A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017
Well, I guess nobody is anonymous. Even while using Tor.

Quote: Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users.

Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000.

Now, if you don't know how Tor relays work or what they are, here's the rundown: Tor functions like an onion. You have to send a connection through many 'layers' to get from point A to point B. And those layers are known as 'Tor relays'. These relays are open source, and can be run by anybody. This leaves a small window open for attackers. This attacker, KAX17, is using these malicious relays to gather information on users, and map their routes.

Quote: Nusenu said this is strange as most threat actors operating malicious Tor relays tend to focus on running exit points, which allows them to modify the user’s traffic. For example, a threat actor that Nusenu has been tracking as BTCMITM20 ran thousands of malicious Tor exit nodes in order to replace Bitcoin wallet addresses inside web traffic and hijack user payments.

KAX17’s focus on Tor entry and middle relays led Nusenu to believe that the group, which he described as “non-amateur level and persistent,” is trying to collect information on users connecting to the Tor network and attempting to map their routes inside it.

To me, this sounds like an undercover operation to de-anonymize any would-be criminals running things like drugs on the Tor network. Having this much consistent server power, and without any known stream of revenue, this sounds very likely to me.

Source - https://therecord.media/a-mysterious-thr...or-relays/
(This post was last modified: 12-07-2021, 02:37 AM by Drako.)

Messages In This Thread
A Threat Actor Has Been Running Hundreds of Malicious Tor Relays Since 2017 - by Drako - 12-07-2021, 02:36 AM


