Bitcoin Mixing in TOR network isn't safe due to Malicious Tor Exit Relays

Over the past 16 months, unknown attackers have been embedding malicious servers in the Tor network, and then using them to intercept cryptocurrency-related traffic and perform SSL stripping attacks.

This malicious campaign began in January 2020. Its essence was to add severs to the Tor network, which were marked as exit nodes (servers through which traffic leaves the Tor network and re-enters the public Internet).

Since then, the attackers have injected thousands of malicious servers into the Tor network, and with their help identified traffic sent to the sites of cryptocurrency mixers, and then staged attacks such as SSL stripping (downgraded user traffic from HTTPS addresses to less secure HTTP). After downgrading to HTTP, criminals were able to change the deposit addresses of cryptocurrency wallets with their addresses.

The attacks were first documented in August last year by an information security specialist and Tor server operator known under the pseudonym Nusenu. Then he reported that on the best days, attackers managed to control 23.95% of all Tor exit nodes.

Now Nusenu has published a new report, in which he says that attackers continue their attacks. Even worse, the attacks increased: in February 2021, the criminals were responsible for 27% of all Tor exit nodes.

Although the second wave of attacks was eventually detected, and malicious servers were removed from the Tor network, before that, the attackers’ infrastructure worked and intercepted user traffic for long weeks or even months. The fact is that hackers introduced their servers into the network in small amounts, accumulating a powerful infrastructure and not attracting attention to themselves.

The hackers changed this tactic only this month: when their infrastructure was again disabled, they tried to restore all the servers at the same time. This attack was detected within a day because the simultaneous increase in the number of exit nodes from 1500 to 2500 could not be overlooked.

The expert claims that as of May 5, 2021, attackers still control between 4% and 6% of Tor’s exit nodes, and attacks using SSL stripping continue.

Read the full investigation: