Fake Tor Browser Has Been Stealing Bitcoin For Years

  • The hackers used two websites to promote an “official Russian-language version of the Tor Browser”.
  • Even though the compromised version of the Tor Browser has been in circulation for years, it has reportedly stolen only around 4.8 BTC.
Cover image with the Tor Project logo. Tor Project

A compromised version of the Tor Browser has been spying on users and stealing Bitcoins (BTC) for years now, IT security firm ESET reported on 18 October.

According to WeLiveSecurity, the editorial division of ESET, only a small amount of BTC has been lost to date, with the hackers mainly targeting Russian-speaking users.

The funds were stolen by swapping the original cryptocurrency addresses when users tried to pay on darknet markets.

Anton Cherepanov, a senior malware researcher at ESET, wrote:

“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.”

The hackers used two websites that were created back in 2014, tor-browser.org and torproect.org, which claimed to offer the official Russian language version of the Tor Browser.

The websites would display a message which prompted users to “update” their browser, even if it already was up to date, and then redirected them to a second website where they could download the fake version containing the malware.

The researchers identified three wallets used by the hackers, which had received around 4.8 BTC in total, though the actual amount stolen is probably higher because the campaign also stole money from the Russian payment service QIWI.

The malware-ridden Tor Browser allowed its creators to monitor the websites a user visits, change the data on pages, and copy the content of web forms.

Even though the hackers had such access, the researchers say the fake browser was used only to change wallet addresses and steal BTC.

An app impersonating MetaMask on the Google Play store was also found by ESET at the beginning of the year. The app contained malware that intercepted the contents of the clipboard and, if it recognised a cryptocurrency wallet address, replaced it with the attacker's address.

The app was removed from the store on the same day that researchers from the IT security firm tipped off Google.
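Both campaigns described above rely on the same trick: a payment address is silently replaced between the moment the user copies it and the moment it lands in a form. The check below is an added defensive example, not code from ESET or from the Tor Project, and it shows how a wallet or payment page could detect such a swap on its own: it validates that a string is a legacy Bitcoin address (Base58Check with a correct checksum and a mainnet version byte) and compares the address the user copied with the one that was actually pasted. Bech32 (bc1...) addresses are outside its scope, and the sample addresses in the test are public example addresses, not wallets tied to this campaign.

```python
import hashlib
from typing import Optional

# Bitcoin's Base58 alphabet (no 0, O, I or l, to avoid visual confusion).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(s: str) -> Optional[bytes]:
    """Decode a Base58Check string. Return the 21-byte payload
    (version byte + 20-byte hash) or None if the string is malformed
    or its 4-byte double-SHA256 checksum does not match."""
    n = 0
    for ch in s:
        if ch not in _B58:
            return None
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def is_btc_address(s: str) -> bool:
    """True for a mainnet P2PKH (version 0x00) or P2SH (version 0x05)
    address whose checksum verifies. Assumption: only legacy formats."""
    payload = b58check_decode(s)
    return payload is not None and payload[0] in (0x00, 0x05)


def check_paste(copied: str, pasted: str) -> str:
    """Compare the address the user copied with what reached the form.
    'ok'             - identical, valid address
    'swapped'        - both are valid addresses but they differ, the
                       signature of a clipboard/page address swap
    'corrupted'      - pasted text is not a valid address at all
    'not-an-address' - the copied text was never a valid address"""
    if not is_btc_address(copied):
        return "not-an-address"
    if copied == pasted:
        return "ok"
    return "swapped" if is_btc_address(pasted) else "corrupted"
```

A wallet that runs `check_paste` before signing a transaction would refuse to proceed on a `swapped` verdict, which is exactly the case neither the fake browser's victims nor the MetaMask clone's victims could see.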
