A trojanized build of the Tor Browser has been spying on users and stealing Bitcoin (BTC) for years, IT security firm ESET reported on 18 October.
According to WeLiveSecurity, the editorial division of ESET, only a small amount of BTC has been lost to date, with the attackers mainly targeting Russian-speaking users.
The funds were stolen when users tried to pay on darknet markets: the malicious browser swapped the market's payment address on the page for one controlled by the attackers.
Anton Cherepanov, a senior malware researcher at ESET, wrote:
“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.”
The attackers used two lookalike domains set up back in 2014, tor-browser.org and torproect.org (both imitating the genuine torproject.org), which claimed to offer the official Russian-language version of the Tor Browser.
The sites displayed a message prompting visitors to "update" their browser, even if it was already up to date, and then redirected them to a second site from which the fake, malware-laden version was downloaded.
The researchers identified three wallets used by the attackers, which had received around 4.8 BTC in total; the actual haul is probably higher, as the campaign also stole money from the Russian payment service QIWI.
The trojanized Tor Browser let its operators see which websites a user visited, modify page content, and capture what users typed into web forms.
Although this gave the attackers far broader capabilities, ESET says the fake browser was used only to swap wallet addresses and steal BTC.
Earlier in the year, ESET also found an app impersonating MetaMask on the Google Play store. It contained clipboard-hijacking malware (a so-called clipper): whenever the clipboard contents looked like a cryptocurrency wallet address, it replaced them with an address belonging to the attacker.
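Both campaigns rely on the same trick: a checksum-valid attacker address is substituted for the one the victim meant to pay, either in the rendered page or in the clipboard. As an added illustration (this is not code from ESET, the article, or either malware sample), the Python below shows the detection logic a wallet or browser extension could apply: it recognises legacy Bitcoin addresses by their Base58Check checksum, so random address-shaped strings are not flagged, and then compares what the user sees against the address they expected. The merchant address is the well-known public genesis-block address used purely as an example, and the attacker address is constructed from a made-up hash; neither is taken from the campaigns described here.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate tokens: legacy P2PKH ('1...') and P2SH ('3...') addresses.
# Bech32 'bc1...' addresses use a different checksum and are not handled here.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    value = int.from_bytes(data, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on bad characters."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError if ch is invalid
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58check_encode(payload: bytes) -> str:
    """Append the 4-byte SHA256d checksum to payload and Base58-encode it.

    A clipper must do exactly this to produce an address that wallets accept;
    here it is only used to build a constructed attacker address for the demo.
    """
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_btc_address(text: str) -> bool:
    """True if text is a checksum-valid legacy Bitcoin address (25 raw bytes)."""
    if not ADDRESS_RE.fullmatch(text):
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return checksum == sha256d(payload)[:4]


def extract_addresses(text: str) -> list:
    """Return every checksum-valid Bitcoin address found in text, in order."""
    return [m for m in ADDRESS_RE.findall(text) if is_valid_btc_address(m)]


def detect_address_swap(expected_address: str, observed_text: str) -> dict:
    """Compare the address the user expected to pay with what they actually see.

    observed_text may be the rendered payment page (the trojanized-browser case)
    or the clipboard contents just before a paste (the clipper case).
    """
    found = extract_addresses(observed_text)
    unexpected = [a for a in found if a != expected_address]
    return {
        "expected_present": expected_address in found,
        "unexpected_addresses": unexpected,
        "swap_detected": bool(unexpected) and expected_address not in found,
    }


# Constructed sample data for the demo (not from the campaigns in the article).
EXPECTED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known public genesis-block address
ATTACKER = b58check_encode(b"\x00" + b"\x42" * 20)  # made-up hash160, valid checksum
CLEAN_PAGE = f"Send 0.05 BTC to {EXPECTED} within 30 minutes."
TAMPERED_PAGE = f"Send 0.05 BTC to {ATTACKER} within 30 minutes."


def demo() -> tuple:
    """Run the check over the clean and the tampered page text."""
    return (detect_address_swap(EXPECTED, CLEAN_PAGE),
            detect_address_swap(EXPECTED, TAMPERED_PAGE))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean page:   ", clean)
    print("tampered page:", tampered)
```

The checksum step matters in practice: an address that fails Base58Check is a typo, not an attack, and a detector that only pattern-matches would flood users with false alarms. Note also that the check is only as good as the reference address, which has to come from somewhere the malware cannot rewrite (for example, a second device or an out-of-band confirmation), since the trojanized browser controlled everything the victim saw.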
Google removed the app from the store on the same day that ESET's researchers reported it.