A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017
A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #1
Well, I guess nobody is anonymous. Even while using Tor.

Quote:Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users.

Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000.

Now, if you don't know how Tor relays work or what they are, here's the rundown: Tor functions like an onion. You have to send a connection through many 'layers' to get from point A to point B, and those layers are known as 'Tor relays'. These relays are open source and can be run by anybody. This leaves a small window open for attackers. This attacker, KAX17, is using these malicious relays to gather information on users and map their routes.

Quote:Nusenu said this is strange as most threat actors operating malicious Tor relays tend to focus on running exit points, which allows them to modify the user’s traffic. For example, a threat actor that Nusenu has been tracking as BTCMITM20 ran thousands of malicious Tor exit nodes in order to replace Bitcoin wallet addresses inside web traffic and hijack user payments.

KAX17’s focus on Tor entry and middle relays led Nusenu to believe that the group, which he described as “non-amateur level and persistent,” is trying to collect information on users connecting to the Tor network and attempting to map their routes inside it.

To me, this sounds like an undercover operation to de-anonymize any would-be criminals running things like drugs on the Tor network. Given this much consistent server power, and no known stream of revenue, this sounds very likely to me.

Source - https://therecord.media/a-mysterious-thr...or-relays/
(This post was last modified: 12-07-2021, 02:37 AM by Drako.)

[+] 1 user Likes Drako's post

RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #2
If KAX17 can do it on a minuscule level, 3-letter organizations can as well. I've always maintained that you could be better off with a VPN outside of intelligence agreements.

[+] 1 user Likes Dismas's post

RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #3
(12-07-2021, 03:37 AM)Dismas Wrote: If KAX17 can do it on a minuscule level, 3-letter organizations can as well. I've always maintained that you could be better off with a VPN outside of intelligence agreements.

Agreed. Go with something that has a real reputation for privacy like Mullvad or iVPN.


RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #4
Yeah, agreed, it seems like an undercover operation.
€100


RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #5
I've never used Tor purely on its own. It's a poor decision to do so.

Tor over VPN and VPN over Tor (at the least) for added layers of anonymity. Primary and secondary DNS server encryption is also part of the equation.

RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #6
(12-07-2021, 03:42 PM)mothered Wrote: I've never used Tor purely on its own. It's a poor decision to do so.

Tor over VPN and VPN over Tor (at the least) for added layers of anonymity. Primary and secondary DNS server encryption is also part of the equation.
How do you keep websites from timing out through all that? Tor even without a VPN seems to be slow enough to timeout frequently on many sites.


RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #7
(12-30-2021, 10:50 PM)echo_blini Wrote:
(12-07-2021, 03:42 PM)mothered Wrote: I've never used Tor purely on its own. It's a poor decision to do so.

Tor over VPN and VPN over Tor (at the least) for added layers of anonymity. Primary and secondary DNS server encryption is also part of the equation.
How do you keep websites from timing out through all that? Tor even without a VPN seems to be slow enough to timeout frequently on many sites.
Honestly, this Sybil attack isn't uncommon, and the Tor Project struggles to keep up with it sometimes. KAX17 isn't the first or last major attempt to de-anonymize darknet users.

Here's a very detailed post by Nusenu about the threat landscape and how to protect yourself. Mostly, just use a VPN. You will have encrypted traffic from the exit node. Turn on the VPN, then connect to the Tor network. You can find guides on going the other way but it's not recommended. Yes, it's slower, but it isn't really noticeable when your internet speeds are not dialup.

Also, don't simply block entire countries' nodes. That should be a given. Problematic nodes are automatically banned from the network if they fail to meet specific criteria.
(This post was last modified: 12-31-2021, 10:42 PM by ConcernedCitizen. Edit Reason: lol phone )
ed25519/0x21AB6B6A6CB2C337
C87D87466FD205945CF10A3821AB6B6A6CB2C337

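An added illustration of the Sybil arithmetic discussed in Drako's post #1 (an operator holding entry and middle relays can "map routes") and ConcernedCitizen's post #7 (this is a Sybil attack on relay selection). This is example code written for this page, not code from the thread, from The Record, or from nusenu's relay-analysis tooling. The relay list is constructed and every value in it is invented; the field layout (fingerprint, flags, consensus weight, ASN, contact) only mimics what a Tor consensus or Onionoo record carries. The `position_share` weighting is a deliberate simplification that ignores Tor's bandwidth-weight corrections (Wgg, Wmg, Wme), and the (ASN, contact) clustering is an assumed heuristic, not the Tor Project's actual detection criteria.

```python
from collections import defaultdict

# Constructed sample relays: (fingerprint, flags, consensus_weight, asn, contact).
# All values are invented. The "S..." relays model a KAX17-like operator that
# runs Guard and middle relays only (no Exit flag), as the article describes.
RELAYS = [
    ("F001", {"Guard", "Running"}, 4000, "AS1", "op-a@example"),
    ("F002", {"Guard", "Running"}, 3000, "AS2", "op-b@example"),
    ("F003", {"Exit", "Running"},  5000, "AS3", "op-c@example"),
    ("F004", {"Exit", "Running"},  3000, "AS4", "op-d@example"),
    ("F005", {"Running"},          2000, "AS5", "op-e@example"),
    ("F006", {"Running"},          1000, "AS6", ""),
    # Sybil cluster: one AS, one boilerplate contact string, identical shape.
    ("S001", {"Guard", "Running"}, 1000, "AS99", "ro@cluster"),
    ("S002", {"Guard", "Running"}, 1000, "AS99", "ro@cluster"),
    ("S003", {"Guard", "Running"}, 1000, "AS99", "ro@cluster"),
    ("S004", {"Running"},          1000, "AS99", "ro@cluster"),
    ("S005", {"Running"},          1000, "AS99", "ro@cluster"),
]


def eligible(relay, position):
    """Can this relay be picked for the given hop? Guard hop needs the Guard
    flag, exit hop needs the Exit flag, any running relay can be a middle."""
    flags = relay[1]
    if "Running" not in flags:
        return False
    if position == "guard":
        return "Guard" in flags
    if position == "exit":
        return "Exit" in flags
    return True


def position_share(relays, operator):
    """Fraction of eligible consensus weight that `operator` (a set of
    fingerprints) holds in each hop position. Simplification (assumed here):
    plain weight over eligible relays, ignoring Tor's Wgg/Wmg/Wme corrections."""
    shares = {}
    for pos in ("guard", "middle", "exit"):
        total = sum(r[2] for r in relays if eligible(r, pos))
        owned = sum(r[2] for r in relays if eligible(r, pos) and r[0] in operator)
        shares[pos] = owned / total if total else 0.0
    return shares


def guard_middle_observation_probability(shares):
    """Probability that a circuit's guard AND middle hop both land on the
    operator, which lets it tie a client IP to the circuit's exit relay (the
    route mapping the article attributes to KAX17). Caveat: Tor clients keep
    one guard for months, so once a client has picked an operator guard, the
    per-circuit chance rises to shares['middle'] alone."""
    return shares["guard"] * shares["middle"]


def find_sybil_clusters(relays, min_size=3):
    """Group relays by (ASN, contact) and return groups of min_size or more.
    Assumed heuristic only: shared hosting and copy-pasted contact strings are
    a common Sybil tell, but a careful operator can avoid both."""
    groups = defaultdict(list)
    for fp, _flags, _weight, asn, contact in relays:
        groups[(asn, contact)].append(fp)
    return {key: fps for key, fps in groups.items() if len(fps) >= min_size}


def suspected_operator(relays, min_size=3):
    """Union of all fingerprints in clusters large enough to look like one operator."""
    return {fp for fps in find_sybil_clusters(relays, min_size).values() for fp in fps}


if __name__ == "__main__":
    op = suspected_operator(RELAYS)
    shares = position_share(RELAYS, op)
    print("suspected operator:", sorted(op))
    print("share by position:", {k: round(v, 4) for k, v in shares.items()})
    print("P(guard and middle both theirs):",
          round(guard_middle_observation_probability(shares), 4))
```

Run as-is it flags the five `S...` relays as one cluster, gives them 30% of guard weight and about 22% of middle weight, and so roughly a 6.5% chance per fresh circuit of seeing both the client and the exit side of the path. Scale that to the real numbers in the article (hundreds of relays out of 9,000-10,000) and the point of posts #1 and #7 follows: the attacker does not need exits to learn who is talking to what.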

RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #8
Quote:To me, this sounds like an undercover operation to de-anonymize any would-be criminals running things like drugs on the Tor network.
The body exists only to verify one's own existence.

[+] 1 user Likes laininthewired's post

RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #9
(12-30-2021, 10:50 PM)echo_blini Wrote: How do you keep websites from timing out through all that? Tor even without a VPN seems to be slow enough to timeout frequently on many sites.
Seldom do I experience timeouts.

Sure, it's a lot slower than running Tor per se, but for the most part, it serves my needs well. If certain sites don't load for you, try creating a new circuit.

RE: A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 #10
Honestly I had no idea this was possible. I wonder how they would be able to manipulate the traffic. Pretty scary stuff
