Threat actor in Control of 27% of the Tor Network Exit Nodes

The Tor Network Nodes Exploit

It was recently discovered that an anonymous threat actor has established control over 27% of the exit capacity of the Tor network in the start of February this year.


According to Nusenu, an independent cybersecurity researcher, the hacker (or hacking group) has been exploiting users of the Tor network for more than a year and the whole operation has expanded to record levels. On average, the exit fraction controlled by the hacking entity has been approximately 14% throughout the past year but has jumped to over 27% in February.

The first documented attacks occurred in the start of 2020 and were first discovered in August of the same year.

The Tor browser is an open-source web browser that allows for anonymous online communications and data transfer. The Tor network obfuscates the network traffic by relaying the data through different destinations in order to hide its sender and receiver (much like how VPNs work). This masks the IP addresses of the sender and the receiver and makes it very difficult for anyone to learn them (including hackers and government agencies). The middle relays are responsible for receiving the traffic data and passing it along to the follow-up nodes. The final node (the exit relay) is responsible for sending the data to its final destination.

There have been past incidents where exit nodes of the Tor network have been compromised and modified to inject malware to the transferred data (such is the case with the OnionDuke malware). However, this is the first instance where a single hacker/hacking group succeeds in controlling such a large portion of the entirety of the Tor network exit nodes.

According to the research reports, the hacking entity controlled 380 Tor exit nodes in August 2020, before the directory authorities of the Tor network managed to ameliorate the situation. However, this incident pales in comparison to the peak from the beginning of the current month, when over 1,000 Tor exit nodes were discovered to be under the control of the hacking entity. After that peak, the issue has been taken care of and all infected exit nodes have been culled by the Tor network administrators.

According to Nusenu, the goal of this attack is to perform “person-in-the-middle”-type of cyberattacks on users of the Tor network. The way of performing the attacks is to manipulate the data traffic when it passes through the exit nodes. More specifically, the attackers seem to have performed SSL stripping so as to downgrade the traffic that is directed towards Bitcoin mixer services. The traffic gets downgraded from HTTPS to HTTP which allows the attacker to replace the bitcoin address and, by doing so, redirect the transaction’s final destination to their own cryptowallets. Such operations are yet another example of the growing number of cryptocurrency hacking and scam attacks.

The Tor network maintainers explain that if the user visits the HTTP version of a given site – the one that is not encrypted and not authenticated – this will prevent the user’s redirect to the HTTPS site version (the one that is secured via encryption and is authenticated). In such cases, most users don’t notice that they are on the HTTP site version and not the HTTPS one (there is no padlock icon next to the site URL in the browser URL bar) and proceed with performing operations on the site that involve the transfer of sensitive data which could, in turn, be intercepted by the hacker.

In order to mitigate this sort of hacking attacks, the Tor Project maintainers have given several important recommendations. For example, the site owners are advised to keep their sites’ HTTPS enabled by default and avoid exit nodes by deploying.onion sites.

According to CISA (the US Cybersecurity and Infrastructure Security Agency), the risk of getting compromised through compromised security nodes if the Tor network is different for each company and organization and so each entity should assess their risk potential individually and then take adequate measures to mitigate such attacks.

The measures that must be taken for each individual organization should be determined by the specific operation of the organization and the possible weak links of its network according to CISA’s advisory from 2020.

About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

Leave a Comment