tor dark web markets

Large Scale Malicious Attack Through TOR Network Exit Relays 

For anyone spending time on dark web markets, this is for you. Were you aware that cyber attackers manage to control nearly 24% of all TOR network exit relays. Hackers then use these malicious exit relays to SSL strip cryptocurrency transfers and payments. The hackers targeted traffic inside the TOR network that was related to cryptocurrency. This was revealed by an independent analyst that follows TOR privacy and security issues.

With nearly 24% of the exit relays being malicious, TOR users have a one-in-four chance of being redirected through one of these servers. This chance to get redirected through a malicious server runs higher over a larger portion of time due to the TOR client using multiple exit relays over time.

In a report by analyst Nusenu, the attackers controlled around 380 of TOR’s exit relay nodes at the peak of their operations in May of 2020. TOR soon reacted by eliminating the 150 new relay servers which had been detected by its Sybil Attack Detection tool. These servers, however, were allowed to rejoin the network after configuring the “MyFamily” setting to declare itself as a group.

The Method Of Attack Through SSL Stripping

The reason for the attack seems to be purely to profit off of unsuspecting TOR users. The attacks are MITM or “Man in the Middle” attacks. Such attacks carefully redirect and manipulate traffic that is flowing outwards through the network exit relay. They take them to unencrypted HTTP versions of their destination instead of the HTTPS versions without alerting TLS certificate warnings. This is known as SSL stripping.

Without the security of encryption, the attackers quickly switch the bitcoin addresses from their intended recipient to the wallets of the attackers. The attack was primarily concerned with bitcoin mixer services and a few other websites related to cryptocurrency.

TOR’s Response

Roger Dingledine, the TOR Project’s cofounder, has planned to allocate a fixed minimum boundary to TORs “known” pool of server of operators. Analyst Nusenu also suggests the requirement of email verification for every single exit. He also suggests guarding relay servers and the verification of physical addresses for any large operators.

Why The Threat Of More Attacks Remains

SSL stripping attacks are successful because most users rarely check to differentiate between “https://” and “http://” in their browser’s address bars. This allows malicious entities to redirect traffic to unsafe results that open users to unencrypted access from the same entities.

While countermeasures like HSTS preloading and HTTPS are everywhere but these are not available on all the affected domains. Although TOR has asked for domains to enable HSTS, they have no method of enforcing such a thing.

Summing Up

The TOR project is not able to track all known operators, and neither is it able to verify all server operators over the entire network. It is clear the current system for the prevention of large-scale malicious attacks is not functioning.

This leads to a large information gap of which servers are and aren’t malicious. The only way to find out would be to end up as a victim of such an attack. Up to 10% of the relays responsible for the SSL stripping attacks remain hidden within TOR’s network. Be careful out there on the dark web markets, folks!