Connect with us

Hi, what are you looking for?


Security Infrastructure

Many Tor Relays Found Snooping on Dark Web Services

Researchers at Northeastern University have analyzed the Tor anonymity network and discovered that there are at least 110 nodes that spy on dark web services.

Researchers at Northeastern University have analyzed the Tor anonymity network and discovered that there are at least 110 nodes that spy on dark web services.

Experts have developed what they call honey onions, or HOnions, honeypots designed to identify misbehaving relays that have a hidden services directory (HSDir) flag. The privacy of Tor hidden services depends on the honest operation of these nodes, which provide the information needed by users to access .onion websites.

An analysis conducted between February 21 and April 24 using roughly 1,500 HOnions revealed that there are at least 110 snoopy nodes. These misbehaving relays were mostly located in the United States, Germany, France, UK and the Netherlands. According to the Tor Project, there are a total of more than 3,000 relays with the HSDir flag.

While in most cases these relays automatically queried the root path of the server, in some cases the honeypots detected what appeared to be manual probing. Researchers identified Apache- and search engine-related queries, and also attempts to find or exploit SQL injection, cross-site scripting (XSS), Drupal user enumeration, path traversal, Ruby on Rails and PHP vulnerabilities.

Some of the offending nodes were more sophisticated than others. Experts noticed that some of them visited the HOnions within 24 hours after hosting them, while others waited longer – most likely in an effort to evade detection or avoid raising suspicion.

Researchers also determined that more than 70 percent of the malicious relays are hosted in the cloud, including on infrastructure provided by companies that accept payment in Bitcoin, which makes it more difficult to detect the nodes and identify their operators.

Some of the snoopy hidden service directories are also exit nodes – these types of nodes have been known to be abused for malicious activities, including by APT actors. SecurityWeek has reached out to the Tor Project for comment on this research.

Advertisement. Scroll to continue reading.

Recent events have shown that Tor is not 100 percent trustworthy. A team of university researchers funded by the U.S. government managed to help law enforcement deanonymize Tor users suspected of conducting criminal activities by adding more than 100 rogue relays to the anonymity network.

Several improvements have been made over the past period to anonymity protections, but an increasing number of people are losing their faith in Tor’s capabilities due to the recent incidents. MIT researchers announced earlier this month that they have created a new anonymity system, dubbed “Riffle,” that is claimed to provide not only stronger security, but also more efficient bandwidth usage.

Related: Tor Browser Gets Multiple Security Enhancements

Related: Tor, CloudFlare Spar Over Malicious Traffic

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture


Identity and access governance vendor Saviynt has closed a $205 million financing round.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.


Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Identity & Access

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).