Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks

• A group of actors is engaging in cryptocurrency transaction redirections by hijacking Tor nodes.
• This has been going on since December 2019, peaked in May 2020, and is ongoing to this day.
• The Tor Project is slowly but steadily failing, as it can no longer manage the privacy and security risks of its users.

Security researcher ’nusenu’ is reporting about an alarming case of a large-scale Tor relay hijack by an unknown actor. More specifically, the researcher has noticed increased malicious Tor exit relay activity in December 2019, and warned both the project and the community about it.

Still, until today, no real risk mitigation systems have been implemented. According to the researcher, the main focus of the actors seems to be crypto-currency related websites and bitcoin mixer services in particular.

The mysterious exit node hijackers could be a group that is looking to steal money by redirecting the transactions to their wallets, or international law enforcement authorities aiming to trace web criminals. Although anything is possible, the indicators point to the former as being the most likely scenario. ‘nusenu’ has recorded money redirections on numerous occasions. Hence, the motive seems to be clear, and it’s to make a profit.

The peak of the activity was in May 2020, when the actor was in control of about 23% of all Tor network exit nodes. Even now, there are multiple indicators that the actor still runs over 10% of the Tor network’s exit capacity, so the attack is far from being over. The researcher preferred to keep some of the indicators secret so as not to burn them.

Tor users are at risk, and their chances of having their traffic passed through an exit node controlled by a malicious actor are unacceptably high. The researcher suggested some mitigating plans since last December, with email address verification for users who want to gain exit or guard relay flag being one of them.

Additionally, anyone operating more than 0.5% of Tor’s exit or guard nodes could be compelled to declare a physical address and verify it. However, Tor hasn’t bothered to proceed with any plans and just removed some of the reported relays. Since June, they even stopped removing the reported relays altogether, so everything was left to chance.

Related: Researcher Discovered Two Zero-Days on Tor, but There Are More

The Tor Project has a serious resource shortage problem, which we have discussed before, and as time passes, the security of the Tor Network is getting worse. We are now at a point where Tor can be characterized as unsafe for most critical applications.

A few weeks back, Dr. Neal Krawetz pleaded for attention on two highly risky zero-days he had reported to Tor a long time ago. He also warned about three even worse zero-days that could be used to de-anonymize Tor users and compromise the network.