Hackers steal Bitcoin through large-scale exploit on Tor: report
Hackers at their peak operated about a quarter of "exit relays" on Tor this year, allowing them to redirect Bitcoin transactions.
Hackers this year controlled 24% of exit relays on Tor—that's more than ever in the last five years, according to a cyber security researcher.
This is allowing hackers to snoop on crypto transactions and redirect Bitcoin funds to themselves.
"Bitcoin address rewriting attacks are not new, but the scale of their operations is," the researcher said.
Hackers this year exercised significant influence over the privacy browser Tor, according to a report by pseudonymous cyber security researcher “nusenu.”
And they’re using this influence to hijack cryptocurrency transactions, specifically targeting Bitcoin mixer services.
The Tor browser works by bouncing your traffic about several different anonymous relays. This means that it’s very difficult to trace your identity. When, say, a search query hits the final relay, called the “exit relay,” your data the Internet and out pops your search result.
But the researcher found that hackers at their peak operated 24% of the exit relays on the network, or 380, by May of this year. That’s the most control they’ve had over Tor exit relays in the last five years, the researcher said. Controlling these exit relays, hackers can remove encryption protocols on websites to see the users’ data and manipulate it. And they’re using the control to steal Bitcoin, said the researcher.
“It appears that they are primarily after cryptocurrency related websites—namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address,” said nusenu.
While these sorts of man-in-the-middle attacks are not new, nor are they unique to the Tor browser, the scale of this particular attack is unprecedented, according to the report.
The researcher has been reporting the hackers’ misdeeds to Tor administrators since May and many were taken down on June 21. But the attacker still controls more than 10% of the exit relay nodes, said nusenu.
The vulnerabilities come as a shock to those for whom Tor is the gold standard of anonymity for a web browser. Tor is the interface many use to access the dark web, the underbelly of the Internet that houses drug marketplaces and other illegal activity. The browser is also used by whistleblowers and journalists trying to evade surveillance.
To fix the issue, the researcher suggests a short term solution—limiting the amount of exit relays, and a long term solution—having a certain amount of “known” operators; those may require, say, verifying email addresses or submitting physical addresses.
The threat actor was also able to see the user’s transmitted data on the Tor browser in unencrypted format and tamper with it for their own ill-motives.
For users really concerned about government surveillance and privacy in general, the Tor browser offers a suitable escape anonymizing your internet activity. However, just like any piece of technology, it too comes with its flaws.
One of these is that the Tor network uses 3 different nodes or relays for any communication that occurs on it to hide the real source of the traffic. The last of these relays is an exit relay which gets to see where the data is being actually sent. Yet, what happens when this exit relay is malicious?
This is exactly what has been reported recently by a researcher going by the online handle of “nusenu” who found out that up to 24% of the exit relays on the Tor browser were being controlled by a single threat actor up to May 2020 which placed an enormous amount of power in one hand.
This allowed this threat actor to see the user’s transmitted data in unencrypted form and therefore tamper with it for their own ill-motives. One way they did so was by changing the original Bitcoin addresses of users and replacing them with their own in order to steal the coins being transferred.
23% of TOR relays found to be stealing Bitcoin
Number of malicious relays in different time periods during 2020
Explaining in detail, the researcher states in their blog post that,
They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings. It is hard to detect for Tor Browser users that do not specifically look for the “https://” in the URL bar.
The good thing though is that till now, a sizeable portion of the malicious relays has been taken down. The downside is that still, about 10% of these relays are active placing a lot of users at risk.
For the future, it is up to the Tor project’s management and community to raise their voice on this particular issue and be more vigilant about removing such actors from the ecosystem.
On a parting note, Hackread.com would like to remind readers that according to the author, things do not seem to be improving for good in the future as the researcher states:
After the blog post from December 2019 [post talking about malicious relays] the Tor Project had some promising plans for 2020 with a dedicated person to drive improvements in this area, but due to the recent COVID19 related layoffs that person got assigned to another area. In addition to that, Tor directory authorities apparently are no longer removing relays they used to remove since 2020–06–26.
This should be alarming considering that many look solely to the Tor browser to protect their privacy. A suitable method to tackle this issue may be to require a real-world-identity verification of those who wish to run a relay so that the concerned authorities could take action against them in the case that any malicious activity is found to be occurring.
Furthermore, cryptocurrency sites also need to take security measures accordingly considering that they are a frequent target.
The fake version was targeting users for years.
Cryptocurrencies like Bitcoin, anonymity-retaining browsers like Tor and underground platforms like the Dark Web have offered users a great opportunity to carry out their nefarious deeds online without getting caught. However, tables have turned now as hackers and spammers aren’t sparing Dark Web users.
Reportedly, a malicious version of the widely used Tor browser is spying on Dark Web users and stealing bitcoin from their wallets. It is worth noting that the privacy ensuring Tor browser is the main program used by many to access the Dark Web.
Researchers at ESET claim that so far hackers have managed to steal over $40,000 worth of Bitcoin (4.8 BTC) through a trojanized version of the original Tor browser package. The fake version redirects users to two websites, which inform the user that the version of Tor is outdated even if the user has the latest version of the browser.
When the user clicks on the link provided on the page for downloading the updated version of Tor, another website appears containing the download link. When the infected Tor is downloaded and used, it starts spying on the user. When the user adds funds to the Bitcoin wallet or pays for any service on the Dark Web, the malicious Tor diverts the funds to the wallet controlled by the scammers by changing the target address.
ESET senior malware researcher Anton Cherepanov stated in a blog post that whatever the user does on the Dark Web is being tracked by the malicious Tor operators.
“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills into forms and display fake messages, among other activities. However, we have seen only one particular functionality–changing the bitcoin and cryptocurrency wallets,” says Cherepanov.
According to ESET, the fake Tor browser version was promoted back in 2017 and 2018 quite fiercely on many Russian forums and Pastebin accounts as the Russian language version of Tor. Interestingly, the Pastebin accounts so far have over 500,000 views.
Fake Tor browser stole Bitcoins from dark web users
Screenshot of the malicious website pushing fake download for Tor browser
The header of a paste that promotes fake Tor Browser websites:
BRO, download Tor Browser so the cops won’t watch you.
Regular browsers show what you are watching, even through proxies and VPN plug-ins.
Tor encrypts all traffic and passes it through random servers from around the world.
It is more reliable than VPN or proxy and bypasses all Roskomnadzor censorship.
Here is official Tor Browser website:
Tor Browser with anti-captcha:
Save the link
Moreover, ESET researchers have discovered three bitcoin wallets that are used in this campaign. What’s alarming is the fact that this campaign has remained active for many years and the stolen amount may actually be higher than the reported one.
“It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” added Cherepanov.
Tor browser is mostly used for accessing illegal goods/services on the Dark Web and most of the trading is carried out in virtual currency. The fake Tor is designed so genuinely that non-tech savvy users may not even notice any difference between the fake and original browser.