary attackвЂќ technique (MITM, Man-in-the-middle), manipulating traffic passing through the output nodes under their control. First of all, according to Nusenu, cybercriminals were interested in users of sites related to cryptocurrencies.
Using a technique known as SSL Stripping, attackers вЂњrolled backвЂќ encrypted HTTPS traffic of users to unencrypted HTTP, which allowed them to freely analyze and modify data intercepted without spoofing the SSL certificate at their discretion before they left the Tor network. In particular, according to the security researcher, addresses of Bitcoin wallets were searched in user traffic, then these addresses were replaced with those belonging to the group.
As a result, a careless user of Tor Browser, when trying to transfer funds from his Bitcoin wallet somewhere and being the target of an attack, could transfer funds to fraudsters unnoticed.
A similar attack comes from 2018
As noted by ZDNet, a much similar attack on cryptocurrency owners using Tor was carried out in 2018, but then it was not the output nodes of the network that were involved, but Tor2Web proxies-special web portals on the open Internet that allow users to visit sites in the pseudo вЂ” domain zone.onion, which are usually accessible only from Tor.
The American is-company Proofpoint told about the existence of at least one operator Tor2Web proxy, which quietly and imperceptibly robbed and so became victims of ransomware (Ransomware) users who tried to pay a ransom in the hope of regaining access to encrypted malware data. As a result, the poor people found themselves without keys to decrypt information, and without money.
Tor is a system of proxy servers that support вЂњonion routingвЂќ вЂ” a technology for the anonymous exchange of information over a computer network. Tor allows the user to keep incognito on the Internet and protects their traffic from the analysis.
The technology behind Tor was developed by the US Navy to encrypt military communications, but later acquired the status of an open project available to everyone.
The majority of funds for the development of Tor come from funds controlled by the US government, but in recent years, the share of such donations has been rapidly declining.
Among the current sponsors of the Tor Project from various government agencies, today are the Swedish office for international development cooperation, the office of advanced research projects of the US Department of Defense (DARPA), the US State Department, and the national science foundation.
Recall that hackers вЂњtargetedвЂќ home routers.