A group of cybercriminals has succeeded in introducing hundreds of additional servers to the network of privacy-focused Tor browser, which are being used to launch attacks on the cryptocurrency community.
The Tor operators have been wrestling the hackers for control since January, according to a report from independent security researcher Nusenu, who has monitored the network for a number of years.
At the peak of the attack in May, the hackers operated a total of 380 Tor exit relays (the servers that bridge the network with the public internet), meaning each user had a roughly one in four chance of being funneled through a dangerous server.
Despite three separate attempts to rid the network of the malicious servers after alarms were raised by Tor directory authorities, the group still reportedly controls more than 10% of exit relays today.
Tor Browser security
Having gained a strong foothold in the Tor network – which is usually considered among the most secure around – the hackers have launched targeted attacks against users of cryptocurrency websites.
“They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays,” wrote Nusenu. “They (selectively) remove HTPP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings.”
This type of attack is known as SSL stripping and allows malicious actors to capitalize on the fact users rarely type out full website URLs (including https://). In this context, the hackers are using the exploit to replace bitcoin addresses in unsecured HTTP traffic and funnel cryptocurrency payments into their own wallets.
Tor Browser reportedly lacks the ability to verify new relay operators at sufficient scale, meaning there is no immediate resolution in sight. However, Nusenu claims to have contacted the cryptocurrency websites used to execute the hijacking attacks, which could choose to implement countermeasures (such as HSTS Preloading or HTTPS Everywhere).
Tor Browser did not respond immediately to our request for comment.