A Tor server operator called @Nusenu reports on Medium.com that a threat actor has added servers to the Tor network to conduct SSL stripping attacks on users visiting cryptocurrency sites with the Tor Browser. The operation was so successful that the malicious actor was running more than 23% of the entire Tor network’s exit capacity, and an estimated quarter of all connections leaving the network were going through exit relays controlled by a single attacker conducting person-in-the-middle attacks. The blog post notes: “It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.”
People think that Tor is a bulletproof anonymity tool. It’s not. It has been known that sometimes even authorities run Tor exit nodes just to monitor traffic. The anonymity of Tor comes from its distributed nature and its ephemeral relay servers. But if someone manages to throw enough servers into the mix, they might just control enough of the traffic to get a pretty good idea of what’s flowing through the network.
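
Both manipulations described above, HTTPS links downgraded to HTTP and Bitcoin addresses rewritten in transit, show up when the page received through an exit relay is compared with a copy of the same page obtained over a channel you trust. The Python below is an added example, not code from @Nusenu's post; the function names, the host mixer.example and the address-shaped strings are constructed for illustration, and having a trusted reference copy available is an assumption.

```python
import re

# Address *shapes* only (legacy Base58 and bech32); no checksum validation.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Scheme, host and path of URLs in href/action/src attributes.
LINK_RE = re.compile(r"""(?:href|action|src)\s*=\s*["'](https?)://([^"'/\s>]+)([^"'\s>]*)""", re.I)

def link_schemes(html):
    """Map (host, path) -> set of URL schemes the page uses for that target."""
    found = {}
    for scheme, host, path in LINK_RE.findall(html):
        found.setdefault((host.lower(), path), set()).add(scheme.lower())
    return found

def compare_copies(reference_html, observed_html):
    """Diff two copies of a page for stripped HTTPS links and swapped addresses."""
    ref_links, obs_links = link_schemes(reference_html), link_schemes(observed_html)
    downgraded = sorted(
        host + path
        for (host, path), schemes in obs_links.items()
        if "http" in schemes and ref_links.get((host, path)) == {"https"}
    )
    ref_addrs = set(BTC_RE.findall(reference_html))
    obs_addrs = set(BTC_RE.findall(observed_html))
    return {
        "downgraded_links": downgraded,
        "addresses_removed": sorted(ref_addrs - obs_addrs),
        "addresses_added": sorted(obs_addrs - ref_addrs),
    }

# Constructed sample pages: hypothetical host, address-shaped placeholder strings.
REF_ADDR = "1ReferenceAddrForDemoXXXXXXXXXX"
OBS_ADDR = "1TamperedAddrForDemoYYYYYYYYYYY"
REFERENCE = ('<form action="https://mixer.example/send"><p>Deposit to ' + REF_ADDR +
             '</p></form><a href="https://mixer.example/faq">FAQ</a>')
OBSERVED = ('<form action="http://mixer.example/send"><p>Deposit to ' + OBS_ADDR +
            '</p></form><a href="https://mixer.example/faq">FAQ</a>')

if __name__ == "__main__":
    for finding, values in compare_copies(REFERENCE, OBSERVED).items():
        print(finding, values)
```

A non-empty `downgraded_links` or a paired entry in `addresses_removed` and `addresses_added` is a signal to investigate, not proof of tampering, since sites can legitimately rotate deposit addresses between requests.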