On August 9, a report explaining a Bitcoin exploit using exit nodes was released on Medium by pseudonymous cybersecurity researcher “nusenu”. According to the report, a group of hackers exercised influence over the privacy browser Tor to hijack cryptocurrency transactions by manipulating user exit relay data.
The researcher also found that in May this year, the hackers controlled an astonishing 24% of all exit relays on the network, which is the most control they have had over the last five years. Their scam consisted of using the relays to remove encryption protocols on websites to see users’ data and steal BTC.
“Tor exit relays are the last hop in the chain of 3 relays and the only type of relay that gets to see the connection to the actual destination chosen by the Tor Browser user. The used protocol (i.e. http vs. https) by the user decides whether a malicious exit relay can actually see and manipulate the transferred content or not,” said “nusenu”.
According to the report, such attacks are a frequent occurrence, but an exploit of this scale is something that has not happened in quite some time. Moreover, while the full extent of their operation is still unknown, one thing is clear – the offenders’ goal is to profit from this endeavor by maliciously stealing users’ Bitcoin.
The anonymous researcher also proceeded to explain exactly how the scam works:
“Malicious relays are just used to gain access to user traffic. To make detection harder, the malicious entity did not attack all websites equally. It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.”
As Tor is considered the standard for web anonymity, this vulnerability will certainly have a massive effect on its online community. To fix the issue, the researcher suggests limiting the amount of exit relays in the short term and establishing a certain amount of “known operators” in the long term, including email address verification or submitting physical addresses.