What Expert Says On: Hackers exploited Tor exit relays to generate bitcoin

At one point this spring, a single set of money-hungry hackers controlled nearly a quarter of the endpoint infrastructure through which the anonymizing internet browser Tor routed traffic, a researcher who tracks Tor claimed this week.

1 Expert Comment
Chad Anderson, Research Engineer
InfoSec Expert
August 13, 2020 10:41 am

One major flaw of Tor is that any dedicated actor with enough resources can spin up enough nodes to break anonymity in the network. This has been a known type of attack, and something that intelligence agencies have been observed doing in the past. The scale of the effort required means that only groups with large financial resources are capable of pulling this off so typically these operations are state-sponsored or research funded.

Tor works by having users' connections hop through, by default, three internal nodes before finding an exit node to route to the regular Internet, then route back through another path. Those three-hop nodes, or paths, shift on a given time interval. By controlling enough of those nodes one can de-anonymize users by controlling all nodes along a user's path. In this case, this group only needs to control the exit node to decrypt communications as they leave the Tor network bound for the regular Internet. This was much easier in the past before certain vulnerabilities were fixed in TLS.

Here this actor is downgrading secure connections and intercepting the traffic in between to then rewrite bitcoin wallets in traffic to steal funds. This by no means is a new attack, but this scale is interesting since taking over a quarter of the exit nodes on the network is so expensive to do.

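The comment above notes that the attack only works because one group controlled a large share of exit relays. The following is an added example, not part of the article or of Chad Anderson's comment, showing the defender-side measurement behind that observation: attributing exit capacity to operators and flagging any operator whose share crosses a threshold. The relay records are constructed sample data with an assumed `family_id` field standing in for the MyFamily/ContactInfo grouping; in practice the data would come from the Tor consensus or the Onionoo API.

```python
"""Estimate how much Tor exit capacity a single operator controls.

Added example (not from the article or the commenter). Relay records below
are constructed; real data would come from the Tor consensus or Onionoo.
"""
from collections import defaultdict

# Constructed sample relays: (nickname, is_exit, consensus_weight, family_id).
# family_id is an assumed stand-in for the MyFamily / ContactInfo grouping an
# analyst uses to attribute relays to one operator; "" means none declared.
SAMPLE_RELAYS = [
    ("exitA1", True, 4000, "groupA"),
    ("exitA2", True, 3500, "groupA"),
    ("exitA3", True, 2500, "groupA"),
    ("exitB1", True, 6000, "groupB"),
    ("exitC1", True, 9000, ""),
    ("exitD1", True, 5000, "groupD"),
    ("guard1", False, 20000, "groupA"),  # non-exit: excluded from exit share
]


def exit_share_by_operator(relays):
    """Return {operator: fraction of total exit weight}, largest share first.

    Relays with no declared family are attributed to their own nickname.
    This understates concentration: a hostile operator can simply omit
    family ties, so clustering by other signals is needed in practice."""
    total = 0
    per_op = defaultdict(int)
    for nick, is_exit, weight, family in relays:
        if not is_exit:
            continue
        total += weight
        per_op[family or nick] += weight
    if total == 0:
        return {}
    ranked = sorted(((op, w / total) for op, w in per_op.items()),
                    key=lambda kv: kv[1], reverse=True)
    return dict(ranked)


def operators_over_threshold(relays, threshold=0.10):
    """Operators whose exit-weight share exceeds `threshold` (default 10%)."""
    return [op for op, share in exit_share_by_operator(relays).items()
            if share > threshold]


if __name__ == "__main__":
    for op, share in exit_share_by_operator(SAMPLE_RELAYS).items():
        print(f"{op:8s} {share:6.1%}")
    print("over 25%:", operators_over_threshold(SAMPLE_RELAYS, 0.25))
```

With the sample data, groupA holds a third of exit weight, which is the kind of concentration an exit-relay monitor should alert on well before it reaches the quarter of the network described in the article.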
Information Security Buzz