Malicious Tor Relays Are Exploiting Users’ Cryptocurrencies

Jafrin  |  May 11, 2021

Users of the Tor network are at risk of losing their cryptocurrencies to a continuous large-scale cyberattack launched in early 2020. Reportedly, an unknown hacker has been running a large-scale attack on the Tor network for over a year, hijacking up to 25% of its "exit relay" capacity. The malicious nodes then modify users' traffic to steal their cryptocurrencies.

Malicious Tor Network Relays Stealing Users’ Cryptocurrencies

According to a report published by the cybersecurity researcher and Tor node operator Nusenu, an unidentified hacker has been adding thousands of malicious servers to the Tor network for over a year.

Despite being shut down several times, the attacker continues to track, steal and attack crypto users of the network even today.

Apparently, the threat actor has been adding malicious servers to the Tor network since early 2020, running them as exit relays. This is done in order to track users accessing cryptocurrency-related sites.

The attacker then downgrades the traffic to HTTP in order to replace cryptocurrency addresses with their own and steal users' cryptocurrencies.

Reportedly, over the past 16 months, the developers of the Tor network have shut down the hacker's servers at least three times already. However, the hacker keeps rebuilding the network. Interestingly, up to 10% or even more of Tor's exit relay capacity could still be controlled by the attacker to this day.

Tor Exit Nodes Exploiting Cryptocurrency Users

Tor is free and open-source software that allows users to anonymize their Internet traffic by sending it through a network of servers operated by volunteers.

Taking advantage of this, an unknown attacker (acting as a volunteer) has been adding their own malicious nodes to the network as "exit relays." Apparently, the hacker modified the relay code so that it can pinpoint cryptocurrency-related traffic and alter it before sending it on.

It is believed that the hacker used Tor network servers to switch crypto addresses in transaction requests made by users and redirect their cryptocurrencies to their own wallets.
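The address-swapping described above only works because the exit relay can see and rewrite plaintext HTTP; a site that redirects every plaintext request to HTTPS and sends a strong Strict-Transport-Security (HSTS) header gives the relay nothing to rewrite on later visits. The checker below is an added example written for this article, not code from the article or from Nusenu's report; the sample responses for `example.test` are constructed, and the one-year `MIN_HSTS_MAX_AGE` threshold is a common recommendation, not a value the article states. It flags the conditions a site operator or auditor would look for when assessing exposure to this kind of downgrade.

```python
"""Assess a site's exposure to HTTP downgrade (SSL stripping) by an on-path
relay, using its plaintext and HTTPS responses.

Added example; the responses below are constructed, not real captures.
"""
from dataclasses import dataclass

# One year is the commonly recommended minimum HSTS lifetime (assumption, not from the article).
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal view of an HTTP response: header names are lower-cased."""
    url: str
    status: int
    headers: dict


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    Returns None when max-age is missing or not an integer, since browsers
    treat such a header as invalid and ignore it.
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def downgrade_findings(http_resp, https_resp):
    """Return a list of findings; an empty list means no downgrade weakness found."""
    findings = []

    # 1. A plaintext request must be redirected to HTTPS, never answered with content
    #    that an exit relay could rewrite.
    if http_resp.status in (301, 302, 307, 308):
        location = http_resp.headers.get("location", "")
        if not location.lower().startswith("https://"):
            findings.append("http: redirect target is not https")
    else:
        findings.append("http: served content over plaintext instead of redirecting")

    # 2. The HTTPS response must carry a strong HSTS policy so the browser refuses
    #    plaintext on later visits even if a relay strips the redirect.
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: missing Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("https: malformed Strict-Transport-Security header")
        else:
            max_age, include_sub, _preload = parsed
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"https: HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
            if not include_sub:
                findings.append("https: HSTS lacks includeSubDomains")

    # 3. HSTS sent only over plaintext is ignored by browsers and gives no protection.
    if "strict-transport-security" in http_resp.headers and hsts is None:
        findings.append("http: HSTS sent only over plaintext, which browsers ignore")

    return findings


# Constructed sample responses for a hypothetical wallet page.
WEAK_HTTP = Response("http://example.test/wallet", 200, {"content-type": "text/html"})
WEAK_HTTPS = Response("https://example.test/wallet", 200, {"content-type": "text/html"})
GOOD_HTTP = Response("http://example.test/wallet", 301,
                     {"location": "https://example.test/wallet"})
GOOD_HTTPS = Response("https://example.test/wallet", 200,
                      {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, downgrade_findings(*pair) or ["no downgrade weakness found"])
```

HSTS still has a first-visit gap: a browser that has never seen the header trusts the first plaintext response, which is why the `preload` directive (and submission to browser preload lists) and a browser-side HTTPS-only setting matter for users who route traffic through untrusted exits.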
