Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious Actor Controlled 23% of Tor Exit Nodes

A malicious actor was at one point in control of roughly 23% of the entire Tor network’s exit capacity, a security researcher has discovered.

A malicious actor was at one point in control of roughly 23% of the entire Tor network’s exit capacity, a security researcher has discovered.

While malicious relays on the Tor network are not something new, this was the first time that a single actor managed to control such a large number of Tor exit nodes, a Tor server operator going by the name of Nusenu reveals.

The exit relays are the last in the chain of 3 that are used in connections made over the Tor network, and are those closest to the destination. Thus, they can see which website the user connects to and, if an unsecure connection is used, can also manipulate traffic.

In May this year, a malicious actor ended up controlling more than 380 exit nodes on Tor, accounting for over 23% of the relays.

At the peak of the attack on May 22, when opening up Tor, “you had a 23.95% chance to end up choosing an attacker controlled Tor exit relay. Since Tor clients usually use many Tor exit relays over time the chance to use a malicious exit relay increases over time,” the researcher says.

The actor, Nusenu explains, shows persistence: in March, after more than 150 new relays they had registered over a short period of time got removed, they managed to have them back in the network after declaring them as a group.

In May, most of the actor’s nodes were removed, but they were able to grow from 4% exit capability to over 22% in less than one month.

“[This] also gives us an idea that they apparently will not back-off after getting discovered once. In fact they appear to plan ahead for detection and removal and setup new relays preemptively to avoid a complete halt of their operations,” the researcher explains.

The threat actor continued to use the MyFamily configuration to declare the relays as a group, but no longer linked all of them together, using multiple relay groups instead. They used various email addresses (on Hotmail, ProtonMail, and Gmail) to register nodes.

Nusenu also discovered that the actor was mainly relying on OVH to host their infrastructure, but also used ISPs such as Frantech, ServerAstra and Trabia Network, known providers for relays. Another provider they used was “Nice IT Services Group.”

The main purpose of the attack, the researcher says, appears to be the manipulation of traffic flowing through their relays. For that, they remove HTTP-to-HTTPS redirects, thus being able to access the unencrypted HTTP traffic. The attack is not specific to Tor and the actor did not attack all websites.

“It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks,” Nusenu says.

The problem, the researcher says, does not appear to be gone, especially after the COVID-19 pandemic forced Tor to lay off a third of its staff, impacting the project’s ability to tackle malicious nodes. At least tighter policies and the inclusion of additional checks are required to better mitigate the problem.

As of August 8, the threat actor was still in control of over 10% of Tor’s exit capacity.

Related: CISA Warns Enterprises of Risks Associated With Tor

Related: Firefox 77, Tor Browser 9.5 Released With Patches, Security Improvements

Related: Tor to Reject End-of-Life Relays by Default

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.