Report: Hacking Operation Controlled 24% Of Tor Exit Relays

  • The hackers focused primarily on mixer services and other cryptocurrency-related websites.
  • At present, their reach has been reduced to only 10%, but a full solution is yet to be implemented.

On August 9, the pseudonymous cybersecurity researcher “nusenu” published a report on Medium describing a Bitcoin exploit that relies on Tor exit nodes. According to the report, a group of hackers used exit relays on the Tor network to hijack cryptocurrency transactions by manipulating the user traffic leaving those relays.

The researcher also found that in May this year, the hackers controlled an astonishing 24% of all exit relays on the network, which is the most control they have had over the last five years. Their scam consisted of using the relays to strip encryption from connections to websites so that they could see users’ data and steal BTC.

“Tor exit relays are the last hop in the chain of 3 relays and the only type of relay that gets to see the connection to the actual destination chosen by the Tor Browser user. The used protocol (i.e. http vs. https) by the user decides whether a malicious exit relay can actually see and manipulate the transferred content or not,” said “nusenu”.

According to the report, such attacks occur frequently, but one of this scale has not been seen in quite some time. Moreover, while the full extent of the operation is still unknown, one thing is clear – the offenders’ goal is to profit by stealing users’ Bitcoin.

The anonymous researcher also proceeded to explain exactly how the scam works:

“Malicious relays are just used to gain access to user traffic. To make detection harder, the malicious entity did not attack all websites equally. It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.”

As Tor is considered the standard for web anonymity, this vulnerability will certainly have a massive effect on its online community. To fix the issue, the researcher suggests limiting the number of exit relays in the short term and establishing a certain number of “known operators” in the long term, including email address verification or submitting physical addresses.
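
The address rewriting described in the report can be detected by comparing the Bitcoin addresses in a page fetched over a trusted HTTPS path with those in the copy received through an exit relay. The following Python is an added example, not code from the report or from the Tor Project; the function names, sample addresses and page bodies are constructed for illustration, and only legacy Base58Check addresses are handled.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses only (P2PKH "1...", P2SH "3..."); bech32 is not covered.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Used here only to build the constructed sample addresses."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(addr: str) -> bool:
    """True if addr decodes to version byte + 20-byte hash + correct checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    return raw[0] in (0x00, 0x05) and _checksum(raw[:21]) == raw[21:]

def extract_addresses(body: str) -> set:
    # The checksum test drops random strings that merely look like addresses.
    return {a for a in CANDIDATE.findall(body) if is_valid_address(a)}

def compare_bodies(reference: str, observed: str) -> dict:
    """reference: copy from a trusted HTTPS path; observed: copy seen via the exit."""
    ref, obs = extract_addresses(reference), extract_addresses(observed)
    return {"missing": ref - obs, "injected": obs - ref}

# Constructed sample data: both addresses are derived from made-up 20-byte hashes.
SITE_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
SWAPPED_ADDR = b58check_encode(b"\x00" + bytes(range(101, 121)))
REFERENCE_BODY = f"<p>Send your deposit to <code>{SITE_ADDR}</code></p>"
OBSERVED_BODY = f"<p>Send your deposit to <code>{SWAPPED_ADDR}</code></p>"

if __name__ == "__main__":
    print(compare_bodies(REFERENCE_BODY, OBSERVED_BODY))
```

A non-empty "injected" set alongside a non-empty "missing" set means an address on the page was substituted in transit, which is the signature of the rewriting the report describes.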
