This article is more than 1 year old

This is node joke. Tor battles to fend off swarm of Bitcoin-stealing evil exit relays making up about 25% of outgoing capacity at its height

Cash-strapped privacy devs face determined miscreants who keep coming back for more

The Tor Project has confirmed someone, or some group, is in control of a large number of Bitcoin-snaffling exit nodes in its anonymizing network, and it's battling to boot them off.

One observer reckons more than 23 per cent of the entire Tor network’s exit capacity was under the command of one miscreant, or one group of miscreants, at one point in May, with the end goal being the theft of people's cryptocurrency.

Tor works by randomly routing your connections through a network of nodes spread across the world. When you use the open-source Tor software to connect to a public website, the connection is relayed between a few nodes and out to the site via one of many exit nodes. All the site sees is a connection from that particular exit node, and can't trace you back to the IP address you used to enter the Tor network, and thus you're kept anonymous. The network is maintained in an ad-hoc manner, with nodes joining and leaving.

Crucially, whoever is running an exit node can access the traffic flowing through it. Thus it is wise to ensure your connections to websites and other services are wrapped in additional encryption, such as HTTPS or SSH, so that exit node operators cannot snoop on you and alter any information you send over the internet. (Connections are encapsulated in layers of encryption as they are routed through the Tor network.)

It's one thing to be mindful of a rogue exit node operator eavesdropping on you, it's another thing when someone successfully adds a large number of exit nodes to Tor, all under their control, because it means some kind of elaborate campaign is underway to undermine Tor's security.

In this case, it appears someone or some group is adding malicious exit nodes that perform a form of SSL stripping to eavesdrop on visitors to cryptocurrency websites – specifically, Bitcoin mixer services. If any Bitcoin wallet addresses are spotted in the passing unprotected traffic, the addresses are rewritten on the fly so as to funnel transactions into the miscreants' coffers, thus stealing victims' digital money.

Tor soups up onion sites with bountiful browser bump: No more tears trying to find the secure sites you want


The exit nodes take advantage of the fact that when you type in a URL like in your browser, it typically tries to connect first to the dotcom using non-encrypted HTTP, only to be redirected by the website's server on port 80 to the safer and encrypted HTTPS service on port 443. The malicious exit nodes intercept some of these insecure HTTP requests to prevent them being upgraded to HTTPS-encrypted connections, and tamper with the unprotected data in transit, namely any Bitcoin wallet addresses.

Yes, there are plugins like HTTPS Everywhere that force browsers to use encryption, but not everyone uses them, or they disable them after a while because the extensions complain too much when they can't establish a connection to non-HTTPS pages. And there are things like HSTS Preloading that can thwart this kind of attack, but not every website owner uses it. Thus, some folks using Tor may end up running unencrypted traffic through one of these bad nodes to a crypto-dosh mixer, and have their Bitcoins swiped.

This is all according to Nusenu, a developer who has been monitoring the Tor network's health for years. They revealed this month that, earlier in 2020, "roughly about one out of four connections leaving the Tor network were going through exit relays controlled by a single attacker."

Whoever is behind the spy nodes is determined and persistent, we're told. Even though the malicious group was detected at the end of May with more than 23 per cent of the network's exit capacity, and removed from the Tor network's directories, they returned in June with about 22 per cent, were discovered and banned again, only to return a few days later with about 20 per cent. Nusenu noted:

This also shows us how fast the malicious entity recovered from a single removal event and that we didn’t detect all of them at the same time. It took them less than 30 days to recover after a removal and reach 22 per cent exit probability again (starting at 4 per cent). It also gives us an idea that they apparently will not back off after getting discovered once. In fact they appear to plan ahead for detection and removal and setup new relays preemptively to avoid a complete halt of their operations.

"So far 2020 is probably the worst year in terms of malicious Tor exit relay activity since I started monitoring it about five years ago," Nusenu added. "As far as I know this is the first time we uncovered a malicious actor running more than 23 per cent of the entire Tor network’s exit capacity. Since Tor clients usually use many Tor exit relays over time the chance to use a malicious exit relay increases over time."

Ongoing war

The Tor Project confirmed to us it has been trying for months to get the bad actor off its network, including banning the malicious nodes in May and June only to see the surveillance menace return. We're told the Tor team is hampered right now due to being short-staffed. Back in April, the project had to drop 13 people, about a third of its staff, due to funding shortfalls amid the coronavirus pandemic and economic downturn. That means there's not enough people monitoring the anonymizing mesh for wrongdoers.

"We still have contributors watching the network and reporting malicious relays to be rejected by our directory authorities, but they cannot do this full time," a Tor Project spokesperson told The Register. "Our goal is to recover our funds to be able to get that Network Health team back in shape."

While the Tor Project said it is trying to mitigate the malicious operation, including considering disabling HTTP connections, it also has a more permanent solution in the works, once its thinly stretched staff is able to finalize the defense mechanism, which seeks to minimize the use of exit nodes that aren't trusted. That hopefully ought to take care of exit relays appearing out of nowhere that later turn out to be malicious.

"We also have a design proposal for how to improve the situation in a more fundamental way, by limiting the total influence from relays we don't 'know' to some fraction of the network," the spokesperson said. "Then we would be able to say that by definition we trust at least 50 per cent (or 75 per cent, or whatever threshold we pick) of the network."

In the meantime, use HTTPS Everywhere, be mindful of HTTPS downgrade attacks, and keep your internet traffic encrypted as it exits the Tor network. ®

More about


Send us news

Other stories you might like