As of February 2020, a malicious individual or group controlled 27% of the exit nodes on the Tor network. It uses this position in particular to swap Bitcoin addresses in transit so that payments end up in its own wallet. This is an unprecedented threat to a network that claims to be one of the most secure in the world.
Tor is the benchmark for anonymity on the Internet. Best known as the main gateway to the dark web, it was originally designed to anonymize all activity and communication on the Internet. It does this through a technique called “onion routing,” which layers traffic through several relays in order to hide the user’s IP address. The middle nodes receive the traffic and pass it on among themselves, while the exit nodes forward it to the targeted web address.
These exit nodes are therefore an essential element of user security. Compromising them gives access to all the information that the previous nodes are supposed to have hidden. Exit nodes have been attacked before, notably through the injection of malware called OnionDuke, which was capable of stealing victims’ credentials. This time, an operation of an entirely different magnitude was discovered.
27% of Tor Exit Nodes are Compromised
For more than a year, an unknown entity has controlled no less than 27% of exit nodes, according to a study by nusenu, an independent cybersecurity researcher. “The entity that attacks Tor users has been actively exploiting them for over a year and has extended the scale of its attacks to a new all-time high,” said Tor. “The average exit share controlled by this entity was greater than 14% over the past 12 months.” Last February, this share therefore rose to more than a quarter of total traffic.
The operation started in December 2019. The first recorded attacks date back to January 2020, according to a study published in August of the same year. At that point the entity had 380 compromised exit nodes. Following the researcher’s report, Tor removed these malicious nodes, hoping to eliminate the threat. This failed: by the beginning of May 2021, there were over 1,000 nodes controlled by the attackers. Tor has again disabled these.
Hackers Use Corrupt Nodes To Hijack Bitcoin
According to nusenu, this control allows the attackers to launch man-in-the-middle attacks, intercepting data sent by the user before it reaches its destination. They target Bitcoin addresses exchanged over the HTTP and HTTPS protocols in order to redirect the transaction to their own wallets. “If a user visits the HTTP version of a site, they prevent the site from redirecting the user to its HTTPS version,” Tor explains. “If the user does not notice that he is not on the HTTPS version of the site and sends or receives sensitive information, the attacker can intercept it.”
To limit these attacks, Tor calls on website administrators to urgently adopt HTTPS and to offer a .onion address so that traffic never passes through exit nodes. “The risk of being the target of malicious activity perpetuated through Tor is unique to each organization,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in July 2020. “An organization should determine its individual risk by assessing the likelihood that a malicious individual targets their systems or data and the likelihood of success given current security measures and controls.”
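The downgrade described above works only while a visitor can be kept on the plain-HTTP version of a site. The following added example (not code from the article, nusenu, or the Tor Project) is a small site-side check a web administrator can run against their own server’s responses: it parses the HTTP and HTTPS replies, verifies that plain HTTP redirects to HTTPS and that the HTTPS reply carries a Strict-Transport-Security header with a long max-age, and flags any Bitcoin-looking address served over plain HTTP. The sample responses and the address pattern are constructed for illustration.

```python
import re

# Loose pattern for legacy/P2SH (base58) and bech32 Bitcoin addresses; constructed, not a validator.
BTC_ADDR_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")

def hsts_max_age(value: str) -> int:
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def assess(http_raw: bytes, https_raw: bytes, min_max_age: int = 31536000) -> dict:
    """Report how well a site resists being held on plain HTTP by an on-path relay."""
    h_status, h_headers, h_body = parse_response(http_raw)
    _, s_headers, _ = parse_response(https_raw)
    location = h_headers.get("location", "")
    hsts = s_headers.get("strict-transport-security", "")  # only honoured on the HTTPS reply
    return {
        "http_redirects_to_https": h_status in (301, 302, 307, 308) and location.lower().startswith("https://"),
        "btc_addresses_over_http": BTC_ADDR_RE.findall(h_body),
        "hsts_on_https": bool(hsts),
        "hsts_max_age_ok": hsts_max_age(hsts) >= min_max_age,
        "hsts_include_subdomains": "includesubdomains" in hsts.lower(),
    }

def exposed_to_downgrade(report: dict) -> bool:
    """True when a relay that suppresses the redirect could keep a visitor on HTTP unnoticed.
    A redirect alone can be stripped in transit; HSTS (after a first HTTPS visit, or via
    the preload list) is what makes the browser refuse plain HTTP on later visits."""
    return not (report["http_redirects_to_https"] and report["hsts_on_https"] and report["hsts_max_age_ok"])

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>Pay to bc1qexampleconstructedaddress0000000000</p>")
WEAK_HTTPS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>ok</p>"
GOOD_HTTP = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/pay\r\n\r\n"
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; "
              b"includeSubDomains; preload\r\n\r\n<p>ok</p>")

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        rep = assess(*pair)
        print(label, "exposed" if exposed_to_downgrade(rep) else "protected", rep)
```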